Blog

Dropbox Abused in Novel Phishing Attack to Obtain M365 Credentials

The file hosting service Dropbox is being abused in a novel phishing campaign that exploits trust in the platform to harvest Microsoft 365 credentials. The campaign targeted 16 employees of an organization who received an email from the no-reply[@]dropbox.com account, a legitimate email account that is used by Dropbox. The emails included a link that directed the recipients to a Dropbox-hosted PDF file, which was named to appear as if it had been created by one of the organization’s partners. If the PDF file was opened, the user would see a link that directs them to an unrelated domain – mmv-security[.]top. One of the employees was then sent a follow-up email reminding them to open the PDF file that was sent in the first email. They did, and they were directed to a phishing page that spoofed the Microsoft 365 login page. A couple of days later, suspicious logins were detected in the user’s Microsoft 365 account from unknown IP addresses, which were investigated and found to be associated with ExpressVPN, indicating the attacker was using the VPN to access the account and mask their IP address.

Multifactor authentication was correctly configured on the account but this appears to have been bypassed, with the logins appearing to use a valid MFA token. After capturing credentials, the employee is thought to have unknowingly approved the MFA authentication request which allowed the account to be compromised. The attacker gained access to the user’s email account and set up a new rule that moved emails from the organization’s accounts team to the Conversation History folder to hide the malicious use of the mailbox. Emails were also sent from the account to the accounts team in an apparent attempt to compromise their accounts.

Phishing attacks are becoming increasingly sophisticated and much more difficult for end users to identify. Security awareness training programs often teach users about the red flags in emails they should look out for, such as unsolicited emails from unknown senders, links to unusual domains, and to be wary of any requests that have urgency and carry a threat should no action be taken. Impersonation is common in phishing attacks, but in this case, the impersonation went further with the emails sent from a valid and trusted account. That means that the email is more likely to be trusted and unlikely to be blocked by email security solutions, especially as the emails include a link to a file hosted on a trusted platform. This was also a staged attack, with follow-up emails sent, which in this case proved effective even though the second email was delivered to the junk email folder. The login page to which the user was directed looked exactly the same as the genuine login prompt for Microsoft 365, aside from the domain on which it was hosted.

Many businesses have configured multifactor authentication on their Microsoft 365 accounts, but as this attack demonstrates, MFA can be bypassed. The sophisticated nature of phishing attacks such as this demonstrates how important it is for businesses to have advanced defenses against phishing. TitanHQ’s anti-phishing solutions use AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing solutions on the market. All emails are scanned – internal and external – for phrases and keywords that are unusual and could indicate malicious intent. All URLs are checked against various threat intelligence feeds to identify malicious URLs, and URLs are rewritten to show their true destination. The solution also learns from feedback provided by users and detection improves further over time. The curated and unique email threat intelligence data is unmatched in visibility, coverage, and accuracy, and TitanHQ’s email security solutions feature sandboxing, where attachments are subjected to deep analysis. When a malicious email is detected, all other instances are removed from the entire M365 tenant.

If you want to improve your defenses against sophisticated phishing attacks give the TitanHQ team a call. If you are a Managed Service Provider looking for an easy-to-use solution to protect your clients from phishing and malware, look no further than TitanHQ. All solutions have been developed from the ground up to meet the needs of MSPs to better protect their customers from spam, phishing, malware, and BEC attacks.

Employee Error is the Biggest Cybersecurity Threat in 2024

What would you say is the biggest cybersecurity threat in 2024? Ransomware is certainly a major concern, with attacks being reported with increasing frequency, and phishing attacks continue to cause headaches for businesses; however, a recent survey of Chief Technology Officers (CTOs) by STX Next has revealed the biggest perceived cybersecurity threat is neither of these. When asked about the biggest cybersecurity threat faced by their organization in 2024, 59% of CTOs said human error, 48% said ransomware and 40% said phishing.

It is possible to implement a range of cybersecurity measures to combat threats such as ransomware and phishing to ensure that these attacks do not succeed. An email security solution can be implemented that will scan all emails for signs of phishing and will prevent the majority of malicious and unwanted messages from being delivered to inboxes. Email security solutions also scan emails for malware to prevent it from reaching employees. Security solutions can detect and block attempts by hackers to breach systems and implementing cybersecurity best practices will ensure that vulnerabilities are addressed before they can be exploited; however, employees are a weak point that many businesses are failing to address, and hackers know all too well that targeting employees is the easiest way to breach a company network.

Hackers can search for and exploit unpatched vulnerabilities in software and investigations of cyberattacks often show highly sophisticated attack methods have been used, but hackers have not required high levels of sophistication in most breaches. It is far easier to use social engineering to trick employees into providing access to accounts and systems and to take advantage of security mistakes by employees. Verizon’s 2023 Data Breach Investigations Report found the human element was involved in 74% of all cybersecurity breaches, with some studies suggesting the figure is closer to 95%.

Human error includes setting weak passwords that can easily be guessed, leaving systems unsecured, disclosing passwords in phishing emails, downloading malware onto their devices, sending emails containing sensitive data to incorrect recipients, installing unauthorized software, and more. It is not possible to stop employees from making mistakes, but if businesses provide security awareness training and teach employees security best practices, it is possible to reduce errors to a low and acceptable level. Security awareness training allows businesses to develop a security culture, where employees are constantly looking for threats and stop and think before they take any action that could potentially open the door to hackers.

The key to successful security awareness training is to provide it regularly. A once-a-year training session is better than nothing, but it won’t create a security culture and employees will not be sufficiently up-to-date on the new tactics that hackers are using to breach business networks. Training needs to be provided continuously throughout the year with employees instructed about the latest tactics hackers are using to target them so they can recognize threats and avoid them.

The SafeTitan Security Awareness Training platform makes it easy for businesses to create effective security awareness training programs. Courses can be developed that run continuously throughout the year, and the training content can be easily tailored to the organization, departments, job roles, and even individuals to ensure it is relevant and tackles the specific threats they are likely to face. The training content covers all aspects of security, teaches best practices, and makes employees aware of the threats they are likely to encounter. SafeTitan is a modular training platform with each computer-based training module lasting no more than 10 minutes, so it is easy to fit training into busy workflows. It is easy for businesses to monitor who is completing training and see how effective the training has been.

In addition to providing training, employees’ knowledge needs to be tested to make sure that the training material has been understood and is being applied. SafeTitan includes a phishing simulation platform that allows businesses to see how employees respond to simulated attacks and identify employees who are making mistakes. Those weak points can then be addressed before they can be exploited by hackers. SafeTitan is the only security awareness training platform that delivers training in real-time in response to employee errors. When an error is detected, such as a phishing test failure, training is delivered to individual employees in real-time when the additional training is likely to be most effective at changing behavior.

Employees are the first line of defense and it is important for the defensive line to be fortified. To find out more about the SafeTitan platform, give the TitanHQ team a call today. SafeTitan is also available on a free trial so you can see for yourself how easy it is to create and automate your training courses.

CryptoChameleon Phishing Kit Targets FCC Employees and Cryptocurrency Platform Users

A new phishing kit has been identified that is being used to target employees of the U.S. Federal Communications Commission (FCC) and the cryptocurrency platforms Binance and Coinbase, as well as users of cryptocurrency platforms such as Binance, Coinbase, Caleb & Brown, Gemini, Kraken, ShakePay, and Trezor.

A phishing kit is a set of tools and templates that allows threat actors to conduct effective phishing campaigns. These kits are marketed on the dark web to hackers and allow them to conduct phishing campaigns without having to invest time and money into setting up their own infrastructure. Phishing kits range from simple kits that provide phishing templates and cloned login pages, to more advanced kits that are capable of adversary-in-the-middle attacks that can defeat multifactor authentication. These kits significantly lower the entry barrier for conducting phishing campaigns as they require little technical expertise. Pay a relatively small fee and sophisticated phishing campaigns can be conducted in a matter of minutes.

The new phishing kit is called CryptoChameleon and allows users to create carbon copies of the single sign-on (SSO) pages that are used by the targeted businesses. Employees are used to authenticating through a single solution, through which they authenticate with many business applications. The kit also includes templates for phishing pages to harvest the credentials of cryptocurrency platform users and employees, including pages that impersonate Okta, iCloud, Gmail, Outlook, Yahoo, AOL, and Twitter.

The phishing operation was discovered by researchers at Lookout and more than 100 high-value victims of this campaign have been identified to date. Threat actors using the kit have been contacting users via SMS, email, and phone calls to trick them into visiting a malicious site where their credentials are harvested. Users are redirected to a phishing site but before the content is displayed, they are required to pass an hCAPTCHA check. This helps with the credibility of the campaign, but most importantly it prevents automated analysis tools and security solutions from identifying the phishing site.

In the campaign targeting FCC employees, after passing the hCAPTCHA check, the user is presented with a login page that is a carbon copy of the FCC Okta page. The domain on which the page is hosted – fcc-okta[.com] – differs only slightly (1 character) from the legitimate FCC Okta login page. Login credentials alone are not normally enough to gain access to accounts as many are now protected by MFA. The captured login credentials are used to log in to the real account in real time, and the victim is then directed to the appropriate page where additional information is collected to pass the MFA checks. This could be a page that requests their SMS-based token or the MFA token from their authenticator app. Once the MFA check has been passed and the account has been accessed by the threat actor, the victim can be redirected anywhere. For instance, they could be shown a message that the login has been unsuccessful and they must try again later.

To target cryptocurrency platform users, messages are sent about security alerts such as warnings that their account has been accessed. These messages are likely to attract a rapid response due to the risk of substantial financial losses. In the campaign targeting Coinbase, the user is told they can secure their account and if they log in they can terminate suspicious devices. A similar process is used to obtain the credentials and MFA codes needed to access the account as the FCC campaign.

This is just one of many phishing kits offered on the dark web. Protecting against these phishing kits requires a combination of measures including an advanced spam filter, web filter, and security awareness training. For further information on cybersecurity solutions capable of combatting advanced phishing attempts, give the TitanHQ team a call.

Warning About Phobos Ransomware

Phobos ransomware may not be the most prolific ransomware group, but the group poses a significant threat, especially to municipal and county governments, emergency services, education, and healthcare organizations. The group issues ransom demands for millions of dollars and the group’s attacks have caused hundreds of millions of dollars in losses. Phobos is a ransomware-as-a-service operation where the infrastructure to conduct attacks and encrypt files is provided to affiliates – individuals who specialize in breaching company networks – in exchange for a percentage of any ransom payments they can generate. The affiliates benefit from being able to concentrate on what they do best, and the ransomware group makes up for the loss of a percentage of the ransom by conducting many more attacks than would be possible on their own.

The group engages in double extortion tactics involving data theft and file encryption. Threats are issued to publicly leak stolen data on the group’s data leak site and payment is required for the keys to decrypt data and prevent data exposure. Several ransomware variants are connected to Phobos based on the tactics, techniques, and procedures (TTPs) used in attacks, including Elking, Eight, Devos, Faust, and Backmydata ransomware. The latter variant was recently used in an attack in Romania that affected around 100 hospitals.

Affiliates use several methods to gain initial access to victims’ networks, with phishing one of the most common. The phishing attacks conducted by the group usually involve spoofed email attachments with hidden payloads, with one of the favored payloads being the Smokeloader backdoor trojan. Smokeloader gives the group initial access to victims’ networks, from where they use a variety of methods and legitimate networking tools for lateral movement, credential theft, privilege escalation, and data exfiltration. These include 1saas.exe or cmd.exe for privilege escalation, Windows shell functions for control of systems, and built-in Windows API functions to bypass access control and steal authentication tokens. Open source tools such as Bloodhound and Sharphound are used to enumerate the Active Directory, Mimikatz for obtaining credentials, and WinSCP and Mega.io for file exfiltration. Other methods used for initial access include the use of legitimate scanning tools such as Angry IP Scanner to search for vulnerable RDP ports, and then open source brute-forcing tools are used to guess weak passwords.

To improve defenses against Phobos ransomware attacks, businesses should follow the guidance in the recently published security alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), which includes latest Indicators of Compromise (IoCs) and TTPs observed in recent attacks. The guidance can be found in the #StopRansomware section of the CISA website.

Mitigations are concerned with improving defenses against the initial access vectors – phishing and remote access software. An email security solution is required to block phishing emails, consider disabling hyperlinks in emails, and adding banners to emails from external sources. An email security solution should be used that has both signature and behavioral threat detection capabilities to identify malicious files. End user training should be provided to improve resilience to phishing attempts, web filtering to block malicious file downloads, phishing-resistant multi-factor authentication to prevent the use of compromised credentials from granting access, strong password policies to improve resilience to brute force attacks, and strict controls on RDP and other remote desktop services. Robust backup processes are required, including maintaining offline backups of data, and an incident response policy for ransomware attacks should be developed and tested to ensure the fastest possible recovery in the event of an attack.

LockBit Ransomware Rebounds After Law Enforcement Takedown

A coordinated law enforcement operation – Operation Cronos – headed by the UK National Crime Agency (NCA) and coordinated by Europol seized the infrastructure of the notorious LockBit ransomware group earlier this month. 34 servers were seized in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, along with 200 cryptocurrency wallets, and the keys to decrypt the data of some of the group’s victims. Two LockBit actors were also arrested in Poland and Ukraine, and three arrest warrants and five indictments were issued by judicial authorities in France and the United States. The decryption keys allowed an automated decryptor to be developed, which was added to the No More Ransom website.

The group’s affiliate portal was seized along with its data leak sites and messages were uploaded for affiliates warning them that names and locations were known and they could receive a visit from law enforcement very soon. The NCA threatened to release the name of the group’s figurehead, LockBitSupp, and even added a countdown timer to the data leak site, as LockBit would do when adding victims to the leak site. However, the NCA did not disclose the details and instead added a statement confirming LockBitSupp’s real name, location, and financial worth were known. The NCA also added that LockBitSupp has engaged with law enforcement.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks using LockBit ransomware. As payment for those attacks, affiliates receive a percentage of any ransoms they generate. LockBit engaged in double extortion tactics, where sensitive data was stolen in addition to file encryption. Payments are required to prevent the release of the stolen data on the group’s data leak site and to obtain the keys to decrypt data. LockBit then moved to triple extortion, where in addition to data theft and file encryption, Distributed Denial-of-Service (DDoS) attacks are conducted on victims to pile on the pressure and get them to pay the ransom.

LockBit has been in operation since September 2019 and rapidly became a major player in the RaaS market. At the time of the takedown, LockBit was behind 25% of all ransomware attacks and had around 180 affiliates conducting attacks. The next biggest player is Blackcat with an 8.5% market share. The LockBit group has extorted more than $120 million from organizations around the world and its attacks have caused billions of dollars of damage.

The law enforcement operation was significant and a major embarrassment for the group, potentially causing significant damage to the group’s reputation. However, it did not take long for LockBit to respond. A few days after the announcement about the law enforcement action, LockBit created a new data leak site and populated it with the names of 12 recent victims. A note was also added explaining that the FBI most likely exploited an unpatched PHP bug, which hadn’t been addressed out of laziness, which allowed access to be gained to its servers. LockBit claimed the takedown was conducted when it was because data was going to be released from an attack on Fulton County in Georgia, where one of Donald Trump’s lawsuits is being heard, and the release of that data could affect the upcoming Presidential Election.

Typically after a successful law enforcement operation, ransomware gangs rebrand but LockBit appears to be defiant and looks set to continue under the same name. LockBitSupp claimed that the attacks could not stop as long as he was alive, and the group would be updating its infrastructure to make it harder for any future law enforcement operations to succeed. A little more than a week after the law enforcement announcement, the LockBit group appears to be conducting attacks again using new infrastructure, a new data leak site, a new negotiation site, and a new encryptor. It is unclear how many affiliates have been retained but the group has announced that it is recruiting again and is looking for new pen testers, indicating some have decided to leave the operation. What is clear is the group is back and remains a significant threat.

State Sponsored Hackers and Cybercriminal Groups Are Using AI to Improve Their Campaigns

There is growing evidence that cybercriminal groups are leveraging artificial intelligence in their cyberattacks, specifically large language models (LLMs) such as ChatGPT, despite the restrictions OpenAI has put in place. There are also LLMs that are being marketed directly to cybercriminals such as WormGPT. WormGPT is a blackhat AI tool that has been specifically developed for malicious uses and can perform similar tasks to ChatGPT but without any ethical restrictions on uses. The tool can be used for generating convincing phishing and business email compromise emails in perfect English, free from the spelling mistakes and grammatical errors that are often found in these emails.

It is not only cybercriminal groups that are using these AI tools. Nation state hacking groups are exploring how these tools can help them gain initial access to targeted networks. Recently published research from Microsoft and OpenAI confirmed that threat actors from Russia, China, Iran, and North Korea and using AI tools to support their malicious activities. Microsoft and OpenAI found the most common uses of LLMs by nation state actors were for translation, finding coding errors, running basic coding tasks, and querying open-source information. While it does not appear that they are using LLMs to generate new methods of attack or write new malware variants, these tools are being used to improve and accelerate many aspects of their campaigns.

The threat actor tracked by Microsoft as Crimson Sandstorm, which is affiliated with the Islamic Revolutionary Guard Corps (IRGC), a multi-service primary branch of the Iranian Armed Forces, has been using LLMs to improve its phishing campaigns to gain initial access to victims’ networks. Microsoft and OpenAI also report that the hacking group has been using LLMs to enhance its scripting techniques to help them evade detection. The North Korean APT group, Emerald Sleet, is well known for conducting spear phishing and social engineering campaigns and is using LLMs to assist with researching think tanks and key individuals that can be impersonated in its spear phishing campaigns. Threat groups linked to the People’s Republic of China such as Charcoal Typhoon and Salmon Typhoon have been using LLMs to obtain information on high-profile individuals, regional geopolitics, US influence, and internal affairs and for generating content to socially engineer targets. OpenAI says it has terminated the accounts of five malicious state actors and has worked with Microsoft to disrupt their activities, and OpenAI and Microsoft have been sharing data with other AI service providers to allow them to take action to prevent malicious uses of their tools.

It should come as no surprise that cybercriminals and nation state actors are using AI to improve productivity and the effectiveness of their campaigns and are probing the capabilities of AI-based tools, and while this is a cause of concern, there are steps that businesses can take to avoid falling victim to AI-assisted attacks. The best way to combat AI-assisted attacks is to leverage AI for defensive purposes. SpamTitan has AI and machine learning capabilities that can detect zero day and AI-assisted phishing, spear phishing, and business email compromise attacks and better defend against AI-0assisted email campaigns.

With fewer spelling mistakes and grammatical errors in phishing emails, businesses need to ensure they provide their workforce with comprehensive training to help employees recognize email and web-based attacks. The SafeTitan security awareness training and phishing simulation platform is an ideal choice for conducting training and phishing simulations and improves resilience to a range of security threats. TitanHQ’s data shows susceptibility to phishing attacks can be reduced by up to 80% through SafeTitan training and phishing simulations. Businesses should also ensure that all accounts are protected with multi-factor authentication, given the quality of the phishing content that can be generated by AI tools, and ensure that cybersecurity best practices are followed, and cybersecurity frameworks are adopted. The most important advice that we can give is to take action now and proactively improve your defenses, as malicious uses of AI are only likely to increase.

Phishing-as-a-Service Poses a Serious Threat to Businesses

Cybercriminals are increasingly offering services that make it easy for anyone to conduct an attack. Skilled malware developers can concentrate on writing their malware and making it available for others to use for a fee, ransomware-as-a-service allows hackers who are skilled at breaching networks to conduct lucrative ransomware attacks without having to develop encryptors and pay for the infrastructure to their support attacks, and phishing-as-a-service provides a platform for conducting attacks to steal credentials and access accounts. These services benefit all parties and allow even more attacks to be conducted.

Phishing campaigns may appear simple, but they require a lot of time and skill to set up. Stephanie Carruthers, who leads an IBM X-Force phishing research project, said it takes her team about 16 hours to craft a phishing email, not including the time it takes to set up all the necessary infrastructure to send the email and steal credentials. Setting up the infrastructure is time-consuming and costly, and many businesses now have multi-factor authentication (MFA) to thwart attacks.

With phishing-as-a-service (PhaaS), anyone who wants to run a phishing campaign can simply pay a subscription and will be provided with all the tools they need to conduct attacks. They do not need to craft the phishing emails, they just need to set a few parameters and provide the email addresses for the campaign. PhaaS makes conducting sophisticated attacks simple and significantly lowers the bar for conducting campaigns.

Take LabHost, for example, a PhaaS platform that recently introduced functionality for targeting financial institutions and banks in North America and Canada. Since this new functionality was included in the first half of 2023, attacks have increased considerably. A monthly subscription is paid, and customers are provided with a turnkey phishing kit, which includes the infrastructure for hosting phishing pages, a content generator for creating phishing emails, and a portal for monitoring the progress of campaigns. Customers can choose to pay $179 per month to target Canadian banks, $249 per month to expand the targets to North America, and $300 a month to also target 70 financial institutions worldwide. Customers are also provided with phishing pages for collecting credentials or a variety of other companies, including music streaming sites, delivery services, and telecommunications companies.

Important to the success of any campaign is the ability to defeat multi-factor authentication. The LabHost phishing kit incorporates LabRat, a phishing tool that allows real-time management of phishing campaigns and allows adversary-in-the-middle attacks where two-factor authentication codes and cookies are obtained in addition to usernames and passwords. That means the additional security processes on the online portals of banks can be circumvented. The platform also allows SMS-based attacks to be conducted.

PhaaS allows unskilled hackers to conduct effective campaigns that they otherwise would not be able to conduct. Further, with the use of AI to craft convincing phishing emails, phishing emails are becoming much harder for humans and security solutions to detect, and even MFA and other security measures can be bypassed.

Defending against attacks is therefore challenging, and there is no single cybersecurity solution that will block all attacks. What is needed is a defense-in-depth approach, with multiple, overlapping layers of protection. Cybersecurity solutions are required to block the phishing emails. SpamTitan is an advanced email security solution with AI and machine learning capabilities for identifying novel phishing threats. In addition to blocking known malware through AV controls and unknown malware through sandboxing, SpamTitan is capable of identifying even machine-crafted phishing content.

End user training is also vital, as no email security solution will block all email threats without also blocking an unacceptable number of genuine emails. End users should be trained on how to identify, avoid, and report phishing emails. The SafeTitan security awareness training platform makes security awareness training simple, and the constantly updated content allows businesses to respond to changing phishing tactics and conduct phishing simulations on the workforce to reinforce training and identify knowledge gaps.

Given the number of phishing kits that are capable of bypassing multi-factor authentication, simply enabling MFA on accounts is no longer sufficient to protect against unauthorized access. Phishing-resistant multi-factor authentication is required – FIDO/ WebAuthn authentication or Public key infrastructure (PKI)-based MFA – to block adversary-in-the-middle attacks that can be conducted through PhaaS.

If you want to improve your defenses against phishing and other cybercriminal services, give the TitanHQ team a call to discuss your options.

Massive Spamming Campaign Uses Thousands of Hijacked Subdomains

A massive email spamming campaign has been detected that is generating up to 5 million emails per day that direct recipients of the emails to a variety of scam sites. The emails are sent through hijacked subdomains and domains of trusted companies, which help these emails evade email security solutions and be delivered to inboxes. Companies that have had domains and subdomains hijacked include eBay, CBS, McAfee, MSN, and Symantec.

Email security solutions perform a range of checks on inbound emails, including reputation checks on the senders of emails. If a domain is trusted and has not previously been associated with spamming, these checks – using SPK, DKIM, and DMARC – are likely to be passed, resulting in the emails being delivered to end users. The use of these legitimate domains also makes it harder for end users to determine whether the messages are genuine. Security awareness training programs often teach end users to check the sender of the email and make sure that it matches the company being spoofed. If the domain is eBay, and the email uses eBay branding, end users are likely to think that the communication is genuine. These emails include links to websites that generate fraudulent ad revenue, and often several redirects occur before the user lands on the destination scam or phishing site.

The ‘SubdoMailing’ campaign was identified by researchers at Guardio Labs, with the legitimate domains typically hijacked through SPF record exploitation or CNAME hijacking. The former involves searching for domains that use the ‘include’ configuration option that points to external domains that are no longer registered. Those domains are then registered by the threat actor and the SPF records are changed to authorize the use of their own email servers. When those servers are used to send emails, they appear to have been sent by the targeted brand, such as eBay.

With CNAME hijacking, scans are conducted to identify subdomains of reputable brands with CNAME records that point to external domains that are no longer registered. The threat actor then registers those domains, SPF records are injected, and emails can be sent from their email servers to show that they have been sent by a legitimate company. By hijacking huge numbers of domains and subdomains, the threat actor is able to conduct massive spamming campaigns. The researchers identified more than 13,000 subdomains and more than 8,000 domains that were used in the campaign, with more than 1000 residential lines used and almost 22,000 unique IPs. The researchers developed a tool to allow domain owners to check whether their own domains have been hijacked and take action to stop that abuse. An advanced spam filter is required to block the messages that are set from these hijacked domains and subdomains – one that does not rely on SPF, DKIM, and DMARC for identifying spam emails.

Tips for Assessing the Effectiveness of Security Awareness Training

One of the fundamental security awareness training errors made by many businesses is failing to check the effectiveness of their training. A training course is purchased or developed internally, employees receive training, and the training is provided again each year, but there are no assessments performed to determine whether the training has actually worked. It is often only when there is a successful phishing attack that training is discovered to have failed, and many businesses then blame the employee for falling for the phishing attempt, when the fault may lie with the employer.

The aim of security awareness training is to change users’ behavior, and that is achieved by teaching security best practices, making employees aware of the threats they are likely to encounter, showing them what they should be doing to identify and avoid those threats, and teaching them to report those threats to the security team. The process should not end there, as it is also necessary to determine whether the training has worked. Many employees will take the training on board, will change their behavior, and will become security Titans. Others may struggle to grasp certain concepts and require further training or different training approaches. If there is no monitoring or assessments, weak points will not be identified and risk will not be reduced.

Tips for Assessing the Effectiveness of Security Awareness Training

Assessing the effectiveness of security awareness training can be challenging, as there is no single metric that can be measured that provides a complete picture. The best approach is to use multiple metrics for measuring the effectiveness of a security awareness training program.

First, you need to have a baseline against which you can measure progress. You need to know the level of security awareness before training starts and you can measure progress over time. Pre-training assessments are useful and can be conducted via a questionnaire covering all security topics you intend to cover during training. These questionnaires will also allow you to develop training courses appropriate to each individual to ensure that specific knowledge gaps are addressed.

It is important to monitor participation and completion rates to see how whether employees are engaging and taking training seriously. If participation is poor, the importance of training may not have been conveyed, or employees may not have the time to fit training into busy workflows, and these factors will need to be addressed. If training content is not being completed, the training may be too long, not engaging enough, and boring. If employees are not engaged, then the training will not be effective.

Quizzes should be conducted after each training module to see if employees have understood the topic. If questions are answered incorrectly, then the employees concerned have not understood the training and need more help. These quizzes allow targeted intervention to address issues with individual employees on specific topics. These quizzes should be repeated over time to test knowledge retention. A quiz directly after a training session may be passed but testing again in a few weeks or months will allow you to measure whether information has been retained.

One of the most important tools is a phishing simulation platform. These platforms are used to send realistic but fake phishing emails to the workforce to test whether training is being applied. Phishing simulation data is one of the most important metrics for measuring the effectiveness of a training campaign through open rates, click rates, and reporting rates. These simulations should be conducted before training to get a baseline and after training to determine the effectiveness of security awareness training over time. If the click rate is falling and the reporting rate is increasing, then the training is working. Phishing simulations also allow you to identify knowledge gaps and provide targeted training specific to the threat that was incorrectly identified. It gives employees practice at applying their new knowledge so that when a real threat is encountered, it is more likely to be correctly identified.

You should also seek feedback on the training from your employees. The best approach is to provide anonymous questionnaires and to encourage employees to provide honest feedback. These questionnaires should include security questions to gauge understanding of security best practices, questions to determine how the employees feel about the training, any problems they have, and if they feel the training has been effective and relevant to their role. While the questionnaire should be anonymous, it is useful to know which departments the employees work in to allow you to tailor your training course appropriately.

Security Awareness Training from TitanHQ

Monitoring the effectiveness of security awareness training is easy with the SafeTitan security awareness training and phishing simulation platform. The platform allows users to conduct pre-training assessments, assessments after each training module, and further assessments over time. The phishing simulation platform allows simulations to be automated and provides detailed metrics that demonstrate the effectiveness of the training and show the return on your investment. The phishing simulator will also trigger additional training in response to a failed test, which is delivered immediately to explain the error that has been made and provide the necessary training at the point when the training is most likely to be taken on board.

Through the use of the SafeTitan platform and phishing simulator, businesses can not only improve resilience to threats, they can get detailed metrics to show just how effective training has been. Data from users shows that resilience to phishing can be improved by up to 80%. Get in touch with the TitanHQ team today to find out more and to arrange a free trial of the platform to see for yourself how easy it is to create training campaigns, run phishing simulations, and measure the effectiveness of security awareness training.

Travel Companies Impersonated in Malware Distribution Campaign

Cybercriminals are constantly devising new email campaigns for distributing malware. These campaigns usually impersonate a trusted entity and advise the email recipient about a pressing issue that requires immediate attention. The emails often have an attached file that must be opened to find out further information about the issue detailed in the email.

One recently detected campaign impersonates travel service providers such as booking.com and advises the recipient about a problem with a recent booking. One of the intercepted emails explains that an error has occurred with a booking that has resulted in a double charge to the user’s credit card which requires immediate attention. The email has a PDF attachment which needs to be opened for further information. PDF files are increasingly being used in email campaigns for distributing malware. The PDF files often contain a script that generates an error message when the file is opened that tells the user that the content of the file cannot be displayed, and they are provided with an option to download the file.

In this campaign, the PDF file contains a script that generates a fake popup message. If clicked, a connection is made to a malicious URL and a download of an obfuscated JavaScript file is initiated. The script downloads the next stage PowerShell payload, and on execution, drops a malicious DLL file on the device. The DLL file searches for certain critical system processes and attempts to forcibly stop them, makes changes to the registry that affect the Windows Antimalware Scan Interface (AMSI) and ensures that the malware is executed without being detected by security solutions. An analysis of the DLL file by researchers at Forcepoint shows the file is from the Agent Tesla malware family. Agent Tesla is a remote access trojan (RAT) that first appeared in 2014 and grew in popularity during the COVID-19 pandemic. Agent Tesla is provided under the malware-as-a-service model and is popular with initial access brokers, who specialize in gaining access to devices and accounts and then sell that access to other cybercriminals such as ransomware gangs.

Agent Tesla allows commands to be run on compromised systems and is capable of stealing sensitive information, such as login credentials stored in browsers. The malware can also take screenshots, log keystrokes, and perform other malicious actions. The malware uses multiple layers of obfuscation to ensure it is not detected by antivirus solutions. The malware is commonly used to gain initial access to business networks, primarily through phishing campaigns. In this campaign, by impersonating a popular travel service company there is a reasonable chance that the user may have used the service in the past or have a current booking and will therefore open the email. However, since the emails reference a charge to a credit card, that may be sufficient to get the user to open the attachment.

To protect against this and other malware distribution campaigns, businesses should ensure that they protect all endpoints with email security and antivirus solutions that are capable of behavioral analysis of files, as Agent Tesla and many other popular malware variants use obfuscation to bypass signature-based security solutions. Web filtering solutions provide added protection as they block connections to the malicious URLs that host malware and they can be configured to block downloads of executable files from the Internet. It is also important to provide security awareness training to the workforce to raise awareness of cyber threats and conduct phishing simulations to test the effectiveness of training.

TitanHQ offers a range of cybersecurity solutions for businesses and managed service providers to help them defend against cyber threats delivered via email and the Internet, including email security, web filtering, and security awareness training. Give the team a call today to find out more about improving your defenses against phishing and malware. All TitanHQ solutions are available on a free trial to allow you to test the products and see for yourself the difference they make.

Businesses Targeted with Phishing Emails Sent Via SendGrid

Small- and medium-sized businesses are being targeted in a phishing campaign that leverages the email service provider (ESP) SendGrid. SendGrid is a legitimate and well-known company that provides a customer communication platform for transactional and marketing email. SendGrid customer accounts are targeted to gain access to company mailing lists which can be used for a variety of email campaigns, such as phishing, spamming, and scams. In this campaign, the phishers compromise companies’ SendGrid accounts and use the ESP itself to send phishing emails. Emails sent through the SendGrid platform are likely to be trusted by email security solutions, especially as the compromised accounts will have been used to send communications in the past. SendGrid may even be whitelisted to ensure that the emails are always delivered to inboxes. SendGrid emails are also likely to be trusted by end users.

In this campaign, the emails use a security-themed lure and inform the recipients that they need to set up 2-factor authentication – a perfectly reasonable request since 2-FA will better protect accounts against unauthorized access. The users are provided with a link that directs them to a malicious website that spoofs the SendGrid login, and if credentials are entered, they are harvested by the scammer. The emails were routinely delivered to inboxes and evaded email security solutions because the SendGrid was trusted.

SendGrid performs stringent checks on new accounts so it is difficult for malicious actors to use SendGrid directly, instead they compromise business SendGrid accounts, often through phishing attacks. Twilio SendGrid detected the malicious activity linked to customer accounts that were being used for phishing, and its fraud, compliance, and cyber security teams immediately shut down accounts. To better protect SendGrid accounts, users are advised to log in to their account and set up 2-factor authentication to prevent compromised credentials from granting access to user accounts.

The campaign demonstrates that even emails from reliable sources may not be what they seem. Many companies provide security awareness training to their employees that teaches cybersecurity best practices and trains employees on how to recognize and avoid phishing. It is important to include these types of emails in training material, as ESPs are being increasingly targeted by cybercriminals due to the effectiveness of campaigns run through an ESP.

With SafeTitan, keeping employees up to date on the latest tactics used by phishers and other cybercriminals is easy. The training content is regularly updated with new phishing templates based on real-world attacks and the latest phishing trends, and phishing simulations can be conducted on employees to test how they respond to phishing attempts outside of the training environment. SafeTitan is the only security awareness training platform that delivers targeted training automatically in response to bad security practices by employees, ensuring training is provided at the moment when it is most likely to be taken on board.

Massive Phishing Campaign Leverages Google Cloud Run to Deliver Banking Trojans

A massive malware distribution campaign has been detected that uses phishing emails for initial contact with businesses and Google Cloud Run for hosting the malware. A variety of banking trojans are being distributed including Astaroth, Mekotio, and Ousaban. The campaign primarily targets countries in Latin America, and as such the majority of the phishing emails are in Spanish, but Italian versions have also been detected and there are indications that the campaign is spreading to other regions including Europe and North America.

The phishing emails used in this campaign appear to be legitimate invoices, statements, and communications from government and tax agencies and include a link that the recipient must click to view the attached invoice, statement, or demand. The link directs the user to services on Google Cloud Run, which is a popular service for hosting frontend and backend services and deploying websites and applications without having to manage infrastructure. Google Cloud Run has been used for hosting malware throughout 2023 but there was a massive spike in activity that started in September 2023 and has continued through January and February.

Over the past few months, Google’s service has been proving popular with cybercriminals for hosting malware as it is both cost-effective and is generally not blocked by security solutions. If a user clicks the email link, an MSI file is downloaded onto their device. MSI files are executable files, which in this case include embedded JavaScript that downloads additional files and delivers one or more banking trojans.

The banking trojans achieve persistence through LNK files in the startup folder that execute a PowerShell command on boot that runs the infection script. The banking trojans are capable of keylogging, clipboard monitoring, screenshots, credential theft, and traffic manipulation to direct users to cloned websites of financial institutions to capture banking credentials. The Astaroth banking trojan alone targets more than 300 financial institutions as well as cryptocurrency exchanges.

To protect against this and other malware distribution campaigns, businesses need to adopt a defense in-depth approach and should implement multiple layers of protection. The first line of defense is a spam filter or email security solution to block the initial phishing emails. SpamTitan Plus is a leading-edge email security solution that provides maximum protection against malicious emails. The solution has better coverage, faster phishing link detections, and the lowest false positive rate of any product. In addition to including all leading phishing feeds to ensure the fastest possible detection of new phishing threats, SpamTitan Plus uses predictive analysis to identify suspicious URLs that have not yet been detected as malicious.

A web filter, such as WebTitan, can be used to control access to the Internet. For example, blocks can be placed on websites and certain categories of websites down to the user level, the solution prevents access to all known malicious URLs, and can be configured to block file downloads from the Internet, such as MSI files and other executable files that are often used for malware delivery.

Cybercriminals often host malware on legitimate hosting platforms which are usually trusted by security solutions, which means malicious emails may be delivered to end users. It is therefore important to provide security awareness training for the workforce. Security awareness training raises awareness of the threats that employees are likely to encounter and teaches them security best practices to help them identify, avoid, and report cyber threats. Combined with phishing simulations, it is possible to greatly reduce susceptibility to phishing and malspam emails. Data from companies that use the SafeTitan security awareness training platform and phishing simulator shows susceptibility to phishing threats can be reduced by up to 80%.

If you are looking to improve your defenses against phishing and malware, give the TitanHQ team a call to find out more about these products and to help get you set up for a free trial to put these solutions to the test in your own environment.

Spear Phishing is the Most Common Method of Initial Access in the EU

A recent report from the Computer Emergency Response Team (CERT-EU) has provided insights into how EU organizations are being targeted by nation-state-sponsored actors and cybercriminal groups. The majority of nation-state activity has been linked to hacking groups in the Russian Federation and the People’s Republic of China, and while it is not always possible to determine the motives behind cyberattacks and intrusions, the majority of nation-state hacking activity is believed to be conducted to achieve cyberespionage objectives. The aim of these campaigns is to gain access to accounts/emails or servers where sensitive data is stored. Around 73% of all attacks within the EU are believed to be conducted for espionage purposes, with 16% of attacks conducted by hacktivists. Some of the hacktivism incidents are thought to be a front for nation-state activity.

In contrast to the United States, cybercriminal activity accounts for a low percentage of all malicious activity, with only 7% of intrusions attributed to cybercrime. CERT-EU reports that only a very limited number of cybercrime actors are conducting attacks within the EU, and the majority of that activity comes from ransomware groups. These groups gain access to internal networks, steal sensitive data, and encrypt files then demand payment to prevent the publication of the stolen data and for the keys to decrypt data.

In 2023, CERT-EU identified 55 ransomware operations that were active within the EU, and 906 victims were identified from data leak sites and open sources. It should be noted that not all ransomware attacks are reported and many companies quietly pay the ransom, so the true total could be substantially higher. Many of these attacks appeared to be opportunistic in nature rather than targeted. While there are many different ransomware groups, the most active in the EU were LockBit, Play, and BlackBasta, although in Q4, 2023 there was a large increase in attacks by the 8Base group, with NoEscape also highly active in the second half of the year. Ransomware groups attacked a wide range of sectors, with manufacturing the worst affected with 24% of attacks, followed by legal/professional services (14%), and construction/engineering (12%).

A variety of methods were used to gain access to targeted networks. 104 software products were targeted with these attacks often exploiting vulnerabilities in internet-facing products, involving trojanized software, fake software, and abuse of public repositories used for programming languages. Some of the most significant attacks of the year involved networking products, such Fortinet, Cisco, and Citrix products, as well as password managers such as 1Password or LastPass, content management and collaboration tools such as WordPress and Altassian Confluence, and cloud services. While many attacks used these methods for initial access, by far the most common method was spear phishing for both cybercriminal and nation-state threat actors.

Spear phishing attacks include malicious links to websites where credentials are harvested or malicious attachments. There was a significant increase in spear phishing attacks that used lures related to EU affairs, with it common to include decoy PDF files that were originally internal or publicly available documents related to EU policies, for example, documents relating to the Swedish Presidency of the Council of the European Union,  EU – Community of Latin American and Caribbean States (CELAC) Summit, and the Working Party of Foreign Relations Counsellors (RELEX). These campaigns were directed at individuals and organizations involved in EU policies, and the emails often impersonated staff members of union entities or the public administration of EU countries to add credibility. Public administration entities were the most targeted, followed by entities in diplomacy, defense, transport, finance, health, energy, and technologies. While spear phishing is usually performed via email, CERT-EU notes some diversification of communications, with attacks also conducted via social media networks, instant messaging services, and SMS messages.

Entities in the EU should implement layered defenses against the most common initial access vectors. An advanced email security solution should be implemented that is capable of signature and behavioral analysis of emailed files, with extensive threat intelligence feeds, and AI/machine learning capabilities. The SpamTitan suite of products has all of these features and more and will protect your business from all types of email-based attacks. A web filter such as WebTitan will protect against the internet-based component of cyberattacks by blocking access to malicious sites, and security awareness training and phishing simulations should be conducted on the workforce using a solution such as SafeTitan. To protect against unauthorized account access, multi-factor authentication should be implemented and software should be kept up to date with the latest updates and patches applied promptly.

Malware Increasingly Distributed via Emailed PDF Files

There has been a marked increase in email campaigns using malicious PDF files to distribute malware, rather than the typical uses of PDF files for obtaining sensitive information such as login credentials.

Increased security measures implemented by Microsoft have made it harder for cybercriminals to use macros in Office documents in their email campaigns, with PDF files a good alternative. Malicious links can be embedded in PDF files that drive victims to web pages where credentials are harvested. By using PDF files to house the links, they are less likely to be blocked by email security solutions.

Over the past few months, PDF files have been increasingly used to distribute malware. One of the currently active campaigns uses malicious emailed PDF files to infect users with DarkGate malware. DarkGate malware is offered under the malware-as-a-service model and provides cybercriminals with backdoor access to infected devices. In this campaign, emails are sent to targets that contain a PDF attachment that displays a fake image from Microsoft OneDrive that suggests there was a problem connecting which has prevented the content from being displayed. The user is given the option to download the PDF file; however, the downloaded files will install DarkGate malware.

In this campaign, clicking the link does not directly lead to the malware download, instead, the click routes through an ad network, so the final destination cannot be identified by checking the link of the download button. Further, since the ad network uses CAPTCHAs, the threat actors can make sure that the destination URL is not revealed to email security solutions. If the CAPTCHA is passed, the user will be redirected to the malicious URL where they can download the file.  This is often a compressed file that contains a text file and a URL file, with the latter downloading and running JavaScript code which executes a PowerShell command that downloads and executes the malicious payload.

PDF files have been used in many other malware campaigns, including those that distribute the Ursnif banking Trojan and WikiLoader malware. Recent campaigns distributing these malware variants have used parcel delivery lures with PDF file attachments that contain a link that prompts the user to download a fake invoice. Instead of the invoice, a zip file is downloaded that contains a JavaScript file. If executed, the JavaScript file downloads an archive, extracts the contents, and executes the malware payload. Another campaign uses PDF files to install the Agent Tesla remote access trojan using Booking.com-related lures.

Not only do PDF files have a greater chance of evading email security solutions, they are also more trusted by end users than Office file attachments. Security awareness campaigns are often focused on training employees about the risks of phishing, such as clicking links in unsolicited emails and the risks of opening unsolicited office files. Malicious email campaigns using PDF files arouse less suspicion and end users are more likely to be tricked by these campaigns.

It is important for businesses to incorporate PDF files into their security awareness training and phishing simulation campaigns to better prepare employees for this growing threat. With SafeTitan, adding new content in response to the changing tactics, techniques, and procedures of threat actors is a quick and easy process. Get in touch with the TitanHQ team today to find out more about the SafeTitan security awareness training and phishing simulation platform and discover the difference the solution can make to your organization’s security posture.

Bumblebee Malware Returns With a Large-Scale Phishing Campaign

A large-scale phishing campaign has been identified that has already targeted many thousands of organizations in the United States and could be expanded geographically. The purpose of the campaign is to distribute Bumblebee malware, a malware loader that was first identified in 2022 and is thought to be a replacement for the widely used BazarLoader malware loader. Bumblebee malware is used for gaining initial access to networks and has been used in many successful cyberattacks. The malware is rented out to cybercriminals or access to compromised networks is sold to cybercriminal groups such as ransomware gangs. The malware has been linked to several high-profile threat actors and notorious ransomware gangs, including the now-defunct Conti ransomware group.

Over the past four months, Bumblebee malware has not been detected but it has now returned with a massive campaign. A variety of lures are used in phishing emails, which incorporate social engineering techniques to trick the recipients into downloading and executing the malware. For instance, the latest campaign included thousands of emails using the subject Voicemail February, with messages indicating the user had missed a voice call. The emails instructed the recipient to download the recording, the opening of which triggered the infection process. Other emails used in the campaign have used Word documents with malicious macros with the emails spoofing trusted companies, such as the electronics firm Humane. Rather than include the document attached to the email, a OneDrive link was provided in the email from which the document could be downloaded. This was an effort to prevent detection by email security solutions, as OneDrive is a legitimate and trusted service. Previous campaigns have used DocuSign branded emails that trick users into downloading a zipped ISO file from OneDrive.The group is known to hijack email threads to make it appear that the emails are responses to previous conversations with contacts.

Multiple threat actors are believed to rent out the malware, including the initial access brokers who work with ransomware gangs. Bumblebee malware infections are often accompanied by other payloads, including Cobalt Strike, Meterpreter, Sliver, and shellcode, and often lead to ransomware attacks. To combat Bumblebee malware infections, businesses should implement robust defenses against phishing. An advanced email security solution is required with AI and machine learning capabilities that can detect novel phishing attempts. SpamTitan Plus uses a machine learning algorithm that can identify emails that deviate from those typically received by a business, links are rewritten and followed and the destination URL is assessed. All emails are subjected to antivirus scans and suspicious attachments are sent to a Bitdefender-powered sandbox for behavioral analysis.

Security awareness training should be provided to the workforce to improve resilience to phishing attempts by teaching security best practices and how to identify phishing attempts. SafeTitan is a comprehensive security awareness training platform and phishing simulator that is updated with new content regularly in response to changing phishing tactics, including those used in Bumblebee campaigns. It is also recommended to implement multi-factor authentication on accounts, perform daily backups and store them offline, implement next-generation antivirus technology on endpoints, and implement network hierarchy protocols and network segmentation to prevent lateral movement.

Should Businesses Pay a Ransom After a Ransomware Attack?

If disaster strikes and you discover your network has been encrypted with ransomware and sensitive data has been stolen, you are faced with two choices. Pay the ransom and hope that the attackers are true to their word and will delete the stolen data and provide the decryption keys to allow you to recover your data or attempt to recover from the attack on your own.

There will be several factors that will influence that decision. One of the first questions that must be answered is whether a viable backup exists of your encrypted data, and ideally, one that allows you to recover individual files rather than restoring systems to the date of the most recent backup. Backups are often created but are not tested, and it is only when they are needed that an organization discovers that the backups cannot be used to restore data. Restoring data from backups may result in significant data loss.

If files can be recovered, then it may not be necessary to pay the ransom; however, this is why many ransomware gangs steal data in addition to encrypting files. The exposure of data – publication on a data leak site – or the sale of that data is often far more damaging to a company than the losses due to file encryption. Data leaks can cause significant reputational damage and put organizations at risk of costly lawsuits and regulatory penalties. Determining what data has been stolen is critical to the decision about whether or not to pay the ransom.

For many companies, especially critical infrastructure entities, the ransom demand is far lower than the cost of downtime during the incident response and recovery phase. Backups may allow files to be recovered but that does not mean a quick recovery and extended downtime can be hugely expensive. Paying the ransom may be the most cost-effective option as recovery will often be far quicker.

Companies with cyber insurance policies may be able to claim the ransom payment; however, many insurers now exclude ransomware attacks so it is important to determine, as far as possible, whether the insurance company will pay out and how much will be paid. Some insurers have restrictions in their policies and paying the ransom may invalidate the insurance policy. Cyber insurance is expensive and if a claim against a policy is successful, it is likely that future premiums will increase.

The threat actor that conducted the attack may be on a sanction list, which means that payment may not be permitted. In the United States, the Office of Foreign Asset Control (OFAC) has sanctioned several individuals who have conducted ransomware attacks, and OFAC prohibits payments to sanctioned individuals. If a company makes a ransom payment to a sanctioned individual it is a serious criminal offence, punishable with a severe financial penalty and custodial sentences.

Law enforcement agencies generally advise against paying a ransom for several reasons. If ransoms are paid it encourages ransomware gangs to conduct more attacks and gives them the funds they need to continue and expand their malicious activities. There is also no guarantee that the ransomware group will provide the decryption keys, which means payment may be made and data will remain encrypted. Around 90% of all companies that pay a ransom following a ransomware attack are unable to recover all of their data, and less than a third are able to recover half of their data. Data is often corrupted and decryption keys often do not work.

Paying a ransom to prevent the publication of stolen data may result in your company being removed from a publicly accessible data leak site but it does not mean that the data will be deleted. It may still be sold or misused. There is also a risk that after paying the ransom, another ransom demand will be issued. Any company that is willing to make a payment could face further extortion attempts and multiple ransomware attacks. A study by Cybereason found that 78% of companies that paid a ransom went on to suffer a second attack, with 36% of those attacked by the same threat actor and 42% attacked by a different threat actor.

The decision about whether to pay a ransom is not straightforward, and all factors must be carefully evaluated, but paying a ransom is a gamble and it is one that may not pay off. It should therefore only be considered as the last resort when all other options have been explored and ruled out.

The best approach as far as ransomware is concerned is to take proactive steps and prepare for an attack. You must ensure that you have robust data backup systems in place, with backups stored securely where they cannot be encrypted. Those backups must be tested to make sure file recovery is possible in the event of an attack to keep all options on the table.

Given the number of attacks that are now being conducted, it is important to make sure you have robust defenses in place to protect against all initial access vectors, and that is an area where TitanHQ can help. TitanHQ has a suite of cybersecurity solutions that can improve your security posture and help you recover from an attack should disaster strike. Give the team a call today for advice on how you can improve your defenses against ransomware attacks.

Business Microsoft 365 Accounts Attacks Using Greatness Phishing Kit

Phishing has long been the most common way that cybercriminals gain initial access to business networks. A successful attack allows a threat actor to steal credentials and gain a foothold in the network, providing access to sensitive data and giving them the access they need to conduct a range of nefarious actions. Phishers must develop campaigns that are capable of bypassing email security solutions and use lures that are likely to fool end users into disclosing their credentials or opening malicious email attachments. In recent years, the entry barrier for conducting phishing campaigns has been significantly lowered through phishing-as-a-service (PhaaS), which has proven popular with would-be cybercriminals.

Phishing kits are offered that provide everything needed to launch successful phishing campaigns, without having to spend hours setting up the infrastructure, creating convincing emails, and incorporating anti-detection measures to ensure emails land in inboxes. A relatively new phishing kit is proving to be particularly popular. The Greatness phishing kit has been available since mid-2022 and lowers the bar for starting phishing campaigns, requiring a payment of just $120 a month to use the kit. The Greatness phishing kit allows emails to be customized to suit the hacker’s needs and add attachments, links, or QR codes to the emails. The kit makes it easy to generate and send emails and create obfuscated messages that can bypass many cybersecurity solutions and land in inboxes. The kit also supports multi-factor authentication (MFA) bypass by performing a man-in-the-middle attack to steal authentication codes and can be integrated with Telegram bots.

The kit has an attachment and link builder that creates convincing login pages for harvesting Microsoft 365 credentials and even pre-fills the victim’s email address into the login box, only requiring them to enter their password. The kit also adds the targeted company’s logo to the phishing page along with a background image that is extracted from the targeted organization’s M365 login page. As such, the Greatness phishing kit is aimed at individuals looking to target businesses and can be easily purchased through the developer’s Telegram channel. There were several spikes in Greatness phishing kit activity in 2023, with the latest detected in December 2023 and the increased activity has continued into 2024. Phishing kits such as Greatness significantly lower the barrier for entry to cybercrime and make it as easy as possible to start phishing, and the low cost of the kit has made it an attractive option for would-be cybercriminals. This phishing kit is used to target Microsoft 365 users, and the emails can be convincing and are likely to fool many end users.

The key to defending against phishing attacks is to implement layered defenses to ensure that a failure of one defensive measure does not leave the business unprotected. TitanHQ has developed a suite of cybersecurity solutions for businesses and the MSPs that serve them to improve their defenses against phishing, including AI-generated phishing emails and sophisticated phishing kits capable of stealing passwords and MFA codes.

TitanHQ’s PhishTitan provides advanced phishing protection and remediation for Microsoft 365. TitanHQ’s proprietary machine-learning algorithm integrates directly with Microsoft 365 and catches and remediates sophisticated phishing including AI-generated phishing emails, business email compromise, spear phishing, and phishing attacks that bypass MFA. The solution augments rather than replaces EOP and Defender and catches the phishing attempts that those defensive measures often miss.

PhishTitan uses AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing solution on the market, and will scan attachments for malicious links and malware, rewrite URLs, apply banner notifications, and block malicious links. PhishTitna also provides time-of-click protection to combat the weaponization of links after delivery. The solution uses machine learning algorithms to scan the message body to assess email content and identify words, phrasing, and formatting of emails indicating a phishing attempt, and will learn over time and become even more effective.

PhishTitan is suitable for businesses of all types and sizes and has been developed from the ground up to meet the needs of MSPs. The solution can be set up in less than 10 minutes, and MSPs can add new clients in less than 6 minutes and start protecting them from highly sophisticated phishing attacks. For maximum protection, TitanHQ also offers WebTitan DNS filter to protect against web-based attacks, ArcTitan email archiving for security and compliance, EncryptTitan for email encryption, SafeTitan for security awareness training and phishing simulations, and the SpamTitan Suite of email security solutions. All products are available on a no-obligation, 100% free trial and product demonstrations are available on request. For more information on PhishTitan and other TitanHQ solutions, give the TitanHQ team a call today.

Microsoft Teams Used to Push DarkGate Malware

Phishing is most commonly associated with email; however, there are a variety of ways that cybercriminals can make contact with end users and other forms of phishing are becoming much more common. Smishing is the use of SMS messages for phishing which targets users via their smartphones, which tend to have far weaker security controls than laptops and PCs. Voice phishing is also common, where malicious actors trick people into disclosing sensitive information or installing malware over the phone. Phishing can also take place via social media networks and video conferencing platforms such as Microsoft Teams.

A campaign has recently been identified that uses Microsoft Teams group chat requests for phishing. A threat actor appears to be using a compromised account to send Teams group chat invites to thousands of individuals. The compromised User’s Teams account is likely to have been compromised in a phishing, credential stuffing, or brute force attack. This campaign aims to install malware on users’ systems – a malware variant called DarkGate. DarkGate malware was first identified in 2018 and is a remote access Trojan that can install a hidden virtual network computing (hVNC) module to provide remote access to a victim’s device. The malware has keylogging and information-stealing capabilities and can steal cookies and information stored in browsers, Discord tokens, and cryptocurrency wallets. The malware can also download other payloads such as ransomware.

In this campaign, if a user accepts the group chat request, the threat actor uses social engineering techniques to trick them into downloading a file to their device. The user is tricked into thinking that they are downloading a PDF file, but they download an executable file. The file – Navigating Future Changes October 2023.pdf.msi – has a double extension. On Windows systems, which are typically configured to hide known file extensions, the file will be displayed as Navigating Future Changes October 2023.pdf. If the user double-clicks on the file, the malware will be installed and will connect to its command-and-control server, giving the treat actor control over the user’s device.

Microsoft Teams has become a popular target for threat actors for malware distribution. There are around 280 million monthly users, and the default settings allow Microsoft Teams users to receive chat requests from external Microsoft Teams users. While most users will have antivirus software on their devices for detecting malware, DarkGate malware is stealthy and often evades antivirus software. There are several steps that businesses can take to combat these attacks. The most important of which is to disable External Access in Microsoft Teams unless it is absolutely necessary for day-to-day business use. This will ensure that users can only receive chat requests internally, which will greatly reduce risk.

Another important measure is to provide regular security awareness training to the workforce. Employees should be taught cybersecurity basics such as how to recognize a phishing attempt and should be made aware of the latest tactics used by cybercriminals in attacks on employees. Training should be provided continuously, with short training sessions conducted every month. When new phishing techniques are identified, short training modules can be pushed out to employees to make them aware of the threat. With the SafeTitan security awareness training platform this is easy. The platform has a wide range of CBT content, with training modules lasting no more than 10 minutes so they are easy to fit in to workflows.

If you do not currently provide regular security awareness training to your workforce, contact TitanHQ about SafeTitan. Product demonstrations can be arranged on request, and you can test the product for yourself in a free trial.

Advanced Phishing Protection for Managed Service Providers

Alarmingly, 71% of Microsoft business users report that they suffer at least one compromised account each month. The biggest cause of account compromises is phishing. Phishing is the fraudulent practice of making contact with an individual and tricking them into taking an action that the attacker wants, which is usually to disclose their credentials to allow an attacker to remotely access their account. Phishing attacks usually involve impersonation, where the attacker claims they are an authority figure, such as the CEO of the company, a friend or colleague, or a representative of a reputable company.

The capturing of credentials usually occurs on a website with initial contact with the individual usually occurring via email, although phishing attacks are also conducted via SMS messages (smishing), telephone (vishing), social media networks, and instant messaging services.

Phishing targets members of the workforce, including employees and board members, and it is the responsibility of security teams and managed service providers to block as many phishing attempts as possible and ensure that if phishing attempts do bypass defenses, end users have been trained to recognize phishing attempts and report them. Security teams naturally concentrate on the former, as phishing will only succeed if an attacker can make contact. The problem is that cybercriminals are developing highly sophisticated phishing campaigns that are difficult for traditional email security solutions to identify and block.

Cybercriminals target Microsoft 365 credentials as they provide access to a wealth of sensitive data and to email accounts which can be used to conduct further phishing attacks internally and on the company’s customers and vendors. Once credentials have been obtained, they can be used for a much more extensive attack on a company. TitanHQ has received feedback from its managed service provider (MSP) customers that Microsoft 365 phishing is the number one problem to solve in the email security community.

TitanHQ already has products that can protect against phishing. There is the SpamTitan suite of products for email security, WebTitan for protecting against web-based attacks, including blocking access to the websites where credentials are obtained, and the SafeTitan security awareness and phishing simulation platform for educating the workforce on cybersecurity threats and testing resilience through simulated phishing emails.

What was needed, however, was a new solution that is specifically focused on phishing. “We therefore allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists,” said TitanHQ CEO, Ronan Kavanagh. “We are pleased to be able to meet the market’s needs with a product that delivers.”

PhishTitan has been developed to help MSPs and businesses improve their phishing defenses for Microsoft 365, as Microsoft’s defensive measures – EOP and Defender – are failing to identify and block many phishing attempts. PhishTitan is a next-generation phishing protection and remediation solution for Microsoft 365, which integrates TitanHQ’s proprietary machine-learning algorithm directly with Microsoft 365 to augment EOP and Defender and catch and remediate the sophisticated phishing attacks that EOP and Defender miss.

PhishTitan has been developed from the ground up to meet the needs of MSPs and allow them to block more phishing attempts on their clients and remediate phishing attempts rapidly, without having to commit extensive resources to managing email security for each client.

PhishTitan is functionally rich, offering multiple integration options, and has granular policy controls, a full reporting suite, and provides comprehensive protection. Businesses can set up the solution themselves in around 10 minutes, and MSPs can add new clients in just 6 minutes.

PhishTitan Features

  • AI-driven solution that is capable of identifying and blocking zero-day threats
  • Scans and blocks malicious links
  • Scans and neutralizes malware
  • Detects unique and sophisticated phishing and BEC attacks over and above those detected by EOP and Defender
  • Rewrites URLs and applies banner notifications
  • Time of click protection to combat links that are weaponized after delivery
  • Protection against data leakage of sensitive company information
  • Instant remediation across an entire tenant
  • Real-time visibility and reporting suite on emerging threats
  • Phishing intelligence data that is unmatched in visibility, coverage, and accuracy.

If you are struggling to block phishing attacks on your M365 accounts or are a managed service provider who wants to improve phishing protection for your customers, give the TitanHQ team a call to find out more about how PhishTitan works and how it can improve your defenses against phishing. Product demonstrations can be arranged on request and PhishTitan is available on a free trial.

PikaBot Malware Now Distributed via Fake Ads for AnyDesk

There has been a change in the distribution method of PikaBot malware, which is now being pushed in a malvertising campaign. Previously PikaBot was only distributed via phishing emails. PikaBot malware was first identified in early 2023 and is a modular malware Trojan that consists of two components: a loader and a core module. The malware allows the operator to gain remote access to compromised systems and execute a range of commands, including shell commands and fetching and running EXE or DLL files. The malware also allows downloads of additional malware payloads and post-compromise tools. The malware is known to be used by a prolific threat actor tracked as TA577, with infection leading to the deployment of Cobalt Strike.

The malvertising campaign uses Google Ads for AnyDesk, a remote desktop application popular with businesses. Google has security checks in place to prevent malicious adverts from being displayed and these are being bypassed by using a tracking URL with a legitimate marketing platform, with the custom domain for the redirect protected by Cloudflare. The malicious adverts are displayed when users search for popular software such as Zoom, Advanced IP Scanner, and WinSCP.

If the Ad is clicked by a user, they are directed to a spoofed AnyDesk download site that will deliver an MSI installer hosted on Dropbox. Checks are also performed before redirection to the malicious site, with redirection not occurring if fingerprinting checks determine the request is originating from a virtual machine. Before the MSI download is initiated, another check is performed to test whether the request is coming from a virtual environment. On download, Pikabot uses an injector to run anti-analysis tests and will only decrypt and inject the core module payload if these checks are passed, otherwise, execution is aborted.

The use of malvertising in malware campaigns is increasing and this initial access vector is often successful as most security awareness training programs concentrate on phishing. It is important to ensure that malvertising is covered in security awareness training sessions and that employees are told about the risks of downloading software and are made aware of the checks they should perform to make sure the source of the software is legitimate.

Businesses can further protect themselves against malware distribution via the internet with a DNS filter. The WebTitan DNS filter can be used to control the web pages that can be accessed by employees. Access can be restricted to whitelisted sites, and websites can be easily blocked by category. WebTitan is constantly updated by multiple threat intelligence feeds and will block access to all URLs known to be used for malware distribution. While this malvertising campaign involves many checks to determine if a web filter is accessing the content, which may result in the content being accessible, WebTitan can be configured to block the downloading of certain files from the Internet, including executable files such as MSI files. Not only will this help to prevent malware downloads, it will also allow IT teams to curb shadow IT – unauthorized software downloads by employees – which are a security risk.

The WebTitan DNS Filter and the SafeTitan Security Awareness Training Platform are both available on a free trial and product demonstrations can be arranged on request. For further information give the TitanHQ team a call.

AI will Fuel Rise in Ransomware and Phishing Attacks

Ransomware attacks hit record levels in 2023 and are set to increase further along with the phishing attacks that provide ransomware groups with initial access to business networks.

The ransomware remediation firm Coveware reports that ransomware groups are now much less likely to receive ransom payments, with only 29% of victims choosing to pay up to obtain the keys to decrypt their data and prevent their data from being added to data leak sites. At the start of 2019, 85% of victims of ransomware attacks paid the ransom.

There are several reasons for the fall in payments. First, businesses are better prepared and have incident response plans for attacks that minimize disruption and more effective backup strategies that allow them to restore data themselves. While they are unable to prevent the leaking of sensitive data if they choose not to pay the ransom, there is widespread mistrust that paying the ransom will actually prevent data from being leaked or sold.

Falling revenues from attacks mean ransomware actors need to increase the number of attacks they conduct in order to maintain their incomes. NCC Group reports an 84% increase in attacks between 2022 and 2023, and 2024 is likely to continue to see high numbers of attacks and the UK’s National Cyber Security Centre (NCSC) has warned that ransomware attacks are likely to increase.

The NCSC predicts that by 2025, and perhaps sooner, generative AI and large language models will be extensively used by cybercriminals and will allow them to craft phishing and spear phishing emails and develop new social engineering tactics to conduct more effective phishing campaigns. Since phishing is one of the most common initial access vectors in ransomware attacks, the NCSC predicts that AI will contribute to the global ransomware threat in the near term and other types of cybercrime that rely on phishing and social engineering.

The use of AI will make it more difficult for security professionals to identify and block phishing emails and social engineering attempts and it will be much harder for end users to differentiate between genuine emails and AI-generated phishing attempts. Generative AI tools also lower the barrier for would-be cybercriminals looking to conduct phishing and ransomware attacks, allowing novice and less skilled threat actors to conduct attacks successfully. This has already been the case with ransomware-as-a-service (RaaS), and generative AI-as-a-service may also start to be offered. Generative AI tools are also allowing threat actors to process and analyze the data stolen in these attacks more efficiently.

“Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing, and coding,” explained NCSC. “Enhanced access will likely contribute to the global ransomware threat over the next two years.”

The NCSC paints a bleak picture but while AI tools can be used for offensive purposes, they can also be used by network defenders. TitanHQ’s cybersecurity solutions already use AI and machine learning tools for identifying phishing and other email threats. These tools are able to identify novel phishing threats, including those that are created using generative AI tools.

If you want to improve your defenses against malicious use of AI, speak with TitanHQ about how you can add advanced AI-driven detection capabilities to your cybersecurity arsenal and better defend your networks and data from increasingly sophisticated cyberattacks.

Important Information About Quishing – Phishing Attacks Using QR Codes

QR codes are a convenient way of transmitting information, especially URLs. They can be scanned with a smartphone and direct the user to a website. They are on flyers, posters, and other marketing material to quickly direct users to a website to find out more information, greatly improving the response to marketing campaigns. Use of these codes has grown and they are now found everywhere, even in restaurants to direct diners to menus. Unfortunately, QR codes are also perfect for scammers for stealing sensitive information and distributing malware, and QR codes are now being extensively used in phishing campaigns (quishing) in place of embedded URLs. The advantage of this is that they make it hard for users to check the destination of the URL before clicking and email security solutions are now designed to follow QR codes. According to Check Point, there was a 587% increase in QR code phishing attacks between August and September 2023 and recently detected 20,000 instances of QR code-based attacks over a 2-week period.

Campaigns have recently been detected that incorporate conditional redirection based on the user’s device, browser, screen size, and many other parameters, tailoring each attack to the individual via the same QR code. In one of these campaigns, users were directed to a credential harvesting page, with the redirection chain adjusted based on the fingerprinting of the user’s device. Similar campaigns are conducted to direct users to malware distribution sites. QR codes have also been used to direct users to deep fake YouTube videos, where celebrities appear to be endorsing investment schemes, usually related to cryptocurrency, where people are tricked into investing with a promise that they can rapidly double their money or get even better returns.

Email security solutions are designed to assess messages for phishing content, check embedded URLs to determine if they link to malicious websites, and scan email attachments to check for malware, but they are not suited to checking QR codes to determine where the user will be directed. Further, QR codes move the threat to a different device. QR code phishing emails are likely to be received on a company-owned laptop or PC, but the user is then required to switch to their mobile phone to scan the QR code, and mobile devices typically lack the same level of protection making it more likely that the attack will go undetected.

The best defense against these attacks is user education. Security awareness training should cover quishing to make employees aware of this increasingly popular tactic and the threat that QR codes pose. With SafeTitan it is easy to add new training content to your security awareness training programs and push out these training modules to all users. When any new threat is detected, you can add educational content to your training program and push that content out to all users, user groups, or individuals. All training modules last a maximum of 10 minutes, so they are easy to fit into busy workflows.  SafeTitan also includes a phishing simulator that allows you to send out fake quishing emails to the workforce to see who opens the emails and responds.

For further information on security awareness training with SafeTitan and how you can improve your defenses against all types of cyberattacks, give the TitanHQ team a call.

Callback Phishing Campaign Warns of Imminent Charge for Antivirus Subscription

Phishing is the fraudulent practice of sending messages, typically emails, that trick the recipient into doing something that they normally would not do, such as disclosing sensitive information or installing malware on their device. Phishers often include a link to a website that spoofs a well-known brand and victims are tricked into disclosing sensitive data or malicious files are attached to emails. Email security solutions are now much better at detecting malicious hyperlinks, and advanced email security solutions such as SpamTitan Plus can detect all known malware and have email sandboxing for behavioral analysis of suspicious emails to identify and block zero-day malware threats.

Cybercriminals Turn to Callback Phishing to Evade Cybersecurity Solutions

The first goal of a phishing attack is to get a message, be that an email, SMS, or instant message to an end user, and one of the ways that this is achieved is by sending emails with no malicious content – no hyperlinks or email attachments. Instead, the messages have a realistic call to action that requires immediate attention, and a phone number is provided in the email that the recipient must call to address the pressing problem that is outlined in the email. The phone line is manned by the threat actor who then talks the user through performing certain actions that provide remote access to their device.

Callback phishing typically involves an email warning the recipient about a charge for a product that is about to be taken, such as the expiry of a free trial or the end of a subscription term. The charge is excessive and the number provided in the email must be called to stop the charge. One such campaign that has recently been uncovered involves a fictitious charge for an antivirus subscription. In one of these attacks, the threat actor spoofs the antivirus software provider Norton. The email advises the recipient that the subscription period has come to an end and a charge for the next subscription period will be applied – $349.95. Naturally, such a high charge for a product would prompt many people to call the number to block it.

As with other callback phishing campaigns, the attacker tricks the recipient into downloading a program to their device that they are told is necessary to prevent the renewal of the subscription. The program gives the attacker remote access to the user’s device. Once access has been gained, the attacker can conduct a variety of nefarious activities.

Victim Transferred $34,000 to Attacker’s Account

In one of these scams, after access was gained to a victim’s device, the attacker transferred $34,000 from the user’s account. After providing the attacker with remote access to their laptop, the victim was instructed to perform other actions, one of which was entering their credentials into a phishing page. The victim was told that the payment for the antivirus software had already been taken, so a refund needed to be processed. The attacker then told the victim that an error had been made and a refund of $34,000 had been deposited in his account and immediate action was required to correct the error to avoid legal trouble.

The attacker remained on the phone while the victim called his bank, and while the victim was on the phone, the attacker transferred $34,000 from the victim’s Money Market account to his checking account. When the victim saw the $34,000 deposit, he assumed it to be the refund from Norton, and arranged the transfer to the bank account provided by the attacker. The attacker told the victim that in order not to arouse suspicion at the bank, he should inform the bank that the payment was for a vehicle. The victim was unable to see the malicious activity as the attacker had overlayed a blue screen on his laptop.

In this case, suspicions were raised and the funds were put into a suspense account at the recipient bank. U.S. Secret Service Special Agent Iris Joliff was able to obtain a seizure warrant from a judge allowing the money to be recovered; however, scams such as these are often only detected when the transferred funds have been withdrawn from the attacker-controlled account.

Improve Resilience to Callback Phishing with SafeTitan

Email security solutions may be effective at blocking malicious attachments and hyperlinks in emails, but they can rarely identify callback phishing scams as it is difficult to determine if a phone number is malicious. The most effective way that businesses can combat callback phishing is through security awareness training. Callback phishing should be covered in security awareness training sessions and also added to phishing simulation campaigns, to test whether the training has been understood and is being applied. SafeTitan from TitanHQ makes this easy, as callback phishing modules can easily be added to training courses and SafeTitan also includes a phishing simulator with phishing templates to test resilience to callback phishing and identify individuals who require further training in this area.

For further information on the SafeTitan platform and advice on how to further improve your defenses against phishing, give the TitanHQ team a call.

TitanHQ Launches PhishTitan – AI-Driven Phishing Protection for M365

TitanHQ is proud to announce the addition of a new solution to its cybersecurity portfolio that helps businesses combat the growing threat of phishing. PhishTitan provides powerful phishing protection for Microsoft 365 that is capable of catching and remediating sophisticated phishing attempts, including spear phishing attacks, business email compromise, phishing emails generated by artificial intelligence tools, and zero-day phishing threats that Microsoft’s native defenses for M365 fail to detect and block. It is these threats that pose the biggest threat since they are missed by Microsoft’s email security defenses and are difficult for employees to identify as malicious since they lack many of the red flags that employees are taught to look out for in security awareness training programs.

PhishTitan incorporates TitanHQ’s proprietary machine-learning algorithm, which integrates directly with M365. PhishTitan performs an AI-driven analysis of inbound emails (internal and external) which includes textual analysis, link analysis, and attachment scanning. Links are analyzed via multiple curated feeds that constantly update the solution to allow malicious websites linked to phishing and malware distribution to be identified and blocked. Phishing emails often include links that have been masked to hide the true destination URL. PhishTitan rewrites URLs to show the true destination. One tactic used by phishers to bypass email security solutions is to only weaponize links in emails after delivery. To protect against this tactic, PhishTitan checks inbound emails before delivery to inboxes and also offers time-of-click protection against malicious links in emails.

Attachments are scanned with twin antivirus engines, and suspicious email attachments are sent to the sandbox for behavioral analysis. Machine learning detection models scour the body of emails looking for tell-tale signs of phishing and adapt to constantly changing phishing tactics.  The machine learning algorithms also learn from reports of phishing attempts by end users, which they can report with a single click using a TitanHQ-supplied Outlook add-in. PhishTitan can also be configured to apply banner notifications to external emails and protect against the leakage of sensitive company information.

The solution has been designed to meet the needs of businesses of all types and sizes and has been developed from the ground up to meet the needs of managed service providers (MSPs) to allow them to easily add advanced phishing protection to their service stacks. It takes around 10 minutes to set up the solution, and around 6 minutes for MSPs to onboard new clients.

The solution was trialed across the TitanHQ user database of more 12,000 customers and 3,000 MSPs in Q4, 2023, with TitanHQ customers reporting that the solution outperforms their existing anti-phishing solutions. TitanHQ is now pleased to start offering the new product to new customers. For more information on PhishTitan phishing protection Microsoft 365 contact TitanHQ today. PhishTitan is available on a 14-day free trial and product demonstrations can be arranged on request to show you how easy the product is to use and exactly what it can do.

“A staggering 71% of MS business users suffer at least one compromised account monthly. With this in mind, the overwhelming feedback from our customer base has been that phishing is the number one problem to solve in the email security community,” said TitanHQ CEO, Ronan Kavanagh. “We therefore allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists. We are pleased to be able to meet the market’s needs with a product that delivers.”

Malicious File Deliveries Increased in 2023

The cyber threat landscape is constantly changing, with cybercriminals and nation-state actors developing new tactics, techniques, and procedures for use in attacks on businesses to steal intellectual property and sensitive customer data, and for extortion. Threat actors gain access to internal networks by exploiting human weaknesses through social engineering and phishing, exploiting vulnerabilities such as unpatched and misconfigured software, and using malware for remote access.

The latter has seen an increase in 2023, with Kaspersky reporting in its end-of-the-year statistics report that malicious file detections have increased by 3% from 2022, with an average of 411,000 malicious files detected each day. The biggest increase was malicious desktop files such as Word documents, Excel spreadsheets, and PDF files, which are used for distributing malware. More than 125 million malicious desktop files were detected in 2023, with documents such as Word files and PDF files seeing the biggest increase, up 53% from 2022.

The company attributed the large increase to the number of email phishing attacks using malicious PDF files. PDF files have become more popular due to the steps Microsoft has taken to block email attacks using Office documents and spreadsheets. In the summer of 2022, Microsoft started blocking Visual Basic Applications (VBA) macros in Office apps by default to stop malicious actors from using them to deliver malware. Macros are now blocked by default in all Office documents that are delivered via the Internet. Threat actors responded by switching to other file formats for delivering malware such as LNK, ISO, RAR, ZIP, and PDF files, with the latter commonly used to hide links to malicious websites from email security solutions. These links direct users to malicious websites where drive-by malware downloads occur and also to phishing sites that steal credentials. The most common malware types in 2023 were Trojans such as Magniber, WannaCry, and Stop/Djvu, with a notable increase in backdoors, which provide threat actors with remote access to victims’ devices and allow them to steal, alter, and delete sensitive data and download other malware variants such as ransomware.

These email-based attacks usually require some user interaction to succeed, such as opening a malicious file or clicking a link. Threat actors are adept at social engineering and trick users into taking the action they need but the availability of artificial intelligence tools has made social engineering even easier. AI has significantly lowered the entry barrier into cybercrime and can be used by anyone to create convincing phishing lures and social engineering tricks. Artificial intelligence tools are also being leveraged to develop new malware variants faster than before, which allows threat actors to defeat signature-based antivirus and antimalware solutions.

With cyberattacks increasing in both number and sophistication, businesses need to ensure they have appropriate defenses in place. To defend against attacks, businesses need to take a defense-in-depth approach to security and implement multiple overlapping layers of protection. Should one single component fail to detect a threat, others will be in place to provide protection. Endpoint detection solutions such as antivirus software are essential. These solutions work after malware has been delivered and can detect and neutralize the threat; however, multiple layers of security should be in place to make sure threats are not delivered, especially due to the increase in zero-day malware threats – novel malware variants that have yet to have their signatures added to the malware definition lists used by these solutions.

TitanHQ offers three layers of protection through SpamTitan Email Security, Web Titan Web Filtering, and SafeTitan Security Awareness Training. SpamTitan is an advanced email security solution that protects against all email threats, including known and zero-day threats. SpamTitan offers protection against malicious links in emails, and features dual antivirus engines and email sandboxing to protect against malware threats, with the latter used to detect previously unseen malware variants. SpamTitan also uses artificial intelligence and machine learning to predict new attacks.

WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks. The solution blocks access to known malicious websites, and high-risk websites, and can be configured to block the file types that are commonly used for malware delivery, such as executable files. SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience to the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, with training sessions triggered immediately when bad behaviors are detected. This ensures that training is delivered when it is likely to have the biggest impact.

To improve protection against the full range of cyber threats, give the TitanHQ team a call today. You can discuss your needs and explain the current security solutions you have, and the TitanHQ team will be more than happy to talk about the TitanHQ solutions that can plug the security gaps. All solutions are competitively priced and are available on a free trial to allow you to test them thoroughly before making a purchase decision.

New Callback Phishing Campaign uses Google Forms for Initial Contact

A new callback phishing campaign has been detected that uses Google Forms to add credibility to the campaign. Callback phishing involves sending an email and tricking the recipient into calling a customer service helpline, where they are convinced to download software that provides the attacker with remote access to their device. Since the emails contain no malicious content, only a phone number, these emails are usually delivered to inboxes.

A typical campaign involves an email about an impending charge for a subscription for software or a service, payment for which is about to be taken shortly. The user is told that they must respond within 24 hours if they have any dispute and that the subscription will auto-renew if no action is taken. Companies typically impersonated in these attacks include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.

The impending charge is excessive, typically $50 to $500, and the only way to prevent the payment is to call the customer service number included in the email. Subscriptions for software, streaming platforms, and other services are often set to auto-renew by default, and many people end up paying for another term even if they have discontinued using that service. The lure is therefore plausible, and since the charge is excessive, the recipient is likely to make the call.

The phone number is manned by the threat actor who pretends to be customer support and helps the user block the charge; however, in order to do so, software must be downloaded onto the user’s device. The user is convinced to install the software, the threat actor appears to remove the offending software, and the payment issue is resolved; however, the threat actor has installed malware that provides access to the user’s device.

In late 2020/ early 2021, this method was used in BazarCall attacks, so named because they were conducted to deliver BazarLoader malware. The malware is used to download additional malware payloads to the user’s device, such as ransomware. A new version of this campaign has recently been detected that employs Google Forms to add legitimacy to the campaign. Google Forms is free to use and allows forms to be easily created for surveys and quizzes, which can be integrated with websites or shared. In the latest BazarCall campaign, Google Forms is used to create details of a fake transaction, complete with invoice number, payment method, payment date, and information about the product or service.

Google Forms includes the option for a response receipt in the settings, so when a form is completed, it is submitted to the entered email address – that of the target. Google sends the completed form from its own servers, which adds legitimacy to the campaign and increases the probability of the form reaching an inbox. Email security solutions trust the sender (noreply@google.com) and the messages contain no malware or phishing links, the email is guaranteed to be delivered. The form instructs the recipient to call the number within 24 hours if they have any dispute about the charge.

Google is aware of the campaign and is taking steps to improve detection and said that the campaign has so far been used for a small number of users; however, it is worthwhile updating your security awareness training to include this new method of attack. That is quick and easy to do and roll out with the SafeTitan security awareness training platform. SafeTitan also allows you to easily add this method of phishing to the phishing simulator, to see if your employees are likely to fall for callback phishing scams.

QakBot Malware Returns with Phishing Campaign Targeting Hospitality Sector

In the summer of 2023, a multinational law enforcement operation caused major disruption to the botnet and malware known as QakBot, aka Qbot & pinkslipbot. Now the malware is back and being used in a campaign targeting the hospitality industry.

QakBot was first detected in 2008 and was primarily a banking Trojan which was used to steal financial information from infected devices; however, the malware has evolved over the years and its capabilities have been significantly enhanced. Check Point researchers have described the malware as “a Swiss army knife” due to its extensive capabilities. QakBot can steal financial information, browser data, and has keylogging capabilities, allowing it to steal credentials and other sensitive information. Infected devices are added to a botnet that can be used for a range of nefarious activities, and the malware also serves as a downloader and can deliver other malicious payloads, including ransomware. QakBot has previously partnered with major ransomware groups including Egregor, REvil, Conti, and ALPHV/BlackCat.

At the time of the takedown, QakBot had been installed on more than 700,000 computers worldwide. According to the U.S. Department of Justice, the August takedown was “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.” The law enforcement operation resulted in access being gained to the botnet’s encryption keys that were used for malware communication The botnet was hijacked and a custom Windows DLL was pushed out to all infected devices, which terminated the malware and disabled the botnet. These takedowns are, unfortunately, only temporary. As was the case with the takedown of the Emotet botnet, the threat actors simply rebuild their infrastructure.

QakBot malware is primarily distributed via phishing emails and the first QakBot malware campaign since the takedown was detected on Monday. The latest campaign uses an Internal Revenue Service (IRS) themed lure, where an IRS employee is impersonated. As is common in these campaigns, there is little body text in the emails, apart from the IRS logo and contact information. The emails contain a PDF attachment called GuestListVegas.pdf, and the subject line is “clients information”.

The recipient is told that they cannot preview the PDF file and must download it; however, the file they download is an MSI installer that will launch QakBot in the memory. Microsoft confirmed that this version of QakBot has not been seen before. While this appears to only be a relatively small campaign, distribution is expected to be significantly ramped up. In addition to this method of distribution, the QakBot operators have previously used OneNote files, Office files with malicious macros, Windows shortcut files, ISO attachments, and other executables, some of which have been known to exploit unpatched vulnerabilities.

Defending against attacks requires a combination of measures to block the initial access vector, the most important of which are an advanced spam filter – such as SpamTitan – security awareness training, and phishing simulations. A spam filter will block the majority of malicious emails to reduce the number of threats that are delivered to inboxes. By providing ongoing security awareness training to the workforce, employees will learn how to recognize, avoid, and report potential threats. Phishing simulations are an important part of the training process and allow employees to be tested to determine whether they are applying their training. When a phishing simulation is failed it can be turned into a training opportunity. With the SafeTitan platform, training is automated and delivered in real-time in response to failed phishing simulations.

For more information on advanced spam filtering and workforce cybersecurity training, give the TitanHQ team a call.

TitanHQ Wins 4 “Top Solution” Expert Insights Awards

TitanHQ products have received four “Top Solution Awards” from Expert Insights in Q4, 2023 in the Email Security, Web Filtering, Security Awareness Training, and Email Archiving categories.

Expert Insights is a leading business software review website that is used by IT decision-makers for researching the best business software solutions. The platform has more than 1 million readers a year and helps more than 85,000 businesses each month with their software purchase decisions. The website includes honest and impartial technical reviews and helpful guides to allow IT decision-makers to purchase with confidence.

Each Quarter, Expert Insights recognizes the world’s best B2B technology solutions through its awards program. The awards are based on Expert Insights’ independent technical analysts and editorial team, customer feedback, and industry recognition. In Q4, 2023, Expert Insights issued awards in over 40 categories, from authentication to zero trust security.

“We are thrilled to unveil our list of the ‘Top Solutions’ for Winter 2023, highlighting the extraordinary innovation in the B2B technology landscape,” said Craig MacAlpine, CEO and Founder of Expert Insights. “These awards celebrate leading solutions across more than 40 product categories, based on our own technical analysis and the engagement of thousands of enterprise tech professionals that use Expert Insights to research solutions each month.”

TitanHQ’s cybersecurity solutions were recognized and were named top solution in four categories:

  • Email Security – SpamTitan
  • Web Filtering -WebTitan
  • Security Awareness Training – SafeTitan
  • Email Archiving – ArcTitan

SpamTitan is a cutting-edge email security solution for blocking spam and protecting against email threats. The solution has artificial intelligence and machine learning capabilities and can block all known malware, zero-day malware threats, and phishing, spear phishing, and business email compromise attacks.

WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks and allows businesses to restrict access to certain websites to improve productivity, reduce legal risk, and protect against phishing, malware, ransomware, and other online threats.

SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience against the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, which are triggered immediately when those behaviors are detected to ensure that training is delivered when it is likely to have the biggest impact.

ArcTitan is an easy-to-implement “set-and-forget” email archiving solution that helps businesses meet their legal responsibilities for data retention and ensures that no email is ever lost, with lightning-fast search and retrieval.

“Our team is truly honored by Expert Insights’ acknowledgment of TitanHQ as the ‘Top Solution’ Provider in their Q4 2023 Awards.,” said TitanHQ CEO, Ronan Kavanagh. “This recognition across multiple categories underscores our commitment to empowering our partners and MSPs with cutting-edge technology, enabling them to deliver advanced network security solutions to their clients.”

DarkGate/PikaBot Malware Phishing Campaign the Work of Qakbot Operators?

A malware phishing campaign has been running since September 2023 that is distributing DarkGate malware. Now, the threat actor behind the campaign has switched to PikaBot malware, and the campaign has several similarities to those conducted by the threat actor behind Qakbot.

DarkGate malware was first detected in 2017 but was only offered to other cybercrime groups this summer. Since then, distribution of the malware has increased significantly, with phishing emails and malvertising – malicious adverts – the most common methods of delivery. DarkGate malware is a multi-purpose Windows malware with a range of capabilities, including information stealing, malware loading, and remote access. In September, security researchers at Cofense identified a malware phishing campaign that was spreading DarkGate malware that has since evolved into one of the most advanced active phishing campaigns making it clear that it is being conducted by an experienced threat group. Then in October 2023, the threat actor behind the campaign switched to distributing Pikabot malware. Pikabot malware was first detected in early 2023 and functions as a downloader/installer, loader, and backdoor.

Security researchers have analyzed the malware phishing campaign and have identified several similarities to those used to distribute Qakbot (Qbot) malware including the behavior of the malware upon infection, the method of distribution, as well as internal campaign identifiers. Qakbot was one of the most active malware botnets; however, in August this year, an international law enforcement operation headed by the U.S. Department of Justice successfully took down the infrastructure of Qakbot.

The emergence of the phishing DarkGate/Pikabot campaign around a month after the Qakbot takedown, the use of a similar campaign that was used to distribute Qakbot, and no detected Qakbot activity since the takedown has led security researchers to believe the operators of Qakbot have switched to distributing DarkGate/Pikabot. Both of those malware families have similar capabilities to Qakbot and that could indicate the Qakbot operators have switched to newer malware botnets. As was the case with Qakbot, the new malware variants provide the threat actor with initial access to networks and it is probable that attacks will result in data theft and potentially the use of ransomware. Given the pervasive nature of Qakbot, if the same threat actors are behind the latest DarkGate/Pikabot campaign it poses a significant threat to businesses. The phishing campaign starts with an email that forwards or replies to a stolen message thread. Since the message threat contains genuine previous conversations there is a much higher probability of the recipient responding to the message. The emails contain an embedded URL that directs the user to a.ZIP archive that contains a malware dropper, which delivers the final DarkGate or Pikabot payload.

The phishing campaign continues to evolve and it is the work of a very experienced threat actor. One of the best defenses against these attacks is security awareness training. Employees should be warned of the tactics that are being used to distribute the malware and should be instructed to be vigilant, especially requests received via email that appear to be responses to previous communications that prompt them to visit a website and download a compressed file. They should be instructed to report any such email to their security teams for analysis.

With SafeTitan, TitanHQ’s security awareness training platform, it is easy to incorporate the latest threat intelligence into training content and push out short training sessions to employees to raise awareness of the latest malware phishing campaigns. SafeTitan also includes a phishing simulator that allows custom simulated phishing emails to be sent out to the workforce, including simulated phishing emails that include the tactics used in the DarkGate/Pikabot campaign. Security teams can use the simulator to determine how employees react and can then take proactive steps to address any knowledge gaps before a real DarkGate/Pikabot phishing email lands in an inbox.

An advanced spam filter should also be implemented that is capable of scanning and following links in emails along with a WebFilter for blocking access to malicious websites and restricting file downloads from the Internet, such as TitanHQ’s SpamTitan Plus and WebTitan DNS filter. For more information on the SafeTitan security awareness training and phishing simulation platform, advanced spam filtering with SpamTitan Plus, and web filtering with WebTitan, call TitanHQ today. All TitanHQ solutions are also available on a free trial.

Watch Out for Black Friday Phishing and Cyber Monday Scams!

You may be able to grab a bargain on Black Friday and Cyber Monday but you need to be extra vigilant for Black Friday phishing attacks and Cyber Monday scams. Cybercriminals are waiting to take advantage of unwary online shoppers on Black Friday and scams are rife throughout the holiday season.

Black Friday and Cyber Monday are two of the busiest shopping days of the year. Many people take advantage of the deals on offer and delay major purchases to try to get a Black Friday or Cyber Monday bargain, and savvy shoppers get started on their Christmas shopping early and try to grab the best gifts while they are available, often at a sizeable discount. On Black Friday, Cyber Monday, and throughout the holiday season, cybercriminals are hard at work. It is the perfect time for them to fill their pockets before the Christmas break. There are huge numbers of people looking to make purchases online, and cybercriminals are more than happy to offer the bargains and special deals that they seek.

During this shopping frenzy, people who delay making a purchase often miss out due to limited product availability. That means it is the perfect time to conduct a phishing attack offering a high-value product at a rock-bottom price, as it is exactly what consumers are expecting and hoping to find. The whole retail event plays into cybercriminals’ hands. People are made to think that they need to act fast and make a quick purchase when what they need to do is stop and think about whether the offer being presented is really what it seems.

Last year, UK residents lost more than £10 million to cybercriminals over the festive shopping period, according to the UK National Cyber Security Centre, with each victim losing an average of £639 to scams between November 2022 and January 2023. This year, the outlook looks even bleaker due to the ease at which artificial intelligence can be used to create convincing scams. While phishing attempts, scam emails, and malicious websites often contain red flags that indicate all is not what it seems, those red flaws are often missing from AI-generated content. Cybercriminals are leveraging large language models, such as ChatGPT, to create convincing emails, scams, fake adverts, and fraudulent websites. The aim of these attacks is to get unsuspecting consumers to disclose their usernames and passwords, provide their credit card and bank details, make purchases for non-existent products, or download malware. AI allows cybercriminals to conduct these scams on an increasingly large scale.

Tips for Avoiding Black Friday Phishing Scams and Online Fraud

AI tools allow cybercriminals to generate phishing emails with perfect grammar and no spelling mistakes and even generate convincing lures targeted at specific groups of people, but the same social engineering techniques are used in these phishing attempts as human-generated phishing emails. With phishing attempts, there is a sense of urgency. Phishing emails have a call to action and only a limited time to respond and there will usually be a threat of negative consequences if prompt action is not taken. With Black Friday phishing scams, product scarcity or a special offer expiring are often how cybercriminals get urgent action to be taken, or there may be a threat of pending costs, charges, or account closures if the email is ignored. Another common ploy is to generate a security alert about unauthorized account access or a potentially fraudulent purchase that has been made, with immediate action required to block the charge or protect the account. Everyone needs to be extra vigilant during the holiday season and should carefully check the sender of the email and stop and think before taking any action suggested in an email.

With so many purchases being made at this time of year, it is the perfect time for phishing lures warning about unsuccessful deliveries. Most people will be expecting packages to be delivered over the next few days and weeks. If you are notified about a failed delivery attempt, make sure that the message has been sent from the domain of the company that claims not to be able to deliver the package. If the email claims to have been sent by FedEx, UPS, DPD, Yodel, or Evri, check it has been sent from the official domain used by that company and watch out for hyphenated domain names, spelling mistakes, and transposed letters.

While email scams are common, so are scams on social media platforms. Malicious advertisements are posted offering products that are never dispatched. According to the Federal Trade Commission, $2.7 billion has been lost in the United States to social media scams over the past 2 years. While there may be genuine offers on social media sites, any vendor should be carefully vetted before making a purchase through an advert and checked to make sure they are who they claim to be and that they are a reputable retailer. It is also far better to use a credit card for any purchases, as credit card companies offer much greater protection against fraud than banks do for debit cards.

While non-delivery scams are common, and credit card theft is rife, many Black Friday and Cyber Monday scams try to obtain access to accounts. In addition to being extra vigilant, it is important to ensure that accounts are properly protected, which means setting a strong, unique password for each account and ensuring multifactor authentication is enabled. If passwords are reused across multiple sites, if that password is obtained, all accounts that use the same password will be put at risk. Multifactor authentication will provide greater protection for accounts should passwords be guessed or otherwise obtained. A password alone is not sufficient to gain access to an account, as an additional form of authentication must be provided.

What is Malware Sandboxing for Email?

Malware sandboxing for email is now vital for email security. Suspicious files that pass AV checks are sent to the sandbox where they are safely detonated and subjected to behavioral analysis.

Email-based Cyberattacks are Increasing

Email is one of the most common initial access vectors used by cybercriminals. Initial access to victims’ networks is gained via two main methods: email attachments and embedded URLs. The first attack type involves emails with attachments that contain malicious code, such as macros. If the files are opened and the code is allowed to execute, it will trigger the download and execution of malware from a remote server, or in some cases, malware will be executed in the memory (fileless malware).

The other method, which is now more common since Microsoft started blocking macros in Office documents by default if they are received via the Internet, is for phishing emails to be sent that contain malicious URLs. These URLs may be added to the message body or be hidden inside documents. These URLs point to an Internet site that hosts malware which is silently downloaded when the link is visited or the user is tricked into installing the malware.

Businesses need to ensure they have adequate defenses to block email-based attacks. The first line of defense is an email security solution that will scan the message headers, message body, and attachments and perform reputation checks on the sender. Email security solutions use blacklists of malicious domains and IP addresses and will block messages from these domains and IPs if they have previously been used for phishing, scams, or malware distribution. Checks will be performed on URLs and the messages are searched for the signatures of spam and phishing content – words and phrases commonly used by threat actors. If these checks are failed, the messages will be quarantined.

To block malware, email security solutions scan email attachments using anti-virus engines, which search for the signatures of malware – specific parts of the malware code that have been identified in previous malware analyses. The anti-virus software is regularly updated, and new signatures are added when new malware variants are identified. While these scans will block all known malware if the signature for malware is not in the definition list, the file will not be classed as malicious, and the message will be delivered to the end user. Unfortunately, new malware variants are being released faster than ever before to get around signature-based detection. To block unknown malware another method is required – malware sandboxing for email.

Malware Sandboxing for Email

Advanced email security solutions include malware sandboxing for email. If an email attachment passes the standard checks and anti-virus scans, it is sent to a sandbox where the behavior of the file is analyzed. A sandbox is an isolated, secure environment where files can be opened and analyzed without risk. Any checks of the environment that are performed by malware when it is executed are often passed as the sandbox is created to look exactly like a real endpoint. Any actions performed by files when they are opened are analyzed in detail and if any checks fail, the file and email will be quarantined and all other copies of that email will be removed from the email system. These checks may take a few minutes to perform, so there will be a slight delay in delivering genuine emails.

SpamTitan, TitanHQ’s award-winning email security solution, includes a powerful next-gen sandbox that is powered by Bitdefender. The malware sandboxing service uses powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, which provide advanced threat protection and zero-day exploit detection. To avoid unnecessary email delivery delays, SpamTitan has strong machine learning, static analysis, and behavior detection technologies which ensure that only files that require further analysis get sent to the sandbox. If all sandbox checks are passed, the message will be delivered. If one or more checks are failed, the message will be quarantined, and the results passed to Bitdefender’s Global Protective Network. If that threat is encountered again, it will be recognized and will be quarantined immediately and will not need to get sent to the sandbox to be detonated again.

With SpamTitan malware sandboxing for email, businesses will be well protected against zero-day malware threats that would otherwise be delivered to inboxes. For more information give the TitanHQ team a call. SpamTitan with malware sandboxing for email is also available on a 14-day free trial.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Sandboxing Technology for Email

Implementing your own sandboxing technology for email can be complex and costly. SpamTitan Email Security has an inbuilt sandbox, so all the hard work is done for you. You get the full cybersecurity benefits of a sandbox at a very low cost.

What are the Benefits of an Email Sandbox?

Email sandboxing is no longer a ’want’ it is now a ‘must-have.’ Cybercriminal groups are conducting huge numbers of attacks, nation-state actors are targeting businesses to steal their proprietary data, and these attacks are getting far more sophisticated and can easily evade standard security solutions. The consequences of a successful cyberattack are severe. IBM’s 2023 Cost of a Data Breach Report indicates that the average cost of a successful attack and data breach has risen to $4.45 million in the United States. It is no surprise that many small to medium-sized businesses fold within 6 months of a successful attack.

As has been the case for many years, one of the easiest ways to gain initial access to a company’s network is via email. Employees are targeted as they can be tricked into disclosing their credentials or installing malware. Email security solutions such as spam filters and secure email gateways are capable of blocking many threats, but they are failing to block zero-day malware threats. Traditional email security solutions are reliant on signature-based detection methods for blocking malware. When a malware threat is detected and analyzed by security researchers, the signature for that malware variant is added to the definition list. Email security solutions use signature-based detection methods to block 100% of known malware.

The problem comes with new malware, for which no signature has been defined. Without a signature, malware will not be identified as malicious if it is encountered. If a novel malware variant is attached to an email, the email will most likely be delivered and can be opened by an end user and new malware variants are now being released at an incredible rate. While signature-based detection has served businesses well, additional protection is now required – email sandboxing.

With an email security solution that has an email sandbox, inbound messages will first be subjected to standard checks. An email sandbox is then used to safely analyze the behavior of files in an environment where no harm can be caused. If malware is executed, it will be detected based on its behavior rather than a signature. The threat will then be blocked, and no harm will be caused.

SpamTitan Email Sandboxing Technology for Email

With SpamTitan, the initial checks include AI-based and machine-learning detection, which is capable of detecting previously unseen phishing threats.  All attachments are scanned with two antivirus engines to ensure 100% of known malware threats are detected and blocked. The sandbox provides an extra layer of protection. When initial checks are passed, suspicious messages are sent to the sandbox for deep analysis. File attachments are safely detonated, their behavior is analyzed, and the results are checked against an extensive array of online repositories. The process usually takes just a few minutes, or in some cases, a maximum of 20 minutes.

If a threat is detected it is reported to the Bitdefender Global Protective Network – Bitdefender’s cloud threat intelligence service. If that threat is detected again by SpamTitan or any device connected to the network, it will not need to be sent to the sandbox again and all devices will be protected against that threat. The latest malware variants often include code that checks for running security solutions and whether it has landed on a real endpoint. If a virtual environment is detected and the malware determines it is in a sandbox, it will not perform its malicious actions and may delete itself to prevent analysis. To get around this, the email sandbox emulates a real endpoint and analyzes files by leveraging purpose-built, advanced machine-learning algorithms. The sandbox incorporates anti-evasion and anti-exploit techniques and performs aggressive behavior analysis. Every evasion attempt by malware is properly marked and the files are flagged.

The sandbox analyzes a broad range of targets, including documents, spreadsheets, and executable files, and is capable of identifying and blocking polymorphic malware and other threats that have been developed for undetectable attacks. With email-based cyberattacks increasing in number and sophistication, businesses need to ensure they have advanced defenses. With SpamTitan sandboxing technology for email you get advanced threat protection at an affordable price. To find out more, call the TitanHQ team today or take advantage of a free 14-day free trial of SpamTitan.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

What is Sandboxing in Cybersecurity?

What is Sandboxing in Cybersecurity?

Sandboxing in cybersecurity terms refers to an isolated virtual machine that is used for testing code and analyzing files. Since the sandbox is isolated from other systems and networks, unverified code, untested programs, email attachments, and files downloaded from the Internet can be executed or detonated safely. Code is executed and files are opened and their behavior is analyzed to determine if they are safe or if they may cause damage to data or systems. In the sandbox, the activities that can be performed are restricted so they can’t cause any real damage. If code is executed in the sandbox and it is determined to be malicious, it will be deleted or quarantined for further analysis. Sandboxing is also used for checking URLs. For instance, some web browsers will first open a URL in a sandbox where permissions are set to the lowest privilege levels. If any attempt is made to perform an action that is not permitted, access to the URL will either be blocked or the user will receive a warning.

Why is Sandboxing Important?

In software development, new code may have unintended consequences, such as causing other systems to malfunction, which in a production environment could cause unacceptable and costly downtime. A sandbox allows code to be fully tested to ensure it is safe. A security sandbox protects against malicious code that has been deliberately written to cause damage and/or provide access to systems and data. For example, ransomware is malicious code that encrypts files to prevent them from being accessed. A threat actor then demands payment for the keys to decrypt files. If that code was allowed to execute on the network, data could be permanently lost, or a ransom would need to be paid to recover files.

Cyberattacks on businesses have been increasing and are now being conducted more frequently than ever before. The average ransom demand in data theft and ransomware attacks is now more than $1.5 million, and data from Rapid7 suggests more than 1,500 organizations fell victim to ransomware attacks in the first half of 2023, with more than 20 new ransom groups emerging. Cybercriminals also still use backdoors, keyloggers, banking trojans, and information stealers to gain access to networks and steal sensitive data. To make matters worse, new malware and ransomware variants are constantly being released and these evade security solutions that rely on signature-based detection. It is vital that all files and applications are thoroughly tested before being allowed anywhere near the network and sandboxing allows even previously unseen malicious files to be identified and neutralized.

Email Sandboxing

Email security solutions often use sandboxing for attachments and URLs. With email attachments, they will first be scanned using standard anti-virus engines to determine if they contain known malware or malicious code. These AV checks will only detect known malware. New malware variants that have not been encountered before cannot be detected, as standard AV solutions search for signatures of known malware. Email sandboxing is used to detect new malware, often referred to as zero-day threats. Files that are determined to be clean after AV scanning are sent to the sandbox for behavioral analysis. Email security solutions may also use a sandbox for testing embedded URLs in messages and will follow the links and check the destination and assess whether it contains any threats.

Email Sandboxing from TitanHQ

SpamTitan is a multi-award-winning email security solution from TitanHQ that offers advanced threat protection at an affordable price. SpamTitan blocks phishing, malware, spam, viruses, and other malicious email threats and includes a Bitdefender-powered email sandbox. Emails that pass the initial barrage of checks, including antivirus scans, are sent to the sandbox where they are safely detonated, and their behavior is analyzed. The SpamTitan sandbox combines the latest threat analysis with powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, ensuring businesses are protected against zero-day threats. For more information on SpamTitan Email Security, give the TitanHQ team a call today.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Advantages and Disadvantages of Email Sandboxing

Sandboxing is the use of a virtual environment for testing code and safely opening untrusted files. The sandbox is an isolated and secure environment that emulates a legitimate endpoint; however, there are no connections to the business network, the sandbox environment contains no real data, and if dangerous code is executed, no harm will be caused.

Advantages of Email Sandboxing

Sandboxing is important because of the sheer number and complexity of threats faced by businesses. Cybercriminal groups are conducting increasing numbers of attacks, new groups are constantly being formed, and their attacks are becoming much more sophisticated. The cost of these attacks and the resultant data breaches are also spiraling. According to the 2023 Cost of a Data Breach Report from IBM, on average, data breaches cost $4.45 million to resolve in the United States and $10.93 million for a healthcare data breach.

Many of these threats come from email. Emails are used to send attachments containing malicious code that downloads malware that provides a cyber actor with access to the network. Links to malicious websites are also distributed via email where malware is downloaded. While businesses have a degree of protection if they have anti-virus software installed, most anti-virus solutions can only detect known malware variants – Malware that has previously been analyzed and had its signature added to the solution’s malware definition list. Antivirus solutions will not detect new malware variants nor fileless malware, which is executed in the memory with no files downloaded to the disk.

Sandboxing provides an additional layer of protection against zero-day malware and ransomware attacks and will allow malicious files to be identified, detected, and quarantined before they can do any harm, even if they have not previously been encountered. In the sandbox, malware is identified by the actions it tries to perform, not by any signature.

Disadvantages of Email Sandboxing

While there are clear benefits, there are some disadvantages of email sandboxing. Businesses may want to add email sandboxing to their cybersecurity arsenal, but email sandboxes can be complicated to set up and run, and they can require a considerable amount of resources and can be expensive to run. Another of the disadvantages of email sandboxing is analyzing file attachments takes time and messages cannot be delivered until all checks have been performed. It is therefore inevitable that there will be email delivery delays.

As with any cybersecurity solution, there is the potential for false positives. An email attachment may be determined to be malicious when it is actually harmless. In such cases, important business emails may be blocked or deleted. The last main disadvantage is malware often contains code that determines if it has landed on the targeted endpoint or if it is in a virtual environment. If the latter is detected, the malware may delete itself or not perform any of its programmed malicious actions. Considering the cost of a successful cyberattack, the advantages of email sandboxing outweigh the disadvantages, provided the right sandboxing solution is chosen.

SpamTitan Email Security with Sandboxing

SpamTitan is an award-winning email security solution from TitanHQ that provides advanced threat protection at an affordable price. The solution is easy to implement and use and protects thousands of SMBs and managed service providers (MSPs) by blocking spam, viruses, malware, ransomware, and links to malicious websites from your emails. SpamTitan’s ATP defense uses inbuilt Bayesian auto-learning and heuristics to defend against advanced threats and evolving cyberattack techniques and features an integrated email sandbox tool that is part of Bitdefender’s Global Protective Network.

SpamTitan uses advanced intelligent technologies, such as AI, to predict and prevent advanced threats and the sandbox accurately mimics a real endpoint to trick malware into determining it has reached its intended target. As with any sandbox, there are delays in delivering emails but this is kept to a minimum. SpamTitan has multiple layers of security and sophisticated sandbox technology, which means only specific and dangerous emails will be sandboxed. Even if a legitimate email lands in a sandbox, the delivery delay will be, at most, twenty minutes. While there may be false positives on occasion, no emails are deleted. They are quarantined to allow administrators to check the validity of the results.

If you want to improve security and get the advantages of email sandboxes while eliminating the disadvantages, give the TitanHQ team a call today. SpamTitan is also available on a free 14-day trial to allow you to test the product and sandbox in your own environment before making a purchase decision.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Malicious File Sandbox for Email

Multiple layers of security are required to protect against increasingly sophisticated email attacks. A malicious file sandbox for email should be one of those layers to ensure your business is protected against zero-day and stealthy malware threats.

Email: The Most Common Initial Access Vector Used by Cybercriminals

There are many ways that cybercriminals can attack businesses, but email is the most common initial access vector. Most employees have email accounts which means they can be easily reached, and social engineering techniques are used to trick employees into opening malicious attachments or visiting links in emails. Cybercriminals have become adept at exploiting human weaknesses in defenses.

One of the main aims of email campaigns is to deliver malware to provide persistent access to victims’ networks. Executable files may be attached to emails and hidden using double file extensions to make the files appear to be legitimate documents, PDF files, or spreadsheets. Office files may be attached that have malicious macros which, if allowed to run, trigger the download of a first-stage malware payload. The problem for businesses is these campaigns are becoming much more sophisticated, they often bypass standard email security defenses, and they land in inboxes where they can be opened by employees.

Defending against sophisticated email attacks requires a defense-in-depth approach, which should include a spam filter/secure email gateway, a web filter, multifactor authentication, an endpoint detection and response solution, and security awareness training for employees. To improve protection further and defend against new and stealthy malware threats, it is important to have a malicious file sandbox for email.

What is a Malicious File Sandbox?

A malicious file sandbox is an isolated virtual environment where untrusted, suspicious files can be detonated securely without risking network or data security. The sandbox is used for analyzing emails, documents, application files, and other executable files to determine their true nature. When an email is received, it must first pass through a spam filter which looks for the common signatures of spam and phishing emails, performs reputation checks on the sender, analyzes the message content, and scans email attachments using antivirus software. The spam filter will filter out the majority of spam and phishing emails and all known malware variants using the antivirus software.

The problem is many email attacks are stealthy and have been developed to be undetectable, and cyber actors are skilled at getting their emails past email defenses and into inboxes. One way this is achieved is by using polymorphic malware, which cannot be detected by standard email security solutions and antivirus software. A malicious file sandbox is needed to protect against these novel threats.

When suspicious files are received that pass the front-end checks, they are sent to the sandbox for in-depth analysis of their behavior. The malicious file sandbox is configured to look like a real target environment to ensure that when an email is sent to the sandbox any malware acts as it would in the wild and is tricked into determining that it has landed on the endpoint of its intended target. No harm can be caused in the sandbox as the environment is isolated and not set up locally. If malware is detected, a report is generated of any malicious intent or unexpected actions, and actionable insights are provided to allow the threat to be blocked.

The SpamTitan Malicious File Sandboxing Service

SpamTitan is an award-winning anti-spam and anti-phishing solution from TitanHQ that is used by thousands of businesses and managed service providers to protect against email-based attacks. The solution leverages artificial intelligence and machine learning algorithms to detect novel threats and predict new attacks, reputation checks are conducted using SPF, DKIM, and DMARC, users are protected from malicious links in emails, and the solution has dual antivirus engines that scan for known malware.

SpamTitan also includes a Bitdefender-powered malicious file sandbox for blocking zero-day malware threats. The sandbox analyzes a broad range of targets, including emails, documents, application files, and other executable files, and leverages purpose-built, advanced machine-learning algorithms, aggressive behavior analysis, anti-evasion techniques, and memory snapshot comparison to detect sophisticated threats and delivers advanced threat protection and zero-day exploit detection. The sandbox also extracts, analyzes, and validates URLs within files.

The sandbox is not located on the endpoint so there are no performance implications, and strong machine learning and behavior detection technologies ensure that only files that require further analysis are sent to the Sandbox. If a malicious file is detected, the sandbox informs Bitdefender’s cloud threat intelligence service to ensure the threat is instantly blocked globally and will not need to be set to the sandbox for analysis again. The sandbox allows businesses to identify and block malicious files such as polymorphic malware and other threats that have been developed for use in undetectable attacks.

The SpamTitan malicious file sandbox delivers best-in-class detection, advanced anti-evasion technologies, innovative pre-filtering, and MITRE ATT&CK framework support. If you want the best protection from dangerous malware, you need a malicious file sandbox for email, and with SpamTitan you get that and more at a very affordable price. For more information on the capabilities of SpamTitan and details of pricing, give the TitanHQ team a call. SpamTitan is also available on a free 14-day trial to allow you to test the product in your own environment before making a purchasing decision.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Quishing: The Fast-Growing Phishing Trend

What is Quishing?

Quishing is a fast-growing phishing trend involving QR codes, which are now used in more than one-fifth of phishing attacks. QR Codes, or Quick Response codes to give them their full name, have become a popular way of communicating information, most commonly URLs for websites and PDF files. QR codes were originally developed and used for tracking parts in manufacturing, but their uses have grown considerably and QR codes are now everywhere.

They are also used by restaurants for directing diners to their menus – something that became more common during the COVID-19 pandemic as a way of reducing the risk of virus transmission as well as reducing costs by not having to print menus. They are used by advertisers at bus stops and train stations, in magazines and printed pamphlets, and even TV commercials. They allow advertisers to get smartphone users to quickly and easily visit a website to find out more about products and services and make a purchase.

The ubiquity of QR codes and how they have been embraced by consumers, coupled with the difficulty of distinguishing between a benign and useful QR code and a malicious one has made them perfect for malicious actors for driving traffic to their malicious websites. QR codes are sent via emails, instant messaging services, and on social media sites and direct users to a malicious website where credentials are harvested or malware is downloaded. Another key benefit of QR codes is they are read by smartphones, rather than laptops or desktop computers. Smartphones are far less likely to have security software installed that can detect either the phishing message or the malicious URL that users are directed to.

Malicious actors have embraced QR codes and commonly use them in phishing campaigns. One analysis of phishing emails revealed 22% of phishing emails intercepted in October 2023 used QR codes, many of which used standard phishing lures to get users to scan the QR code, such as a security alert requiring immediate action. Other types of quishing attacks have exploited the “login with QR Code” feature that is now used by apps and websites as a secure way of logging in. In this type of attack, termed QRLJacking, the attacker initiates a client-side QR session of the targeted app or website, and clones the login QR code to display a fake but realistic clone of the targeted app. Social engineering techniques are used to send a user to that page, the user scans the malicious QRL using the mobile application the QRL code was created for, and the attacker gains access to the victim’s account. The app is unaware this is fraudulent access and provides the user’s data to the attacker.

Protecting against these attacks is much harder than protecting against standard phishing attempts since security solutions struggle to detect these malicious QR codes. That said, protecting against QRLJacking is simple. Don’t ever use QRLs for logging in. Avoiding other quishing attacks involves similar advice. Avoid using QR codes entirely, or at least avoid using QR codes from untrusted sources. If a QR code is received via email, the source of the email needs to be verified, and even then it is best to avoid using it and just visit the website of the company that claims to have sent it.

Companies should also consider adding quishing to their security awareness training programs given how commonly QR codes are being used in phishing. That’s easy to do with the SafeTitan Security Awareness Training Platform – just choose the Quishing content and add it to your training program and incorporate the quishing templates into your phishing simulations.

Has AI Surpassed Humans at Writing Phishing Emails?

Has AI surpassed humans at writing phishing emails? A team of researchers at IBM decided to put that to the test and the results are now in. Humans still have the edge, but AI is not far behind and will soon overtake humans.

There has been a lot of press coverage recently about the capabilities of AI and significant concern has been voiced about the threat AI-based systems pose. While there are legitimate concerns that AI systems could turn against humans, one of the most pressing immediate cybersecurity concerns is that cybercriminals could use generative AI tools to devastating effect in their cyberattacks.

Many security researchers have demonstrated that generative AI chatbots such as ChatGPT can write perfect phishing emails, free of spelling mistakes and grammatical errors, and can also create convincing lures to trick humans into opening a malicious email attachment or visiting a malicious website. ChatGPT and other generative AI tools can also be used to write malware code, and there have been demonstrations of AI tools being used to create functional polymorphic malware and ransomware code. One of the key advantages of AI tools such as ChatGPT is the speed at which phishing emails, social engineering lures, and malware code can be generated, which could greatly improve the efficiency and even the quality of a range of malicious campaigns.

Tools such as ChatGPT have guardrails in place to prevent them from being used for malicious purposes such as writing malware or phishing emails. If you ask ChatGPT to write ransomware code or a phishing email, it will refuse to do so as it violates OpenAI’s terms and conditions of use. Those controls can, however, be easily bypassed, plus there are generative AI tools that have been developed specifically for cybercriminal use, such as WormGPT and FraudGPT.

Are Cybercriminals Using AI in Their Campaigns?

Security researchers have shown that it is possible to use generative AI tools for offensive cybersecurity purposes, but are cybercriminals actually using these tools? While there is limited evidence on the extent to which these tools have been used, it is clear that they are being put to use. An August 2023 report by the U.S. cyber defense and threat intelligence firm Mandiant explored this and found threat actors are certainly interested in generative AI but use remains limited. The main area where these AI tools are being used is in information operations, specifically to efficiently scale their activity beyond their inherent means and to produce more realistic content.

Financially motivated threat actors have been using generative AI such as deepfake technology to increase the effectiveness of their social engineering, fraud, and extortion operations, including the use of face swap tools. The main focus currently is on social engineering, such as phishing attacks, for generating convincing lures for phishing emails and greatly reducing the time spent researching potential targets.

Are Generative AI Tools Better than Humans at Phishing?

An IBM X-Force team of social engineering experts recently went head-to-head with a generative AI chatbot to see which was better at creating phishing emails. The researchers would typically take around two days to construct a phishing campaign, with most of the time taken on researching targets to identify potential social engineering lures, such as topics for targeting specific industries, the persons to impersonate, and for creating convincing emails.

They developed 5 simple prompts to get a generative AI chatbot to do this, and the entire campaign was created in just 5 minutes, thus saving a cybercriminal around 2 days of their time. The good news is that the security researchers’ email performed better in terms of a higher click rate and a lower reporting rate, but the margins were very small. Humans still have the edge when it comes to emotional manipulation in social engineering, but AI is not very far behind and is likely to overtake humans at some point.

How to Combat AI-generated Phishing

Generative AI can save cybercriminals a great amount of time and the content generated is almost as good as human-generated content, and certainly good enough to fool many users. The best defense is to provide more extensive and regular security awareness training to employees to improve resilience to phishing attempts and to put cybersecurity solutions in place that incorporate AI and machine learning tools.

TitanHQ’s Email Security solution, SpamTitan, has AI and machine learning capabilities that are used to detect previously unseen phishing threats, such as those generated by AI tools. These capabilities also apply to email attachments, which are sent to an email sandbox for deep analysis of their behavior, allowing SpamTitan to detect and block zero-day malware threats. TitanHQ can also help with security awareness training. SafeTitan is an easy-to-use security awareness training and phishing simulation platform that has been shown to reduce susceptibility to phishing by up to 80%. Combined with multifactor authentication and endpoint detection tools, these solutions can help organizations improve their defenses against cyberattacks that leverage generative AI.

What is Message Sandboxing?

Message sandboxing is a security feature of spam filters, secure email gateways, and other email security solutions where inbound messages are sent to a secure and isolated environment where the messages are subjected to behavioral analysis. File attachments are detonated and analyzed for malicious properties and actions, such as attempted file downloads from the Internet, command-and-control center callbacks, and attempts to write code to the memory.

What is a Sandbox?

In the technology sense, a sandbox is a contained virtual environment that is separate and isolated from other applications, operating systems, data, and internal networks. Sandboxes have several uses. In software development, a sandbox is used for testing new code, where it can be observed for unexpected compatibility issues, allowing software developers to troubleshoot the code without causing any harm to live systems and data.

In cybersecurity, a sandbox is used to open untrusted files, follow potentially malicious links, and analyze suspicious code and malware. If malware was installed and executed on a standard machine, the threat actor would be given remote access, malware may exfiltrate sensitive data, or in the case of ransomware, encrypt files. Since the sandbox is a secure environment, any malicious action has no consequences, and files can be studied in safety.

A sandbox is a virtual environment that is often configured to mimic a genuine endpoint. One of the first actions taken by malware is to explore the environment it is in to check whether it is on a genuine device. If not, it is likely not to run any malicious routines and may self-delete to prevent analysis. By configuring the sandbox to mirror a genuine endpoint, the malware can be tricked into performing its malicious routines, which are detected and logged. The intelligence gathered is fed into the email security solution, and all users of that solution, locally and globally, will be protected from that malware sample in the future.

Why is Message Sandboxing Necessary?

Traditional email security solutions check message headers, perform reputation checks of senders, scan email attachments with antivirus engines, follow embedded hyperlinks, and examine the content of the message for known spam and phishing signatures. For many years, these checks alone have been sufficient and ensure that more than 99% of spam and phishing emails are detected and blocked along with all known malware.

Email attacks have been getting much more sophisticated in recent years and new malware variants are being released at never-before-seen rates. A malware phishing campaign, for instance, will not just use one iteration of malware, but many, with each sample differing sufficiently to defeat signature-based detection mechanisms. Cybercriminals are using automation to spin up masses of samples and AI is being used to develop novel phishing methods.

AI and machine learning capabilities are now required in email security for blocking these zero-day threats, and email message sandboxing is necessary for detecting novel malware threats. Advanced email security solutions leverage AI, machine learning, and email sandboxing and protect against the rapidly evolving threat landscape. Without these features, many malicious messages will be delivered.

How to Set Up Message Sandboxing

The easiest way to get started and set up message sandboxing is to use SpamTitan Email Security. SpamTitan has been developed to be easy to set up and use by businesses of all sizes, from small offices and coffee shops to small and medium-sized businesses and large enterprises.  Being cloud-based, there is no software to install, just a small configuration change to your MX record (information on how to do this is provided). The solution can be accessed through a web-based interface, and the solution can be configured in just a few minutes.

Users benefit from spam and phishing detection rates of more than 99.99%, a very low false positive rate and a Bitdefender-powered email sandbox. The email sandbox leverages advanced machine learning algorithms, aggressive behavior analysis, anti-evasion techniques, and memory snapshot comparison to detect zero-day threats.

Without an email sandbox, you are likely to be exposed to many malicious messages. With sandbox email protection, you have much better control of the content that reaches user inboxes.

U.S. Federal Agencies Offer Guidance on Combating Phishing

Phishing is the most common way that malicious actors gain access to the networks of their victims. A single response to a phishing email by an employee is all it takes for a threat actor to get the foothold they need in the network to conduct a devastating attack. Once initial access has been gained, threat actors escalate privileges, move laterally, and conduct a range of malicious activities. What starts with a phishing email, often ends up with ransomware being deployed, with vast amounts of sensitive data stolen in between. This month, as part of Cybersecurity Awareness Week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued joint guidance on combatting phishing.

Phishing is a term that covers social engineering techniques used by malicious actors to trick people into revealing sensitive information such as login credentials or installing malware. The federal agencies explained that it is all too common for IT security teams to put the blame on employees for clicking links in emails, opening malicious attachments, and disclosing their credentials, but this blame game doesn’t solve the problem. Organizations need to create, implement, and maintain phishing defenses that account for human error, as it is inevitable and impossible to avoid.

Various tactics, techniques, and procedures (TTPs) are used by cyber actors in these campaigns, and different mitigations are required for each type of attack. Credential phishing attacks are usually conducted via email, so one of the most important defenses in an email security solution. Email security solutions will reduce the volume of spam and phishing emails reaching inboxes. SpamTitan, for example, blocks more than 99.99% of spam and phishing emails. The federal agencies recommend using DMARC, Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) for verifying the sending server of received emails by checking published rules and DMARC, SPF, and DKIM, are all incorporated into SpamTitan.

An email security solution that relies on signature-based detection methods such as anti-virus engines will block all known malware but cannot block novel malware threats that have not yet been identified, and more novel malware variants are now being released than ever before. To improve defenses against malware-based phishing, email security solutions should incorporate machine-learning and AI-based detection, which look for the actions performed by emailed files rather than malware signatures. This is usually implemented through email sandboxing. Emails are sent to a safe and secure isolated environment where they are detonated, and their actions are analyzed for malicious actions.

No email security solution will block all malicious emails without also blocking an unacceptable number of genuine messages, and as the federal agencies point out, email security solutions cannot detect and block phishing attempts via SMS, instant messaging services, and voice phishing. It is therefore important to provide security awareness training to all members of the workforce. The purpose of security awareness training is to reduce susceptibility to phishing attempts by teaching employees about the threat of phishing, providing examples to help them recognize phishing attempts, and conditioning employees to stop and think and report any suspicious emails, SMS messages, and voice calls to their security teams.

Over time, employees will improve and get better at identifying phishing attempts, especially when training is combined with phishing simulations. Phishing simulations are a safe way to give employees practice at putting their training to the test, and these internal campaigns allow security teams to identify individuals who have not taken the training on board, as well as types of phishing emails that are proving effective, both of which can be addressed through further training. Security awareness training using SafeTitan has been shown to reduce susceptibility to phishing attempts by up to 80%; however, training will not totally eliminate employee mistakes. Employees are, after all, humans and not machines.

In addition to email security solutions and training, it is vital to add multi-factor authentication (MFA) to accounts. In the event that a phishing email bypasses technical defenses and fools an employee, MFA should prevent the obtained credentials from being used to access accounts. While any form of MFA is better than none, phishing-resistant MFA is recommended – FIDO or PKI-based MFA.

To increase protection against malware execution, denylists should be used to block malicious domains, URLs, and IP addresses, and rules should be implemented to prevent downloads of common executable files from the internet such as scr, .exe, .pif, .bat, .js, and .cpl files. This is easiest to implement with a web filtering solution such as WebTitan. WebTitan will also block all attempted visits to known malicious websites and can restrict access to only trusted, white-listed domains or URLs, or URLs and domains can be blocked by category.

Further information on improving phishing defenses can be found on the CISA website, and TitanHQ’s friendly sales team will be happy to discuss email security, web security, and security awareness training solutions with you and will help get you set up for a free trial of SpamTitan, WebTitan, and/or SafeTitan. The important thing is not to ignore the threat of phishing and to start taking steps to improve your defenses.

How to Sandbox Email Attachments

Do you know how to sandbox email attachments? If you have yet to start using a sandbox for email, you will be exposed to advanced malware and phishing threats. The good news is it is quick and easy to improve protection with a sandbox, and it requires no advanced techniques or skills, but before presenting an easy email sandboxing solution, we should explain why email sandboxing is now a vital part of email security

Email Sandboxing Detects Advanced and Sophisticated Threats

A hacker writes the code for a new malware variant or generates the code using an AI tool, and then sends that malware via email. A traditional email security solution will not block that malware, as it has not detected it before and it doesn’t have the malware signature in its definition list. The email would most likely be delivered, and the intended recipient could open it and infect their device with malware. From there, the entire network could be compromised and ransomware could be deployed.

How could a new, previously unseen threat be blocked? The answer is email sandboxing. When a file passes initial checks, such as AV scans, the attachment is sent to an email sandbox where its behavior is analyzed. It doesn’t matter if the malware has not been seen before. If the file performs any malicious actions, they will be detected, the threat will be blocked, and if that threat is encountered again, it will be immediately neutralized.

Email sandboxing is now an essential part of email security due to the sheer number of novel malware variants now being released. That includes brand new malware samples, malware with obfuscated code, polymorphic malware, and known malware samples that differ just enough to avoid signature-based detection mechanisms. Without behavioral analysis in a sandbox, these threats will be delivered.

The Easy Way to Sandbox Email Attachments

Setting up an email sandbox need not be complicated and time-consuming. All you need to do is sign up for an advanced cloud-based email security solution such as SpamTitan Email Security. SpamTitan is a 100% cloud-based email security solution that requires no software downloads or complex configurations. Just point your MX record to the SpamTitan Cloud and use your login credentials to access the web-based interface. You can adjust the settings to suit your needs, and the setup process is quick, easy, and intuitive, and generally takes around 20-30 minutes.

The solution is fed threat intelligence from a global network of more than 500 million endpoints, ensuring it is kept up to date and can block all known and emerging threats. You will be immediately protected from known malware and ransomware threats, phishing emails, spam, BEC attacks, and spear phishing, and you will benefit from email sandboxing, where suspicious emails are sent for deep analysis to identify zero-day phishing and malware threats.

The SpamTitan email sandbox is powered by Bitdefender and has purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. If a file is analyzed in the sandbox and found to be malicious, SpamTitan updates Bitdefender’s Global Protective Network, ensuring that the new threat is blocked globally.

Email sandboxing doesn’t need to be complicated. Just use SpamTitan from TitanHQ. SpamTitan is available on a free trial, with customer support provided throughout the 14-day trial to help you get the most out of the solution. We are sure you will love it for the level of protection provided and how easy it is to use.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

TitanHQ’s Email Sandbox Service

Businesses are now targeted by advanced persistent threat actors looking for proprietary data, financially motivated threat actors looking to steal sensitive data and conduct extortion attacks, and hacktivist groups that aim to disrupt business operations.

Many of these attacks see initial access to internal networks and accounts gained via email. Credential phishing and malware phishing attempts serve a similar purpose and allow threat actors to obtain initial access to allow them to achieve their objectives, whether that is to gain persistent access for espionage purposes, to steal data, use ransomware, or wipe devices.

Email techniques such as phishing and spear phishing for credential theft or the use of malspam emails for delivering malware can be sophisticated and difficult for end users to detect. Further, advances in artificial intelligence have led to generative AI solutions that are capable of producing flawless phishing emails and generating novel social engineering techniques to trick users into taking the required actions – following a link, disclosing sensitive data, or downloading and executing malware.

Spam filters and secure email gateways have long protected businesses against these threats, but increasingly sophisticated techniques are now used that can bypass the protections of traditional email security solutions and reach end users. To combat these threats email security solutions have had to adapt. Cutting-edge email security solutions such as SpamTitan Email Security have AI and machine learning capabilities that are capable of detecting advanced and sophisticated attacks, in addition to DMARC, SPK, and DKIM reputation checks, and blacklists of known malicious IP addresses and domains.

One of the biggest threats comes from malware, either attached to emails or downloaded from URLs that are linked in email messages. For many years, antivirus engines have been effective at detecting and blocking malware threats, and while they still provide a degree of protection, AV engines are signature-based. When a new malware sample is detected, a unique signature is detected and added to a malware definition list. When a new file is received, it will be checked against all known signatures. If that signature is detected, the file will be quarantined or deleted.

New malware samples, which are being released at an incredible rate, will not be detected as malicious, as their signature has yet to be created and added to the list. These files will therefore not be detected as malicious and will be delivered to inboxes. To protect against this, advanced email security solutions use email sandboxing.

Email sandboxing involves creating an isolated, protected environment for analyzing suspicious emails. If front-end checks are passed, the email is sent to the sandbox for deep analysis. The sandbox is a protected environment where no harm can be caused, and files can be safely analyzed for malicious behavior.

TitanHQ’s Email Sandbox Service

In response to growing threats, TitanHQ added a next-generation email sandbox to its SpamTitan Email Security solution in 2019 to better protect users against malware, spear-phishing, advanced persistent threats (APTs), and to provide security teams with insights into new threats.

TitanHQ’s email sandbox service incorporates award-winning machine learning and behavioral analysis technologies, allowing security teams to safely detonate suspicious files in a secure environment that mirrors production endpoints. Malicious actors are tricked into thinking their malicious payloads have reached their intended target, and the malicious activities are detected. The sandbox analyzes documents, spreadsheets, application files, and executable files, and can detect malware, including polymorphic malware, and other sophisticated threats that have been developed for use in undetectable targeted attacks.

The TitanHQ email sandbox service leverages purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis, and all results are checked against an extensive array of online repositories. The analysis takes from a few seconds to a few minutes, and if a malicious file is detected, the results will be uploaded to a cloud threat intelligence service and all users will be protected. If that threat is detected on any device globally, it will not need to be sent to the sandbox again and will be instantly neutralized.

SpamTitan email sandbox service greatly increases the detection rate of elusive threats in the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, and ransomware, allows security teams to quickly integrate advanced emulation-based malware analysis, and protects against a rapidly evolving threat landscape.

You can put the SpamTitan email sandbox service to the test today by signing up for a 100% free trial and instantly start protecting your business with sandbox technology.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

How Does a Sandbox Work?

Sandboxing is a security feature that protects against malicious code. Rather than execute potentially unsafe code in a standard environment, it is sent to the sandbox – an isolated environment where no harm can be caused.

How Does a Sandbox Work?

A sandbox is an important cybersecurity tool for protecting host devices, operating systems, and data from being exposed to potential threats. The sandbox is a highly controlled system that is used to analyze untrusted applications, files, or code. The sandbox is isolated from the network and real data, and there are only essential resources that are authorized for use. It is not possible for a sandboxed file to access other parts of the network, resources, or the file system, only those specifically set up for the sandbox.

Sandboxes can have different environments. One of the most common implementations uses virtualization. A virtual machine (VM) is set up specifically to examine suspicious programs and code. Some sandboxes include emulation of operating systems to mimic a standard endpoint. Some malware samples perform checks of their environment before executing malicious routines to make sure they are not in a VM. If a VM is detected, the malware will not execute malicious routes and may self-delete to prevent analysis. By emulating a standard endpoint, these checks can be passed to allow analysis. Some sandboxes have full system emulation, which includes the host machine’s physical hardware as well as its operating system and software. These sandboxes provide deeper visibility into the behavior and impact of a program.

In email security, files, attachments, URLs, and programs are sent to the sandbox to check whether they are benign or malicious. The analyses can take between a few seconds to a few minutes, and if any malicious activity is detected, the file will be either quarantined and made available for further study or it will be deleted. Any other instances of that file will be removed from the email system, and any future encounters will see the file, attachment, URL, or program deleted.

SpamTitan Email Sandboxing

SpamTitan Email Security includes a Bitdefender-powered email sandbox to ensure users are protected against zero-day threats. All emails are subjected to a barrage of checks and tests, including scans using two different antivirus engines. SpamTitan features strong machine learning, static analysis, and behavior detection technologies to ensure that only files that require deep analysis get sent to the sandbox. This is important, as deeper analysis may take several minutes, so verified clean and safe messages will not be unduly delayed.

Files that are sent to the sandbox for deep analysis are executed and monitored for signs of malicious activity, with self-protection mechanisms in place to ensure every evasion attempt by a piece of malware is properly marked. The sandbox has purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. All results are checked across known threats in an extensive array of online repositories. If a malicious file is detected, the sandbox updates the Bitdefender’s cloud threat intelligence service – the Bitdefender Global Protective Network – and the sandbox will never have to analyze that threat again as it will be blocked globally.

If you want to improve protection against zero-day threats, give the TitanHQ team a call to find out more about SpamTitan. SpamTitan is available on a free trial to allow you to test it out in your own environment before making a purchase decision.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

What is Sandbox Security?

What is sandbox security? In an IT sense, sandbox security refers to the use of an isolated environment for testing potentially malicious or unsafe code. The sandbox is an environment that resembles the organization’s real environment. The sandbox is made to look like it is a legitimate rather than a virtual environment; however, the sandbox is totally isolated from other systems and contains no real data.

A sandbox is used for malware analysis, testing potentially unsafe code, or as a guest environment with a tightly controlled set of resources, with no ability to inspect the host system or gain access to the networks, therefore not exposing any threats to real systems or data. For example, if a file needs to be opened and it is unclear whether it contains malicious code, it is opened in a sandbox. Security teams can assess the behavior of the file to determine if it is benign or malicious, and if it is the latter, no harm will be caused.

Sandboxes are commonly used for testing new code to determine whether it is safe and compatible with other systems, without actually putting those systems at risk. The sandbox is used to perform troubleshooting to identify any problematic parts of the code. One of the main benefits of sandbox security is blocking cyberattacks, and sandboxing has become indispensable for email security.

Email Sandboxing

Email sandboxing is the use of a sandbox environment for inbound email, which can be used to protect against phishing and malware threats. When an email is received that contains an attachment or a hyperlink, these can be evaluated in the sandbox before the message is released for delivery to the end user’s inbox. Phishing is one of the most common ways that malicious actors gain initial access to internal networks.  Emails are often sent that contain hyperlinks to URLs that host phishing kits that steal credentials or sites hosting malware. These emails can be sent to a sandbox where the links can be followed, and the content of the URLs assessed. If a file download is triggered, the file can be analyzed to determine its behavior.

The same applies to email attachments. An email attachment such as a Word document or Excel spreadsheet may contain a malicious macro or other malicious code, which could provide a threat actor with remote access to the device and network. By opening the attachment in the sandbox, the behavior of the file can be analyzed safely. If found to be malicious, all other instances of that malware can be removed and if the file is received again, it will be automatically deleted. Security teams can also safely study malware to determine the nature of the threat and learn important information about the adversary and their intentions.

Why Is Email Sandboxing So Important?

Traditional email security solutions are effective at detecting and blocking known malware threats. They use one or more antivirus engines for scanning email attachments for known signatures of viruses and malware. If these signatures are detected, the threat will be blocked. The problem with signature-based detection is the signature must be known. While virus definition lists are updated on a daily or even hourly basis, new malware threats are constantly being released. If a new malware variant is received for which there is no signature, it will not be detected as malicious and will be delivered to an inbox where it can be executed.

Sandbox security plugs this security gap. If an attachment passes AV checks, it is sent to the sandbox for deep analysis of its behavior, allowing zero-day malware threats to be detected and blocked. Cybercriminals do not just use one version of a malware sample, they use many different versions, each differing sufficiently to evade AV checks. Without sandbox security, organizations are at risk of infection with these malware variants.

TitanHQ’s SpamTitan Email Security solution features dual antivirus engines for detecting known malware threats, and a Bitdefender-powered email sandbox for detecting zero day malware and phishing threats and provides security teams with valuable insights into new threats to help them mitigate risks. Give the TitanHQ team a call to find out more about how SpamTitan with sandbox security can improve your security posture. SpamTitan is also available on a free trial to allow you to put the product to the test and see for yourself the difference it makes.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Email Sandboxing is the Key to Blocking More Malware Threats

https://www.spamtitan.com/blog/email-sandboxing-key-blocking-malware-threats/Email security solutions with email sandboxing block more malware threats than traditional spam filters, even novel malware variants that have yet to be identified as malicious. Without this important feature, emails with malicious attachments will likely be delivered to inboxes where they can be opened by employees. All it takes is for one employee to open a malicious file for malware to be installed that gives a threat actor the foothold they need for a comprehensive attack on the network.

What is an Email Sandbox?

In cybersecurity terms, a sandbox is an isolated, virtual machine where potentially unsafe code can be executed in safety, files can be subjected to deep analysis, and URLs can be visited without risk. In the sandbox, the behavior of files, code, and URLs is inspected, and since the sandbox is not networked and there is no access to real data or applications, there is no risk of causing any damage. Email sandboxing is used to identify malicious code and URLs in emails. The email sandbox mirrors standard endpoints to trick malicious actors into thinking that they have reached their intended target. Emails may pass front-end tests that look at the reputation of the sender, email headers, the content of the messages, and subject attachments to signature-based anti-virus tests, but there is no guarantee that the emails are safe without sandbox-based behavioral analysis.

Why is Email Sandboxing Important?

Cyber threat actors have been developing techniques for bypassing standard email security solutions such as embedding malicious URLs in PDF attachments, hiding malicious content in compressed files, using multiple redirects on hyperlinks, and including links to legitimate cloud-based platforms such as SharePoint for distributing malware. Traditional email security solutions can filter out spam and phishing emails, but they often fail to block more sophisticated threats, especially zero-day malware threats. Email sandboxing provides an extra layer of protection against sophisticated threats such as spear-phishing emails, advanced persistent threats (APTs), and novel malware variants.

A few years ago, new malware variants were released at a fairly slow pace; however, threat actors are now using automation and artificial intelligence to generate new malware variants at an alarming rate. Malware samples are used that deviate sufficiently from a known threat to be able to bypass signature-based detection mechanisms, ensuring they reach their intended targets. Rather than just using one version of malware in their email campaigns, dozens of versions are created on a daily basis. While security awareness training will help employees identify and avoid suspicious emails, threat actors have become adept at social engineering and often hoodwink employees.

The SpamTitan Email Sandbox

The SpamTitan email sandbox is a powerful next-generation security feature with award-winning machine-learning and behavioral analysis technologies. Powered by Bitdefender, the SpamTitan sandbox for email allows files to be safely detonated where they can do no harm. Email attachments that pass the barrage of checks performed by SpamTitan are sent to the sandbox for deep analysis. The sandbox is a virtual environment that is configured to appear to be a typical endpoint and incorporates purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis. Files are also subjected to checks across an extensive array of online repositories, with the sandbox checks taking just a few minutes. That ensures that genuine emails are not unduly delayed. If malicious properties are detected in the sandbox, the threat intelligence is passed to Bitdefender’s Global Protective Network (cloud threat intelligence service). If the threat is encountered again, it will be detected and blocked without having to be analyzed again in the sandbox.

The SpamTitan sandbox is used for a wide range of attachments, including office documents to check for malicious URLs, macros, and scripts, and all executable and application files. The sandbox allows SpamTitan to detect polymorphic malware and other threats that have been designed for use in undetectable targeted attacks. If a malicious file is detected, the email is not sent to a spam folder where it could be opened by an end user, it is quarantined in a directory on the local email server which only an administrator can access. Administrators may wish to conduct further investigations to gain insights into how their organization is being targeted.

Threat actors are conducting increasingly sophisticated attacks, so email security solutions need to be deployed that are capable of detecting these advanced threats. With zero-day threats on the rise, now is the ideal time to improve your email defenses with SpamTitan. Why not sign up for a free trial of SpamTitan today to put the solution to the test to see the difference the advanced threat detection capabilities make to your security posture? Product demonstrations can also be requested by contacting TitanHQ, and our friendly sales team will be more than happy to discuss SpamTitan with you and the best deployment options to meet the needs of your business.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Commonly Asked Questions About Email Sandboxing

Commonly asked questions about email sandboxing so you know what to expect from an email security solution with a sandbox, and why this advanced feature is vital for email security.

What is an Email Sandbox?

One of the commonly asked questions about email sandboxing is what is an email sandbox? Like the children’s equivalent, it is a safe space for building, destroying, and experimenting. In cybersecurity terms, it is an isolated environment where harm cannot be caused to anything outside of that environment. An email sandbox is an isolated virtual machine that is used for performing risky actions, such as opening unknown attachments and analyzing files and URLs in depth, rather than using a real machine where there is a risk of harm being caused such as file encryption by ransomware, theft of sensitive information, or wiping of data.

Why is an Email Sandbox Important?

Email is the most common vector used in cyberattacks. Through emails, cyber threat actors can gain initial access to a protected network from where they can steal sensitive data or move laterally for a more comprehensive attack. One of the most common ways of gaining remote access is through malware. Once malware is downloaded, an attacker can remotely perform commands and gain full control of an infected device. While businesses use antivirus software to detect and remove malware, these solutions are signature-based. In order to detect malware, the signature of the malware must be in the definition list used by the anti-virus solution, which means the malware must have previously been encountered. Novel malware variants that have not yet been determined to be malicious will not be identified as such and will therefore be delivered to inboxes where they can be executed by employees. An email sandbox is used to safely detonate suspicious files and inspect their behaviors. The behavioral analysis allows previously unknown malware samples can be identified and blocked. This is important due to the volume of new malware samples that are now being released.

How Does an Email Sandbox Protect Against Malware?

Email security solutions with sandboxing perform the same front-end checks as traditional email security solutions and will identify and block many malicious messages. If the initial checks are passed, and the messages are determined to potentially pose a risk, they will be sent to the sandbox for behavioral analysis. Once inside the safety of the sandbox, the attachments will be opened and subjected to various tests. The sandbox is configured to appear to be a normal endpoint, so any malware will be tricked into running malicious commands as it would if it had reached its intended target. The actions of the file are assessed, and if they are determined to be malicious they will be sent to a quarantine folder. By performing these checks, new malware variants can be identified and blocked before any harm is caused.

Will Sandboxing Delay Message Delivery?

Performing standard checks of messages is a quick process, often causing imperceptible delays in mail delivery. Performing in-depth analysis takes longer, so there will be a delay in message delivery. Many emails will not need to be sent to the sandbox and will be delivered immediately, but if sandboxing is required, there will be a delay while the behaviors of the email and attachments are analyzed. Some malware has built-in anti-analysis capabilities and will delay any malicious processes to combat sandboxing. Time is therefore required to ensure full analysis. With SpamTitan, the delay will be no longer than 20 minutes.

How Can I Avoid Message Delivery Delays?

SpamTitan incorporates artificial intelligence and machine learning capabilities which minimize the number of emails that are sent to the sandbox, and SpamTitan will check every 15 seconds to ensure that emails are delivered as soon as the sandbox analysis is complete. SpamTitan’s sandbox is part of Bitdefender’s Global Protective Network, which ensures rapid checks of suspicious messages. To avoid delays, certain email addresses and domains can be added to a whitelist, which means they will not be sent to the sandbox for analysis, ensuring rapid delivery.

What are the Benefits of Email Sandboxing?

The sandbox provides an important extra layer of protection against malware threats and malicious links. It will detect advanced attacks early and prevent breaches, reduce incident response costs and efforts, reduce the threat-hunting burden, and increase the detection rate of elusive threats in the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, ransomware.

How Does the SpamTitan Sandbox Work?

SpamTitan will subject all inbound emails to a battery of front-end tests, and if these are passed but the email is still suspicious, the message and attachment will be sent to the sandbox and the user will be informed that the message is in the sandbox for review. The email and attachments will then be opened in an isolated cloud platform or a secure customer virtual environment. If malware is detected, the email is blocked and assigned ATP.Sandbox and will be listed under “Viruses” in the relevant quarantine report and the intelligence gathered will be used to protect all users from that threat in the future. After twenty minutes of interrogation, if no malicious actions are identified, the file is marked clean and the email is passed onto the recipient.

How Can I Find Out More About Email Security and Sandboxing?

If you have unacceptable numbers of spam and malicious messages being delivered to inboxes, are receiving large numbers of queries about suspicious emails from your employees, or if you have experienced a malware infection via email recently, you should speak with TitanHQ about improving email security with SpamTitan.

SpamTitan has artificial intelligence and machine learning capabilities, a next-gen email sandbox, and a 99.99% detection rate with a very low false positive rate. Further, SpamTitan is very competitively priced, easy to use, and requires little maintenance. The solution is also available on a 100% free trial, with full product support provided for the duration of the trial.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

DarkGate Malware Infections Increase via Microsoft Teams Phishing and Malvertising Campaigns

Infections with DarkGate malware have been increasing in recent weeks. DarkGate malware was first identified in 2017 but was only used in limited attacks as the developer chose to use the malware privately against highly specific targets; however, over the summer the malware started being advertised on Russian-language cybercriminal forums and the developer has recruited a limited number of affiliates under the malware-as-a-service model. Reportedly, the developer offered the malware for sale to 10 people for an annual cost of $100,000.

DarkGate malware is written in Delphi and primarily serves as a malware loader, capable of downloading and executing other malware payloads. Typically, the malware payloads are executed in the memory which makes them hard to detect, since no files are written to the disk. The malware can also steal browser histories and Discord tokens and has a Windows Defender exclusion, reverse shell, hidden VNC, and keylogging capabilities.

The malware uses a variety of mechanisms to evade detection, including conducting checks for identifiers used by virtual machines, sandboxes, and anti-virus solutions and will alter its behavior based on the results of the checks, and has persistence mechanisms to ensure it is reloaded on reboot.

The advertising campaign appears to have been successful as distribution of the malware has increased significantly through spamming and phishing campaigns. One of those phishing campaigns uses compromised Office 365 accounts to send phishing messages that deliver DarkGate malware via Microsoft Teams messages.

Researchers at TrueSec identified messages that tricked recipients into clicking a link in the message that directs the or a SharePoint-hosted file called “Changes to the vacation schedule.zip” with the message advising employees that due to circumstances out of the company’s control, vacation time for certain employees has been canceled. The Zip file contains a malicious LNK file which masquerades as a PDF file with the same name as the zip file. Clicking the file will launch a VBScript file that will ultimately lead to the downloading and execution of DarkGate malware. Microsoft has security features to block attacks such as this – Safe Attachments and Safe Links – but neither of these features identified the file or link as malicious.

Other distribution campaigns have been detected in recent months, including a malvertising campaign that uses Google Ads to direct web users to a malicious site where the malware is hosted. The web page used in this campaign offered a legitimate network scanning tool, and while that tool was provided, extra files were bundled with the installation file that executed DarkGate malware.

Businesses are encouraged to defend against attacks through a defense-in-depth approach, involving multiple layers of protection such as an advanced AI-driven spam filtering solution, web filter, and endpoint protection software. Web filters will protect against malvertising campaigns, redirects to malicious websites, and malicious file downloads from the web. The increases in the use of SMS, Teams, and instant messaging services for distributing malicious links means these methods of link distribution should be incorporated into your security awareness training programs.

If you are interested in improving email security, web security, and security awareness training, contact TitanHQ today for more information on SpamTitan, WebTitan, and SafeTitan.

TitanHQ Announces New Partnership with India’s Leading Managed Service Provider

TitanHQ has recently announced a new partnership with one of India’s leading managed service providers, Tata Tele Business Services (TTBS). TTBS is the leading provider of business connectivity and communications solutions in India and has the largest portfolio of ICT services for businesses in the country.

Like many countries, India is facing a major increase in cybercrime. 78% of Indian organizations experienced a ransomware attack in 2021, web-based attacks have jumped sharply, and a 2022 Group-IB study placed India third globally for phishing attacks in 2021 with more attacks than any other country in the Asia-Pacific region. Indian businesses need to ensure that they have the necessary defenses in place to combat increasingly sophisticated cyberattacks, especially attacks that target employees.

Businesses often turn to their managed service providers for cybersecurity and seek solutions that can protect them against malware and phishing. TTBS provides cybersecurity solutions to SMBs and its cybersecurity packages have now been improved with the addition of SpamTitan email security and the WebTitan DNS-based web filter. Both solutions are 100% cloud-based, easy for MSPs to add to their service stacks, and easy to manage.

TTBS provides advanced email security with phishing protection through the Tata Tele Email Security Plus Program, which delivers advanced threat protection for email through TitanHQ’s AI-driven SpamTitan anti-phishing solution. Protection against Internet-based threats is provided through the Tata Tele Smart Internet Program, which includes web filtering provided by WebTitan. WebTitan is fed threat intelligence from a network of 650 million endpoints, ensuring malicious websites are blocked before threats are encountered.

“We are delighted to partner TitanHQ to offer Tata Tele Email Security- an advanced email security solution that is in line with Zero Trust security agenda of enterprises,” said Vishal Rally, Sr. VP & Head – Product, Marketing and Commercial, Tata Teleservices Ltd. “As a leading technology enabler TTBS is committed to simplifying and democratizing email security for businesses of any size. This partnership will ensure the protection of enterprise sensitive data efficiently and cost effectively”.

“We are excited to partner with Tata Teleservices to offer their growing customer base our advanced threat protection layer for email and web security,” said TitanHQ CEO, Ronan Kavanagh. “Over several years Tata Teleservices has excelled in the areas of customer service and security, our partnership further cements this commitment”.

If you are an MSP that has yet to start offering cybersecurity packages to your clients, or if you are keen to improve protection through AI-driven cybersecurity solutions, give the TitanHQ channel team a call to find out more about how TitanHQ can help you better protect your clients and improve your profits.

Email Sandboxing and Message Delivery Delays

Email sandboxing is important for security, as it will block threats that traditional email filters fail to detect. While sandboxing is now considered to be an essential element of email security, one disadvantage is that it will delay the delivery of emails. In this post, we will explain why that is and how email delivery delays can be minimized or avoided altogether.

What Does Queued for Sandbox Mean?

If you use SpamTitan or another email security solution with email sandboxing, you may see the message “email queued for sandbox” from time to time. The queued for sandbox meaning is the message has been determined to warrant further inspection and it has been sent to the sandbox for deeper analysis. This is most likely because the email includes an attachment that is determined to be risky, even though it has passed the initial antivirus scans.

While email sandboxing is important for security, there is a downside, and that is processing messages in a sandbox and conducting behavioral inspection takes a little time. That means there will be a delay in delivering messages that have been sandboxed while behavioral checks are performed. Messages will only be delivered once all sandbox checks have been passed. If a large volume of suspicious emails are received at the same time, messages will be queued for analysis, hence the queued for sandbox message being displayed.

Sandbox Delays for Inbound Emails

The processing of messages in a sandbox can take a little time. Cyber threat actors do not want their malware and malicious code analyzed in a sandbox, as it will allow their malware to be identified. Further, once a malware sample has been identified, details will be shared with all other users of that security solution, which means no user will have that malicious file delivered to their inbox. SpamTitan’s email sandbox is powered by Bitdefender, so all members of the Bitdefender network who subscribe to its feeds will also be protected.

Many malware samples now have anti-sandbox technologies to prevent this. When the malware is dropped on a device it will analyze the environment it is in before launching any malicious actions. If it senses it is in a sandbox it will terminate and may attempt to self-delete to prevent analysis. One technique often seen is delaying any malicious processes for a set time after the payload is delivered. Many sandboxes will only analyze files for a short period, and the delay may be sufficient to trick the sandbox into releasing the file. It is therefore necessary to give the sandbox sufficient time for a full analysis.

Are Your Sandbox Delays Too Long?

Conducting analyses of emails in a sandbox is resource-intensive and can take several minutes and there may be delays to email delivery that are too long for some businesses. There are ways to avoid this, which we will discuss next, but it may be due to the email security solution you are using. The SpamTitan email sandbox is part of Bitdefender’s Global Protective Network, which was chosen not only for cutting-edge threat detection but also the speed of analysis. If you are experiencing long delays receiving emails, you should take advantage of the free trial of SpamTitan to see the difference the solution makes to the speed of email delivery for emails that require sandbox analysis.

How the SpamTitan Sandbox for Email Minimizes Delays

SpamTitan does not send all messages to the sandbox to avoid unnecessary email delays. If a message is suspicious and the decision is taken to send it to the sandbox for analysis, SpamTitan will check to see if the analysis has been completed every 15 seconds to ensure it is released in the shortest possible time frame. Employees will be aware that they have received a message that has been sent to the sandbox as the message delivery status is displayed in their history. Provided all sandbox checks are passed, the email will be delivered. This process will take no longer than 20 minutes. If a file is determined to be legitimate, details are retained by SpamTitan so if the attachment or message is encountered again, it will not be subjected to further analysis in the sandbox.

How to Avoid Sandbox Delays to Message Delivery

There are ways to avoid messages being placed in the queue for sandbox inspection. While it is not always advisable for security reasons, it is possible to whitelist specific email addresses and domains. This will ensure that emails from important clients that need a rapid response will be delivered without delay and will not be sent to the sandbox. The problem with this approach is that if a whitelisted email address or a domain is compromised and used to send malicious messages, they will be delivered.

What Happens if a Message is Misclassified as Malicious?

False positives do occur with spam and phishing emails as email filtering is not an exact science. While this is rare with SpamTitan, any misclassified emails will not be deleted as they will be sent to a quarantine folder. That folder can be configured to be accessible only by an administrator. The administrator can then check the validity of the quarantined messages and release any false positives. Since SpamTitan has artificial intelligence and machine learning capabilities, it will learn from any false positives, thus reducing the false positive rate in the future.

Talk with TitanHQ About Improving Email Security

If you are not currently using an email security solution with sandboxing or if your current email security solution is not AI-driven, contact TitanHQ to find out more about how SpamTitan can improve protection against sophisticated email threats. SpamTitan is available on a free trial to allow you to put the product to the test before deciding on a purchase, and product demonstrations can be arranged on request. If you proceed with a purchase, you will also benefit from TitanHQ’s industry-leading customer service. If you ever have a problem or a query, help is rapidly at hand.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

How Does an Email Sandbox Block Malware?

You may have heard that email sandboxing is an important security feature, but how does an email sandbox block malware and why is this security feature necessary? In this post, we explain what an email sandbox is, why it is now an important element of email security, and how email sandboxes work.

An email sandbox is a secure and isolated environment where emails and their attachments are subjected to behavioral analysis. In the sandbox, malicious files and code can be safely detonated where no harm can be caused. Say an email is received that contains malicious code that is used to drop and execute ransomware on a device. Executing that code on a standard machine would initiate the process that ends with file encryption. Execute that code in an email sandbox and the malicious behavior would be detected and no harm would be caused. The email and code will then be eradicated from the email system, and the threat intelligence gathered will be sent to a global network to ensure that if the email or code is encountered again it will be immediately blocked.

Many Email Security Solutions Fail to Detect the Most Serious Threats

Traditional email security solutions perform many tests on emails to determine the likelihood of them being spam or malicious. DMARC and SPF are used to check the legitimacy of the sender, checks are performed on the reputation of an IP address/domain, and the subject, title, and body of a message are analyzed for signs of phishing and spam. Email attachments are also subject to anti-virus checks, which will identify and block all known malware variants. The result? Filtered emails contain no known spam, no known malicious hyperlinks, and no known malware.

The problem with traditional email security solutions is they are unable to detect unknown spam, phishing attempts, and malware. If a threat actor uses a previously unseen phishing email, which includes either a link to a fresh URL or a site with a good reputation, that email will most likely be delivered. If a new malware variant is sent via email, its signature will not be present in any virus or malware definition list and will similarly be delivered to an end user’s inbox. Threat intelligence is shared with email security solutions and they are constantly updated as new threats are found but there is a lag, during which time these threats will be delivered to inboxes. That is why an email sandbox is needed.

How an Email Sandbox Works

Antivirus scans will block the majority of malware, but not novel (zero-day) malware threats. When an email security solution has email sandboxing, the same checks are initially performed, and if they are passed, emails are sent to the sandbox for further analysis. The email sandbox is an isolated environment on a virtual machine that is configured to look like a genuine endpoint. As far as the threat actor is concerned, their email will have reached their intended target and the file should execute as it would on a standard machine.

In the sandbox, emails and attachments are opened and links are followed and behavior is analyzed in detail to determine if any malicious or suspicious actions occur such as a command-and-control center callbacks, attempted file encryption, or scans for running processes. If a Word document is opened that contains no hyperlinks, no macros, and no malicious scripts, and nothing suspicious occurs in the time it is present in the sandbox, the file will be determined as benign and the email will then be delivered to the intended recipient. If any malicious actions are detected, the file will be sent to a local quarantine directory where it can only be accessed by the administrator. The intelligence gathered will be sent to the global network and all users will be protected almost instantly. All copies of that message and the attachment will also be removed from the entire mail system.

Email Sandboxing and AI-Driven Threat Detection are Now Vital

Email sandboxing is now vital for email security as new malware variants are being released at an incredible rate and signature-based detection methods cannot detect new malware threats. In addition to email sandboxing, artificial intelligence must be leveraged to look for novel phishing messages, as phishing attempts are also increasing in sophistication. These AI-based checks look for messages that deviate from the typical messages received by a company, and greatly reduce the volume of spam and phishing emails that reach inboxes.

The threat landscape is constantly changing so advanced email defenses are now essential. If you are still using an email security solution without email sandboxing and AI-driven threat detection, your company is at risk. Speak to the team at TitanHQ to find out more about SpamTitan and how the award-winning email security solution can enhance your company’s security posture.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Email Sandboxing, Pattern Filtering, and Other Much-Loved SpamTitan Features

SpamTitan is a next-generation anti-spam, anti-phishing, and anti-malware solution for businesses that incorporates AI-based threat detection, email sandboxing, and many other advanced email security features. Some of the most important and best-loved features of SpamTitan are explained below:

Email Sandboxing in SpamTitan

Email sandboxing is a vital element of email security, yet many email security solutions lack this feature. An email sandbox is a secure, virtual machine where links can be followed and attachments opened where they cannot cause any harm. A malicious link that leads to an automatic malware download can be followed in safety, and even the nastiest piece of malware can be executed without risk as the sandbox is isolated, not connected to any network, and contains no real data.

The sandbox is configured to appear to be a genuine endpoint in order to trick malicious actors into thinking malware has reached its intended target. When a file is opened in the sandbox it is subject to deep analysis, and any malicious or suspicious actions are detected. Emails are subject to a battery of front-end checks, including scans using two anti-virus engines, and any emails that pass these checks but are determined to potentially pose a risk are sent to the sandbox for behavioral analysis. That includes emails along with any attached documents, spreadsheets, and executable files.

Sandboxing for email is important because of the speed at which novel malware samples are used in attacks. Rather than just use one version of a keylogger in a campaign, a threat actor will use dozens of versions of that keylogger, each differing slightly to evade signature-based detection mechanisms. AI and automation are used by threat actors to churn out new malware variants rapidly, and signature-based detection alone is no longer good enough. With sandboxing, email protection is greatly improved against these zero-day threats which would otherwise be delivered to end users’ inboxes.

Pattern Filtering in SpamTitan

One of the most loved features of SpamTitan is Pattern Filtering. It saves IT security teams a considerable amount of their precious time by ensuring spammy and phishy emails are not delivered. The Pattern Filtering feature allows administrators to use their own terminology to block inbound emails. Simply set a word or phrase through Pattern Filtering, and SpamTitan will search the subject line and message body and can be configured to generate a warning or quarantine the email if the word or phrase is found.

An example of where this can be useful is combating the Nigerian scam/419 fraud, a type of advanced fee fraud. The 419 comes from Section 419 of the Nigerian Criminal Code which prohibits this kind of scam. While the scam is common with Nigerian cybercriminals, cybercriminal groups in many different countries also conduct this type of scam. While the themes of the emails vary, they all have the same aim. An example would be a prominent person who has substantial funds in their account has been unable to transfer the funds out of the country due to unfair restrictions. They offer to transfer these funds to the user’s account to get the money out of the country in exchange for a percentage of those funds as payment, which may be as high as 20%, which is a life-changing amount of money. The catch? In order to proceed, charges need to be covered and they must be paid in advance. The Pattern Filtering option can be used to block these emails by incorporating phrases commonly used in these emails.

Geo-Filtering in SpamTitan

SpamTitan also incorporates geo-filtering, which allows users to block emails from specific countries. If you never do business with countries in Africa, for example, you can simply block all emails coming from African IP addresses with a few clicks of a mouse, rather than manually blocking IP addresses from which you get a lot of spam emails. This feature saves IT teams a considerable amount of time. One user who has benefited greatly from this feature is Benjamin Jeffrey, IT manager at M&M Golf Cars. His company was receiving many requests from countries that the company does not do business with and was getting flooded with spam emails from a specific IP subnet in a country. He configured the geo-filtering and instantly blocked all those messages. When he checked 6 months after configuring that feature, around 12,000 emails had been blocked. Geo-blocking is also useful for blocking malware quickly. Malware distribution campaigns are often launched from a handful of countries, and geo-filtering can be used to block those messages with ease.

AI and Machine Learning in SpamTitan

SpamTitan has AI and machine learning capabilities to improve the detection of spam and phishing emails. These technologies learn about the emails that are typically received by a company and create a baseline against which new emails can be measured. When emails deviate from the norms, they are flagged as risky and are subjected to more stringent security checks or are quarantined for manual inspection. These technologies greatly improve spam and phishing email catch rates and allow SpamTitan to improve day-by-day. These technologies are a vital defense against zero-day phishing threats – new threats that have not been encountered on the 500+ million endpoints from which threat intelligence is gathered.

Find out More About SpamTitan

These are just some of the most loved and most beneficial features of SpamTitan. In addition to having a high catch-rate and low false positive rate, SpamTitan is one of the most affordable email security solutions on the market, it’s quick and easy to set up, and requires little maintenance. The features, price, and ease of use are why it is loved by thousands of small- and medium-sized businesses, enterprises, and managed service providers. To find out more, give the TitanHQ team a call. The product is available on a 100% free trial if you want to put it to the test, and product demonstrations can be arranged on request.

Additional Articles Related to Email Sandboxing

Email Sandboxing

Email Sandboxing Service

Sandboxing Blocking Malware Threats

Email Sandboxing Pattern Filtering

How does an email sandbox block malware?

Email Sandboxing and Message Delivery Delays

Commonly Asked Questions about Email Sandboxing

What is sandbox security?

How does a sandbox work?

How to sandbox email attachments

What is message sandboxing?

What is malware sandboxing for email?

What is sandboxing in cybersecurity?

What are the advantages and disadvantages of email sandboxing?

Sandboxing Technology for Email

What is a malicious file sandbox for email?

Phishing-as-a-Service Platforms Used to Bypass Multi-Factor Authentication Controls

Phishing attacks are often conducted to obtain credentials in order to gain initial access to business networks; however, many businesses have implemented multi-factor authentication which prevents stolen credentials from being used to access accounts. With multi-factor authentication implemented, credentials alone are not sufficient as access will only be granted if one or more additional authentication mechanisms are navigated. Multifactor authentication can significantly improve protection against phishing attacks, but it does not guarantee protection against unauthorized account access, and multi-factor authentication bypass attacks are increasing.

To bypass multifactor authentication, threat actors typically use adversary-in-the-middle (AitM) techniques using a phishing-as-a-service (PhaaS) platform. PhaaS platforms such as EvilGinx, Muraena, and Modlishka use reverse proxy servers to steal session cookies that allow multi-factor authentication to be bypassed. In these attacks, the user is directed to the phishing site hosting the phishing kit and when they enter their credentials the site proxies them to the actual website that is targeted in real time. The website returns the MFA screen, which is proxied to the user, and when the user enters the additional authentication, it is proxied to the actual website. The MFA is successfully completed and a session cookie is returned, which is used by the attacker to access the targeted account as the genuine user. The phishing site redirects the user to another page, unaware that their account has been compromised. The attacker will be able to access the account for as long as the session cookie is active.

An alternative method of bypassing MFA is to use synchronous relay servers. This method is used by the Storm-1295 threat group, which provides the Greatness PhaaS platform. This PhaaS platform presents the user with a copy of the sign-in page for the website, similar to standard phishing attacks that only steal credentials. This method uses a phishing kit server that dynamically loads the phishing page and MFA request page and communicates with the PhaaS platform relay server through an API. The PhaaS platform provides a synchronous relay server to relay captured credentials and MFA codes to the sign-in service but does not proxy network traffic.

According to Microsoft, there has been a marked increase in AitM attacks this year which are being conducted through already established MFA-bypassing PhaaS platforms and there has also been an increase in phishing services incorporating AitM capabilities. Businesses need to ensure that they are properly protected against these phishing attacks. The first line of defense is still a spam filter, which will block the majority of phishing emails to ensure they do not land in inboxes where they can be clicked. SpamTitan Plus provides the best protection against phishing attacks. SpamTitan Plus has 100% coverage of ALL current market-leading anti-phishing feeds, which ensures 1.6x faster detection of phishing than all current market leaders.

End-user training is also important for improving resilience against phishing attacks. By providing ongoing training and phishing simulations, employees will learn how to recognize and avoid phishing attempts that are able to circumvent spam filters. SafeTitan is a comprehensive security awareness training and phishing simulation platform that user data shows can improve resilience to phishing by up to 80%.

The increase in the use of MFA-bypassing PhaaS platforms means businesses can no longer rely on standard MFA controls to protect their accounts. While any form of MFA is better than none, businesses should transition to the most secure MFA methods that are resistant to these phishing attacks, such as FIDO2 security keys and certificate-based authentication.

Sophisticated Ransomware Campaign Uses Business Email Compromise Tactics

Companies in Spain are being targeted by a ransomware group that uses phishing emails to distribute LockBit Locker ransomware. According to a recent warning issued by the Central Cybercrime Unit of the Policía Nacional, the campaign has a very high level of sophistication and has so far targeted architecture companies; however, the campaign may be expanded to target other sectors.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct ransomware attacks in exchange for a cut of any ransoms they generate. LockBit is one of the most active ransomware groups and was the most deployed ransomware variant in 2022. The LockBit Locker group conducting this campaign claims to be affiliated with the notorious LockBit group; however, those claims have yet to be verified. What is known is that this is a highly capable group that conducts sophisticated attacks targeting specific industry sectors. The lures and communications used in these attacks are very difficult to distinguish from genuine communications from legitimate companies.

The group appears to have adopted tactics used by business email compromise (BEC) threat actors who build trust with the victim over several emails. An initial communication is sent to a company and the threat actor then engages in conversations over several emails to make it appear that the firm is engaging with a legitimate company that is seeking their services.

The Policía Nacional described one of the attacks, which saw the initial email sent from the non-existent domain, fotoprix.eu. The threat actor claimed to be a photography company looking for a quote from architecture firms for a renovation of their premises. The targeted company responded to the initial email, then the threat actor exchanged several more messages before proposing a date to hold a meeting to finalize the budget. As a prerequisite, documents were sent via email that contained specifications for the proposed renovation to allow the architecture form to provide an accurate quote. The archive file attached to the email contained a shortcut file that executes a malicious Python script, which establishes persistence and executes the LockBit Locker payload to encrypt files. A ransom demand is then dropped on the encrypted device, payment of which is required to recover files.

Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) which is why it is so important to provide ongoing security awareness training to the workforce. This campaign is especially concerning because of the effort the threat actor is putting into the impersonation of a potential customer. Ransomware groups often copy each other’s tactics, and if this campaign proves to be successful, the same TTPs are likely to be used by other groups.

It is therefore recommended to incorporate these TTPs into your security awareness training and make sure that employees are made aware of this new method of attack. Companies that use TitanHQ’s SpamTitan solution can easily provide training to the workforce on specific tactics through short training modules and incorporate new tactics in their phishing simulations. Phishing simulations can be quickly and easily spun up through the platform in response to changing TTPs and administrators will be able to get instant feedback on the likelihood of employees falling for a campaign. A phishing simulation failure will immediately trigger a training module specific to the threat, ensuring employees are provided with the additional training they need to avoid similar threats in the future.

Call TitanHQ today for more information on the SafeTitan security awareness training and phishing simulation platform and find out how it can significantly improve your company’s security posture.

Chinese Hackers Compromising Patched Barracuda Email Security Appliances

The Federal Bureau of Investigation (FBI) has issued a warning that Chinese hackers are continuing to gain access to Barracuda email security appliances, even those that have been patched against a recently disclosed zero day vulnerability, and has urged organizations to immediately remove the appliances.

The vulnerability, tracked as CVE-2023-2868, affects Barracuda Network’s Email Security Gateway (ESG) appliances and occurs when the appliance screens email attachments. The vulnerability is a remote command injection vulnerability that allows the unauthorized execution of system commands with administrator privileges on the ESG appliance. Barracuda issued a patch to fix the flaw on May 20, 2023, after identifying hacks on May 19.

The vulnerability can be exploited via maliciously formatted TAR file attachments that are sent to an email address affiliated with a domain that has an ESG appliance connected to it. When the attachments are scanned it results in a command injection into the ESG, and system commands are executed with the privileges of the ESG. No user interaction is required to exploit the vulnerability.

According to the FBI, Chinese hackers have been exploiting the vulnerability since October 2022 as part of a state-run cyberespionage operation and have compromised hundreds of appliances. Mandiant assisted with investigating the hacks and said this is the broadest cyber espionage campaign conducted by Chinese state-sponsored hackers since the mass exploitation of a Microsoft Exchange vulnerability in 2021.

In a Flash Alert issued on Wednesday, the FBI recommended all affected devices be immediately replaced. “The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately,” and said the patches released by Barracuda to address the flaw were ineffective.

The advice follows that of Barracuda, which said in June that all hacked Email Security Gateway appliances should be immediately replaced, regardless of whether patches had been applied. Even after the patches had been applied, continued malicious activity was observed on the previously compromised devices. A new form of malware, dubbed Submarine, was deployed on compromised appliances, which resides in a structured query language (SQL) database on the appliance and is a backdoor that provides persistent access.

Vulnerabilities can exist in any software solution, even those that are meant to provide protection. This is why it is important to have multiple layers of protection. If one layer fails, others are there to detect and block threats. Many threats start with a malicious email, which is why email security is so important. Having SpamTitan Plus in place will provide a high degree of protection and will stop malware from reaching its intended recipient. SpamTitan Plus is a leading-edge, AI-driven anti-phishing and anti-malware solution with the newest “zero-day” threat protection and intelligence. The solution includes 100% coverage of all current market-leading anti-phishing feeds and provides 1.6x faster detection of threats than the current market leaders. SpamTitan Plus provides unrivaled protection against malicious links in emails and includes signature-based malware detection and behavioral detection through sandboxing. For more information on SpamTitan Plus, give the TiotanHQ team a call.

Simple, Yet Effective Phishing Campaign Targets Zimbra Collaboration Credentials

Phishing campaigns do not need to be especially sophisticated to be effective, as a recently identified campaign that targets Zimbra Collaboration credentials clearly demonstrates. Zimbra Collaboration, previously known as Zimbra Collaboration Suite, is a software suite that includes an email server and web client. Zimbra Collaboration email servers are targeted by a range of different threat actors, including state-sponsored hackers and cybercriminals for espionage, conducting phishing attacks, and gaining a foothold that can be used for a more extensive compromise of an organization.

This global campaign targets users’ credentials and does not appear to be targeted on any specific sector and the threat actor behind the campaign and their motives are not known. The highest number of attacks have occurred in Poland, Ecuador, and Italy. Like many phishing campaigns, the emails warn users about a security update, security issue, or pending account deactivation, and the emails appear to have been sent from an email server administrator.

The emails include an HTML attachment, which is opened as a locally hosted page in the user’s browser. The HTML file displays a Zimbra login prompt that is tailored for each organization and includes their logo and name, and the targeted user’s username is prefilled. If the user enters their password, the credentials are transmitted to the attacker’s server via an HTTPS POST request.

The campaign was identified by security researchers at ESET, who observed waves of phishing emails being sent from companies that had previously been targeted, which suggests that some of the attacks have allowed the threat actor to compromise administrator credentials and set up new mailboxes to target other organizations.

Despite the simplicity of the campaign, it has proven to be very effective, even though the login prompt in the HTTP file differs considerably from the genuine Zimbra login prompt, and the page is opened locally, which suggests a lack of security awareness training due to the failure to identify the red flags in the emails. The emails are also likely to have a low detection rate by email security solutions, as the only malicious element is a single link to a malicious host, which is within the HTML file rather than the email body,

Phishing remains one of the most effective ways for hackers to gain initial access to networks. Combatting phishing attacks requires a combination of measures. A spam filter such as SpamTitan should be used to block the emails and prevent them from reaching their intended targets. SpamTitan incorporates signature-based and behavioral detection mechanisms for identifying malware, link scanning, and reputational checks to ensure a high catch rate and low false positive rate.

No spam filtering solution will be able to block all malicious emails without also having an unacceptably high false positive rate, so it is important to also provide regular security awareness training to employees to teach them how to recognize and avoid malicious emails. Security awareness training should also incorporate phishing simulations to give employees practice at identifying threats. If a threat is not detected, it can be turned into a training opportunity. TitanHQ’s security awareness training platform – SafeTitan – delivers instant training in response to a failed phishing simulation, and also delivers training in response to other security mistakes, ensuring training is provided when it has the greatest impact. Training data shows that SafeTitan reduces employee susceptibility to phishing attacks by up to 80%, and combined with SpamTitan email security, ensures that businesses are well protected from phishing attacks and other cyber threats.

SpamTitan and SafeTitan, like all TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

New Backdoor Malware Variants Deployed on Barracuda ESG Appliances

A zero-day vulnerability in Barracuda email security gateway (ESG) appliances was exploited to deliver three malware variants onto the devices. These previously unknown malware variants have been dubbed SeaSide, Saltwater, and Seaspy, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently reporting that an additional malware backdoor dubbed Submarine was also deployed. In the attacks.

Initially, Saltwater malware – a trojanized Barracuda SMTP daemon – was used and allowed the threat actor to perform several actions such as steal files, run shell commands remotely, and proxy traffic to evade intrusion detection systems. SeaSpy malware was deployed to provide persistence and monitor SMTP traffic, and SeaSide malware was used to establish reverse shells and connect with the attacker’s command-and-control server, which allowed remote code execution via SMTP HELO/EHLO messages and provided the attacker with complete control of the appliances, allowing additional malware payloads to be delivered.

According to CISA, “SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”

The zero-day vulnerability in the Barracuda ESG is tracked as CVE-2023-2868 and is a remote command injection vulnerability, a patch for which has now been released. The vulnerability could be exploited remotely by a threat actor with a malicious email message – an email with a specially crafted .tar file attachment that masqueraded as a harmless .jpeg or .dat file. The attachment was used to exploit the vulnerability and gain access to ESG appliances.

The exploits of the vulnerability have been linked with a pro-China hacking group tracked as UNC4841, which was discovered to have conducted a series of attacks in May, although CISA reports that the threat actor may have been exploiting the vulnerability undetected since as early as October 2022 to gain access to ESG appliances and steal data.

With access to ESG appliances, the threat actor was free to remotely execute code for months. The ESG appliances are used across the public and private sectors, including government organizations, so the compromising of the appliances since October 2022 is of particular concern, as the threat actor may have been able to steal sensitive data for several months undetected. Many large companies also use Barracuda’s ESG appliances including Delta Airlines, Kraft Heinz, Samsung, and Mitsubishi, all of which were affected.

While the vulnerability has been patched, UNC4841 has proven to be very persistent, switching its persistence mechanisms when the attacks were detected. Indicators of Compromise and MD5 hashes were issued by Barracuda to help clients determine if their ESG devices had been compromised and Barracuda even offered its customers a new appliance, regardless of their patch status.

These attacks involved the discovery and exploitation of a previously unknown vulnerability in the ESG appliances and were the work of highly skilled hackers, although, like many attacks, the vulnerability was exploited via a malicious email. An extra layer of protection can be provided by SpamTitan Plus, which specifically combats phishing emails and incorporates signature-based and AI-based behavioral detection mechanisms to improve protection against zero-day threats, including novel malware variants.  Using SpamTitan Plus in addition to other security solutions will greatly improve the probability of detecting and blocking malicious emails and zero-day threats. These attacks demonstrate why it is important to have multiple layers of security, and not to rely on a single cybersecurity solution.

LokiBot Malware Distributed Email Campaign Exploiting Known Vulnerabilities

Cybercriminals are exploiting unpatched remote code execution vulnerabilities to distribute an information-stealing malware called LokiBot. LokiBot, also known as LokiPWS, primarily targets Windows systems and collects sensitive information from infected devices including usernames and passwords. The malware can also log keystrokes, capture screenshots, steal information from web browsers, and empty cryptocurrency wallets. LokiBot was discovered in 2016 and has been active since at least 2015, and is primarily spread via email, most commonly through malicious email attachments.

One of the latest campaigns exploits the Microsoft Office vulnerability, CVE-2021-40444, and the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability, CVE-2022-30190, to embed malicious macros in Office documents that deliver LokiBot. The campaign was detected by security researchers at FortiGuard Labs in May 2023, and the campaign is still active.

The infection process is different depending on which vulnerability is exploited. The Word document that exploits the CVE-2021-40444 vulnerability includes a GoFile link embedded in an XML file, which will download an HTML file that exploits the CVE-2022-30190 vulnerability, which will deliver a Visual Basic payload that delivers LokiBot. Alternatively, a Word file is used that contains a VBA macro that drops an INF file, through which a connection will be made to the command-and-control server and LokiBot will be loaded.

LokiBot may be an old malware variant, but it is regularly updated, and the methods used to distribute the malware regularly change. This campaign takes advantage of businesses that are slow to implement patches. Ensuring patches for known vulnerabilities or workarounds are implemented quickly is vital. Email anti-spam services will also protect against attacks such as these. It is important to use an email security solution that does not rely on signature-based detection methods. Malware variants are constantly updated and changed to evade signature-based detection methods, so AI-based solutions should be used that can detect novel malware variants by their behavior.

SpamTitan includes both detection methods and will scan for known malware variants and subject attachments to in-depth analysis in a sandbox to identify malicious actions, such as command-and-control center callbacks. SpamTitan also performs a barrage of front-end and advanced checks on all emails, including machine-based detection methods that can identify emails that deviate from those typically received by a business, ensuring security teams are rapidly alerted about potential threats. Security awareness training is also strongly recommended to educate end users about email-based threats and teach security best practices, such as always exercising caution with emails, email attachments, and messages containing external links.

If you want to improve your defenses against malware and other cyber threats, give the TitanHQ team a call. SpamTitan, along with other TitanHQ cybersecurity solutions, is available on a free trial to allow you to test the product in your own environment before deciding if it is right for your business.

TitanHQ Feature Updates Announced for SafeTitan, WebTitan, and SpamTitan

TitanHQ has made several enhancements to its suite of cybersecurity solutions this month, including an update to the SafeTitan security awareness training and phishing simulation platform to better meet the needs of Managed Service Providers (MSPs) and the release of a new version of the WebTitan DNS-based web filtering solution – Version 5.03, which is now being rolled out for all customers. SpamTitan spam-filter users are also due to get an upgrade, with version 9.01 of the platform due to be released.

The SafeTitan update added a new Auto Campaigns feature for MSPs to better meet the needs of their SMB clients and protect them against increasingly sophisticated phishing threats. While it is vital to have an email security solution such as SpamTitan in place to block email-based threats, workforces also need to be provided with security awareness training to ensure they have the skills to recognize and avoid the full range of cyber threats.

The SafeTitan platform can be used by SMBs for training their workforces and giving them practice at identifying threats and also by MSPs to meet the training needs of their clients. The new Auto Campaigns feature is an automation tool that allows MSPs to reduce the time spent planning and managing security awareness and phishing simulation campaigns for their SMB clients. The AI-driven feature helps MSPs streamline the security training process and improve efficiency while saving time and resources. The Auto Campaigns feature allows MSPs to create an annual set of phishing simulation campaigns for all clients within minutes.

WebTitan is an award-winning web filtering solution that is used by thousands of SMBs, enterprises, and MSPs for controlling access to the Internet and blocking web-based cyber threats. The latest version of the platform includes several new features and bug fixes.

Users now benefit from a new summary report page, the custom block page has a new layout, and several new features have been added. These include support for the customization of the global default policy on the MSP level, which allows the application of a custom default policy on the creation of a customer account. Support has been added for the customization of the default policy on the customer level, it is now possible to inherit the allowed & blocked domains from the customer default policy, and support has been added for allowing/blocking a top-level domain (TLD) on a customer policy and global domains.

SpamTitan is due for an imminent upgrade which will include several new, advanced MSP features. Version 9.01 will have a new history/quarantine feature for MSPs, that will allow them to quickly act on customer emails at the MSP level. Link Lock inheritance has been added at the MSP level to avoid having to drill down to individual domains to make changes, and a new pattern filtering feature has been added which simplifies SpamTitan administration for MSPs and allows them to secure all customers from one place. There is also a simplified mail view, which improves the user experience and makes email analysis simpler.

MSPs also have an Other Products option, which allows them to easily offer other products in the TitanSecure bundle to customers – ArcTitan email archiving, WebTitan web filtering, and SafeTitan security awareness training – and provide a comprehensive, multi-layered security defense system to customers.

New Mystic Stealer Malware Proves Popular with Cybercriminal Community

A new information stealing malware variant called Mystic Stealer is proving extremely popular with hackers. The malware is currently being promoted on hacking forums and darknet marketplaces under the malware-as-a-service model, where hackers can rent access to the malware by paying a subscription fee, which ranges from $150 for a month to $390 for three months.

Adverts for the malware first started appearing on hacking sites in April 2023 and the combination of low pricing, advanced capabilities, and regular updates to the malware to incorporate requested features has seen it grow in popularity and become a firm favorite with cybercriminals. The team selling access to the malware operates a Telegram channel and seeks feedback from users on new features they would like to be added, shares development news, and discusses various related topics.

Mystic Stealer has many capabilities with more expected to be added. The first update to the malware occurred just a month after the initial release, demonstrating it is under active development and indicating the developers are trying to make Mystic Stealer the malware of choice for a wide range of malicious actors. Mystic Stealer targets 40 different web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications (including LastPass Free, Dashlane, Roboform, and NortPass), and 55 cryptocurrency browser extensions. The malware can also inject ads into browser sessions, redirect searches to malicious websites, and steal Steam and Telegram credentials and other sensitive data. The most recent version is also able to download additional payloads from its command-and-control server. The malware targets all Windows versions, does not need any dependencies, and operates in the memory, allowing it to evade antivirus solutions. The malware is believed to be of Russian origin since it cannot be used in the Commonwealth of Independent States.

Mystic Stealer has recently been analyzed by researchers at InQuest, ZScaler, and Cyfirma, who report that the malware communicates with its C2 server via a custom binary protocol over TCP, and currently has at least 50 C2 servers. When the malware identifies data of interest, it compresses it, encrypts it, then transmits it to its C2 server, where users can access the data through their control panel.

The main methods of distribution have yet to be determined, but as more threat actors start using the malware, distribution methods are likely to become more diverse. The best protection is to follow cybersecurity best practices and adopt a defense-in-depth approach, with multiple overlapping layers of security to protect against all of the main attack vectors: email delivery (phishing), web delivery (pirated software, drive-by downloads, malvertising), and the exploitation of vulnerabilities.

Email security solutions should be used that have signature and behavioral-based detection capabilities and machine learning techniques for detecting phishing emails (SpamTitan). Antivirus software should be used, ideally, a solution that can scan the memory, along with advanced intrusion detection systems. To protect against web-based attacks, a web filter (WebTitan) should be used to block malicious file downloads and prevent access to the websites where malware is often downloaded (known malicious sites/warez/torrent). IT teams should ensure that software updates and patches are applied promptly, prioritizing critical vulnerabilities and known exploited vulnerabilities. In the event of infection, damage can be severely limited by having a tested incident response plan in place.

Finally, it is important to train the workforce on the most common threats and how to avoid them. Employees should be trained on how to identify phishing attempts, be told never to download unauthorized software from the Internet, and be taught security best practices. The SafeTitan security awareness training and phishing simulation platform provides comprehensive training and testing to improve human defenses against malware infections and other cyber threats.

Free OnlyFans Content Used as a Lure in DcRAT Malware Campaign

Malicious actors are distributing malware under the guise of free access to paywall-protected OnlyFans content. OnlyFans is a popular Internet content subscription platform, where visitors can pay to receive premium content from a range of different content creators such as social media personalities, musicians, and celebrities, although the 18+ subscription platform is most commonly associated with X-rated content. The malware campaign targets individuals looking to access the latter for free.

The campaign uses fake OnlyFans content and X-rated lures promising access to private photos, videos, and posts without having to pay for the content. Users are tricked into downloading an executable file, that installs a remote access Trojan. A VBScript loader is contained in a ZIP file, and if executed, will deliver a variant of the AsynchRAT called DCRAT (aka DarkCrystal) -– a remote access Trojan that provides access to the user’s device. DcRAT allows remote access, but can also access the webcam, log keystrokes, manipulate files, steal credentials, cookies, and Discord tokens, and encrypt files for extortion.

Researchers at eSentire identified the campaign after a user attempted to execute the VBscript loader, although it is currently unclear how the ZIP file containing the VBScript loader is being distributed. As such, a defense-in-depth approach is recommended to block the most likely attack vectors. Phishing emails are commonly used for distributing malware. Any email that claims to offer free access to OnlyFans is a major red flag since the site requires paid subscriptions to access content. SEO poisoning may be used to get malicious websites to appear high in the search engine results for key search terms, and malvertising – malicious adverts – may be displayed on legitimate websites through third-party ad networks that direct users to URLs where free content is offered. Compromised social media accounts may be used to post offers of free access to OnlyFans content, and SMS and instant messaging service messages may advertise the offers and include links to malicious websites.

All of these ways of making contact with users can be combatted through phishing and security awareness training using the SafeTitan platform. SafeTitan includes an extensive library of training content for creating security awareness training programs to improve awareness of threats, teach security best practices, and train users how to identify phishing attempts. The platform also includes a phishing simulator for testing responses to phishing attacks, including phishing attempts with OnlyFans-related lures.

Email security solutions should be implemented to block any phishing attempts. SpamTitan incorporates signature and behavior-based detection mechanisms for identifying malicious attachments, link scanning, and machine learning capabilities to identify zero-day phishing attacks. WebTitan Cloud can be used to improve protection against web-based attacks, such as malicious file downloads from malicious and compromised websites and to prevent access to risky categories of websites and websites that serve no work purpose. IT admins should also consider implementing restrictions for script files, such as blocking VBScript and JavaScript from launching downloaded executable content or using Group Policy Management Console to create open with parameters for script files to ensure they are opened with notepad.exe. These measures will not only be effective at blocking this OnlyFans campaign but also for blocking attempts by other malicious actors to install malware and ransomware.

New SafeTitan Release Includes New Automated Campaign Feature for MSPs

TitanHQ has updated its SafeTitan security awareness training platform to better meet the needs of Managed Service Providers (MSPs) by adding a new feature – Automatic Security Campaigns. The new feature allows MSPs to create an annual set of phishing simulations for their clients to streamline security campaign planning.

All companies should be providing security awareness training to the workforce to improve awareness of the types of threats each employee is likely to face, and security awareness training programs should incorporate ongoing phishing simulations to give employees practice at identifying potential threats outside of a training setting. While the percentage of businesses providing security awareness training is increasing, many have yet to create a program, and those that have often find it is not as effective as they expected. This is an area where MSPs can help and ensure companies get the maximum return on their investment in training.

By signing up with TitanHQ, MSPs can provide security awareness training through the SafeTitan platform. SafeTitan includes an extensive library of training content that allows MSPs to create training programs to meet the needs of each company and tailor the training for different employee groups within the company to ensure it is relevant. The training content is proven to improve understanding of threats and reduce susceptibility to phishing and other social engineering attacks. Training courses can be created quickly and the provision of training automated, with employee progress tracked and client reports scheduled to keep them up to date on how training is progressing.

Conducting phishing simulations is also straightforward, but thanks to the new Automatic Security Campaigns feature, MSPs can create and run phishing simulations more efficiently, spend less time managing the campaigns, and boost the profitability of their security awareness and phishing simulation service. MSPs can use this feature to schedule phishing simulations using messages of varying types, at the desired required frequency, over the course of the year – a process that takes just a few minutes.

“By introducing automated campaign scheduling to SafeTitan, we are empowering our MSP partners to optimize their security training efforts, boost productivity, and deliver exceptional results to their clients,” said Ronan Kavanagh, CEO, TitanHQ. “This new feature aligns perfectly with our MSP First Strategy and provides innovative solutions that simplify the complexities of managing a client’s security awareness training.”

Phishing Remains the Most Common Method Used in Cyberattacks on Businesses

Phishing is still the most common method used by cybercriminals in attacks on businesses, as has been confirmed by a new survey of IT security and identity professionals. The Identity Defined Security Alliance recently conducted a survey on 529 IT security professionals and identity professionals at organizations with more than 1,000 employees and found 62% had experienced an identity-related incident in 2022, and out of those, 93% said they had experienced an email phishing incident.

Phishing is popular with cybercriminals as it is easy to conduct campaigns, which can be largely automated and require little skill. These campaigns are low cost and they are effective, as people can easily be fooled into disclosing their credentials or downloading malicious files. Email remains the most common vector used for phishing, with emails usually including a web-based component. Users are directed to malicious websites where malware is downloaded, or their credentials are harvested.

Phishing campaigns can be made even more effective if the emails are targeted. General phishing emails that are sent in massive spamming campaigns will attract a low number of responses but certainly enough to make these campaigns worthwhile; however, by targeting small numbers of individuals the response rate increases dramatically. Spear phishing involves tailoring emails for a specific group of people or researching individuals and sending personalized phishing emails. The survey revealed 49% of respondents had experienced spear phishing attacks in the past year.

Phishing is no longer solely conducted via email, and attacks involving other attack vectors have been steadily increasing. SMS and instant messaging platforms are commonly used for phishing. These phishing attacks are referred to as smishing attacks and phishing can occur over the phone – termed vishing. 27% of respondents said they experienced smishing or vishing attacks in the past year.

Phishing attacks can be extremely costly for businesses. These attacks are conducted to gain initial access to business networks to steal sensitive data, which can be used in a wide variety of ways. Once access to networks is gained and all valuable data has been stolen, access to those networks is often sold to other threat actors such as ransomware gangs for follow-on attacks. Businesses are also increasingly being sued for data breaches by employees and customers, the attacks take time to remediate causing business disruption and often result in significant reputational damage.

Phishing attacks are increasing in sophistication as well as number. While it was once sufficient to implement a spam filtering solution and antivirus software to block attacks, defenses have had to become more comprehensive and sophisticated and provide multiple layers of protection.

TitanHQ solutions can form the basis of a robust defense against phishing. TitanHQ offers three cybersecurity solutions that work seamlessly together that can be used by businesses to mount a formidable defense against phishing attacks, with each solution tackling the threat of phishing from a different angle.

The first layer of defense comes from SpamTitan Email Security – An advanced email security solution for blocking phishing and spam emails, including attacks seeking credentials and those delivering malware. SpamTitan incorporates anti-virus software (dual AV engines) for detecting known malware variants, and behavioral analysis through email sandboxing for detecting zero-day (unknown) malware threats.

Protection against the web-based element of phishing comes from the WebTitan DNS filter, which is used to prevent employees from visiting malicious websites and for controlling access to the Internet through category and keyboard-based web filtering. WebTitan blocks downloads of malicious files and risky file types, and secures the DNS to block command-control callbacks. WebTitan not only blocks phishing attacks via email but also phishing and other malicious websites encountered through web browsing, such as via redirects to malicious websites from online adverts (malvertising).

The third layer of protection is concerned with improving human defenses, which is vital considering that more than 80% of data breaches involve the human element (Verizon Data Breach Investigations Report). SafeTitan is used to create effective security awareness training, tailored to meet the needs of each business and individual. The platform includes a huge library of training content that can be tailored for user groups and individuals which covers all aspects of security. Through SafeTitan training, businesses can raise awareness of threats and eradicate bad security practices. The solution also includes a phishing simulator for testing employees, which delivers on-the-spot training in real-time in response to security mistakes.

Cybercriminals are unlikely to stop conducting attacks and they are only likely to increase in number and sophistication. Businesses therefore need to make sure their defenses are up to scratch. For more information on these TitanHQ solutions, contact the sales team today. You can also take advantage of free trials of these solutions to test them before deciding on a purchase.

RPMSG Attachments Used in Sophisticated Phishing Attacks to Steal M365 Credentials

A new phishing technique has been identified by security researchers that uses compromised Microsoft 365 accounts to send phishing emails that contain .RPMSG attachments, which are used in a sophisticated attack to gain access to Microsoft 365 accounts.

RPMSG files are used to deliver e-mails with the Rights-Managed Email Object Protocol enabled. In contrast to regular emails that are sent in plain text and can be read by anyone or any security solution, these files are encrypted and are stored as an encrypted file attachment. The files can also be used to limit the ability of users to forward or copy emails. The intended recipient can read the encrypted messages after they have been authenticated, either by using their Microsoft 365 credentials or a one-time passcode.

Phishing attacks using these files give the impression that the messages are protected and secured, as access is restricted to authorized users. If a user is unfamiliar with RPMSG files and they perform a Google search, they will quickly discover that these files are used for secure emails, giving the impression that the emails are genuine.

The use of RPMSG files in phishing attacks was discovered by researchers at Trustwave. In this scam, an email is sent from a compromised account, and since these accounts are at legitimate businesses, the emails appear genuine. For example, one of the scams used a compromised account at the payment processing company Talus Pay.

The emails are sent to targeted individuals, such as employees in the billing department of a company. The emails are encrypted, and credentials need to be entered before the content of the email can be viewed. In this campaign, the emails tell the recipient that Talus Pay has sent them a protected message, and the email body includes a “Read the message” button that users are prompted to click. The emails also contain a link that the user can click to learn about messages protected by Microsoft Purview Message Encryption.

If the recipient clicks the link to read the message, they are directed to a legitimate Office 365 email webpage where they are required to authenticate with their Microsoft 365 credentials. After authentication, the user is redirected to a fake SharePoint document, which is hosted on the Adobe InDesign service. If they try to open the file, they are directed to the final destination URL that shows a “Loading… Wait” message, and while on that URL, a malicious script runs and collects system information. When that process is completed, a cloned Microsoft 365 login form is displayed, which sends the username and password to the attacker’s command and control server if entered. The script collects information such as visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.

The problem with phishing attempts involving encrypted content is email security solutions are unable to decrypt the content. In this scam, the only URL in the email directs the user to a legitimate Microsoft service which is not malicious, making these phishing attempts difficult to block without also blocking legitimate Microsoft encrypted emails. The key to preventing this type of sophisticated phishing attack is education. Through security awareness training, employees should be warned never to open unsolicited encrypted messages, even if the messages appear to have been sent by a legitimate user. They should also be conditioned to report any such messages to their IT security team for further investigation.

The SafeTitan security awareness training program can be used by businesses to create training courses for employees, tailored to each individual’s role and the threats they are likely to encounter. The training content is engaging to improve knowledge retention and can be easily updated to include information on the latest threats, such as phishing attacks involving RPMSG files. The platform also includes a phishing simulator that can be used to automate phishing simulations on the workforce, and RPMSG phishing emails can easily be incorporated into the simulator to check whether employees are fooled by these sophisticated attacks. If a user fails a phishing simulation, they are automatically provided with training content in real-time relevant to the simulation they failed. This on-the-spot training is the most effective way of re-educating the workforce and ensures training is provided at the point when it is most likely to be effective.

For more information on SafeTitan Security awareness training and phishing protection, call the TitanHQ team today.

Business Email Compromise: The Biggest Cause of Losses to Cybercrime

Business email compromise (BEC) is big business. For several years, BEC attacks have been the leading cause of losses to cybercrime according to the Federal Bureau of Investigation (FBI). Over the past 5 years, BEC incidents have resulted in more than $43 billion in losses globally, with $83,883,493 in reported losses to BEC scams in 2022.

BEC, also known as email account compromise (EAC), is a sophisticated scamming technique that targets employees and the businesses they work for. These attacks can be conducted to obtain sensitive information such as W-2 forms, which can be used for large-scale tax fraud, but most commonly attempt fraudulent payments, where an employee is tricked into changing payment details for an upcoming payment.

BEC attacks usually start with phishing emails. These can be general phishing emails to gain access to any employee email account, which is then used to send further phishing emails within a company and to vendors to get the high-value email credentials that the attackers seek. Alternatively, spear phishing emails are crafted on well-researched targets, such as employees in the finance department of a company who are likely to have responsibility for making wire transfers or employees at vendors who handle customer accounts. Social engineering techniques are used in the phishing emails to trick the targets into disclosing their credentials.

When access is gained to a targeted email account, the attacker can learn a great deal about the company and can identify vendors/clients, view invoices, and learn about upcoming payments. The style of the target’s emails can be identified, so emails can be carefully crafted using a similar writing style and language to prevent the scam from being detected. A request is then made via email to change banking details for an upcoming payment to attacker-controlled accounts. These accounts are commonly created at overseas banks in Thailand, Hong Kong, China, Mexico, and Singapore.

When the payment is made, funds are rapidly transferred to other accounts or are withdrawn, often before the fraudulent payment is detected. The payments are often large – tens of thousands, hundreds of thousands, or millions of dollars. One common tactic used in BEC attacks is to impersonate construction companies. Research is conducted online to identify a company’s current work projects, and company email accounts are targeted.  When access to accounts is gained, the scammers identify contact information, bid information, and project costs.

Construction projects often involve regular payments during construction, so the attackers change bank account information for an upcoming sizable payment. The client of the construction company expects to make a payment, so a simple change of bank account information is unlikely to arouse suspicion, especially since the request comes from a genuine company domain and email account with the correct logos and footers. Oftentimes, the victim has been communicating with the construction company through the same email account. Email communications between the victim and the scammer can span several emails, with the attackers taking their time before making the request. Reports of losses to the FBI between 2018 and 2020 show the fraudulent payments range from around $10,000 to $4 million.

Defending against BEC attacks requires a combination of measures that aim to block the initial account compromise, detect any compromises, identify suspicious requests, and monitor accounts for any irregularities. Advanced phishing defenses are required to block the initial phishing attacks where account credentials are obtained.  SpamTitan performs a barrage of tests to identify and block phishing and spear phishing emails. These attacks can involve spoofing rather than email account compromise, and SpamTitan solutions can detect and block emails from fake accounts as well as malware, which is often used to gain initial access to networks before pivoting to email accounts.

SpamTitan also incorporates machine-learning detection mechanisms to identify deviations from the standard emails that a business usually receives, which can identify and block the initial phishing emails and fraudulent emails sent from compromised accounts, since checks are performed on inbound and outbound emails. 2-factor or multi-factor authentication should also be enabled for all company email accounts.

2-factor authentication processes should also be established for any changes to account information. Any request to change account information or change upcoming payments should be verified using a second authentication mechanism such as a telephone call to a verified contact number.  Staff should also be provided with security awareness training to alert them to phishing and BEC attacks. SafeTitan security awareness training has extensive training content on phishing and BEC attacks and allows training courses to be easily developed and automated for the specific employees who are likely to be targeted in these scams to provide them with advanced training on how to detect BEC attacks.

For more information on improving email security and security awareness training, contact TitanHQ. TitanHQ solutions are available on a free trial, with full access to customer support for the duration of the trial to help you get the most out of the products.

PDF File Attachments Used for Distributing QBot Malware

When Microsoft started blocking macros in Internet-delivered Office files, threat actors had to come up with new ways of distributing malware via email. Since then, there has been a rise in the use of OneNote files in phishing attacks. OneNote files allow scripts to be embedded and serve as an ideal replacement for Office files and macros; however, Microsoft has responded with security updates for OneNote to prevent this technique from being used for malware distribution. There has also been an increase in the use of container files to bypass protections, which include compressed files such as .rar and .zip, and .iso files.

Another method of bypassing these protections has been adopted to distribute QBot malware. QBot is used to gain initial access to business networks and is often used to drop malware payloads for other threat actors. QBot used to be delivered via phishing emails using malicious macros in Office file attachments, but that technique is no longer viable due to Microsoft’s updates. Instead, the threat actor is now using a combination of .pdf files and Windows Script Files. The phishing emails have a .pdf attachment, which downloads a .wsf file, which is used to deliver QBot.

The emails used in this campaign are reply chain emails, which makes it appear that the emails have been sent as a reply to a previous conversation. That increases the chances of the email being opened as employees are usually trained to be suspicious of unsolicited emails from unknown senders. If the attachment is opened, the PDF file states that the document is protected, and the user is required to click an ‘open’ link, which will trigger a download of a .zip file that includes a Windows Script file.

If the user double clicks that file, the script will be executed, which will run a PowerShell script that will deliver QBot from a hardcoded URL and execute the malware. QBot will be injected into the Windows Error Manager program and will run silently in the background. QBot will steal sensitive data and can move laterally and compromise other devices on the network. Once data has been stolen, access to QBot-infected devices is sold to ransomware gangs. A single device infected with QBot can easily end with large-scale data theft and a network-wide ransomware attack.

The latest campaign involves PDF file attachments, but the methods used for distributing malware such as QBot often change and will continue to do so. The key to improving security is to adopt a defense-in-depth approach, where there are multiple overlapping layers of security in place. If any one measure fails, others will be in place to continue to provide protection.

An email security solution such as SpamTitan is a good place to start. SpamTitan Email Security adds multiple layers of security to your defenses by performing extensive checks on all inbound and outbound emails. Message headers are checked, as is the reputation of the sender, and machine learning techniques are used to identify messages that deviate from the normal messages a user receives. Multiple scans are conducted on email attachments looking for malware and malicious scripts, including signature-based and behavior-based detection through dual antivirus engines and a Bitdefender-powered sandbox. Links are checked and followed to block phishing and malware downloads.

A web filtering solution is an important security measure for blocking the web-based component of these attacks. All attempts to connect with a URL – including automated attempts and clicks by users – will be assessed in real time and blocked if an attempt is made to connect to a known malicious URL. WebTitan can be configured to block downloads of executable files, such as .wsf files, and controls can be implemented to restrict access to websites to confirmed benign URLs.

Email-based attacks attempt to exploit human weaknesses so it is also important to improve your human defenses through security awareness training. The SafeTitan security awareness training platform can be used to automate workforce training and teach security best practices and eliminate risky behaviors, and make employees aware of the threats they are likely to encounter. The platform also includes a phishing simulator with hundreds of phishing templates to test employees to see how they respond to real-world threats, and automatically assigns further training modules if they fail a phishing simulation. These three solutions can be adopted by businesses to greatly improve their security posture against current and evolving threats. Speak with TitanHQ today to find out more.

Effective Workforce Training to Improve Cybersecurity in Healthcare

On March 30, 2022, the U.S. Senate Homeland Security Committee cleared the Healthcare Cybersecurity Act – new legislation that promises to strengthen the cybersecurity posture of the U.S. healthcare and public health sectors. The U.S. healthcare sector has taken a battering in recent years as cybercriminals have stepped up attacks on the sector. Healthcare organizations are an attractive target due to the vast quantities of sensitive data they store. The data can easily be monetized and used for identity theft and medical fraud, and preventing access to that data puts patients at risk, which increases the probability that extortion attempts will be successful. Cyberattacks on the healthcare sector have proven to be lucrative, with healthcare providers often forced into paying huge ransom demands to decrypt their files, prevent the exposure of stolen data, and get critical systems back up and running quickly to improve patient safety.

In 2020, healthcare cyberattacks increased by 55% breaking the record set the previous year. More than 26 million medical records were compromised that year, which increased to over 40 million records in 2021 and 2022. 2023 looks like it will see similar numbers of records compromised. Healthcare is a critical industry and healthcare cybersecurity is a patient safety issue. Action is desperately at the federal level to improve resilience to cyberattacks and the Healthcare Cybersecurity Act is a step in the right direction. The Healthcare Cybersecurity Act calls for the U.S. Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to collaborate and come up with a plan for improving the security posture of the sector. Within a year of the legislation being passed, CISA is required to complete a detailed analysis of the risks to healthcare assets and data, identify the information security challenges faced by organizations in the sector and come up with a plan to address the shortage of cybersecurity staff, including making recommendations for cybersecurity training for the workforce and enhancing incident response. The legislation also calls for the creation of a Cyber Security Operations Center specifically for the healthcare sector to share real-time threat intelligence to help defend against and respond to cyberattacks.

In the meantime, the cyberattacks continue. While hospitals and health systems are investing heavily in cybersecurity and are improving their technical defenses, hackers are developing new methods to attack the sector, often by exploiting human weaknesses. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health plans, and other covered entities to develop a security awareness training program for employees, but the legislation was signed into law two decades ago and provides little in the way of detail as to what such a program should include or how often training should be conducted. Follow the letter of the law and you will be compliant but will do little to improve your security posture. What is required is a comprehensive training program that can be easily tailored to all members of the workforce and training them on how to recognize the specific threats they are likely to encounter.

The ultimate goal of security awareness training is to develop a security culture, and that simply isn’t possible with an annual training session. Security awareness training needs to be ongoing, with employees up to date on the latest threats, and training needs to be reinforced. This is an area where TitanHQ can help. TitanHQ offers healthcare organizations an easy-to-use platform for developing healthcare-specific training courses covering a broad range of security topics. The platform includes training content on hundreds of topics, delivered through computer-based training courses, videos, and quizzes. The content is engaging and gamified and has been developed to be easy to fit into busy healthcare workflows, with the training content taking no more than 10 minutes per module.

Administrators can easily develop training courses for individual employees, roles, and departments to ensure it is relevant, and the platform is behavior-driven, with training content automatically generated based on specific employee behaviors such as failed phishing simulations and security errors, such as saving sensitive data in an insecure location. Since the training is generated instantly, it ensures employees receive the training when it is likely to have the maximum impact – immediately after a security mistake is made.

The platform also has enterprise-level reporting, which provides executives with a 360 view of the entire organization and the return on investment, with the data provided in an easily digestible format for management, and detailed reports for the compliance team to demonstrate full compliance with the training requirements of the HIPAA Security Rule.

If you want to improve your organization’s security posture, training the workforce to be more security aware is a great place to start. For more information on SafeTitan, to sign up for a free trial, get in touch with the TitanHQ U.S. team today.

Top Malware Threats and How to Prevent Infections

QBot, Emotet, and Formbook are currently the most prevalent malware threats according to new data from Check Point, all of which are mostly distributed using spam emails. Email is still one of the most common methods of malware distribution, and even Microsoft’s efforts to prevent the malicious use of macros have not changed that.

Last year, Microsoft disabled macros by default in Internet-delivered documents, and while this was a blow to cybercriminals who have relied on macros for their infection process, they simply changed tactics and used other methods for malware delivery. Macros were easy to abuse, as victims just needed to be tricked into enabling macros in documents and ignoring security warnings. Now that macros are disabled, cybercriminals have had to adopt new tactics for distributing malware via email, such as sending malicious links or using alternative attachments, such as OneNote files. The latter has been used to distribute Emotet, which has helped the malware return to the top of Check Point’s most wanted malware list.

OneNote files have proven popular for malware distribution as they allow scripts to be embedded and masked with overlays. The user is instructed to double-click a button in the OneNote file as they are told that the document is protected, when what they are actually doing is double-clicking an executable file embedded under the overlay, thus executing the script and triggering the downloading of a malicious payload. Microsoft has announced that this security issue will be tackled by May, but until then OneNote will continue to be used for malware delivery.

The top three malware variants share some of the same functionality but offer specialized features. QBot, also known as QakBot, was primarily a banking Trojan used to steal banking credentials but is now capable of stealing other credentials due to its keylogging capabilities. It has been in use since 2008 and is one of the oldest malware families currently in use.

Emotet has long been at the top of the most common malware variants and has survived a recent law enforcement takedown. Emotet started life as a banking Trojan but has evolved over the years and is now primarily used as a distributor of other malicious payloads under the malware-as-a-service model. Like QBot, Emotet is also extensively distributed via email, helped by its self-propagating capabilities, which allow it to hijack message threads and send copies of itself to the victims’ contacts.

FormBook has been used since at least 2016 and is an information stealer that is also marketed under the malware-as-a-service model. FormBook primarily harvests credentials from web browsers, but also logs keystrokes, collects screenshots, and can deliver additional files to infected devices. It is one of the most widely distributed malware due to its capabilities, relatively low cost, and strong evasion techniques.

These three malware variants have had a huge impact globally, with QBot infections detected at 10% of organizations worldwide and Emotet and FormBook each affecting 4% of organizations worldwide. Preventing infections requires a defense-in-depth approach involving multiple layers of protection, with one of the most important layers provided by a spam filter.

All three of these malware families are extensively spread via spam email, so blocking the initial attack vector is by far the best defense. SpamTitan incorporates several layers of protection against malicious emails, including emails with malicious attachments such as OneNote files and malicious links. SpamTitan performs a multitude of front-line checks including message headers and reputation checks and has dual anti-virus engines for detecting malware and sandboxing for behavioral analysis of email attachments. SpamTitan also scans links and uses machine learning algorithms to identify emails that deviate from the genuine emails typically received by businesses.

While a spam filter and endpoint protection solutions such as antivirus software were once sufficient, the speed at which new malware variants are being released and the evasion methods they use mean additional layers of protection are now required. TitanHQ recommends also deploying a web filter to block Internet-based threats. A web filter such as WebTitan augments the spam filter by blocking malware delivery via the Internet and improves protection against non-email-based threats, such as malicious links in text messages and instant messaging platforms.

Threats will occasionally bypass these protections, so it is important to provide security awareness training to the workforce. By educating the workforce on cyber threats, if one is encountered it can be recognized and avoided. Security awareness training allows businesses to train employees on security best practices and eradicate the risky behaviors that are often exploited by cybercriminals. SafeTitan is a comprehensive training platform covering all aspects of security and includes a phishing simulation platform for testing how employees respond to phishing threats and providing targeted training where it is needed.

For more information on these solutions and improving your security posture in the most cost-effective way, give the TitanHQ team a call today.

New Business Email Compromise Tactics Identified

Business email compromise tactics commonly change, so businesses need to ensure that they provide regular security awareness training to their workforce. Businesses that implement an ongoing security awareness training program can ensure that all employees are made aware of the emerging tactics so that when a threat is received, they will be able to identify it as such and report it to their security team.

BEC attacks typically involve spoofing an individual or company to get an individual to make a fraudulent wire transfer to an attacker-controlled account. The FBI has recently reported that tactics are becoming more sophisticated, and telephone numbers are also being spoofed. When the targeted individual calls to verify the authenticity of the emailed request, they speak with the scammer. It is vital to ensure that employees are told to verify the authenticity of any out-of-band requests for payments, changes to account details, requests for gift cards, and other common scam tactics but to ensure that verified contact information is used, and never the contact information supplied in the email.

Another BEC tactic that is becoming increasingly common attempts to obtain goods under false pretenses, instead of tricking people into making wire transfers. This tactic is often adopted by less advanced threat actors, as they do not have to recruit the money mules to accept the payments. According to the FBI, scammers are impersonating the email domains of U.S. companies and are spoofing emails with the real names of company employees, so if checks are performed, they will be passed.

The scammers trick vendors into believing they are conducting legitimate business transactions and fulfilling purchase orders for distribution to new customers. Scams identified by the FBI include the targeting of vendors of agricultural equipment, construction materials, computer hardware, solar energy products, and more. The goods are distributed and by the time the scam is identified, they have been moved on and cannot be traced or recovered. Since these purchase orders are often for bulk goods, thousands or hundreds of thousands of dollars can be lost.

Businesses often provide new customers with credit repayment terms such as net-30 or net-60, where they are not required to pay for the goods for 30 or 60 days. That means by the time the scam is identified the goods have long since been moved and sold. Businesses naturally conduct credit checks before offering those terms, but the attackers are supplying fake credit references and fraudulent W-9 forms to vendors to get the payment terms to allow them to purchase goods without any upfront payment.

The best way to protect against these scams is to ensure that you have an advanced email security solution in place – Such as SpamTitan – to block the initial contact via email. However, it is also important to provide security awareness training to the workforce.

SafeTitan is a modular training platform that allows businesses to develop custom training courses for different individuals, roles, and departments, and to ensure that the training provided is relevant. The platform includes hundreds of training modules and can be tailored to meet the needs of all organizations. The training content is regularly updated to include the latest tactics that are being used, allowing businesses to keep all members of the workforce 100% up to date on the latest threats.

Administrators can trigger training modules for all members of the workforce when new threats are identified. The modules are easy to fit into busy workflows and take no longer than 10 minutes. Through SafeTitan security awareness training, businesses can develop a security culture and greatly reduce susceptibility to phishing and BEC attacks. Data from the SafeTitan phishing simulation platform shows businesses can reduce susceptibility to email scams by up to 80% over time through email attack simulations.

For more information on SafeTitan Security awareness training and phishing simulations contact TitanHQ today.

BEC is Still A Leading Cause of Losses to Cybercrime and Attacks Continue to Increase

Business email compromise (BEC) may not be the most prevalent form of cybercrime, but it is one of the costliest. Over the last few years, BEC attacks have seen the greatest losses out of any form of cybercrime, and BEC attacks have been increasing. According to the Federal Bureau of Investigation (FBI), between July 2019 and December 2021, losses to BEC attacks increased by 65%, and between June 2016 and July 2019 there were 241,206 complaints about BEC attacks and $43,312,749,946 was lost to the scams. In 2022, there were almost 22,000 victims of BEC attacks and adjusted losses to these scams were more than $2.7 billion.

In a typical BEC scam, a criminal sends an email message to a targeted individual that appears to have come from a known source making a legitimate request. Commonly, a company that the victim regularly deals with sends an invoice with an updated bank account or mailing address. A scam may be conducted where the victim is asked to purchase gift cards and email the serial numbers. Scams often target homebuyers, where the message appears to come from the title company with instructions on how to wire the payment. An executive may be impersonated and the tax information of all employees may be requested. There are many variations of these scams, and they often result in thousands, hundreds of thousands, or even millions of dollars in losses.

BEC scammers often spoof an email account or a website, or they may compromise a legitimate email account through a phishing or spear phishing email. With access to email accounts, a scammer can search the accounts to find out more about the company and gain the information they need to conduct realistic scams. Malware may be sent via email that gives the attacker access to email accounts, which allows them to hijack message threads.

One of the most common types of BEC attacks involves the impersonation of an individual or company and a request to send fraudulent wire payments to attacker-controlled bank accounts. Historically, these scams have involved compromised vendor email accounts and a request to change bank account information for upcoming payments for goods and services. In its latest Internet Crime Report, the FBI said BEC scammers are increasingly targeting investment accounts, and utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or requesting victims send funds directly to cryptocurrency platforms.

In the past, scammers have relied on their spoofing tactics but the scam fails if the targeted individual verifies the legitimacy of the request by phone. However, it is now becoming increasingly common for scammers to spoof legitimate business phone numbers and use these to confirm fraudulent banking details with victims. There have been many cases where the victims report they have called a title company or realtor using a known phone number, only to find out later that the phone number has been spoofed.

Defending against BEC attacks requires a combination of measures. First, since these attacks often start with a phishing email, a spam filtering service is essential. A spam filter will block the emails that allow credentials to be stolen and email accounts compromised. Spam filters can also detect and block spoofing and are the primary defense against these attacks. TitanHQ has developed SpamTitan Email Security to help businesses defend against BEC attacks, phishing, and other email-based attacks.

Unfortunately, email filtering alone is not sufficient. A spam filter will block the majority of email threats but additional measures need to be implemented. The key to defending against BEC attacks is defense-in-depth. These attacks target human weaknesses, so it is important to train the workforce to be aware of these scams and the changing tactics of BEC scammers. Employees need to be taught the red flags they need to look for in emails and the security best practices that can thwart these scams.

TitanHQ offers the SafeTitan security awareness platform to businesses which can be used to train employees to be more vigilant and tell them what they need to look for. The platform can be used to teach security best practices, such as carefully examining the email address, URL, and spelling used in any correspondence, and the importance of not clicking on anything in an unsolicited email or text message that asks them to update or verify account information.

The increase in spoofing means it is now essential to implement two-factor or multi-factor authentication, to add an extra level of security to protect accounts from unauthorized access. It is also vital to implement policies that require requests to be independently verified using confirmed contact numbers, not those provided via email.

Adopting such a defense-in-depth approach will help you protect against these financially damaging scams. Contact TitanHQ today to find out more about how you can cost-effectively improve email security and train your workforce.

Emotet Botnet Back and Sending Malicious Emails with Malicious OneNote Attachments

The Emotet botnet has resumed activity after a break of around 3 months as the threat group attempts to build up the number of infected devices. The Emotet botnet consists of an army of devices that have been infected with Emotet malware, which gives the operators of the botnet access to those devices. That allows data to be stolen from the infected devices and for access to be sold to other threat actors to allow them to conduct attacks, such as by delivering additional malware payloads such as Cobalt Strike, banking Trojans, information stealers, and ransomware. Infected devices are also used to grow the botnet. Emotet malware can hijack email accounts, steal message threads, and send copies of itself to the victim’s contacts. Since the emails come from a trusted email account they are more likely to be opened.

Emotet campaigns do not run constantly throughout the year. The threat actor tends to have several months of downtime with the last campaign coming to an end in November 2022. The botnet is now active once again and is sending emails, which means businesses need to be on high alert. The activity commenced at the end of the first week of the month and now high volumes of emails are being sent.

While Emotet is well known for hijacking email threads and using reply-chain emails, this time around a campaign is being conducted that includes ZIP file attachments purporting to contain invoices. Some of the emails intercepted include compressed Word documents that are over 500 MB in size when they are extracted. The large file size is used to defeat antivirus software. If the documents are opened, the user is presented with a warning that the document is protected and they are told that they need to ‘enable editing’ and ‘enable content’ to preview the document. These security warnings are in place to prevent macros from running and enabling the content will see the macros run and Emotet malware be downloaded onto the device from a compromised website. The downloaded file – a DLL file – is similarly inflated to more than 500 MB to prevent scanning by AV solutions. The payloads often change to prevent detection, and detection rates are usually very low for each payload.

One of the campaigns detected in the past few days targets U.S. taxpayers. In this campaign, the Internal Revenue Service (IRS) and legitimate businesses are impersonated using fake W-9 tax forms. These W-9 tax forms are also included in a ZIP file attachment and the files are also inflated to more than 500 MB. In this campaign, the Emotet gang returns to using reply-chain emails so it appears that the emails have been sent from a trusted entity that has emailed in the past.

Fortunately, email-based attacks using macros to deliver malicious payloads are becoming much less effective due to a 2022 update from Microsoft that disables macros automatically in Internet-delivered Office files. In response, like other threat actors, the Emotet gang has changed tactics and is now sending emails with OneNote attachments, which do not support macros and therefore bypass Microsoft’s anti-macro controls. OneNote files allow embedded content, which in this case is a VBS attachment that is hidden under a view button. The user is told to double-click on the view button, but what they are really doing is double-clicking on the VBS attachment under the fake view button, which executes the script and delivers Emotet malware from a compromised website.

With Emotet back up and running it is a good idea to ensure that employees are trained to recognize these malicious emails and the SafeTitan security awareness training platform from TitanHQ allows you to easily do that and keep employees up to date on the latest Emotet tactics. SafeTitan also includes a phishing simulator that allows you to simulate Emotet emails in phishing tests to see which employees click. Those individuals can then be provided with additional training to ensure that if a real Emotet email is received, they will be able to recognize it as such.

For more information on SafeTitan Security Awareness Training, contact the TitanHQ team today.

SpamTitan Named Leader in 5 Categories in G2 Winter 2023 Grid Report

G2 (formerly G2 Crowd) has recently published its G2 Crowd Grid® Winter 2023 Report, which highlights the leading IT security products for businesses. G2 Grid Reports are based on satisfaction scores from genuine business users of IT solutions and are plotted into a quadrant along with market presence data, with each solution positioned in one of four quadrants: Leader, High Performer, Contender, and Niche. The Leader quadrant indicates products have high satisfaction scores from users and a strong market presence.

TitanHQ is happy to announce that SpamTitan Email Security has been placed in the Leader quadrant in five categories: Cloud Email Security, Small Business Email Security, Email Anti-Spam SMB, Email Protection, and Email Security, and was also given a top five position in 12 other categories.

G2 is a trusted source of reviews of technology for business and is used by thousands of businesses to help them with their purchasing decisions. G2 includes more than 2,072,000 reviews of business software from genuine users of the solutions, and those data are combined with social media reviews and other trusted online sources of data for its quarterly Grid reports. The G2 platform and Grid Reports are relied upon by more than 5 million buyers every month.

TitanHQ is a Galway, Ireland-based provider of cloud-based cybersecurity solutions. Those solutions include email security, DNS filtering, email archiving, email encryption, security awareness training, and phishing simulations. The products consistently attract high satisfaction scores from users on G2 and other business software review platforms such as Capterra, Gartner, GetApp, and Software Advice. Across those platforms, SpamTitan has attracted more than 500 5-star ratings based on customer reviews, and SpamTitan is also the category leader for email security on PeerSpot and Expert Insights, two other highly trusted review platforms.

The high scores show how much users love using SpamTitan products – SpamTitan Cloud, SpamTitan Gateway, and SpamTitan Plus – and how effective they are at blocking email-based threats. SpamTitan Plus is the latest addition to the SpamTitan family of products and was launched last year to provide leading-edge protection against phishing attacks, in particular, real-time phishing threats by utilizing AI and machine learning and extensive threat intelligence data – more than any other anti-phishing solution on the market. The result is 1.5x faster detection of malicious emails than the leading industry anti-phishing solutions from Barracuda, Proofpoint, and Mimecast. In addition to providing excellent protection, SpamTitan is easy-to-implement, easy to use, and far more affordable for businesses than many similar solutions. Users also benefit from exceptional front-line support. If any problems are experienced, help is rapidly provided.

The naming of SpamTitan as a leader in so many categories is a testament to the hard work of everyone at TitanHQ, and the considerable investment in the product. “The overwhelmingly positive feedback from SpamTitan users on independent review sites is a return for the massive investment we made into our products and threat intel,” said Ronan Kavanagh, CEO, TitanHQ.

If you want to save money on email security without sacrificing protection, why not give SpamTitan a try by taking advantage of the free trial of the solution today and see for yourself why SpamTitan products are consistently rated so highly by users.

Use Cyren for Email and Web Security? – You Need to Change Provider Immediately!

The cybersecurity company Cyren has collapsed, leaving its customers at risk. If you use Cyren for email and web security, you should change provider immediately!

It is sad news when any company is forced to significantly reduce its workforce, which for Cyren recently involved laying off 121 employees “in response to current market conditions and associated challenges with raising additional capital.” Cyren issued a press release saying that such extensive layoffs represent a significant reduction in all of the company’s workforce, and that “in the absence of additional sources of liquidity, management anticipates that the Company’s existing cash and projected cash flows from operations will not be sufficient to meet the Company’s working capital needs in the near term.”

So what does that mean for close to 1 billion users that rely on the company’s cybersecurity solutions? TitanHQ contacted the company’s CISO in relation to the news and received a response. “The SDK will work for as long as the systems in the cloud will continue running. Unfortunately, we have no personnel left to watch after the systems, so it is hard to predict how long they will run for.”

As a provider of email and web security solutions, TitanHQ can confirm that without constant updates to anti-spam signatures, the ability of a solution to block new phishing attacks will rapidly diminish, which means that customers will be exposed to threats. While it is possible that Cyren will be able to attract further investment, in the short term customers should be very concerned. Unfortunately, a mass exodus of customers is the last thing Cyren needs, but those customers need to ensure that they continue to be protected against email and web-based threats, which means switching to another solution provider.

TitanHQ has already received many calls from Cyren customers following the company’s February 1, 2023, press release announcing the financial difficulties the company is facing and has offered those customers a special deal that can provide short-term protection while they decide on the best next step, and that is to extend the free trial of SpamTitan Email Security and the WebTitan DNS Filter to 30 days.

Both solutions can be implemented in a matter of minutes and will ensure Cyren customers remain protected against email and web-based threats. The TitanHQ team has been busy helping Cyren customers get up and running with the two solutions over the past 2 weeks since the announcement was made.

Naturally, TitanHQ would love to continue to provide these solutions to Cyren customers past the 30-day free trial and hopes they continue to use the solutions, but this is a no-obligation free use of the platform aimed at helping Cyren customers stay protected. If after the end of the 30 days they decide to go elsewhere, that is no problem at all. This is a totally free offer with no obligation to continue and with no strings attached.

The TitanHQ team will be monitoring capacity – which is already hugely overprovisioned – to ensure that there is no impact on current users, and response times to queries are constantly monitored to ensure that customers are not impacted. TitanHQ’s infrastructure can also be rapidly scaled up to meet demand should the need arise.

Cyren customers wishing to take advantage of the offer should contact TitanHQ to speak to the migration team, and assistance will be provided to get you up and running quickly.

Smishing Campaign Targets Coinbase Users

SMS-based phishing attacks are becoming more common, and these attacks can be particularly effective. SMS phishing – commonly referred to as smishing – is the use of SMS messages for delivering malicious URLs. There are several advantages of smishing over phishing. Most companies have email security solutions in place such as spam filters that can easily detect malicious emails, so many phishing emails will not reach end users. Smartphones tend to have fewer cybersecurity controls than computers, so malicious SMS messages are more likely to be delivered. Another reason why smishing attacks have a high success rate is employees tend to be aware of the risk of email attacks but are more trusting about SMS messages as security awareness training tends to focus on email phishing. Further, since smartphones are often accessed on the go, people can be distracted and click links without stopping to think.

Businesses are often targeted with smishing attacks as it is an easy way of getting phishing URLs in front of employees. One recent attack targeted Coinbase employees. Coinbase is one of the world’s largest cryptocurrency exchanges with more than 1,200 employees and more than 103 million users, which makes the company a big target for cybercriminals (although smishing attacks are conducted on companies of all sizes!).

In this attack, SMS messages were sent to employees using a common ruse – They were told they needed to log in urgently about a security issue. Virtually all Coinbase employees ignored the message, but one employee responded and entered their username and password on the phishing page. Smishing campaigns do not need to fool a lot of employees. They only need to fool one person. Coinbase was protected against smishing attacks to a certain degree, as the company had implemented 2-factor authentication, so while the attackers obtained a username and password, those credentials alone would not allow access to be gained to the user’s account.

However, smishing can be combined with voice phishing to get around 2FA and MFA protections. The attackers then called the employee and pretended to be from the Coinbase IT department, and provided the employee with instructions, which were followed, allowing the attackers to bypass the 2FA protection and log in to the employee’s workstation. In this attack, unauthorized access was rapidly detected by the IT team, as the remote access generated a security alert. Fortunately, the attack was thwarted before the threat actor was able to achieve very much, although, in the short time that access was possible, the attacker was able to steal some employee data, including names, email addresses, and phone numbers. Similar attacks have been conducted on companies that did not have 2FA protection, and many attacks have not been detected rapidly by security teams, allowing much more damage to be caused.

With smishing attacks increasing, businesses need to prepare and ensure they have appropriate defenses in place, which should include 2FA or MFA protection on all accounts. As the Coinbase attack demonstrated, 2FA/MFA alone is not sufficient. Whitelisting IP addresses is recommended, and security alerts should be set up and immediately followed up on by security teams.

Web filtering can provide some protection by restricting access to the websites that employees can access, thus preventing them from accessing the phishing URLs where credentials are harvested. Another important measure is to provide security awareness training to the workforce to ensure that employees are aware of smishing and voice phishing attacks. By raising awareness, employers can greatly improve protection against these attacks.

Give TitanHQ a call today to find out how web filter and security awareness training can improve your defenses against smishing, vishing, and other types of cyberattacks targeting employees.

Namecheap Customers Targeted in Sophisticated Phishing Scam

Phishing emails often spoof a company and include its logos and branding, but one of the red flags that allow these emails to be identified by users is the email address used in the campaign is set up on a domain unrelated to the brand being spoofed. For instance, a phishing email spoofing FedEx is sent from a Gmail account. Oftentimes, a display name is created that makes the email appear to come from a genuine account used by the spoofed company – FedEx customer service for instance – but a quick check will reveal the actual email address used, allowing users to identify the phishing attack.

However, these checks sometimes fail, as highlighted by a recent phishing campaign that impersonated the logistics company DHL and the software cryptocurrency wallet provider, MetaMask that targeted customers of the domain registrar Namecheap. The emails originated from the legitimate customer communication platform SendGrid, which Namecheap uses for sending marketing communications and renewal notices to customers. Namecheap responded quickly when the attack was identified and disabled the accounts, but not in time to prevent many phishing emails from being sent.

The emails spoofing DHL included the DHL Express logo and warned recipients that their parcel was not able to be delivered because the sender did not pay the necessary delivery fees, as such, the parcel has been retained at the delivery depot and will not be released until the delivery fees are paid.

The MetaMask emails purported to be a Know Your Customer verification request, which required the recipient to verify their identity to prevent their account from being suspended. If the verification is not completed, the emails claimed, users would be unable to withdraw or transfer funds without interruption.

In both cases, the emails included a link that the users were required to click to complete the request – a Namecheap.com marketing link that redirected users to a phishing page on an unrelated domain. This was not a data breach at Namecheap, but at the third-party system the company uses for sending emails – SendGrid. It is currently unclear how SendGrid was hijacked to send the phishing emails.

Phishing emails may be sent from legitimate company email accounts, either an account at the actual company being spoofed or other well-known services such as SendGrid. In the summer of 2022, a phishing campaign was conducted targeting customers of the hardware cryptocurrency wallet Trezor, following a hack at the email marketing platform MailChimp.

Phishing attacks such as these can sneak past email defenses and are harder for employees to identify, which is why businesses need to adopt a defense-in-depth approach. Email security solutions will block the majority of spam and phishing emails, but no email security solution will block all malicious messages. In addition to an advanced email security solution such as SpamTitan – which incorporates multiple layers of protection and machine learning mechanisms to block novel phishing attacks – businesses should invest in security awareness training for employees and should provide the training continually throughout the year. Through comprehensive training, employees can be taught more than just the basics and can learn how to recognize and avoid sophisticated phishing attacks.

A web filter is also recommended for blocking access to the malicious URLs that are used to harvest sensitive information. A web filter augments the spam filter by providing time-of-click protection against malicious links in emails and also protects against non-email methods used to drive traffic to phishing sites, such as malvertising, smishing, and vishing attacks.

If you want to improve protection against phishing, call TitanHQ to find out more about improving the depth of your security protections through spam filtering, security awareness training, and web filtering.

Improve Your Security Posture in 2023 with Effective Workforce Security Awareness Training

Cyberattacks on businesses increased during the pandemic and have continued at high levels since. Fortunately, businesses have responded and are taking cybersecurity seriously and have increased investment in cybersecurity. Data from ESG research suggests 65% of organizations are planning to increase investment in cybersecurity in 2023. While there is room for improving technical defenses to block more attacks and identify and address vulnerabilities faster before they can be exploited, it is important not to neglect the human element, which according to Verizon’s 2022 Data Breach Investigations Report, is a factor in 82% of data breaches.

While simple errors can easily lead to data breaches, many are the result of a lack of understanding of security. There is also a common view among employees that cybersecurity is the sole responsibility of the IT department. It is true that one of the roles of the IT department is to ensure that technical measures are implemented to block cyber threats and that vulnerabilities are identified and addressed promptly, but even companies that invest heavily in IT security still suffer data breaches, and that is because even sophisticated defenses can be bypassed.

Technology and hardware will block the majority of threats, but employees are still likely to encounter phishing, social engineering scams, business email compromise, and malware, and need to be provided with proper education to improve awareness of those threats and be taught the skills to allow them to identify and avoid cyber threats. The workforce needs to be educated on all aspects of security, not just how to identify a phishing email. Take password security for example. Password policies can be implemented, and employees provided with password managers, but as the recent credential stuffing attack on NortonLifeLock users revealed, many users of that password manager set a master password for their password vault that had been used elsewhere on the internet, which allowed the hackers to access their accounts.

By providing security awareness training, businesses can improve the baseline knowledge of the workforce, make sure everyone is aware of the threats they are likely to encounter, and security best practices can be taught, along with the importance of always following those best practices. The ultimate aim of security awareness training is to develop a security culture, where everyone in the organization understands that they have a role to play in the cybersecurity of the organization and that cybersecurity is not just a matter for the IT department.

Unfortunately, it is not possible to get to that point overnight. Providing a one-time security awareness training session is not enough and even conducting annual training sessions is unlikely to result in behavioral change. For training to be effective and to change employee behavior, training needs to be provided continuously, with short training sessions conducted regularly throughout the year. Training also needs to be individualized. There is no point in providing a single training course to every employee, as training needs to be role-specific and cover the specific threats each employee is likely to encounter.

The training also needs to be engaging to get employees to take the information on board, and training needs to be regularly reinforced. One of the best ways to do this is through phishing simulations, which test whether employees have understood the training and if they are applying that training day in, day out. Employees should also be empowered to help with cybersecurity by providing a phishing reporting button as an email client add-on, so they can alert the IT department when a suspicious email is encountered. Organizations that provide their workforce with training using the SafeTitan platform and conduct regular phishing simulations through the platform report significant improvements in security. Phishing simulation data also shows improvements in employee susceptibility to phishing attacks, with organizations seeing reductions of up to 92% in click rates by employees.

With 2023 looking like it will be another year with high levels of cyberattacks, January is the ideal time to review your security awareness training programs, make improvements, and implement a training program if you are not yet providing training to your employees. TitanHQ is here to help. Give the team a call today to find out more about how SafeTitan can benefit your business.

OneNote Attachments and Blank Images Used in Phishing Attacks

Phishers are constantly coming up with new ways to evade security solutions, steal credentials, and distribute malware. In January, two new tactics were observed in separate phishing campaigns, one hides malicious URLs from security solutions in a credential-stealing campaign, and the other uses OneNote attachments for distributing malware.

Blank Image Phishing Attacks

The blank image phishing attack involves hiding a Scalable Vector Graphics (SVG) image file within an HTML document sent via email. In this campaign, the email claims to include a DocuSign document, which office workers are likely to be familiar with. The email claims the document includes remittance advice. The user is required to click to view the document and will be directed to the legitimate DocuSign webpage if they do.

However, the attack starts when the user clicks to view the HTML document. The document contains a Base64 blank image file, which has embedded JavaScript that will redirect the victim to a malicious URL. The image itself contains no graphics, so does not render anything on the screen. It is just used as a placeholder for the malicious script. The URL that the user is directed to will prompt them to enter sensitive information. A similar technique using SVG files has previously been used to distribute QBot malware. Many email security solutions ignore HTML files, which increases the chance of the malicious email landing in inboxes. Security teams should consider blocking or quarantining HTML emails to protect against these types of attacks.

OneNote Attachments Used to Distribute Malware

Another campaign has been detected that uses OneNote attachments in phishing emails for distributing remote access malware, which can provide initial access to a victim’s system allowing further malicious payloads to be delivered, such as information stealers and ransomware. For many years, Office documents were the preferred attachment for distributing malware. These files can include macros that download a malicious payload, but Microsoft now blocks macros by default in Office files delivered via the internet, which has forced hackers to look for new ways to distribute their malware.

One new tactic is the use of OneNote attachments. OneNote is installed by default with Microsoft Office and Microsoft 365, which means OneNote files can be opened on most devices even if the user does not use the OneNote application. The lures used in these emails vary, although some of the intercepted emails claimed to be shipping notifications, with the details of the shipment included in the OneNote file.

OneNote files cannot contain macros, but it is possible to insert VBS attachments into a NoteBook. When opening the file, the user is told they must double-click to view the file. Doing so will launch the VBS script, which will download and install malware from a remote site. If the user does click, they will be warned that opening attachments can harm their computer. If that warning is ignored and the user chooses to open the attachment, the script will download a decoy OneNote file – a genuine file – so the user is unlikely to realize that anything untoward has happened, but the script will execute a batch file in the background and will install the second downloaded file, which is malware.

How to Defend Against Phishing Attacks

Cybercriminals are constantly developing new methods for distributing malware and stealing credentials, and phishing is the most common way to do this. Defending against these attacks requires a defense-in-depth approach, involving multiple overlapping layers of protection. If anyone measure fails to detect a threat, others are in place to detect and block the threat.

In addition to a secure email gateway or spam filter, businesses should consider a web filter for blocking the web-based component of the attack, multifactor authentication for all accounts, antivirus software/endpoint security solutions, and security awareness training for employees to help them identify and avoid phishing threats. For assistance improving your defenses against phishing, contact TitanHQ.

ChatGPT Used to Create Convincing Phishing Lures and New Malware

Toward the end of 2022, a new AI-based chatbot was made available to the public which has proven popular for creating written content. Concern is now growing about the potential for the tool to be used by cybercriminals for creating new phishing lures and for rapidly coding new malware.

ChatGPT was developed by OpenAI and was released on 30 November 2022 to the public as part of the testing process. Just a few days after its release, the chatbot had reached a million users, who were using the tool to write emails, articles, essays, wedding speeches, poems, songs, and all manner of written content. The chatbot is based on the GPT-3 natural language model and can create human-like written content. The language model was trained using a massive dataset of written content from the Internet and can generate content in response to questions or prompts that users enter into the web-based interface.

While articles written using the chatbot would be unlikely to win any awards, the content is grammatically correct, contains no spelling mistakes, and in many cases is far better than you could expect from an average high school student. One of the problems is that while the content may superficially appear to be correct, it is biased by the data it was trained on and may include errors. That said, the generated content is reasonable and sufficiently accurate to pass the Bar exam for U.S. lawyers and the US Medical Licensing exam, although only just. It is no surprise that many school districts have already implemented bans on students using ChatGPT.

To get ChatGPT to generate content, you just need to tell it what you want to create. It is no surprise that it has proven to be so popular, considering it is capable of writing content better than many humans could. While there are many benefits from using AI for chatbots that can create human-like text, there is growing concern that these natural language AI tools could be used for malicious purposes, such as creating social engineering scams and phishing and business email compromise attacks.

The potential for misuse has prompted many security researchers to put ChatGPT to the test, to see whether it is capable of generating malicious emails. The developer has put certain controls in place to prevent misuse, but those controls can be bypassed. For instance, asking ChatGPT to write a phishing email will generate a message saying the request violates the terms and conditions, but by experimenting with the queries it is possible to get the chatbot to generate the required content.

Further, it is possible to write a phishing email and spin up many different combinations that are all unique, grammatically correct, and free from spelling errors. The text is human-like, and far better than many of the phishing emails that are used in real phishing campaigns. The rapid generation of content has allowed security researchers to spin up an entire email chain for a convincing spear phishing attack. It has also been demonstrated that the technology can be rapidly trained to mimic a specific style of writing, highlighting the potential for use in convincing BEC attacks. These tests were conducted by WithSecure prior to public release and before additional controls were implemented to prevent misuse, but they continued their research after restrictions were added to the tool, clearly demonstrating the potential for misuse.

The potential for misuse does not stop there. The technology underlying the chatbot can also be used to generate code and researchers have demonstrated ChatGPT and its underlying codex technology are capable of generating functional malware. Researchers at CyberArk were able to bypass the restrictions and generate a new strand of polymorphic malware, then were able to rapidly generate many different unique variations of the code. Researchers at Check Point similarly generated malicious code, in fact, they generated the full infection process from spear phishing email to malicious Excel document for downloading a payload, and the malicious payload itself – a reverse shell.

At present, it is only possible to generate working malicious code with good textual prompts, which requires a certain level of knowledge, but even in its current form, the technology could help to rapidly accelerate malware coding and improve the quality of phishing emails. There are already signs that the tool is already being misused, with posts on hacking forums including samples of malware allegedly written using the technology, such as a new information stealer and an encryptor for ransomware.

With malicious emails likely to be generated using these tools, and the potential for new malware to be rapidly coded and released, it has never been more important to ensure that email security defenses are up to scratch. Email security solutions should be put in place that are capable of detecting computer-generated malware. SpamTitan includes signature-based detection mechanisms for identifying known malware along with email sandboxing. The sandbox is an isolated and secure testing environment where suspicious email attachments are subjected to behavioral analysis. The next-gen sandbox means SpamTitan can detect zero-day malware variants that would otherwise not be detected since their signatures have yet to be added to the blocklists. SpamTitan also uses machine learning mechanisms for detecting zero-day phishing threats, based on deviations from the standard messages received by companies.

TitanHQ also recommends implementing multifactor authentication, web filtering for blocking access to malicious websites, and security awareness training for employees. The quality of phishing emails may get better, but there will still be red flags that employees can be trained to recognize.

HR Departments Spoofed in Phishing Campaigns Targeting Professionals

This month has seen an increase in phishing campaigns targeting professionals purporting to be messages from Human Resources advising them about salary increases, promotions, updates to policies and procedures, and other annual updates. The start of the year typically sees the HR department issue updates to employees, including notifications about changes to employee benefits, proposed pay rises, and annual updates to policies and procedures. It is therefore no surprise that cybercriminals are taking advantage of the increase in HR communications and have adopted lures related to these start-of-year messages. Several campaigns have been detected this month that have targeted employees and used HR-related lures.

The emails have realistic subject lines, appear to have been sent internally, and have lures that are likely to prompt a quick response. Messages about changes to employee benefits, pay rises, and promotions are likely to be opened by employees quickly without thinking, as are other notifications from the HR department such as updates to internal policies. Phishing simulation data shows that these types of emails have some of the highest click rates.

These emails include a combination of attachments and hyperlinks. One campaign claimed to include important information about a new benefits package and required employees to open an attached .shtml file. The email claimed employees needed to review and digitally sign the document to acknowledge receipt. In this case, opening the attached file would load a local copy of a phishing page, which generated a fake Microsoft 365 login prompt in the user’s browser. The user’s email address is populated as the username, and they are required to enter their password. The user is told that their password must be entered as they are accessing sensitive internal information.

These phishing emails may be sent from external email addresses and spoof the HR department, but internal email accounts compromised in previous phishing attacks are often used, adding to the realism of the campaign and making it harder for email security solutions to detect the emails as malicious. It is common for these campaigns to include malicious hyperlinks rather than attachments, where the user is directed to a phishing page that mimics the domain of the organization or a well-known, unrelated company. In one campaign, a healthcare organization was impersonated in an email purporting to provide details of updated medical benefits for employees. One campaign involved notifications about changes to the employee security awareness training program for the new year.

Phishing is one of the most common tactics used by cybercriminals to gain initial access to business networks. The campaigns are easy to conduct, requiring little effort by the attackers, and they are often effective. Simply opening a malicious attachment and enabling the content to view the document is all that is needed to install malware, and if a user can be convinced to disclose their Microsoft credentials, the attacker can gain access to all associated Microsoft applications, including Email, OneDrive, Teams, and SharePoint, giving them the foothold they need for conducting a more extensive attack and access to a considerable amount of sensitive company data.

Cybercriminals mimic the types of emails that employees are likely to receive at different times of the year. Over the next few weeks, it is likely that there will be an increase in phishing campaigns targeting tax professionals, and phishing campaigns targeting individuals that use tax-related lures, such as notifications about tax returns, tax rebates, and unpaid tax as tax season gets into full swing.

Businesses need to take steps to block these attacks. While antivirus software and a spam filter were once effective and could block the vast majority of email-based attacks, phishing is becoming increasingly sophisticated and the speed at which new, previously unseen malware variants can be created and released means these defenses are no longer as effective as they used to be.

To block more phishing attempts, businesses need to adopt a defense in-depth approach. In addition to antivirus/endpoint detection software and an advanced spam filter, they should consider adding a web filter to block access to the web-based component of phishing attacks and block malware downloads from the Internet. Multi-factor authentication should be implemented for accounts, although phishing kits are now being used that can bypass MFA. While any form of MFA is better than nothing, phishing-resistance MFA is ideal and should be implemented, which is based on FIDO standards and provides a much greater level of protection.

While it is the responsibility of organizations to block malicious emails and prevent them from reaching employees, it is inevitable that some will be delivered. It is therefore important to also provide security awareness training to employees to train them how to identify and avoid phishing attempts. Security awareness training combined with phishing simulations, such as those provided by TitanHQ through the SafeTitan platform, are proven to reduce susceptibility to phishing attacks.

Failure to Block Phishing Attack Results in HIPAA Fine

Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). PHI is individually identifiable information that relates to the past, present, or future health of an individual or payment for healthcare. The security safeguards are detailed in the HIPAA Security Rule and compliance is enforced by the Department of Health and Human Services’ Office for Civil Rights and state Attorneys General. When there is a data breach involving PHI, OCR investigates. Investigations are also commonly conducted by state attorneys general to determine if a data breach was the result of a failure to comply with HIPAA.

OCR and state attorneys general understand that it is not always possible to prevent data breaches. Many data breaches are reported each year that are investigated, and the cases are closed because the covered entities have implemented appropriate security measures, only for them to be bypassed. However, when insufficient measures are put in place to safeguard PHI, financial penalties are typically imposed.

The HIPAA Security Rule does not provide a list of security measures that must be implemented to block phishing attacks, as HIPAA was developed to be flexible. HIPAA-covered entities should conduct a risk analysis and reduce risks to a low and acceptable level using a range of measures and by adopting recognized security practices. HIPAA specifies access controls as a security safeguard, which involves the use of strong passwords and ideally multifactor authentication. HIPAA-covered entities must also stay abreast of recently disclosed vulnerabilities and make sure that patches are applied and software is updated to the latest version. The HIPAA Security Rule also calls for security awareness training to be provided to the workforce, and while the frequency of training is not specified, OCR has explained in its cybersecurity newsletters that the program should cover new and current threats and that the training program should be continuous, rather than providing a once-a-year training session.

Recently, Avalon Healthcare, a provider of skilled nursing and assisted living facilities, discovered that the failure to implement appropriate defenses to block phishing attacks is grounds for a financial penalty for non-compliance with the HIPAA Security Rule. After being notified by Avalon Healthcare that email accounts containing the PHI of 14,500 individuals had been accessed by unauthorized individuals, the Oregon and Utah Attorneys General launched an investigation to determine whether non-compliance with the requirements of HIPAA was a factor. The investigation was triggered by a very late breach report, which was 10 months after the phishing attack was detected when data breaches must be reported within 60 days. In addition to determining that the delay violated HIPAA and state laws, the investigation revealed a lack of security safeguards for combatting phishing.

Avalon Healthcare chose to settle the case and paid a $200,000 financial penalty and agreed to adopt a comprehensive information security program that includes email filtering and training for all members of the workforce on phishing and social engineering identification and avoidance, including conducting phishing simulations on the workforce. Had a comprehensive training program been in place, it is possible that the phishing attack would have been detected and avoided.

TitanHQ understands the importance of providing training to the workforce which is why a security awareness training solution has been added to the product portfolio. SafeTitan is a comprehensive training solution for businesses of all sizes that covers all aspects of security, including training employees to recognize phishing, social engineering, and other cyber threats. The platform also includes a phishing simulator for creating and automating phishing simulations on the workforce. SafeTitan security awareness training and phishing simulations have been shown to reduce the susceptibility of the workforce to phishing attacks by up to 80%, and will help to ensure that HIPAA-regulated entities comply with the security awareness training requirements of the HIPAA Security Rule.

If you do not currently provide ongoing security awareness training to your workforce, contact TitanHQ to find out more about the difference this will make to your security posture and how easy it is to provide training through the SafeTitan platform. Like all TitanHQ cybersecurity solutions, SafeTitan is available on a free trial to allow businesses to see for themselves how easy the platform is to use.

Cybercriminals Use Facebook Posts to Bypass Phishing Defenses

Cybercriminals are constantly coming up with new tactics for stealing credentials and other sensitive information. Phishing is one of the main ways that this is achieved, but most businesses have spam filters that block these malicious messages. If a phishing email is developed that can bypass email security measures and land in the inboxes of a business, there is a good chance that the emails will be clicked and at least some accounts can be compromised.

Spam filters such as SpamTitan incorporate a range of advanced measures for detecting phishing emails, including reputation checks of IP addresses, analyses of the message headers and bodies, and machine learning algorithms determine the probability that an email is malicious. Dual anti-virus engines are used for detecting known malware, and the next-gen email sandbox is used to detect zero-day malware threats by analyzing how files behave when opened, and hyperlinks in emails are scanned and followed to determine if they are malicious.

To bypass email security solutions, threat actors may link a legitimate website in an email, such as providing a URL for SharePoint, Google Drive, Dropbox, or another legitimate platform. These URLs are more difficult to identify as malicious as these websites pass reputation checks. Malicious URLs on these platforms are often reported and are then blocked by email security solutions, but the URLs often change and are never used for long.

A campaign has recently been detected that uses this tactic and attempts to direct users to the genuine Facebook.com site, with the phishing emails containing a link to a Facebook post. The phishing email comes from a legitimate-looking domain – officesupportonline.com – and warns the user that some of the features of their Facebook account have been deactivated due to copyright-infringing material. Like many phishing emails, the user is told they must take urgent action to prevent the deletion of their account. In this case, they are threatened with the deletion of their account if there is no response within 48 hours.

A link is supplied to a post on Facebook.com that the user is required to click to appeal the decision. The post masquerades as a Facebook.com support page from Facebook Page Support, which provides a link to an external webpage that the user is required to click to “Appeal a Page Copyright Violation”. The URL includes the name of Facebook’s parent company, Meta, although the domain is actually meta.forbusinessuser.xyz – A domain that is not owned by Meta or Facebook. URL shortening services are used in these campaigns to hide the true URL.

If the user clicks the link they will be directed to a page that closely resembles the genuine Facebook copyright appeal page. In order to appeal the decision, the user must complete a form that asks for their full name, email address, phone number, and Facebook username. If that information is submitted through the form, geolocation information is also collected along with the user’s IP address, and the information is sent to the scammer’s Telegram account.

The next stage of the scam sees the user redirected to another page where they are asked to provide a 6-digit one-time password, which they are told is required when a user attempts to sign into their account from a new device or browser. This is a fake 2-factor authentication box, and if the user enters any 6-digit code it will produce an error, but the code entered will be captured by the attacker. The user will be directed to the genuine Facebook site if they click the “need another way to authenticate?” option on the page.

Campaigns such as this highlight the importance of layered defenses. Spam filters are effective at blocking the majority of spam and phishing emails, but some messages will bypass spam filters and will be delivered to inboxes. One of the best ways to augment your phishing defenses is to provide security awareness training to your workforce, and this is key to combatting new phishing tactics such as this Facebook phishing scam.

Employees should be taught how to identify phishing attempts and what to do if a potentially malicious email is received. In addition to providing training, phishing simulations should be conducted on the workforce to give employees practice at identifying phishing threats while they are completing their usual work duties. If a simulation fails, the employee can be told what went wrong and how they could identify similar threats in the future.

TitanHQ offers businesses a comprehensive security awareness training and phishing simulation platform called SafeTitan. The platform includes an extensive range of training content on all aspects of security, and a phishing simulation platform with hundreds of phishing templates taken from real-world phishing attacks. SafeTitan automates the provision of training and is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to security mistakes by employees, ensuring training is provided at the time when it is likely to be most effective at changing employee behavior.

Godfather Malware Targets More Than 400 Financial Institutions

A new variant of the Android banking Trojan, Godfather, has been detected with the latest version of the malware being used to target more than 400 financial institutions worldwide, including 215 international banks, 110 cryptocurrency exchanges, and 94 cryptocurrency wallets in at least 16 countries including the United States, Canada, United Kingdom, Spain, France, and Germany.

Godfather malware is thought to have evolved from the Anubis banking Trojan, and while it was first detected 18 months ago, it has been rarely used until recently. The malware was only distributed in low volume during its first year, then it disappeared entirely in June 2022, suggesting the developers were working on a new version. That new version was released in September 2022.

While banking Trojans can have quite extensive functionality, their primary purpose is to steal the login credentials for financial institutions, which they usually obtain by generating fake login pages for the institutions that they target. What makes Godfather malware stand out is the number of financial institutions that are targeted. When installed on a device, Godfather malware will generate a fake login page when a user attempts to use the app of a targeted bank or cryptocurrency exchange. These fake login pages are overlays, that are displayed on top of the legitimate targeted app. The fake login page created by the malware will capture the user’s credentials when they are entered.

Most financial institutions have additional authentication requirements and no longer rely on a username and password for granting access. Banking Trojans therefore need to have the capability to bypass these additional authentication measures if they are to be successful. Godfather malware achieves this by masquerading as Google Play Protect and attempts to get the user to grant it accessibility rights, which allows the app to log keystrokes and also read SMS messages and perform screen captures. Those rights will allow the malware to capture the necessary information to bypass multi-factor authentication and other security features. Once credentials and other login information are harvested, accounts are accessed and emptied.

The new version of the malware was detected and analyzed by security researchers at Group-IB, who believe the malware was developed by Russian speakers, as the malware has a kill switch that will deactivate it if it detects any of the languages in former Soviet states, apart from Ukraine. The researchers believe that Godfather malware has been created for use under the malware-as-a-service model, where the developers offer the malware to a range of threat actors for a fee, allowing them to steal login credentials for financial accounts without having to develop their own malware.

Since multiple threat actors will likely be using the malware, the vectors used to distribute the banking Trojan will likely be diverse. As was the case with Anubis, one of the distribution methods is via decoy applications in the Google Play store. Godfather malware is more advanced than its predecessor and it is thought that it will grow into a major threat and will likely be modified further to target even more financial institutions.

UK Cyber Security Agency Makes Recommendations for Businesses to Combat Phishing

Phishing is one of the most common ways that cybercriminals attack businesses. Phishing is used to install malware and steal credentials, both of which will provide them with initial access to the network. Since phishing targets individuals, one of the most important steps to take to prevent phishing attacks is to provide security awareness training to the workforce.

Employees should be warned about the risk of phishing attacks and taught what to look for to help them identify, avoid, and report phishing threats. Training alone is not the answer though, as employees need practice at identifying phishing. Phishing simulations should therefore be conducted. These are realistic but fake phishing emails that are sent to all members of the workforce, the responses to which are tracked. When a user fails a phishing simulation, they can be provided with relevant training to help them identify similar threats in the future and to correct any risky behaviors. The combination of security awareness training and phishing simulations – both of which are provided through SafeTitan – can reduce susceptibility to phishing attacks by up to 80%.

Security awareness training should teach employees the red flags that indicate a phishing attempt. Employees should also be encouraged to report phishing attempts to their security team, as there is a good chance that the phishing email will not be the only such threat in the email system. When these threats are reported, security teams can remove all other copies of that message from the email system, thus preventing other users from being exposed to the threat. It is also important to encourage users to report phishing threats that they have responded to, as the faster the security team is made aware of a clicked link or file download, the faster mitigations can be implemented to reduce the harm that can be caused.

One problem for businesses is employees are often fearful of reporting responses to phishing emails due to the potential for negative repercussions, such as disciplinary action. If reporting is delayed, then mitigations are also delayed, which can potentially have serious consequences. The UK’s National Cyber Security Centre (NCSC) has recently suggested that in order to address this issue, businesses need to change their mindset. At many businesses, employees are made to feel that it is their responsibility to identify and avoid phishing attempts when the reality is it is the responsibility of the employer to block threats by implementing a range of technical controls. Employees should be trained on how to identify phishing attempts of course, but in order to develop a strong reporting culture, employees must not be made to think that a failure to avoid a phishing threat is their fault. The NCSC also takes issue with the commonly provided advice that employees should not click hyperlinks in unsolicited emails as, in many cases, that is actually a requirement of their job.

Technical Recommendations for Protecting Against Phishing Attacks

So how should businesses combat phishing? What technical measures should be implemented to improve defenses and make it much harder for phishing attacks to succeed? TitanHQ has long recommended what the NCSC suggests, and that is phishing prevention requires a defense-in-depth approach, where multiple overlapping layers of protection are implemented. This is vital, as no single anti-phishing measure will be 100% effective, 100% of the time.

The NCSC recommends multiple technical measures, the most important of which are a spam filtering solution that scans all inbound emails for phishing signatures and the setting of DMARC and SPF policies, as these are effective at blocking the majority of phishing threats. TitanHQ’s SpamTitan solution incorporates DMARC, DKIM, and SPF for blocking phishing threats, machine learning for identifying zero-day threats, as has constantly updated blacklists of malicious IP addresses and domains. SpamTitan also has a sandbox for deep behavioral inspection of attachments, in addition to dual anti-virus engines.

The NCSC also recommends implementing web proxies or web filters to prevent employees from accessing malicious websites linked in phishing emails. SpamTitan Plus rewrites URLs in phishing emails and follows them, providing protection against these malicious links. The WebTitan DNS filter will block access to known malicious websites and will also prevent downloads of malicious or risky files from the Internet, such as executable files – another recommendation of NCSC.

While not often considered by businesses as a phishing prevention measure, a password manager does provide a degree of protection against phishing attacks that harvest credentials, so businesses should provide one for their employees to use and they should encourage employees to use it. Password managers suggest strong passwords and then autofill them when they are required. Since the password is tied to a specific URL or domain, if a user lands on a phishing site that spoofs a brand, the password manager will not auto-fill the password, since the URL/domain is not associated with that password. It is also important to ensure that multi-factor authentication is enabled.  Ideally,  businesses should opt for passwordless authentication with a FIDO token.

Additional safeguards that should be considered include allow-listing to prevent executable files from running from any directories that users can write them and configuring the Registry to ensure that dangerous scripting or file types are opened in Notepad and are not executed.  NCSC also recommends using PowerShell in constrained mode, script signing, disabling the mounting of .iso files on endpoints, locking down the macro settings, and only allowing users to enable macros if they need to do so for their job. Businesses should also stay up to date on the latest threats and ensure that mitigations are implemented against those threats and that they are incorporated into security awareness training programs, as TitanHQ does with SafeTitan.

By implementing all of these mitigations and adopting a defense-in-depth approach it becomes less important that employees can recognize and avoid threats, although training is still important because one or more of the above measures may fail. Businesses should also avoid punishing employees for failing to identify phishing attempts, as that is likely to create a culture of fear rather than a culture of reporting threats.

TitanHQ can help businesses significantly improve their defenses and implement many of the NCSC recommendations for combatting phishing. For more information on TitanHQ solutions, give the team a call today, or take advantage of the free trials on all TitanHQ products.

Essential Security Layers for Preventing Phishing Attacks

Phishing is one of the most effective ways of gaining initial access to business networks, either by stealing credentials or installing malware. Phishing exploits human weaknesses and involves tricking individuals using social engineering into taking a certain action, such as visiting a website where they are asked for sensitive information or opening a file that contains malicious code.

One of the best defenses against phishing attacks is an anti spam service. A spam filter will scan all incoming (and often outbound) emails looking for the signatures of spam and phishing. Suspect messages are quarantined pending a manual review and rules can be set for confirmed phishing emails, which is often to delete the messages or quarantine them for further investigation. Spam filters will prevent the majority of malicious emails from reaching inboxes, but crucially, not all. Some malicious messages will bypass the spam filter and will land in inboxes, no matter what spam filtering solution you use.

Advanced spam filters such as SpamTitan provide several layers of protection against spam, phishing, and malware but even advanced spam filters are not sufficient on their own to combat phishing. Cybercriminals are now conducting highly sophisticated attacks, so further layers need to be added to your defenses. A web filter is recommended for blocking access to the URLs linked in phishing emails. Spam filters may check links in emails, but these may be made malicious after emails are delivered. A web filter provides time-of-click protection against malicious links. Web filters can also be configured to block certain file downloads from the Internet.

To protect against credential theft, businesses should consider providing a password manager to their employees. Phishing attacks that seek credentials usually direct users to a spoofed website, such as a site with a fake Microsoft login prompt for stealing Microsoft 365 credentials. Employees are often fooled by these scams as the phishing sites look exactly the same as the brands they spoof. Password managers provide some protection. When a password is added to the password vault, it is associated with a specific URL or domain. If the user lands on that URL or domain, the password manager will autofill the password. If the user lands on an unrelated domain, the password will not be filled as the URL or domain is not associated with that password. That serves as a warning that the URL has not been visited before.

Sometimes, employees will be fooled and will disclose their login credentials. This is where multi-factor authentication helps. With multi-factor authentication enabled, compromised passwords will not grant access to accounts unless an additional factor is provided. Since phishing kits are in use that are capable of intercepting MFA codes, the choice of MFA is important. For the best protection use phishing-resistant MFA, which is based on FIDO authentication.

By implementing all of the above technical measures, businesses will be well protected against phishing attacks, but that does not mean it is not necessary to provide security awareness training to the workforce. Security awareness training forms the final layer of protection and prepares employees for the threats they are likely to encounter. Security awareness training teaches employees about phishing, malware, business email compromise, and other cyber threats, and explains best practices and why they are essential for security. The goal of security awareness training is to create a security culture where all employees are aware that they play a role in the security of their organization and to develop a reporting culture where the IT department is made aware of any threats that bypass defenses. That allows the IT department to tweak security solutions to make sure similar threats are blocked in the future.

Security awareness training should be accompanied by phishing simulations. These simulated phishing attacks identify weaknesses that can be addressed. That may be a gap in the training content or an individual who has not understood the training. Simulations allow gaps to be proactively addressed before they are exploited in real cyberattacks. Simulations also help to keep training fresh in the mind and give employees practice at identifying cyber threats.

TitanHQ can help your business to improve defenses against phishing and cyberattacks through layered defenses provided by SpamTitan email security, WebTitan web filtering, and SafeTitan security awareness training. For more information on improving your phishing defenses, give the TitanHQ team a call.

Use International Computer Security Day to Improve the Security Awareness of your Workforce

Today is International Computer Security Day – A day when the focus is on improving cybersecurity and ensuring all computers and electronic devices are appropriately secured against the increasing number of cyber threats. It has only been 30 days since the end of Cybersecurity Awareness Month, but International Computer Security Day serves as a reminder of the importance of cybersecurity.

International Computer Security Day was the brainchild of the Association for Computer Machinery (ACM), which created this national day of recognition to raise public awareness of the importance of computer security. The first International Computer Security Day was in 1988 when computers were first starting to become widely used by businesses and governments, although were yet to become popular in homes, and a year before the world wide web came into existence. Fast forward 45 years, and not only are computers used extensively in homes, but devices are also now carried in pockets that are around 1,000 times faster than the Cray-2 supercomputer of the mid-80s!

The purpose of International Computer Security Day is to raise awareness of the need to secure all computers, whether they are PCs, laptops, smartphones, or IoT devices, and to empower users of these devices to secure their digital presence. International Computer Security Day is also an ideal time for businesses to take stock of their cybersecurity defenses and assess areas where improvements can be made, and to take the day to improve the awareness of employees and reemphasize the importance of cybersecurity in the workplace.

International Computer Security Day and Cybersecurity Awareness Month are concerned with raising awareness of cybersecurity and its importance for all individuals whenever they use their computer or access the Internet, not just during these national days and months of recognition, but throughout the year. Businesses can raise awareness at these times, but cybersecurity needs to be an ongoing conversation. Security awareness training programs should be running continuously throughout the year if they are to be truly effective.

Running a once-a-year training session for the workforce on computer security is useful, but these classroom-based training sessions have their limitations. A more effective strategy for security awareness training is to run computer-based training courses continuously, with training modules completed regularly throughout the year. If you choose a training platform that delivers training in short modules lasting no more than 10 minutes, these can easily be completed by employees without disrupting workflows. 2-3 three modules completed by each employee every month will only take up 20-30 minutes of their time, but this is likely to be far more effective than a 2-hour training session once a year at helping you to develop a security culture in the workplace, where employees stop and think about security before taking any action on a computer.

An even more effective way of training is to use a training platform that provides intervention training. The most effective training is provided instantly when a mistake is made, such as when an employee responds to a phishing email, saves sensitive data in an insecure location, or engages in any other risky cyber behavior. With the right training platform in place, when employees engage in these behaviors, the platform instantly sends them the relevant snippet of the company policy, along with a short training module relevant to that behavior or threat. This is important for correcting that behavior, as in many cases, the employee in question will not be aware that they have made a mistake. Don’t provide intervention training and that risky behavior is likely to be repeated.

SafeTitan from TitanHQ is a comprehensive security awareness training platform for businesses that has been proven to improve the security awareness of employees and reduce risky cyber behaviors and susceptibility to all common cyber threats. The platform is the only behavior-driven training platform to provide intervention training to employees in real time in response to risky behaviors and security mistakes. The platform automates the provision of that training to reduce admin time and ensures consistent and repeatable training is delivered.

The SafeTitan platform also includes a phishing simulator, for sending realistic dummy phishing emails to the workforce. These are proven to reinforce training by giving employees experience at recognizing and responding correctly to phishing threats. Through SafeTitan security awareness training, intervention training, and phishing simulations, staff susceptibility to phishing threats, ransomware, malware, BEC attacks, CEO spoofing is reduced by up to 92%.

If you want to make a real difference and greatly improve your human defenses, this International Computer Security Day take advantage of the free trial of SafeTitan and sample the training content and see for yourself how easy the platform is to use. Start using SafeTitan and Next International Computer Security Day your company will have a much stronger security posture and will be significantly more resilient to cyber threats.

TitanHQ Ranks 45th in the 2022 Deloitte Technology Fast 50 Awards

Growth at TitanHQ has been tremendous over the past two years thanks to a sizable investment from the UK private equity firm, Livingbridge, in 2020, and the release of new cybersecurity solutions to better meet the needs of SMBs, enterprises, and the MSPs that serve them. TitanHQ has released SpamTitan Plus, which builds on the strong performance of SpamTitan Cloud and delivers industry-leading protection from phishing along with the security awareness training and phishing simulation platform SafeTitan – The only behavior-driven security awareness training platform that delivers security awareness training in real-time in response to security mistakes by employees.

For many years, TitanHQ has been enjoying strong organic year-on-year growth, and over the past couple of years has significantly expanded its footprint in the United States, helped by several strategic new hires and a new office in Shelton, Connecticut, staffed by a highly experienced team. That growth has recently been recognized by Deloitte, which has ranked TitanHQ as the 45th fastest-growing company in Ireland at the 2022 Deloitte Technology Fast 50 Awards. This is the second year in a row that TitanHQ has made the Top 50. The 2022 Deloitte Technology Fast 50 Awards is one of the most prestigious award programs for technology companies in Ireland and has been running for 23 years. The positions calculated by Deloitte are based on the previous four years of revenue growth.

“As the business environment becomes more complex, the Irish technology sector has shown great resilience and tenacity. This year’s ranking shows growth across a broad range of sectors with companies coming up with innovative solutions to address changing consumer and business demands while faced with adversity,” said David Shanahan, Partner, Deloitte. “It’s also encouraging to see so many new entrants, including seven in the top ten. Despite the challenges of late, the Irish indigenous tech sector continues to succeed.”

Combined, the top 50 companies in the list have generated more than €500 million in revenue, averaging €10 million per company, and in 2021 employed more than 5,500 people. The average growth rate for all companies was 594%. This year there were 17 companies that made it into the top 50 for the first time, with 7 of those companies ranking in the top 10. 8 Irish counties and all four provinces are represented in the list, and this year has seen an increase in the number of companies with female CEOs. 7 of the 50 companies are led by women.

“Organic year-on-year growth and recent significant investment have turbocharged TitanHQs growth. This has allowed TitanHQ to accelerate ambitious growth plans through increased investment in product development – and in people,” TitanHQ’s CEO, Ronan Kavanagh.

 

The Emotet Botnet is Back with a Large-Scale Phishing Campaign

This month has seen a return of the Emotet botnet after a 4-month period of inactivity, with a high-volume email campaign identified that is increasing the size of the botnet. Emotet started life as a banking Trojan but has been updated over the years to add new functionality. Devices infected with Emotet are added to the botnet and can be used for a variety of purposes, but one of the main functions of Emotet is as a malware dropper, delivering additional malicious payloads on devices once the botnet operator has achieved their own goals. Currently, Emotet is being used to drop a new variant of the IcedID loader. IcedID is a banking Trojan that is similarly used to drop other malware variants.

Emotet is primarily spread via phishing emails, with the campaigns typically consisting of hundreds of thousands of emails a day. The lures used in these messages are often changed, but the threat actor behind Emotet tends to opt for traditional lures such as IRS notifications and business-themed emails. The Emotet Trojan is able to hijack message threats from infected devices and reply, including a copy of itself in the emails. Since the emails come from a genuine email account and appear to be a response to a past conversation, the probability of the recipient opening the email and attachment is all the greater.

The emails in the latest campaign still use XLS attachments with Auto_Open macros to deliver the malicious payload, despite Microsoft disabling macros in files delivered via the Internet. In some of the emails, the .xls file is directly attached to the email, although it is commonly included in a .zip file. The zip files are often password-protected to prevent them from being scanned by email security solutions, with the password – and often little else other than the file name and a signature – included in the message body.

To get around Microsoft’s macro protections, the user is advised when they open to the .xls file to copy the file to a whitelisted directory and reopen it. The user is told this is a necessary requirement of their security policy to be able to view the contents of the file, with instructions provided for different Microsoft Office versions. By copying the file to the suggested location and then reopening it, Microsoft’s protections will not be applied, and the macro will be able to run. The latest campaign is predominantly targeting the United States, although it is likely that the campaign will be expanded to target other geographical regions.

Defending against Emotet requires a combination of measures. While email security solutions such as SpamTitan can detect and block Emotet phishing emails, a defense-in-depth approach is recommended that includes comprehensive security awareness training for the workforce and more advanced endpoint detection solutions than standard antivirus software.

TitanHQ offers security awareness training and phishing simulations through the SafeTitan platform which trains employees how to recognize the phishing emails that are being used to deliver Emotet. The phishing simulator includes real-world examples of the types of emails that the gang uses to trick employees into installing Emotet.

For further information on improving your defenses against Emotet and other email threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial to allow you to test them for effectiveness and usability before making a decision about a purchase.

StrelaStealer Malware Distributed via Email and Targets Outlook and Thunderbird Credentials

A new malware variant called StrelaStealer has been identified that is being distributed via email that targets credentials for two of the most popular email clients: Outlook and Thunderbird. This previously unknown malware was first identified earlier this month, and so far, has been used to target Spanish speakers.

The campaign was identified by security researchers at DCSO CyTec. The intercepted emails have an ISO (optical disc image) file attachment. These files contain all the data that would normally be written to an optical such as a CD, DVD, or Blu-ray disc, sector by sector, with the content bundled into a single file.

One of the files analyzed by the researchers contained an executable file that sideloads the malware contained in the ISO file via DLL order hijacking. The ISO file also contains a .lnk file and polyglot file. A polyglot file can be treated as several different file formats depending on the application that opens it. In this case, the polyglot file is an x.html file, which is both an x.html file and a DLL program that loads StrelaStealer malware. Execution sees the malware loaded in the memory and simultaneously a decoy document is displayed in the web browser while the malware is executed.

Interestingly the malware does not target browser data, cryptocurrency wallets, and other data commonly obtained by information-stealing malware. Instead, it searches for the %APPDATA%\Thunderbird\Profiles directory looking for login.json and key4.db. The former contains the account and password, and the latter is the password database. Both are then exfiltrated to the attacker’s command and control server.

The malware also searches the Windows Registry and retrieves the Outlook software key, and locates the IMAP User, IMAP Server, and IMAP password values. The passwords for Outlook are encrypted, but the malware uses the CryptUnprotectData function of Windows to decrypt the data before exfiltrating the decrypted data to the C2 server

Cybercriminals are constantly developing new techniques for distributing malware. Security awareness training typically focuses on raising awareness of the most common methods of malware delivery, such as Office files containing malicious macros. Since employees are likely to be much less familiar with ISO files, they may not identify these emails as malicious, or may not report them to their security teams due to the decoy document that is displayed, in the belief that nothing untoward has happened.

To improve protection against campaigns such as this, businesses should consider configuring their email security solution to quarantine emails containing risky file attachments such as executable files, and also configure their web filter to block downloads of these file types from the Internet. That is a simple process with SpamTitan cloud-based anti-spam service and the WebTitan web filter.

IceXLoader Malware Phishing Campaign Targets Corporate Devices

A new phishing campaign has been detected that is being used to distribute a relatively new malware threat called IceXLoader. The malware was first identified in the summer and is being actively developed, with version 3.3 of the malware being distributed in the latest campaign. The malware appears to be a work in progress, with the latest version of the malware having enhanced functionality and a new method of installation is now being used. While it has only been distributed for a few months, it already represents a significant threat.

As the name suggests, IceXLoader is a malware dropper that is designed to deploy additional malicious payloads on infected devices. This could include additional tools to help the operators of the malware achieve their aims or it could be offered to a range of threat actors under the malware-as-a-service model for delivering information stealers, ransomware, and other malicious payloads. The malware was first identified by researchers at Fortinet, who named the malware IceXLoader due to the presence of ICE_X strings in samples of the malware code.

The malware is delivered via phishing emails with a .zip compressed file attachment, which contains the first stage extractor. If allowed to run, this will create a new hidden folder in C:\Users\<username>\AppData\Local\Temp, and will then drop and execute the second stage executable file, which creates a new registry key and deletes the temporary folder. The second stage executable downloads a PNG file from a hardcoded URL, and converts it into an obfuscated DLL file, which is IceXLoader. The dropper will perform checks to see if it is running in a virtual environment and will wait 35 seconds before executing IceXLoader to avoid sandbox detection. IceXLoader will collect a variety of information about its host, will connect to its command-and-control server and exfiltrate that information, and will then drop additional malicious payloads.

The malware is capable of evading Windows Defender and other anti-malware programs to prevent scanning of the folder where IceXLoader resides. Researchers at Minerva Labs note that the exfiltrated data is freely accessible on the C2 server, so the threat actors are currently not interested in securing the stolen data.

Due to the ability of the malware to evade traditional antivirus software solutions, the key to blocking this threat is implement next-generation endpoint detection solutions that are able to identify malware by their behavior, and ensure that strong, multi-layered anti phishing defenses are implemented to block the initial phishing emails, including an advanced spam filter for blocking the email and web filtering technology to prevent downloads of malicious files from the Internet.

It is also important not to neglect the human element of defenses. Security awareness training for the workforce will go a long way toward preventing these and other email-based attacks from succeeding, by teaching employees email security best practices.

DHL is the Most Spoofed Brand in Phishing Attacks

Phishing attempts are often very convincing as the emails mimic trusted brands, include their logos and color schemes, and the message format is often copied from genuine company messages. The most commonly spoofed brands are well-known companies that have millions of customers, which increases the chances of the message landing in the inbox of a person who has, at least at some point in the past, used that company’s products or services.

Every quarter, Check Point releases its Brand Phishing Report, which highlights the latest phishing trends and the brands being impersonated most often. LinkedIn, Microsoft, Google, and Netflix are regulars in the top 10 List, with LinkedIn being the most commonly spoofed brand in phishing attacks in the first half of the year; however, the top spot has now gone to the German logistics and package delivery firm, DHL.

DHL accounted for 22% of all worldwide phishing attempts in Q3, 2022. DHL itself issued a warning to customers in July after the company became aware that it was being spoofed in a massive phishing campaign that was being conducted globally. It is probable that DHL will remain in the top spot in Q4 due to the increase in online purchases in the run-up to Christmas.

While there is some variation in the phishing emails impersonating DHL, one of the most common appears to have been sent by DHL Express and alerts the recipient about an undelivered package. The message warns that it will not be possible to attempt redelivery of the package unless delivery information is confirmed. The phishing emails include a link to a website to allow that information to be provided; however, the link directs the user to a website where they are required to log in and provide their name, username, password, and other sensitive information, such as payment details.

While email phishing is the most common form, DHL has been spoofed in SMS messages that achieve the same purpose. Of course, SMS messages are not subject to spam filtering controls and mobile devices are less likely to be protected by web filters, which can detect and block attempts to visit malicious websites. SMS phishing – termed smishing – has been growing in popularity in recent years.

Unsurprisingly, given the number of users, Microsoft achieved second place, accounting for 16% of phishing emails in the quarter. The phishing emails spoofing Microsoft are more varied due to the extensive product range, although OneDrive phishing emails were common. These emails claim to be collaboration requests and target businesses and ask the recipient to click on a button to view a shared document. Like many phishing emails, the messages warn the recipient that urgent action is required, as the document will be deleted in 48 hours. The user is directed to a malicious website where they are asked to enter credentials for their Microsoft account.

It is unclear why LinkedIn has fallen out of favor slightly, although it still achieved 3rd spot and accounted for 11% of phishing attempts in the quarter. The rest of the top ten consists of Google (6%), Netflix (5%), We Transfer (5%), Walmart (5%), WhatsApp (4%), HSBC (4%), and Instagram (3%).

Phishing is one of the main ways that cybercriminals gain access to business networks. The attacks are easy to conduct, low cost, and do not require extensive technical knowledge. Businesses can block the majority of these malicious messages by implementing an advanced spam filter such as SpamTitan Cloud. They should also consider adding an extra layer to their defenses – A web filter such as WebTitan Cloud.

Technical defenses such as these are vital for protecting against phishing attempts, but it is also important for businesses to ensure that they provide regular security awareness training to their employees to make them aware of the threat of phishing and to teach them how to identify phishing emails. In addition to training, phishing simulations should be conducted on the workforce. These have been proven to reduce susceptibility to phishing attempts, as they give employees practice at identifying phishing and any failures are turned into a training opportunity.

With the SafeTitan security awareness training and phishing simulation platform, training is automatically triggered in real-time in response to phishing simulation failures and other security errors, when the training is likely to have the greatest effect.

If you run a business and want to improve your defenses against phishing, give TitanHQ a call. TitanHQ products are available on a free trial to allow you to put them to the test before making a decision about a purchase. MSPs that have yet to add spam filtering, web filtering, and security awareness training to their service stacks should give the TitanHQ channel team a call to find out more about these opportunities to improve their clients’ defenses against phishing and other cyberattacks.

Failure to Stop Phishing Attack Results in £4.4 Million Financial Penalty

The construction firm Interserve has been slapped with a £4.4 million GDPR fine for failing to prevent a phishing attack and the theft of the personal and financial information of up to 113,000 employees.

Interserve is a construction and outsourcing group, which, at the time of the cyberattack in 2020, was a strategic supplier to the UK government, including the Ministry of Defense. An employee received a phishing email and forwarded it to a colleague, who opened the email and downloaded the malicious content, which saw malware installed on its network. What happened next is all too common in cyberattacks. The threat actors had a foothold in the network, then moved laterally, and compromised 283 Interserve systems and 16 accounts.

Interserve’s anti-virus software was then uninstalled by the threat actors, and ransomware was deployed to encrypt files on the network. The information accessed, encrypted, and stolen by the attackers included highly sensitive employee information such as contact information, national insurance numbers, and bank account details. Data classed as special category data under the GDPR was also compromised, including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

The Information Commissioner’s Office (ICO) investigated the cyberattack and data breach and determined Interserve had failed to put appropriate security measures in place to prevent cyberattacks such as this, and the lack of appropriate safeguards left Interserve vulnerable to cyberattacks from March 2019 to December 2020.

The ICO identified several areas where the attack could have been identified and blocked. The initial phishing email was not blocked, nor was the malicious email detected when it was forwarded internally. The company had anti-virus software installed, which quarantined the malware and generated a security alert, yet Interserve failed to investigate the suspicious activity. Had it been investigated Interserve should have been able to determine that the attacker still had access to its network. The ICO also found outdated software systems and protocols in use, there was a lack of staff training, and insufficient risk assessments had been performed.

The failure to implement appropriate safeguards violated information privacy laws, resulting in a £4.4 million fine being proposed. The response of Interserve to that notice of intent to fine did nothing to warrant any reduction in the penalty.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said UK Information Commissioner, John Edwards.

These cybersecurity failures are all too common at businesses and they leave the door wide open for hackers, yet malware and ransomware attacks such as this can easily be prevented. In this case, following cybersecurity best practices, ensuring employees practice good cyber hygiene, and responding to security alerts quickly could have prevented or certainly reduced the severity of the data breach.

An effective email security solution should have been in place for detecting malicious emails, first when the initial email was received and again when it was forwarded. The email should have been quarantined and checked by the IT security team. Had appropriate end-user training been provided, both employees should have been aware of the threat of email-based attacks and known how to identify phishing emails. The IT security team should also have investigated the alert and suspicious network activity.

It is not possible to prevent all cyberattacks but implementing an advanced spam filter and providing security awareness training to employees will go a long way toward improving an organization’s security posture. Those are areas where TitanHQ can help. TitanHQ has developed a suite of cybersecurity solutions including SpamTitan Email Security, the SafeTitan Security Awareness and Phishing Simulation Platform, and the WebTitan DNS Filter for blocking web-based attacks.

For more information on improving your security posture to block cyberattacks, prevent data breaches, and protect against financial penalties from regulators, give the TitanHQ team a call.

TitanHQ Launches New MSP Security Awareness Training and Phishing Simulation Platform

One of the fastest areas of growth for Managed Service Providers (MSPs) is managed security services. The number of cyberattacks on businesses continues to increase and there is a major shortage of skilled cybersecurity staff. Further, the cost of hiring new talent can be prohibitively expensive for many small- and medium-sized businesses, who are turning to their MSPs to provide those services. Many MSPs have developed a technology stack to meet the demand and are offering managed security services such as identity protection and access management, endpoint security, spam filtering/email security, web security, data protection, network security, and mobile security, but one area that is often lacking in managed services is security awareness training. Currently, only 60% of MSPs offer security awareness training as part of their managed security services.

Technological solutions are implemented by MSPs to protect against hackers, malware, ransomware, and phishing attacks, and these solutions will detect and block the majority of threats, but it is not possible to prevent employees from encountering all threats. The workforce, therefore, needs to be prepared and be taught how to recognize the signs of phishing and other types of attacks, so that when these threats are encountered, they can be identified as such and avoided.

Studies conducted on companies that have conducted benchmarking phishing tests on employees prior to commencing security awareness training have shown that susceptibility to phishing attacks can be reduced considerably. Across all industry sectors, the average click rate for phishing is 37.9%. TitanHQ’s data shows that with regular security awareness training through the SafeTitan platform, susceptibility reduces to under 3%. Such a major reduction will significantly improve an organization’s security posture, yet as important as security awareness training is, a recent survey has shown that 57% of SMBs provide no security awareness training to their workforce whatsoever.

MSPs that do not offer security awareness training are missing out on easy, regular recurring revenue, and their clients are likely to be at risk of falling victim to phishing and other attacks that target employees. It is also worth noting that 69% of SMBs say they would hold their MSP accountable for a phishing attack!

TitanHQ Launches Security Awareness Training & Phishing Simulation Platform for MSPs

It has been a few months now since TitanHQ launched its new security awareness training and phishing simulation platform – SafeTitan.  The initial launch was aimed at SMBs and enterprises to help them create an effective, ongoing security awareness training program for the workforce, and conduct phishing simulations to reinforce training, identify weak links, and track improvements over time.

The platform includes an extensive library of training content on a wide range of topics including security best practices, cyber hygiene, phishing, vishing, and smishing, to allow businesses to easily create training programs to match their needs and risk profiles. The training is gamified, engaging, and delivered in short (max 10-minute) modules, which makes security awareness training enjoyable, while allowing it to be easily fit into busy workflows.

While the platform is well suited to businesses of all sizes, from the smallest of businesses to large enterprises, the platform had to be developed further to meet the needs of MSPs. To make a truly MSP-friendly solution, TitanHQ worked closely with the MSP advisory council and TitanHQ’s extensive MSP customer base to discover exactly what MSPs need to be able to start delivering security awareness training and phishing simulations as a managed service, which lead to the addition of several important new features.

TitanHQ is now happy to announce that SafeTitan for MSPs has now officially been launched. The new product incorporates an intuitive MSP dashboard, through which campaigns can be easily managed. The dashboard gives MSPs real-time live analytics and allows quick actions to be performed.

The phishing simulation platform includes more than 1.8K phishing templates, taken from real-world phishing attempts, with the campaigns easy to schedule for a group of customers, to be run at set intervals every week, month, or year. The platform allows mass training campaigns to be developed, along with mass phishing simulations. The addition of the direct email injection (Graph API) feature allows MSPs to deliver their phishing simulations directly to user inboxes, without having to spend time and effort configuring allowed lists and firewalls.

MSPs also benefit from dynamic user management, so changes can be made quickly and easily to existing campaigns if new users need to be added.  If any user fails a phishing simulation, they can be automatically enrolled in relevant training content to provide targeted training on the aspect of security relevant to the failure.

MSP clients will want to be provided with feedback on how their campaigns are progressing and the impact the training is having on phishing susceptibility, and to make this as easy as possible, the platform now includes scheduled reporting. Reports are automated and are sent to clients at regular intervals with no MSP interaction once configured.

Contact TitanHQ Today

If you have yet to add security awareness training and phishing simulations to your managed security services, contact TitanHQ today to find out more about SafeTitan for MSPs on +1 813 519 4430 (US) or +353 91 545555 (IRL).

5-Award Haul for TitanHQ in Expert Insights Fall 2022 ‘Best-Of’ Awards

TitanHQ has collected 5 awards for its cybersecurity solutions in the Expert Insights Fall 2022 ‘Best-Of’ Awards across 5 product categories.

Expert Insights is an online platform for businesses that provides independent advice on business software solutions to help businesses make informed purchasing decisions about software solutions. The advice provided on the website is honest and objective, and the site features helpful guides to help businesses purchase with confidence. The site is used by more than 85,000 businesses each month, with the website helping more than 1 million readers each year.

Twice yearly, Best-of awards are given to the top ten solutions in each of the 41 product categories. The awards showcase the best quality solutions that are helping businesses to achieve their goals and defend against the barrage of increasingly sophisticated cyberattacks. The awards are based on several factors, such as the features of products, market presence, ease of use, and customer satisfaction scores, with the award winners chosen by the in-house team of editors. The editorial team conducts research into each solution to assess its performance, functionality, and usability, and assesses the reviews from genuine business users of the solutions.

TitanHQ collected five awards for its products in the Spring 2022 Best-of awards, and this has been followed up with another 5 Fall 2022 Best-of awards. TitanHQ was given a Best-of award for SafeTitan in the Phishing Simulation and Security Awareness Training categories, SpamTitan Cloud received an award in the Email Security category, WebTitan Cloud got an award in the Web Security category, and ArcTitan won in the Email Archiving category. Further, ArcTitan Email Archiving was rated the top solution in the Email Archiving category and SpamTitan was rated the top solution in the Email Security category.

There were several big winners at the Fall 2022 Expert Insights Best-of awards, with TitanHQ joining companies such as ESET, CrowdStrike, and Connectwise in winning big.

“We are honored that TitanHQ was named as a Fall 2022 winner of Expert Insights Best-Of award for phishing simulation, email security, security awareness training, web security and email archiving” said TitanHQ CEO, Ronan Kavanagh.  “Our cloud-based platform allows partners and MSPs to take advantage of TitanHQ’s proven technology so they can sell, implement and deliver our advanced network security solutions directly to their client base”.

TitanHQ Adds Several New Features and Enhancements to the WebTitan DNS Filter

WebTitan Cloud is an award-winning DNS filter that prevents access to malicious websites and allows businesses to control the web content users can access with precision. This week, TitanHQ has announced the release of a new version of WebTitan Cloud, that includes new features to improve usability, security, protection for remote workers, and provides greater insights into DNS requests. These new features now form part of an industry-leading feature set that is in a cloud-delivered solution that is easy to set up, use, and maintain.

New UI with Advanced Reporting Features

If you are a current WebTitan Cloud user, the first change you will notice is the new user interface which provides easy access to all WebTitan Cloud features. The enhancements provide intuitive, advanced, relevant, and easy-to-digest data, through new interactive reports and data visualization tools, which are embedded into the UI to improve the user experience.

The advanced security reports show malware-infected clients, malware-infected domains, malware-infected users, blocked phishing sites, blocked phishing domains, and blocked phishing sites by user, and the view can be customized by date and client IP. New reports show behavior, blocked sites, and trends to provide insights into network use and threats. These reports have been added based on the feedback received by WebTitan Cloud users.

Interactive Threat Intelligence with DNS Data Offload

The latest version of WebTitan Cloud provides users with easier access to valuable threat intelligence to aid IT decision-making, network troubleshooting, and security planning. Users can now list DNS request history on screen, download DNS request logs, view all DNS data to gain valuable insights into activity, and easily extract DNS query data for sophisticated integrations and advanced data analysis.

DNSSEC Security Enhancements

WebTitan Cloud now benefits from security enhancements to protect against DNS attacks by strengthening authentication using Domain Name System Security Extensions (DNSSEC). DNSSEC uses digital cryptographic signatures to verify the origin and integrity of data during the DNS resolution process to protect against malicious DNS poisoning attacks. Users of WebTitan Cloud can implement DNSSEC through a simple and straightforward process to improve security.

WebTitan OTG Improvements for Protecting Off Network Users

The WebTitan On-the-Go (OTG) agent allows users to extend the protection of WebTitan Cloud to off-network users, no matter where they connect to the Internet. WebTitan OTG was introduced some time ago; however, the latest release includes several enhancements. The JSON Config filters have been replaced for OTG devices, and the agent used to protect, manage, and monitor off-network users has been significantly improved. It is also much easier to add and update exceptions to OTG devices through an easy-to-use interface.

“This WebTitan release is hitting so many key pillars of success for TitanHQ. The data offload feature has been requested by many customers and creates real differentiation for our solution in the market. This coupled with our new advanced reporting were major requests from our MSP customers,” said Ronan Kavanagh, CEO of TitanHQ. “Finally, security is at the heart of what we do and are, the addition of DNSSEC just continues to add to our credentials.”

New Reverse Proxy Phishing-as-a-Service Helps Low-Skilled Hackers Bypass MFA

When multifactor authentication is set up on accounts, attempts to access those accounts using stolen credentials will be prevented, as in addition to a correct username and password, another factor must be provided to authenticate users. Phishing attacks may allow credentials to be stolen, but that does not guarantee accounts can be accessed. More companies are implementing multifactor authentication which means phishing attacks need to be more sophisticated to bypass the protection provided by multifactor authentication.

One of the ways that multifactor authentication can be bypassed is by using a reverse proxy. In a phishing attack, an email is sent to a target and a link is provided to a malicious website hosting a phishing form that spoofs the service of the credentials being targeted – Microsoft 365 for example. Instead of just collecting the login credentials and using them to try to remotely access the user’s account, a reverse proxy is used.

The reverse proxy sits between the phishing site and the genuine service that the attacker is attempting to access and displays the login form on that service. When the credentials are entered, they are relayed in real-time to the legitimate service, and requests are returned from that service, such as MFA requests. When the login process is successfully completed, a session cookie is returned which allows the threat actor to access the genuine service as the victim. The session cookie can also contain the authentication token. In these attacks, once the session cookie has been obtained, the victim is usually presented with a notification telling them the login attempt has failed or they are directed to another site and will likely be unaware that their credentials have been stolen and their account is being accessed.

These attacks allow the victim’s account to be accessed for as long as the session cookie remains valid. If it expires or is revoked, the attacker will lose access to the account. To get around this and gain persistent access, account details may be changed or other authentication methods will be set up.

These types of phishing attacks are much more sophisticated than standard phishing attacks, but the extra effort is worth the investment of time, money, and resources. Many advanced persistent threat actors use reverse proxies in their phishing campaigns and have developed their own custom reverse proxies and tools.  There are, however, publicly available kits that can be used in phishing campaigns such as Modlishka, Necrobrowser, and Evilginx2. These kits can be used at a cost and allow MFA to be bypassed, although they can be complicated to set up and use.

Now a new phishing-as-a-Service (PaaS) platform has been identified – EvilProxy – that is being pushed on hacking forums. EvilProxy allows authentication tokens to be stolen from a range of vendors including Microsoft, Apple, Twitter, Facebook, Google, and more, according to Resecurity which recently reported on the phishing kit.

EvilProxy lowers the bar considerably and makes conducting reverse proxy phishing attacks far simpler. The service includes instructional videos, provides a user-friendly graphical interface, and even supplies templates of cloned phishing pages for stealing credentials and auth tokens. Through the graphical interface, threat actors can set up and manage their phishing campaigns with ease. EvilProxy comes at a cost, starting at $150 for 10 days up to $400 for a month. While the service is not cheap, the potential rewards can be considerable. EvilProxy allows low-skill threat actors to gain access to valuable accounts, which could be used or sold on to other threat actors such as ransomware gangs.

Multifactor authentication is strongly recommended as it will block the majority of attacks on accounts; however, it can be bypassed by using reverse proxies. Protecting against reverse proxy phishing attacks requires a defense-in-depth approach. An email security solution – SpamTitan for example – should be implemented to block the initial phishing email. A web filter – WebTitan – should be used to block attempts to visit the malicious websites used in these man-in-the-middle attacks. Security awareness training is important for training employees on how to recognize and avoid phishing threats, and employers should conduct phishing simulation tests as part of the training process. TitanHQ’s SafeTitan platform allows businesses to conduct regular training and phishing simulations with ease.

Vote for SpamTitan in the PeerSpot 2022 User Choice Awards!

For more than 10 years, PeerSpot (formerly IT Central Station) has been helping tech pros make intelligent decisions on the best information technology solutions to implement to ensure they get the solutions that perfectly address the needs of their businesses. The PeerSpot Buying Intelligence Platform is powered by the world’s largest community of enterprise tech buyers and bridges the gap between vendors and buyers. Vendors are helped through the voice of their customers, and enterprise tech buyers receive relevant and practical advice to help them make better purchasing decisions. The platform provides in-depth reviews of products, online forums, and tech buyers have access to direct Q&A support.

This year sees PeerSpot launch its first Annual User’s Choice Award program to recognize the products that are helping businesses to achieve their goals. Customers of enterprise technology vendors are invited to vote for their favorite B2B Enterprise Technology products across 11 product categories.

In 2022, those product categories are:

  • Endpoint Protection for Business
  • Firewalls
  • Backup and Recovery Software
  • Network Monitoring Software
  • HCI
  • All-Flash Storage Arrays
  • Email Security
  • Ethernet Switches
  • Application Security Tools
  • Functional Testing Tools
  • Rapid Application Development Software

In order for a solution to be included in the relevant category, it must be amongst the highest-rated products on the PeerSpot Buying Intelligence Platform. That requires a product to have generated significant user engagement on the platform and to have been rated highly by verified users of the solutions.

The winners in each category will be decided by popular vote.

TitanHQ is proud to have had its SpamTitan solution included as one of the top spam filtering, anti-phishing, and anti-malware solutions in the email security category. SpamTitan provides layered protection for enterprises, SMBs, and managed service providers and blocks email-based threats such as phishing, malware, spam, viruses, and botnets. The solution incorporates signature- and behavior-based detection to block malware threats and predictive technologies to anticipate zero-minute threats.  SpamTitan is much loved by users not just for its performance, but also ease of set up, use, maintenance, price, and the industry-leading customer support provided by TitanHQ. SpamTitan has an overall star rating of 4.6/5 on the platform.

If you love using SpamTitan and it has helped your business block more threats, cut down on the resources you have had to devote to email security, or saved you money, TitanHQ encourages you to vote for SpamTitan. Voting will take around a minute of your time. Votes are being accepted until September 16th, 2022, and the winners in each category will be announced by PeerSpot on October 25, 2022.

Vote for SpamTitan Email Security Here

Common Security Awareness Training Mistakes to Avoid

Technology is vital for defending against cyberattacks, but it is important not to neglect employee training. Training the workforce on how to recognize and avoid threats should be a key part of your security strategy, but if you want to get the best return on your investment it is important to avoid these common security awareness training mistakes.

Why Security Awareness Training is Essential

Data from the ransomware remediation firm, Coveware, shows phishing is the main way that ransomware gangs gain initial access to business networks, and IBM reports that phishing is the main way that data breaches occur. In 2021, 40% of all data breaches started with a phishing email. Businesses should implement technologies to block these attacks, such as a spam filter, antivirus software, and a web filter; however, even with these defenses in place, threats will arrive in inboxes, they can be encountered over the Internet, or via instant messaging services, SMS, or over the phone. Unless you totally isolate your business from the outside world, employees will encounter threats.

It is therefore important to provide security awareness training to teach employees how to recognize and avoid threats and to educate them on cybersecurity best practices that they should always follow. Security awareness training is concerned with equipping employees with the skills they need to play their part in the overall security of the organization, to give them practice at detecting threats, and build confidence. Through training, you can create a human firewall to add an extra layer to your cybersecurity defenses.

Security Awareness Training Mistakes to Avoid

It is important to avoid these common security awareness training mistakes, as they can seriously reduce the effectiveness of your training.

Infrequent training

Creating a training course that covers all security best practices and threats to educate the workforce is important, but if you want to change employee behavior and get the best return on your investment, it is important to ensure that your training is effective. If you provide a once-a-year training session, after a few weeks the training may be forgotten. One of the most common mistakes with security awareness training is not providing training often enough. Training should be an ongoing process, provided regularly. You should therefore be providing training regularly in small chunks. A 10-minute training session once a month is much more likely to change behavior than a once-a-year training session.

Not making training fun and engaging

Cybersecurity is a serious subject, but that does not mean that training cannot be enjoyable. If your training course is dull and boring, your employees are likely to switch off, and if they are not paying attention, they will not take the training on board. Use a third-party security awareness training course that includes interactive, gamified, and fun content that will engage employees, and use a variety of training materials, as not everyone learns in the same way.

Using the same training course for all employees

Don’t develop a training course and give the same course to everyone. Use a modular training course that teaches the important aspects of security, but tailor it to user groups, departments, and roles. Training should be relevant. There is no point in training everyone how to recognize specific threats that they will never encounter.

Not conducting phishing simulations

Training and then testing is important to make sure that the training content has been understood, but that is unlikely to change employee behavior sufficiently. The best way to reinforce training and change employee behavior is by conducting phishing simulations. These simulations should be relevant, reflect real-world threats, and should be conducted regularly. Phishing simulations will show you how employees respond to threats when they are completing their work duties and are not in a training setting. If a phishing simulation is failed, it is a training opportunity. Provide targeted training to employees who fail, specific to the mistake they made.

Not providing training in real-time

Intervention training is the most effective. When an employee makes a security mistake, training should be automatically triggered, such as when an employee fails a phishing simulation or takes a security shortcut. If the employee is immediately notified of the error and is told where they went wrong, that will be much more effective at changing behavior than waiting until the next scheduled training session.

Speak with TitanHQ About Security Awareness Training

TitanHQ offers a security awareness training and phishing simulation platform for businesses – SafeTitan – that makes workforce training simple. The platform includes an extensive library of gamified, fun, and engaging content on all aspects of security to allow businesses to create customized training for all members of the workforce and automate phishing simulations.

The platform is easy to set up, use, and customize, and the platform is the only security awareness training solution that provides intervention training in real-time in response to employees’ security errors. For more information contact TitanHQ and take the first step toward creating a human firewall.

What is Callback Phishing?

Phishing attacks are mostly conducted via email but there has been a major increase in hybrid phishing attacks over the past 12 months, especially callback phishing. Here we explain what callback phishing is, why it poses such a threat to businesses, and why threat actors are favoring this new approach.

What is Callback Phishing?

Email phishing is used for credential theft and malware distribution, but one of the problems with this type of phishing is most businesses have email security solutions that scan inbound emails for malicious content. Phishing emails and malicious files distributed via email are often identified as such and are rejected or quarantined. Some threat actors conduct voice phishing, where an individual is contacted by telephone, and attempts are made to trick them into taking an action that benefits the scammer using a variety of social engineering tactics.

Callback phishing is a type of hybrid phishing where these two methods of phishing are combined. Initially, an email is sent to a targeted individual or company that alerts the recipient to a potential problem. This could be an outstanding invoice, an upcoming payment or charge, a fictitious malware infection or security issue, or any of a long list of phishing lures. Instead of further information being provided in an attachment or on a website linked in the email, a telephone number is provided. The recipient must call the number for more information and to address the issue detailed in the email.

The phone number is manned by the threat actor who uses social engineering techniques to trick the caller into taking an action. That action is usually to disclose credentials, download a malicious file, or open a remote desktop session. In the case of the latter, the remote desktop session is used to deliver malware that serves as a backdoor into the victim’s computer and network.

This hybrid approach to phishing allows threat actors to get around email security solutions. The only malicious element in the initial email is a phone number, which is difficult for email security solutions to identify as malicious and block. That means the emails are likely to reach their targets.

Major Increase in Callback Phishing Attacks

Callback phishing was adopted by the Ryuk ransomware threat group in 2019 to trick people into installing BazarBackdoor malware, in a campaign that was dubbed BazarCall/BazaCall. Typically, the lure used in these attacks was to advise the user about an upcoming payment for a subscription or the end of a free trial, with a payment due to be automatically taken unless the trial/subscription is canceled by phone.

The Ryuk ransomware operation is no more. The threat actors rebranded as Conti, and the Conti ransomware operation has also now shut down; however, three threat groups have been formed by members of the Conti ransomware operation – Silent Ransom, Quantum, and Zeon – and all have adopted callback phishing as one of the main methods for gaining initial access to victims’ networks for conducting ransomware attacks. These three groups impersonate a variety of companies in their initial emails and trick people into believing they are communicating with a genuine company. The aim is to get the user to establish a remote desktop session. While the user is distracted by the call, a second member of the team uses that connection to install a backdoor or probe for ways to attack the company, without the user being aware what is happening.

Callback phishing is also used by other threat groups for credentials theft and malware distribution, often by impersonating a cybersecurity firm and alerting the user to a security threat that needs to be resolved quickly. These attacks see the user tricked into installing malware or disclosing their credentials. According to cybersecurity firm Agari, phishing attacks increased by 6% from Q1, 2022 to Q2, 2022, and over that same time frame hybrid phishing attacks increased by an incredible 625%.

How to Protect Against Callback Phishing Attacks

As is the case with other forms of phishing, the key to defending against attacks is to implement layered defenses. Email security solutions should be implemented that perform a range of checks of inbound emails to identify malicious IP addresses. Email security solutions such as SpamTitan incorporate machine learning mechanisms that can detect emails that deviate from those normally received by an organization. Multi-factor authentication should be implemented on accounts to block attempts to use stolen credentials.

The best defense against callback phishing is to provide security awareness training to the workforce. Employees should be told about the social engineering tactics used in these attacks, the checks everyone should perform before responding to any email, and the signs of callback phishing to look out for. Callback phishing simulations should also be conducted to gauge how susceptible the workforce is to callback phishing. A failed simulation can be turned into a training opportunity to proactively address the lack of understanding.

TitanHQ offers a comprehensive security awareness training platform for businesses – SafeTitan – that covers all forms of phishing and the platform included a phishing simulator for conducting phishing tests on employees. For more information, give the TitanHQ team a call today.

BEC Attacks on Businesses are Increasing: How To Improve Your Defenses Against These Damaging Attacks

Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most financially damaging types of cyberattacks, and attacks have been increasing. These attacks involve gaining access to business email accounts, often the email account of the CEO or CFO, and using those accounts to send emails to staff that has responsibility for making payments and tricking them into wiring funds to an attacker-controlled account. The attacks can also be conducted to make changes to payroll information to get employees’ salaries deposited to attacker-controlled accounts.

BEC scams have resulted in losses in excess of $43 billion over the past 5 years according to the Federal Bureau of Investigation (FBI), and that is just complaints submitted to its Internet Crime Complaint Center (IC3). In 2021 alone, almost $2.4 billion in losses to BEC attacks were reported to IC3.

Anatomy of a BEC Attack

BEC attacks require considerable effort by threat actors, but the rewards from a successful attack are high. BEC attacks often see fraudulent transfers made for hundreds of thousands of dollars and in some cases several million. Companies are researched, individuals to target are identified, and attempts are made to compromise their accounts. Accounts can be compromised through phishing or brute force attempts to guess weak passwords.

With access to the right email accounts, the attacker can study the emails in the account. The usual communication channels can be identified along with the style of emails that are usually sent. The attacker will identify contracts that are about to be renewed, invoices that will soon be due, and other regular payments to try to divert. Timely and convincing emails can then be sent to divert payments and give the attacker sufficient time to move the funds before the scam is uncovered.

A recent report from Accenture suggests the rise in ransomware attacks is helping to fuel the rise in BEC attacks. Ransomware gangs steal data before encrypting files and publish the data on their data leak sites. The stolen data can be used to identify businesses and employees that can be targeted, and often includes contract information, invoices, and other documents that can cut down on the time spent researching targets and identifying payments to divert. Some ransomware gangs are offering indexed, searchable data, which makes life even easier for BEC scammers.

How to Improve Your Defenses Against BEC Attacks

Defending against BEC attacks can be a challenge for businesses. Once an email account has been compromised, the emails sent from the account to the finance department to make wire transfers can be difficult to distinguish from genuine communications.

Use an Email Security Solution with Outbound Scanning

An email security solution such as SpamTitan can help in this regard, as all outbound emails are scanned in addition to inbound emails. However, the key to blocking attacks is to prevent the email accounts from being compromised in the first place, which is where SpamTitan will really help. SpamTitan protects against phishing emails using multiple layers of protection. Known malicious email accounts and IP addresses are blocked, other checks are performed on message headers looking for the signs of phishing, and the content of the emails is checked, including attachments and embedded hyperlinks. Emails are checked using heuristics and Bayesian analysis to identify irregularities, and machine learning helps to identify messages that deviate from the normal emails received by a business.

Implement Robust Password Policies and MFA

Unfortunately, it is not only phishing that is used to compromise email accounts. Brute force tactics are used to guess weak passwords or credentials stuffing attacks are performed to guess passwords that have been used to secure users’ other accounts. To block this attack vector, businesses need to implement robust password policies and enforce the use of strong passwords. Remembering complex passwords is difficult for employees, so a password manager solution should be used so they don’t need to. Password managers suggest complex, unique passwords, and store them securely in a vault. They autofill the passwords when they are needed so employees don’t need to remember them. If email account credentials are compromised, they can be used to remotely access accounts. Multifactor authentication can stop this, as in addition to a password, another form of authentication must be provided.

Provide Security Awareness Training to the Workforce

Providing security awareness training to the workforce is a must. Employees need to be taught how to recognize phishing emails and should be trained on cybersecurity best practices. If employees are unaware of the threats they are likely to encounter, when the threats land in their inboxes or are encountered on the web, they may not be able to recognize them as malicious. Training should be tailored for different users, and training on BEC attacks should be provided to the individuals who are likely to be targeted: the board, finance department, payroll, etc.

Security awareness should be accompanied by phishing simulations – fake, but realistic, phishing emails sent to the workforce to test how they respond. BEC attacks can be simulated to see whether the scams can be recognized. If a simulation is failed it can be turned into a training opportunity. These campaigns can be created, and automated, with the SafeTitan Security Awareness Training and Phishing Simulation Platform.

Set Up Communication Channels for Verifying Transfer Requests

Employees responsible for making wire transfers or changing payroll information should have a communication channel they can use to verify transfers and bank account changes. Providing them with a list of verified phone numbers will allow them to make a quick call to verify changes. A quick phone call to verify a request can be the difference between an avoided scam and a major financial loss.

Speak to TitanHQ about Improving Your Defenses Against BEC Attacks

TitanHQ offers a range of cybersecurity solutions for blocking email and web-based cyber threats. For more information on SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training, give the TitanHQ team a call. All solutions are quick and easy to set up and use, and all have been developed to make it easy for MSPs to offer these cybersecurity solutions to their clients. With TitanHQ solutions in place, you will be well protected from phishing, malware, ransomware, botnets, social engineering, and BEC attacks.

Twilio SMS Phishing Attack Highlights Importance of Security Awareness Training on all Forms of Phishing

Phishing is mostly conducted via email; however, a recent data breach at the cloud communication company Twilio demonstrates that phishing can be highly effective when conducted using other popular communication methods, such as SMS messages.

An SMS phishing attack – known as SMiShing – involves sending SMS messages with a link to a malicious website with some kind of lure to get people to click. Once a click occurs, the scam progresses as an email phishing attack does, with the user being prompted to disclose their credentials on a website that is usually a spoofed site to make it appear genuine. The credentials are then captured and used by the attacker to remotely access the victims’ accounts.

Twillio provides programmable voice, text, chat, video, and email APIs, which are used by more than 10 million developers and 150,000 businesses to create customer engagement platforms. In this smishing attack, Twilio employees were sent SMS messages that appeared to have been sent by the Twilio IT department that directed them to a cloned website that had the Twilio sign-in page. Due to the small screen size on mobile devices, the full URL is not displayed, but certain keywords are added to the URLs that will be displayed to add realism to the scam. The URLs in this campaign included keywords such as SSO, Okta, and Twilio.

According to Twilio EMEA Communications director, Katherine James, the company detected suspicious account activity on August 4, 2022, and the investigation confirmed that several employee accounts had been accessed by unauthorized individuals following responses to the SMS messages. The attackers were able to access certain customer data through the Twilio accounts, although James declined to say how many employees were tricked by the scam and how many customers had been affected.

Twilio was transparent about the data breach and shared the text of one of the phishing emails, which read:

Notice! [redacted] login has expired. Please tap twilio-sso-com to update your password!

The text messages were sent from U.S. carrier networks. Twilio contacted those companies and the hosting providers to shut down the operation and take down the malicious URLs. Twilio said they were not the only company to be targeted in this SMS phishing campaign, and the company worked in conjunction with those other companies to try to shut the operation down; however, as is common in these campaigns, the threat actors simply switch mobile carriers and hosting providers to continue their attacks.

The smishing attack and data breach should serve as a reminder to all businesses of the risk of smishing. Blocking these types of phishing attacks can be a challenge for businesses. The best starting point for improving your defenses is to provide security awareness training for the workforce. Security awareness training for employees usually has a strong emphasis on email phishing, since this type of phishing is far more common, but it is important to also ensure that employees are trained on how to recognize phishing in all its forms, including smishing, social media phishing, and voice phishing – vishing – which takes place over the telephone.

The easiest way to do this is to work with a security vendor such as TitanHQ. TitanHQ offers a comprehensive security awareness training platform – SafeTitan – with an extensive range of training content on all aspects of security, including smishing and voice phishing. The training content is engaging, interactive, and effective at improving cybersecurity understanding, and SafeTitan is the only security awareness training platform that delivers training in real-time in response to the behavior of employees. The platform also includes a phishing simulator for automating simulated phishing tests on employees.

For more information about improving security awareness in your organization, contact TitanHQ today.

Predictive Threat Detection Capabilities Enhanced in SpamTitan Plus

TitanHQ has announced an update has been made to its flagship anti-phishing solution, SpamTitan Plus. The new enhancements have been added to the predictive phishing detection capabilities of SpamTitan Plus to help users block personalized URL attacks.

Phishing attacks on businesses have become much more sophisticated and new tactics are constantly being developed to evade standard email security solutions. While commercial email security solutions perform well at identifying and blocking spam emails, achieving detection rates in excess of 99%, blocking phishing emails is more of a challenge and many phishing threats sneak past email security solutions and are delivered to inboxes.

One of the ways that cyber threat actors bypass email security solutions is by creating personalized URLs for their phishing emails. One of the methods used by email security solutions for blocking phishing URLs is a real-time blacklist of known malicious URLs and IP addresses. If an email is sent from an IP address that has previously been used to send spam or phishing emails, the IP address is added to a blacklist and all emails from that IP address will be blocked. The URLs in phishing campaigns are set up and massive email runs are performed. When those URLs are detected as malicious, they are also added to a blacklist and will be blocked by email security solutions.

However, it is becoming increasingly common for personalized URLs to be used. These URLs can be personalized for the targeted organizations at the path and parameter level, and since a unique URL is used in each attack, standard anti-phishing measures such as blacklists are ineffective at detecting these URLs as malicious. That means the emails containing these malicious URLs are likely to be delivered to inboxes and can only be blocked after they have been delivered. That typically means an employee needs to report the email to their security team, and the security team must then act quickly to remove all phishing emails in that campaign from the email system. That process takes time and there is a risk that the links in the emails could be clicked, resulting in credential theft or malware infections. Most of the phishing detection feeds that are used by email security solutions do not gather the necessary intelligence to be able to inform customers of the level at which a phishing campaign should be blocked. SpamTitan Plus, however, does have that capability.

“With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing,” said Ronan Kavanagh, CEO of TitanHQ. “At TitanHQ we always strive to innovate and develop solutions that solve real-security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals.”

SpamTitan Plus

SpamTitan Plus is an AI-driven anti-phishing solution that is capable of blocking even the newest zero-day phishing threats. The solution has better coverage than any of the current market leaders and provides unparalleled time-of-click protection against malicious hyperlinks in phishing emails, with the lowest false positive rate of any product. SpamTitan Plus benefits from massive clickstream traffic from 600+ million users and endpoints worldwide, which sees the solution block 10 million new, never-before-seen phishing and malicious URLs a day.

The solution protects against URL-based email threats including malware and phishing, performs predictive analyses to identify suspicious URLs, URLs are rewritten to protect users, real-time checks are performed on every click, and the solution includes 100% of all current market-leading anti-phishing feeds. That translates into a 1.5x increase in unique phishing URL detections, 1.6x faster phishing detections than the current market leaders, and 5 minutes from initial detection of a malicious URL to protecting all end user mailboxes.

For more information about the best phishing solution for businesses, give the TitanHQ team a call today. Current users of SpamTitan Plus already have these new capabilities added, at no additional cost.

Cybersecurity Companies Impersonated in Convincing Callback Phishing Campaign

A new phishing campaign is being conducted that abuses trust in cybersecurity companies. The campaign uses scare tactics to get company employers to pick up the phone and speak to the cybersecurity vendor about a recently detected data breach and potential workstation compromise.

It is becoming increasingly common for phishing scams to involve initial contact via email with requests to make a call. This tactic is often used in tech support scams, where victims are convinced they have a malware infection or another serious security issue on their device, and they are tricked into downloading malicious software such as Remote Access Trojans (RATs).

RATs give the attackers access to the user’s computer, and that access can be abused by the attacker or the access can be sold to other threat groups such as ransomware gangs. Affiliates of ransomware-as-a-service operations may use this technique to conduct attacks and are then paid a percentage of any ransom payments they generate.

In this campaign, the impersonated companies are very well-known providers of enterprise security solutions, such as CrowdStrike, and the emails are very well written and convincing. They claim that a data breach has been detected that affected the part of the cybersecurity provider’s network associated with the customer’s workstation and warns that all workstations on the network may have been compromised. As such, the cybersecurity company is conducting an audit.

The emails claim that the cybersecurity vendor has reached out to the IT department, which has instructed the vendor to contain individual users directly. The emails claim that the audit is necessary for compliance with the Consumer Privacy Act of 2018 (CCPA) and other regulations and that the agreement between the targeted individual’s company and the cybersecurity vendor allows it to conduct regular audits and security checks. A phone number is provided for the individual to make contact, and the email includes the correct corporate logo and genuine address of the cybersecurity vendor.

CrowdStrike reports that a similar scam has been conducted by the Wizard Spider threat group, which was responsible for Ryuk ransomware attacks. That campaign delivered BazarLoader malware, which was used to deliver the ransomware payload.

This type of phishing attempt is known as callback phishing. This technique can be effective at bypassing email security solutions since the emails contain no malicious content – There are no hyperlinks and no file attachments. This scam highlights the importance of conducting security awareness training on the workforce to help employees identify and avoid phishing scams.

How TitanHQ Can Help

TitanHQ provides a range of security solutions for blocking phishing attacks, including SpamTitan Email Security, WebTitan DNS Filtering, and the SafeTitan Security Awareness and Phishing Simulation Platform.

SafeTitan has an extensive library of interactive, gamified, and engaging training content for improving security awareness of the workforce, including phishing and the full range of cyberattacks that employees are likely to encounter. The training is delivered in easily assimilated modules of no more than 8 to 10 minutes, and training can be delivered in real-time in response to risky user behaviors to nip bad security practices in the bud. The platform also includes hundreds of phishing templates for conducting and automating phishing simulations on the workforce, to gain insights into the individuals who are susceptible to phishing attacks and any knowledge gaps.

For more information on improving your defenses against phishing attacks, review our solutions in the links at the top of this page or give the team a call. Products are available on a free trial and demonstrations can be arranged on request.