Blog
by titanadmin | Sep 30, 2024 | Internet Security, Network Security |
Spear phishing attacks are being conducted by a cyber threat group working on behalf of Iran’s Islamic Revolutionary Guard Corps. The cyber threat actors have been gaining access to the personal and business accounts of targeted individuals to obtain information to support Iran’s information operations.
According to a joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Cyber Command – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), and the United Kingdom’s National Cyber Security Centre (NCSC), the campaign has been targeting individuals with a nexus to Iranian and Middle Eastern affairs, including journalists, political activists, government officials, think tank personnel, and individuals associated with US political campaign activity.
Individuals are typically contacted via email or messaging platforms. As is common in spear phishing attacks, the cyber threat actors impersonate trusted contacts, who may be colleagues, associates, acquaintances, or family members. In some of the group’s attacks, they have impersonated known email service providers, well-known journalists seeking interviews, contacts offering invitations to conferences or embassy events, or individuals offering speaking engagements. There have been instances where an individual is impersonated who is seeking foreign policy discussions and opinions.
In contrast to standard phishing attacks where the victim is sent a malicious email attachment or link to a phishing website in the initial email, more effort is put into building a rapport with the victim to make them believe they are engaging with the person the scammer is impersonating. There may be several exchanges via email or a messaging platform before the victim is sent a malicious link, which may be embedded in a shared document rather than being directly communicated via email or a messaging app.
If the link is clicked, the victim is directed to a fake email account login page where they are tricked into disclosing their credentials. If entered, the credentials are captured and used to login to the victim’s account. If the victim’s account is protected with multi-factor authentication, they may also be tricked into disclosing MFA codes. If access to the account is gained, the cyber threat actor can exfiltrate messages and attachments, set up email forwarding rules, delete or manipulate messages, and use the account to target other individuals of interest.
Spear phishing attempts are harder to identify than standard phishing attempts as greater effort is put in by the attackers, including personalizing the initial contact messages, engaging in conversations spanning several messages, and using highly plausible and carefully crafted lures. These emails may bypass standard spam filtering mechanisms since the emails are not sent in mass campaigns and the IP addresses and domains used may not have been added to blacklists.
It is important to have robust anti-phishing, anti-spam, and anti-spoofing solutions in place to increase protection and prevent these malicious emails from reaching their intended targets. An advanced spam filtering solution should be used that incorporates Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to identify spoofing and validate inbound emails. SpamTitan also incorporates machine learning and AI-based detection to help identify spear phishing attempts.
If you are a Microsoft 365 user, the anti-spam and anti-phishing mechanisms provided by Microsoft should be augmented with a third-party anti-phishing solution. PhishTitan can detect the spear phishing emails that Microsoft’s EOP and Defender often miss while adding a host of detection mechanisms and anti-phishing features including adding banners to emails from external sources.
One of the main defenses against these attacks is vigilance. An end-user security awareness training program should be implemented to improve awareness of spear phishing attacks. SafeTitan makes this as easy as possible and covers all possible attack scenarios, with training provided in short and easy-to-assimilate training modules. It is also important to conduct phishing simulations to raise and maintain awareness. These simulations can be especially effective at raising awareness about spear phishing emails and giving end users practice at identifying these threats.
Multifactor authentication should be enabled on all accounts, with phishing-resistant multi-factor authentication providing the highest degree of protection. IT teams should also consider prohibiting email forwarding rules from automatically forwarding emails to external addresses and conducting regular scans of the company email server to identify any custom rules that have been set up or changes to the configuration. Alerts should also be configured for any suspicious activity such as logins from foreign IP addresses.
by titanadmin | Sep 30, 2024 | Email Scams |
Sextortion – financially motivated sexual extortion – is a form of digital blackmail, where the attacker either holds or claims to hold compromising information and threatens to publish or share that information with others unless a payment is made. One of the most common types of sextortion scams involves a cybercriminal making contact, usually via email, claiming they have accessed the victim’s computer and found sexually explicit material such as photographs or viewed the victim’s browsing history of adult web content. The emails claim that the victim’s webcam and microphone have also been hacked, and the victim has been recorded while viewing sexually explicit content. Threats are issued to share that information with the victims, friends, family members, spouse, or employer and a demand is issued for payment. These hacking-based sextortion scams are usually empty threats, as the scammer has not managed to hack the user’s device.
New tactics have been identified in recent sextortion scams. In one campaign, the cyber threat actor impersonates a cybersecurity company and claims they have found evidence that indicates the victim’s spouse has been cheating on them. Rather than demand payment to prevent the publication or sharing of that information, the messages ask for payment to provide evidence of the infidelity. The company claims to have obtained full copies of the spouse’s address book, social media communications, website viewing history, dating app activity, and more, and that the information will be provided as a package if payment is made. The messages are addressed to the victim by name and include the spouse’s name, which adds legitimacy to the claim. That information is thought to have been obtained in a data breach.
Another sextortion tactic has been identified that uses a photograph of the victim’s home in the initial communication. In this scam, the targeted individual is sent an email with a PDF file that uses the victim’s first and last name for the file name. If the file is opened, the victim will see a photograph of their house along with their address. The sextortion scam follows a similar pattern to the hacked computer scam, where the victim is told that their computer has been hacked and the hacker has viewed their browsing history and recorded them browsing filthy videos using the laptop’s camera and clicking on links to unsafe websites. In one scam, the user is told that the well-known Pegasus spyware was used to covertly record and remotely monitor the user’s laptop and mobile, and that access has been gained to the user’s email account, social media accounts, and their full contact list has been downloaded.
The house image is a novel twist that is intended to make the scammer’s claim even more realistic and suggests that the scammer has visited the user’s home and knows where they live. While the latter is true, the image has been screenshotted from Google Maps Street View, and in all likelihood, the user’s email address and home address have been obtained from a publicly available source or a data breach.
These scam emails are intended to make the victim panic and make payment; however, these scams rarely involve actual hacking. Any payment is likely to lead to further blackmail attempts. The best approach is to simply not respond to the email and delete it.
by titanadmin | Sep 30, 2024 | Security Awareness |
While no sector is immune to cyberattacks, some sectors are targeted more frequently than others and attacks on the education sector are common and on the rise. In May 2024, new data released by the UK’s Information Commissioner’s Office revealed there had been 347 cyber incidents reported by the education and childcare sector in 2023, an increase of 55% from the previous year.
These attacks can prevent access to IT systems, forcing schools to resort to manual processes for checking pupil registers, teaching, and all other school functions. Without access to IT systems, teachers are unable to prepare for lessons, schools have been prevented from taking payment for pupil lunches, and many have lost students’ coursework. The impact on schools, teachers, and students can be severe. Some schools have been forced to temporarily close due to a cyberattack.
A survey conducted by the Office of Qualifications and Examinations Regulation (Ofqual) found that 9% of surveyed headteachers had experienced a critically damaging cyberattack in the past academic year. 20% of schools were unable to immediately recover from a cyberattack and 4% reported that they still had not returned to normal operations more than half a term later.
The Ofqual survey revealed more than one-third of English schools had suffered a cyber incident in the past academic year and a significant percentage faced ongoing disruption due to a cyberattack. Cyberattacks can take many forms and while ransomware attacks are often the most damaging, the most common type of cyber incident is phishing. According to the survey, 23% of schools and colleges in England experienced a cybersecurity incident as a result of a phishing attack in the past year.
Schools are not sufficiently prepared to deal with these attacks. According to the survey, 1 in 3 teachers said they had not been provided with cybersecurity training in the past year, even though cybersecurity training has proven to be effective at preventing cyberattacks. The survey revealed that out of the 66% of teachers who had been provided with training, two-thirds said it was useful.
TitanHQ has developed a comprehensive security awareness training platform for all sectors, that is easy to tailor to meet the needs of individual schools. The platform includes an extensive range of computer-based training content, split into modules of no more than 10 minutes to make it easy for teachers and other staff members to complete. The training material is enjoyable, covers the specific threats that educational institutions face, and teaches the cybersecurity practices that can help to improve defenses and combat phishing, spear phishing, and malware attacks.
The SafeTitan platform also includes a phishing simulator for conducting simulated phishing attacks to improve awareness, reinforce training, and give staff members practice in identifying phishing and other cyber threats. The training and simulations can be automated, and training modules can be set to be triggered by security errors and risky behaviors. Further, the platform is affordable.
To find out more about improving human defenses at your educational institution through SafeTitan, give the TitanHQ team a call. TitanHQ can also help with improving technical defenses, with a suite of cybersecurity solutions for the education sector including SpamTitan anti-spam software, the PhishTitan anti-phishing solution, and the WebTitan DNS-based web filter. Combined, these technical defenses can greatly improve your security posture and prevent cyber threats them from reaching end users and their devices.
by titanadmin | Sep 29, 2024 | Network Security, Security Awareness |
October is Cybersecurity Awareness Month – a four-week international effort to raise awareness of the importance of cybersecurity and educate everyone about online safety and the steps that can easily be taken to protect personal data. In the United States, the federal lead for National Cybersecurity Awareness Month is the Cybersecurity and Infrastructure Security Agency (CISA) and resources have been made available by the National Cybersecurity Alliance (NCA) to help organizations communicate to their employees and customers the importance of cybersecurity.
This year, the theme of the month is “Secure Our World,” and the focus is on four simple and easy-to-implement steps that everyone can take to significantly improve defenses against cyberattacks and prevent unauthorized access to personal data. Those steps are:
- Use strong passwords and a password manager
- Enable multifactor authentication
- Update software
- Recognize and report phishing
Passwords should be set that are resistant to brute force guessing attempts. That generally means setting a password that is complex and uses several different character sets to increase the number of potential combinations. The standard advice is to ensure that each password contains at least one capital letter, lowercase letter, number, and special character. Ideally, a password should consist of a random string of all of those characters and be at least 8 characters long. Since strong passwords are difficult to remember, a password manager should be used. Password managers can help to generate truly random strings of characters and store them (and autofill them) so they do not need to be remembered.
The U.S. National Institute of Standards and Technology (NIST) has recently updated its password guidance and suggests moving away from enforcing complexity rules in favor of longer passwords, as they are easier to remember and are less likely to see individuals taking shortcuts that weaken password security. NIST recommends a password of at least 8 characters, ideally 15 characters or more, and to allow passwords of up to 64 characters. Enforced password changes should only be required if a password is compromised, and businesses should maintain a list of weak and commonly used passwords and prevent them from being set. A unique password should be set for each account. Only 38% of people set a unique password for all accounts.
A password alone should not be enough to grant access to an account, as while strong passwords may be difficult to guess, they can be obtained through other means such as data breaches or phishing attacks. To better protect accounts, multifactor authentication should be enabled. If a password is compromised, another method of authentication is required before access to an account is granted. For the best protection, phishing-resistant multi-factor authentication should be used.
While the exploitation of vulnerabilities is not the main way that cybercriminals gain access to devices and networks, everyone should ensure that their software and operating system are kept up to date and running the latest version with patches applied promptly. Software should ideally be configured to update automatically, but if not possible, should be checked regularly to ensure it is running the latest version.
One of the most important defenses is to improve education about phishing, as it is one of the main ways that accounts are compromised and networks are breached. This is an area where employers need to take action. Education of the workforce about the threat of phishing and malware is vital, and it should be provided often. Employees should be taught how to identify phishing attempts, and they should be provided with an easy way of reporting potential threats to their security team and be encouraged to do so. A one-click option in their email client will make this quick and easy.
This is an area where TitanHQ can help. TitanHQ’s SafeTitan security awareness training platform has an extensive library of training content that teaches cybersecurity best practices to help eradicate the risky behaviors that open the door to hackers and scammers. The platform allows training courses to be easily created and tailored for different roles within the organization. The platform also delivers training in response to security mistakes, ensuring training is immediately provided to correct poor security behavior at the time when it is likely to have the greatest impact. The training content is constantly updated using real-world examples of the latest tactics, techniques, and procedures used by cybercriminals to ensure the workforce is kept aware of the latest threats. The platform also includes a phishing simulator, that businesses can use to reinforce training. Internal campaigns can be easily configured and automated, with reports generated to demonstrate how training is improving over time. The simulator can also be configured to immediately generate relevant training in response to a failed phishing simulation.
TitanHQ also offers a range of cybersecurity solutions that provide cutting-edge protection against phishing, social engineering, malware, and other threats. These include SpamTitan antispam software to prevent threats from reaching inboxes. SpamTitan is a cloud-based email filtering service with an exceptional detection rate thanks to AI- and machine-learning capabilities, dual anti-virus engines, a next-generation email sandbox, and the information of SPF, DKIM, and DMARC to prevent spoofing. The solution also includes an Outlook add-in to allow employees to easily report suspicious emails to their security team.
PhishTitan is an anti-phishing solution for Microsoft 365 that provides excellent protection against phishing threats, adds banners to emails to alert employees about messages from external sources, and allows security teams to rapidly remediate phishing attempts on the organization. WebTitan is a DNS-based web filtering solution that prevents employees from visiting malicious web content, blocking malware and potentially risky file downloads from the Internet, and allows organizations to carefully control the web content that can be accessed on and off the network.
This Cybersecurity Awareness Month is the ideal time to improve your defenses against phishing and other cyberattacks through our anti-spam service and security awareness training platform. Give the TitanHQ team a call today to discuss these and other solutions that can help improve your security posture. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.
by titanadmin | Sep 28, 2024 | Phishing & Email Spam, Security Awareness, Spam Software |
New SEO poisoning, phishing, and deepfake techniques have been identified in campaigns for malware delivery, credential theft, and financial fraud this month. It is important to ensure you have appropriate defenses in place and you update your training programs to raise awareness of these new tactics.
SEO Poisoning Used to Deliver Wikiloader Malware Masquerading as the GlobalProtect VPN
Early in September, Palo Alto Networks reported that its virtual private network, GlobalProtect, was being spoofed in a campaign to deliver Wikiloader (WailingCrab) malware – A malware variant used for delivering other malware payloads onto infected devices. The threat actors behind Wikiloader campaigns sell access to other cybercriminals. An infection with Wikiloader could lead to all manner of other infections.
This campaign was focused on the higher education and transportation sectors and like many malware distribution schemes used search engine (SEO) poisoning to get malicious websites to appear high in the search engine listings for key search terms targeting those sectors. The campaign claimed to offer a download of GlobalProtect and used a combination of cloned webpages and cloud-based git repositories and delivered a file – named GlobalProtect64.exe – offering the VPN. The file delivered was a trojanized version of a share trading application, that sideloaded a malicious DLL that allowed the execution of shellcode that delivered Wikiloader from a remote server. On execution, the user was told that GlobalProtect could not be installed due to missing libraries.
This was a marked change from other campaigns that have distributed Wikiloader, which has previously been delivered via phishing emails. This is the first time that GlobalProtect has been spoofed to deliver Wikiloader. The change in tactics is believed to be due to a different initial access broker starting using Wikiloader.
Threat Actors Increasingly Using Archive Files for Email Malware Distribution
One of the most common ways of delivering malware is via phishing emails with malicious attachments. For years, the most common method involved emailing Microsoft Office documents that contained malicious macros. If the files are opened and macros are allowed to run, a malware download will be triggered. A variety of file attachments are now used for malware delivery, including PDF files, which allow links, scripts and executable files to be incorporated into the files. To hide malicious files from email security solutions, they are often added to archive files.
According to a recent analysis by HP security researchers, 39% of malware deliveries came from archive files in Q2, 2024, up from 27% the previous quarter. The researchers noted that in addition to using the most popular and well-known archive formats such as.zip, .rar, and .7z, more obscure archive files are increasingly being used. The researchers identified around 50 different archive file formats in Q2. Threat actors are also moving away from documents and are instead favoring script languages such as VBScript and JavaScript for malware delivery, with the scripts hidden in encrypted archive files to evade email security defenses.
End users are less likely to identify obscure archive formats and script files as malicious, as security awareness training has tended to focus on malicious documents containing macros. Security awareness training programs should inform employees about the different file types that may be used for malware delivery and safeguards should be implemented to reduce the risk of malware downloads, such as advanced spam filter software and web filters for blocking malware downloads from the Internet.
Deepfakes Increasingly Used in Attacks on Businesses
Deepfakes are increasingly being used in attacks on businesses on both sides of the Atlantic, and these scams have proved to be highly effective in financial scams. According to a survey conducted by Medius, around half of UK and US businesses have been targeted with deepfake scams and around 43% have fallen victim to the scams. Deepfake scams use artificial intelligence to alter images, videos, and audio recordings, making it appear that respected or trusted individuals are requesting a certain action.
The individuals deepfaked in these scams include executives such as the CEO and CFO, as well as vendors/ suppliers. For example, a deepfake of the CEO of a company was used in a video conference call with the company’s employees. In one of these scams, an Arup employee was tricked into making 5 fraudulent transfers to Hong Kong bank accounts before the scam was detected. These scams highlight the importance of covering deepfakes in security awareness training.
TitanHQ Solutions That Can Help Protect Your Business
TitanHQ has developed a range of cybersecurity solutions for businesses and managed service providers to help defend against increasingly sophisticated cyberattacks.
- SpamTitan Email Security – An advanced AI-driven cloud-based anti-spam service with email sandboxing that has been recently shown to block 99.98% of phishing threats and 100% of malware in independent performance tests.
- PhishTitan Microsoft 365 Phishing Protection – A next-generation anti-phishing and phishing remediation solution for Microsoft 365 environments that augments native M365 defenses and blocks threats that EOP and Defender misses
- WebTitan DNS Filter – A cloud-based DNS filtering and web security solution providing AI-driven threat protection with advanced web content controls for blocking malware delivery from the Internet and access to malicious websites.
- SafeTitan Security Awareness Training – A comprehensive, affordable, and easy-to-use security awareness training and phishing simulation platform that delivers training in real-time in response to security mistakes.
For more information on these solutions, give the TitanHQ sales team a call today. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.
by titanadmin | Sep 27, 2024 | Phishing & Email Spam |
Generative artificial intelligence (GenAI) services are already being leveraged by cybercriminals to create convincing phishing emails, and it appears that these tools are being used for the creation of malware. GenAI services are capable of writing code; however, guardrails have been implemented to prevent malicious uses of these tools, such as the creation of malware. If those guardrails can be circumvented, the creation of malware would no longer be limited to skilled malware developers. Lower-skilled cybercriminals could develop their own malware using GenAI services, and there is growing evidence they are doing just that.
Over the summer, HP security researchers identified an email campaign targeting French users. The phishing email used HTML smuggling (encrypted HTML) to evade detection, and on analysis, the campaign delivered malicious VBScript and JavaScript code that appeared to have been created using GenAI tools. The entire malicious code included comments about what each function does, which is rare in malware development as the exact workings of the code tend not to be described. The comments, along with the use of native language function names and variables all suggest that GenAI was used to create the malware.
The code was used to deliver AsyncRAT malware, a widely available, open source malware that is an information stealer capable of recording the victim’s screen and logging keystrokes. The malware also acts as a malware downloader that can deliver other malware payloads, including ransomware. In this campaign, little technical skill was required as HTML smuggling does not require any programming, the malware being delivered is widely available, and the fact that the comments had not been removed and there was no obfuscation, points to the development of malware by an inexperienced cybercriminal.
There have been other examples of apparent malicious code creation using GenAI, such as a malicious PowerShell script identified earlier this year that was also used to deploy infostealer malware. That campaign targeted users in Germany and impersonated Metro cash-and-carry and was also delivered via email. Just as GenAI tools are helping writers rapidly create written content, GenAI tools can be used to rapidly develop malicious code. ChatGPT and Gemini have guardrails in place that it may be possible to circumvent, but there are many dark LLMs that lack those controls such as WormGPT and FraudGPT. If these tools are leveraged, relatively low-skilled cybercriminals can develop their own malware variants.
Traditional antivirus solutions use signature-based detection. When malware is identified, a signature is added to the antivirus solution for that specific malware variant that allows it to be detected in the future. There is a delay between the creation of malware and the addition of malware signatures to the definition lists of antivirus solutions, during which time malware can easily be smuggled onto devices undetected. If the creation of malware can be accelerated with GenAI tools, cybercriminals will have the upper hand.
The solution for businesses is to deploy security solutions capable of detecting novel malware variants by their behavior rather than a signature. Since malware is commonly delivered via email, having a cloud-based email security solution that incorporates behavioral analysis of attachments will help identify and neutralize these malware variants before they can be installed.
SpamTitan from TitanHQ is a cloud-based antispam software that incorporates email sandboxing. When standard antivirus checks are passed, suspicious emails and attachments are sent to a next-generation email sandbox for deep inspection, where the behavior of the attachments is assessed in an isolated sandbox environment. If malicious actions are detected, the threat is neutralized. SpamTitan also incorporates AI-based and machine-learning detection mechanisms to assist with malicious email detection, and along with a host of other checks ensure malicious emails are detected and blocked. In recent independent tests, SpamTitan has a 99.99% phishing catch rate and a 100% malware catch rate, with zero false positives.
SpamTitan, like all other TitanHQ cybersecurity solutions, is available on a free trial to allow you to see for yourself the difference it makes. To find out more about protecting your business from increasingly sophisticated threats, give the TitanHQ team a call.
by titanadmin | Sep 25, 2024 | Industry News, Security Awareness |
TitanHQ has launched a new version of its SafeTitan security awareness training and phishing simulation platform, which now includes new features for Managed Service Providers (MSPs) to allow them to enhance their security awareness training services.
Security awareness training is now vital due to the increasing number and sophistication of phishing attempts. Even with an advanced anti-phishing solution in place, it is inevitable that some phishing attempts will reach their intended targets, so the workforce needs to be trained on how to recognize and avoid phishing attempts. Companies are increasingly turning to MSPs to provide security awareness training as they lack the time and resources to develop and administer training courses and conduct phishing simulations. By providing training as a service, MSPs can better protect their clients against phishing and reduce support time, while also improving their bottom line.
Two key features added to the platform in the latest release are a multi-lure feature and reactive training for MSPs. When conducting phishing simulations internally, there is a chance that an employee will correctly identify a simulated phishing email and tip off their colleagues. The multi-lure feature of the SafeTitan platform solves this problem by allowing randomized lures to be sent during a simulated phishing campaign.
When this feature is activated, phishing emails will be sent in randomized bursts during working hours to ensure a high level of diversity within a phishing campaign and to maintain the element of surprise. The variety will help to ensure that members of the workforce experience a genuine test of their knowledge to help equip them with the skills they need to identify real phishing attempts.
Another new feature has been added to the MSP layer of the platform to ensure that MSPs can provide enhanced security awareness training. Reactive training is often not available to MSPs, yet it is one of the most effective ways of changing user behavior. Administrators can configure the platform to provide training in response to insecure behaviors by employees in real-time, ensuring timely training is provided to correct a bad behavior at the time when it is most likely to have the greatest impact. SafeTitan captures all data from users’ interactions with simulated phishing emails. If the user responds inappropriately, such as clicking a link or opening an attachment, training can be provided in real time relevant to that insecure action ensuring the employee is made aware of the error and their behavior is corrected.
For the MSP, not only does that help to improve the security awareness of the workforce, it means there is no need for manual assessments, saving MSPs valuable time. Other updates in the latest release include several much-awaited feature requests, including updates to the user experience that make navigating the platform even easier.
If you are an MSP that does not currently offer security awareness training, give the TitanHQ team a call to find out more about the SafeTitan platform. Product demonstrations, including demos of the new features, can be arranged on request.
by titanadmin | Sep 24, 2024 | Security Awareness, Spam Software |
The primary defense against spam and malicious emails is anti-spam software, through which all emails must pass to be delivered to inboxes. A spam filter performs a variety of checks to ensure that the email is genuine and does not contain any threats, and if you use an advanced spam filtering service such as SpamTitan you will be well protected.
SpamTitan incorporates SPF, DKIM, and DMARC to identify and block spoofing, AI and machine learning algorithms to identify spam and malicious messages based on how they deviate from the genuine emails a business usually receives, and the solution performs checks of message headers and the message body including Bayesian analysis to identify unsolicited and malicious messages. SpamTitan also incorporates email sandboxing to identify malicious attachments based on their behavior. The Bitdefender-powered email sandbox service identifies the zero-day malware threats that antivirus controls miss. In recent independent tests, the engine that powers the SpamTitan and PhishTitan solutions scored second-highest in the tests with a phishing catch rate of 99.990%, a malware catch rate of 100%, and a false positive rate of 0.0%.
While these advanced antispam solutions can protect your business and block the majority of threats, spam filters for incoming mail will not block 100% of threats without also blocking an unacceptable number of genuine emails. That means that your corporate email filter may not catch all malicious and unwanted messages, which is why it is important not to totally rely on your enterprise spam filter for protection.
Cybercriminals are constantly developing new tactics to defeat spam filters and get their messages in inboxes where they can be opened by their intended targets. One tactic that has been increasing is callback phishing, where the emails contain no malicious links or attachments, only a phone number. The malicious actions take place over the phone, such as convincing the user to download software that provides remote access to their device. Spam filters cannot easily determine if a phone number is malicious, although the AI content detection mechanisms of SpamTitan can identify these types of threats.
Cybercriminals are increasingly leveraging legitimate third-party infrastructure for sending their spam and malicious emails, such as exploiting web forms with backend SMTP infrastructure, legitimate online services such as Google Drive, Dropbox, and SharePoint for hosting malware and phishing content, and services such as Google Forms for hosting fake quizzes for capturing sensitive information. All of these methods can be difficult to identify as they use legitimate services that are generally trusted by email security solutions. Then there are other forms of phishing that no email security solution can block, as the phishing occurs on social media pages and links are sent via instant messaging services and SMS. These “smishing” attacks bypass standard technical defenses and often reach their intended targets.
The reality is that no matter how good your technical defenses are, threats will be encountered by employees. An advanced spam filter like SpamTitan will help to reduce the number of malicious and unwanted messages that arrive in inboxes but without comprehensive security awareness training, employees may respond to the malicious messages that sneak past your spam filter, are encountered via the Internet, or are sent via SMS or instant messaging services.
This is why TitanHQ strongly recommends providing regular security awareness training to the workforce to train individuals how to recognize and avoid threats such as malware and phishing and to teach cybersecurity best practices to eradicate risky behaviors. This is also an area where TitanHQ can help. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) that makes it easy for businesses to create security awareness training programs for the workforce, with those campaigns tailored for different departments and roles and the different threats that each is likely to encounter.
The training courses are modular, with each element lasting no more than 10 minutes, which makes it easy to fit training into busy workflows. Through regular training, reinforced with phishing simulations conducted through the platform, businesses will be able to improve their human defenses. If malicious messages do make it past your perimeter defenses or if employees encounter threats online or elsewhere, they will have the skills to recognize and avoid those threats.
Give the TitanHQ team a call today to discuss improving your defenses through advanced spam filtering, web filtering, and security awareness training. TitanHQ solutions are available on a free trial to allow you to put them to the test before making a purchase decision, and demonstrations can be arranged on request.
by titanadmin | Sep 24, 2024 | Network Security, Phishing & Email Spam, Security Awareness |
Cybercriminals and nation state threat actors are targeting businesses to steal sensitive information, often also using file encryption with ransomware for extortion. Initial access to business networks is gained through a range of tactics, but the most common is the use of compromised credentials. Credentials can be guessed using brute force tactics, by exploiting password reuse in credential stuffing attacks, using malware such as keyloggers to steal passwords, or via phishing attacks.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), compromised credentials are the most common method for initial access in attacks on critical infrastructure entities. CISA revealed that 41% of all attacks on critical infrastructure used compromised credentials and phishing and spear phishing were identified as the second most common attack vector. A separate study by Osterman Research and OPSWAT revealed that the majority of critical infrastructure entities have suffered an email security breach in the past 12 months, with 75% of critical threats arriving via email.
Should any of these email threats arrive in inboxes, they could be opened by employees resulting in the theft of their credentials or the installation of malware. Both could provide a threat actor with the access they need to steal sensitive data and encrypt files with ransomware. Email threats usually impersonate a trusted entity such as a vendor, well-known organization, colleague, or previous acquaintance, which helps to make the correspondence appear authentic, increasing the likelihood of an employee responding.
According to CISA, the success rate of these emails depends on the technical defenses a business has in place and whether security awareness training has been provided to the workforce. The primary defense against phishing and other email attacks is a spam filter, which can be a cloud-based spam filtering service or gateway spam filter. CISA recommends implementing email filtering mechanisms incorporating Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), as both are important for protecting against spoofing and email modification.
Antiphishing defenses should rewrite URLs to show their true destination, and for maximum protection – especially against AI-generated phishing attempts – anti-spam software should incorporate machine learning and AI-based detection mechanisms and analyze email content to determine how emails deviate from the typical emails received by a business. Malware is often used in attacks, so spam filters should incorporate antivirus protection, including email sandboxing to detect malware based on its behavior rather than signature since many novel threats can bypass the signature-based defenses of standard anti-virus products.
A web filter is a useful tool for protecting against the web-based component of phishing attempts, as it can block access to known malicious websites and also prevent visits to malicious websites from general web browsing. Security awareness training should be provided frequently to the workforce to improve human-based defenses and reduce the risk of employees being tricked by social engineering and phishing attempts. Employees should also be provided with an easy way of reporting suspicious requests to their security teams. Backing up security awareness training with phishing simulations can help reinforce training and identify knowledge gaps.
To protect against compromised credentials, multifactor authentication should be implemented, with phishing-resistant MFA providing the highest level of protection. Password policies should be implemented that require the use of unique, strong passwords, all default passwords should be changed, and any inactive or unnecessary accounts should be disabled.
TitanHQ can help protect against these attacks through a suite of cybersecurity solutions. SpamTitan email Security, the WebTitan DNS-based web filter, the PhishTitan anti-phishing solution for Microsoft 365, and the SafeTitan security awareness training platform. All solutions have been developed to be easy for businesses to implement and use and provide cutting-edge protection against the full range of cyber threats. For more information give the TitanHQ team a call and take the first steps towards improving your defenses against increasingly sophisticated cyber threats.
by titanadmin | Sep 15, 2024 | Network Security |
Ransomware attacks can cause an incredible amount of damage to an organization’s reputation as well as huge financial losses from the downtime they cause. Recovery from an attack, regardless of whether the ransom is paid, can take weeks and the theft and publication of sensitive data on the dark web can prompt customers to leave in their droves. Attacks are still being conducted in high numbers, especially in the United States and the United Kingdom. One recent survey indicates that 90% of businesses in those countries have experienced at least one attack in the past 12 months, with three-quarters of organizations suffering more than one attack in the past year.
The healthcare sector is often attacked as defenses are perceived to be weak and sensitive data can be easily stolen, increasing the chance of the ransom being paid. The Inc Ransom group has been targeting the healthcare sector and conducted an attack on an NHS Trust in Scotland earlier this year, stealing 3 TB of sensitive data and subsequently publishing that data on the dark web when the ransom wasn’t paid.
The Inc Ransom group also conducted an attack on a Michigan healthcare provider, preventing access to its electronic medical record system for 3 weeks in August. A group called Qilin attacked an NHS pathology provider, Synnovis, in June 2024 which had a huge impact on patient services, causing a shortage of blood in London hospitals that caused many surgeries to be postponed. Education is another commonly attacked sector. The Billericay School in Essex had its IT system encrypted, forcing the school to temporarily close. In all of these attacks, highly sensitive data was stolen and held to ransom. The public sector, healthcare, and schools are attractive targets due to the value of the sensitive data they hold, and attacks on businesses cause incredibly costly downtime, both of which can force victims into paying ransoms. What is clear from the reporting of attacks is no sector is immune.
There is increasing evidence that ransomware groups are relying on malware for initial access. Microsoft recently reported that a threat actor tracked as Vanilla Tempest (aka Vice Society) that targets the healthcare and education sectors has started using Inc ransomware in its attacks and uses the Gootloader malware downloader for initial access. A threat actor tracked as Storm-0494 is responsible for the Gootloader infections and sells access to the ransomware group. Infostealer malware is also commonly used in attack chains. The malware is installed by threat groups that act as initial access brokers, allowing them to steal credentials to gain access to networks and then sell that access to ransomware groups. Phishing is also commonly used for initial access and is one of the main initial access vectors in ransomware attacks, providing access in around one-quarter of attacks.
Infostealer malware is often able to evade antivirus solutions and is either delivered via malicious websites, drive-by malware downloads, or phishing emails. Gootloader infections primarily occur via malicious websites, with malvertising used to direct users to malicious sites where they are tricked into downloading and installing malware. Credentials are commonly compromised in phishing attacks, with employees tricked into disclosing their passwords by impersonating trusted individuals and companies.
Advanced cybersecurity defenses are needed to combat these damaging cyberattacks. In addition to traditional antivirus software, businesses need to implement defenses capable of identifying the novel malware threats that antivirus software is unable to detect. One of the best defenses is an email sandbox, where emails are sent for behavioral analysis. In the sandbox – an isolated, safe environment – file attachments are executed, and their behavior is analyzed, rather than relying on malware signatures for detection, and links are followed to identify malicious content.
DNS filters are valuable tools for blocking web-based delivery of malware. They can be used to control access to the Internet, prevent malvertising redirects to malicious websites, block downloads of dangerous file types from the Internet, and access to known malicious URLs. Employees are tricked into taking actions that provide attackers with access to their networks, by installing malware or disclosing their credentials in phishing attacks, so regular security awareness training is important along with tests of knowledge using phishing simulations.
There is unfortunately no silver bullet when it comes to stopping ransomware attacks; however, that does not mean protecting against ransomware attacks is difficult for businesses. TitanHQ offers a suite of easy-to-use cybersecurity solutions that provide cutting-edge protection against ransomware attacks. TitanHQ’s award-winning products combine advanced detection such as email sandboxing, AI and machine-learning-based detection, and are fed threat intelligence from a massive global network of endpoints to ensure businesses are well protected from the full range of threats.
Give the TitanHQ team a call today and have a chat about improving your defenses with advanced anti-spam software, anti-phishing protection, DNS filtering, and security awareness training solutions and put the solutions to the test on a free trial to see for yourself the difference they make.
by Jennifer Marsh | Aug 30, 2024 | Phishing & Email Spam |
QR codes are used for a wide range of purposes, including marketing, communications, and even in restaurants to direct diners to menus, and with the popularity of QR codes soaring it should be no surprise that they are being used by cybercriminals in their phishing campaigns. QR codes are similar to the bar codes on products. They are black and white images that contain information, which for QR codes is commonly a URL for a web page or hosted file. A camera on a smartphone is used to scan the code, which will detect the URL, and the user can click that URL to visit the resource. It is far more convenient than entering a URL on a mobile phone keypad.
The use of QR codes has been growing considerably. According to a 2024 report from QR Tiger on QR Code trends, there has been 47% year-over-year growth in QR code usage. The convenience of QR codes and their growing popularity have not been lost on cybercriminals who are using QR codes to direct unsuspecting users to malicious websites that host malware or are used to phish for credentials. As an added advantage, many traditional security solutions are unable to assess the URLs in QR codes and fail to block access to malicious sites.
QR code phishing (aka quishing) may involve QR codes sent via email. Instead of embedding a hyperlink in an email, a QR code is used to evade email security solutions. A novel campaign has recently been detected by security researchers at Netskope Threat Labs that uses QR codes to steal Microsoft 365 credentials. In this campaign, a Microsoft 365 product called Microsoft Sway is abused to host the spoofed web pages.
Microsoft Sway is used for creating newsletters and presentations and was first released by Microsoft under the M365 product suite in 2015. Since Microsoft Sway is a legitimate Microsoft cloud-based tool, a link to a Sway presentation is unlikely to be identified as malicious by security solutions, as Sway is a trusted platform. The link to the Sway presentation may be distributed in emails, SMS messages, and instant messenger platforms, or can be added to websites in an iframe. A QR code could even be used to direct a user to the Sway presentation.
That presentation includes a QR code that encodes a URL for a website that masquerades as a legitimate Microsoft site. If scanned, the user is directed to a web page where they are asked to enter their Microsoft 365 credentials. What makes this campaign even harder for users to identify is the transparent phishing technique used. Entering credentials will log the user into the legitimate site, and at the same time credentials are captured along with any MFA code, which are relayed to the attacker. The credentials and MFA code are then used to hijack the account.
TitanHQ offers several cybersecurity solutions that provide layered protection against advanced phishing attempts, including quishing. Since these scams target individuals, it is important to raise awareness of the threat by providing security awareness training to the workforce. The SafeTitan platform from TitanHQ includes a wealth of training content, including modules for raising awareness of quishing. The platform also includes a phishing simulator with quishing templates to test whether employees scan QR codes and visit the websites they encode.
Regardless of how a URL is communicated to a member of the workforce, it is possible to block access to a malicious URL with a DNS filter. TitanHQ’s DNS filter, WebTitan, blocks access to all known malicious websites and is constantly updated with the latest threat intelligence from a global network of users. As soon as a malicious URL is detected, the solution is updated and all WebTitan users are protected. QR code may direct users to websites where malware is downloaded. WebTitan can be configured to block file downloads from the internet by file type.
QR codes are commonly sent via email, so an advanced email security solution is required. SpamTitan is a cutting-edge spam filtering service that uses advanced detection techniques, including AI and natural language processing to identify and block these threats, even zero-minute phishing attempts. In contrast to many spam filters for incoming mail, SpamTitan can detect novel phishing and quishing attempts. Finally, businesses can add another layer of protection through PhishTitan, TitanHQ’s advanced anti-phishing solution for Microsoft 365 which blocks attempts to visit phishing sites and allows security teams to easily remediate phishing attempts across their entire email system.
Phishers are constantly developing new tactics and techniques for distributing malware and stealing credentials, but with TitanHQ solutions in place, you will be well protected against these rapidly evolving threats. Talk with TitanHQ’s cybersecurity experts today for more information on staying one step ahead of cybercriminals and keeping your company safe.
by Jennifer Marsh | Aug 30, 2024 | Internet Security, Security Awareness |
A malvertising campaign is behind a surge in FakeBat malware infections, according to researchers at Google’s Mandiant. FakeBat is a malware loader that is offered to other cybercriminals under the malware-as-a-service model. Once infected with FakeBat, system information is gathered and exfiltrated to its command-and-control server, and if the victim is of interest to the threat actor’s business partners, they can use FakeBat to download their own payloads onto an infected device. FakeBat, also known as EugenLoader, has fast become a major player among cyber threats with infections increasing significantly in recent months due to the ability of the malware to evade security solutions and hide the additional payloads it delivers.
FakeBat malware is primarily distributed via malvertising and drive-by downloads. Malvertising is the name given to malicious adverts that trick Internet users into downloading malicious software. Malicious adverts are created on online advertising platforms such as Google Ads, and the adverts then appear prominently at the top of search engines for certain search terms. They often catch unwary Internet users who fail to check the URL they are directed to after clicking an advert. Google has numerous safeguards in place to thwart attempts by threat actors to upload malicious adverts to its platform, but threat actors can bypass those security controls. Malicious adverts may also appear in the third-party ad blocks that many website owners add to their sites to generate additional revenue. The domains used for these scams can be convincing, as they often closely resemble the domain name of the legitimate software provider.
Drive-by downloads of malware can occur on many different websites, including attacker-owned domains and compromised sites. Websites may be created for the sole purpose of delivering malware, with black hat search engine optimization (SEO) techniques used to get web pages to appear high in the search engine listings for certain search terms. Cybercriminals may also compromise legitimate websites by exploiting vulnerabilities and then create new web pages on those sites for malware distribution. These sites often contain JavaScript that runs when a user lands on the site and generates a fake security warning, such as an alert that malware has been detected on their device. Software is offered to remove the malware, but downloading the installer will result in malware being installed.
These approaches are often used to target company employees, with adverts and malicious web pages offering popular software downloads. The adverts and websites are carefully crafted to make the user believe they are downloading the genuine software they seek. Oftentimes, the adverts and websites provide legitimate software; however, the installers also side-load malware. These malware infections often go unnoticed since the user gets the software they are expecting.
The malvertising campaigns that deliver FakeBat malware use signed MSIX installers that impersonate popular software products such as WinRAR, the password software KeePass, the gaming platform Steam, the video conferencing platform Zoom, and web browsers such as Brave. Malware known to be delivered by FakeBat includes information stealers (e.g. Redline Stealer, Lumma Stealer), banking trojans (e.g. IcedID), Remote access Trojans (e.g. SectopRAT), and more. The threat actor is also known to use phishing to distribute FakeBat malware.
Businesses should ensure they take steps to prevent malware infections via malvertising and drive-by downloads, as a single mistake by an employee can result in a costly malware infection and data breach and could potentially also lead to a ransomware attack and significant data loss.
TitanHQ offers cybersecurity solutions that offer multiple layers of protection against malware infections. Since these campaigns trick employees into installing malware, one of the best defenses is to provide comprehensive security awareness training. TitanHQ’s SafeTitan security awareness training platform makes it easy for businesses to improve the security awareness of their workforce by eradicating risky behaviors and teaching employees how to recognize, avoid, and report threats. The platform also includes a phishing simulator to test employees’ skills at identifying phishing attempts with training content automatically generated in response to simulation failures.
Technical defenses are also important to prevent employees from visiting malicious websites. The WebTitan DNS filter is a powerful tool for carefully controlling access to websites. WebTitan blocks access to all known malicious sites and can be configured to block certain file downloads from the Internet, such as MSIX installers. TitanHQ’s SpamTitan cloud-based spam filter and the PhishTitan anti-phishing solution provide cutting-edge protection against phishing attempts. The engine that powers these solutions has been independently tested and demonstrated to block 100% of known malware. SpamTItan also includes email sandboxing for identifying malware by its behavior, in addition to twin antivirus engines for blocking known malware, and machine learning capabilities to detect novel phishing threats.
To find out more about improving your defenses against malvertising, drive-by downloads, phishing, and other cyber threats, give the TitanHQ team a call. All TitanHQ solutions are also available on a free trial to allow you to put them to the test before making a purchase decision.
by Jennifer Marsh | Aug 29, 2024 | Phishing & Email Spam, Security Awareness |
If a phishing attempt is successful and a threat actor gains access to an employee’s email account, it is common for the compromised email account to be used for internal phishing. Some malware variants also allow threat actors to hijack email accounts and send malware internally, adding a copy of the malware to a message thread to make it appear that a file was attached in response to a past email conversation.
There are several different scenarios where these types of attacks will occur such as business email compromise attacks to gain access to an email account that can be used for the scam – a CEO, executive, HR, or IT department account for example; to distribute malware extensively to compromise as many accounts as possible; to gain access to multiple email accounts, or to compromise multiple accounts to gain access to sensitive data.
In industries where data breach reporting is mandatory, such as in healthcare in the United States, email account breaches are regularly reported where unauthorized activity is detected in a single email account, and the subsequent investigation reveals multiple employee email accounts have been compromised through internal phishing.
Internal phishing attempts are much harder to identify than phishing attempts from external email accounts. Even when email security solutions incorporate outbound scanning, these phishing attempts are often not recognized as malicious as the emails are sent from a trusted account. The recipients of these emails are also much more likely to trust an internal email than an external email from an unknown sender and open the email, click a link, or open a shared file.
Attackers may also spoof an internal email account. It is easy to find out the format used by a company for their emails, and names can be found on professional networking sites. A good email security solution should be able to identify these spoofed emails, but if they arrive in an inbox, an employee may be fooled into thinking that the email is a genuine internal email.
It is important for businesses to take steps to combat internal phishing as it is a common weak point in email defenses. Unfortunately, there is no single technical control that can protect against these phishing attempts. What is required is a combination of measures to provide layered protection. With layered security, if one measure fails to protect against a threat, others are in places that can thwart the attempt.
The best place to start is with a technical measure to identify and block these phishing threats. Spam filter software naturally needs to have inbound as well as outbound scanning; however, standard checks such as reputation scans are not enough. An email security solution should have AI and machine learning capabilities for assessing how emails deviate from standard emails sent internally and for in-depth analysis of message content. Link scanning is also important, with URL rewriting to identify the true destination of embedded URLs, OLE detection, and email sandboxing to identify malicious attachments – not just malware but also malicious links in email attachments.
Security awareness training is vital as employees may not be aware of threats they are likely to encounter. Security awareness training should include internal phishing and employees should be made aware that they should not automatically trust internal emails as they may not be what they seem. Security awareness training should be accompanied by phishing simulations, including simulated phishing attempts from internal email accounts. These will give employees practice in identifying phishing and security teams will learn how susceptible the workforce is and can then take steps to address the problem.
Multi-factor authentication is required. If a phishing attempt is not identified by either a security solution or the employee, and the employee responds and divulges their credentials, they can be used by the threat actor to access the employee’s email account. Multi-factor authentication protects against this by requiring another factor – in addition to a password – to be provided. The most robust form of MFA is phishing-resistant MFA, although any form of MFA is better than none.
TitanHQ can help protect against phishing attacks of all types through the SpamTitan cloud-based spam filtering service, the PhishTitan anti-phishing solution for M365, and the SafeTitan Security awareness training and phishing simulation platform.
The engine that powers SpamTitan and PhishTitan has an exceptional phishing catch rate, including internal phishing attempts. The engine incorporates AI- and machine learning algorithms that can detect novel phishing attempts and emails that deviate from the normal emails sent internally, as well as OLE detection, URL rewriting, and email sandboxing for catching novel malware and phishing threats.
The SafeTitan Security awareness training platform includes an extensive library of training content to teach security best practices, eradicate risky behaviors, and train employees on how to recognize an extensive range of threats. The phishing simulator makes it easy to conduct internal phishing tests on employees to test knowledge and give employees practice at identifying email threats. Usage data shows the platform can reduce employee susceptibility to phishing attempts by up to 80%.
For more information about improving your phishing defenses, speak with TitanHQ today.
by Jennifer Marsh | Aug 28, 2024 | Spam Software |
Phishing is the name given to a type of cyberattack where the threat actor uses deception to trick an individual into taking an action that benefits the threat actor. A lure is used to get the targeted individual to respond and these attacks typically create a sense of urgency. Urgency is required as phishers need users to act quickly rather than stop and think about the request. The faster the response, the less time there is to identify the scam for what it is. There is often a threat to help create a sense of urgency, such as negative consequences if no action is taken.
Phishing can take place over the phone, SMS, and instant messaging platforms, but email is the most common way of getting the phishing lure in front of an employee. It is now common for businesses to provide security awareness training to the workforce to raise awareness of phishing threats and to have a spam email filter in place to detect and quarantine these malicious emails before they reach inboxes; however, even with robust defenses in place, some malicious emails will arrive in inboxes and employees are often tricked into responding.
Security awareness training programs teach employees to stop and think before taking any request in an email, which is the last thing phishers want the recipients of their emails to do. One of the ways they can get a quick response is to make the recipient believe that the email has been sent from an internal email account, either through spoofing or by using a compromised internal email account. Some of the lures used in phishing attempts that the majority of employees will at least open and read, are detailed below.
HR Themed Phishing Emails
One of the ways that phishers increase the chance of a user responding is to use Human Resources (HR)-themed lure, as any communication from the HR department is usually taken seriously by employees. These phishing attempts include the types of notifications that HR departments often send via email, examples of which include:
- Changes to working hours
- Updates to working practices
- Dress code changes
- Upcoming training/cybersecurity training sessions
- Annual leave notifications
- Payroll information requests
- Tax matters
- Healthcare and wellness benefit updates
- Employee rewards programs
- Notifications about disciplinary procedures
IT Department Notifications
Notifications from the IT department are also common as employees typically open these emails and act quickly. These include:
- Internet activity reports
- Security alerts
- The discovery of unauthorized software
- Changes to access rights
- Requires software installations
Notifications from Board Members
Phishers often impersonate the CEO or other executives, as they know that employees will want to respond quickly and are unlikely to question requests from these authority figures. CEOs are commonly impersonated in business email compromise attacks, where the threat actor tries to get an employee to make a wire transfer to their account, purchase gift cards, or divulge sensitive information. These emails may include a hyperlink to a website where the user is told they must enter their login credentials, a hyperlink to a website where a file download takes place, or the emails may include an attachment. Common file types used in these email campaigns include PDF files, HTML attachments, Office files, and compressed files. These files may contain malware or malicious scripts, or may be used to hide information from spam filtering software. For example, PDF files are commonly used that contain malicious links. By adding the link to the PDF file, there is less chance that spam filtering software will find and follow the link.
How to Defend Against These Common Email Threats
Defending against email attacks requires advanced anti spam software and regular security awareness training for the workforce. SpamTitan from TitanHQ is an advanced cloud-based anti-spam service that performs comprehensive checks for spam and malicious emails, including an inbound spam filter and outbound filtering with data loss prevention. SpamTitan performs reputation checks of the sender’s domain and email account, recipient verification, anti-spoofing checks, and alias recognition, and allows geoblocking to prevent the delivery of emails from certain locations (overseas, for instance).
SpamTitan also incorporates extensive content filtering mechanisms, including rewriting URLs to identify the true destination, URL checks to identify malicious content, anti-phishing measures including machine learning algorithms to detect suspicious content that deviates from the standard emails typically received, Bayesian analysis to identify spam and phishing, OLE detection, dual antivirus engines, and email sandboxing. Sandboxing is key to blocking malware threats, including previously unseen malware. With SpamTitan in place, the vast majority of threats will not arrive in inboxes. In recent independent tests, SpamTitan had a 99.99% spam detection rate, a 99.98% phishing detection rate, and a 100% malware detection rate, with zero false positives.
TitanHQ also offers a comprehensive security awareness training platform called SafeTitan. SafeTitan makes it easy for businesses to create and automate security awareness training programs for the workforce, and tailor programs for different departments and user groups. The content is fun and engaging and is delivered in modules of more than 10 minutes, which makes security awareness training easy to fit into busy workflows. SafeTitan also includes a phishing simulator for assessing the effectiveness of training and for giving employees practice at identifying phishing attempts, including the types of phishing attempts mentioned in this article that often fool employees.
SpamTitan and SafeTitan, like all TitanHQ solutions, are easy to implement, use, and maintain, and are available on a free trial. For advice on improving cybersecurity at your business and for further information on TitanHQ solutions, call the team today and take the first step toward improving your security posture.
by Jennifer Marsh | Aug 27, 2024 | Security Awareness |
Do you provide security awareness training to your workforce? If so, when was the last time you updated the content? Chances are you are not keeping your employees sufficiently up to date on the rapidly changing tactics, techniques, and procedures used by cybercriminals which means your training will not be as effective as it should be.
Security awareness training used to be a relatively straightforward process aimed at teaching members of the workforce good cybersecurity practices such as choosing complex passwords, exercising caution when entering sensitive information on screen to ensure they are not being watched, and looking for spelling mistakes, grammatical errors, unusual email addresses, and other signs of phishing emails. Providing an annual security awareness training session once a year or biannually was satisfactory, but things are now very different.
Cybercriminals are constantly developing new ways of tricking employees, translators are much more accurate than they once were, and generative AI can be leveraged not only to create phishing emails free of errors but these tools can also be used to create new lures to trick employees into responding, not to mention the use of deepfakes that can be incredibly convincing.
While the main threat is still email-based attacks, cybercriminals are using a range of methods to reach employees including SMS messages, instant messaging services, social media platforms, and voice phishing, and often a combination of those methods. For example, initial contact may be made via email, and the recipient is told to call the provided phone number urgently to prevent a payment for a subscription service from being taken from their account. Tactics are also changing rapidly, with new attacks on employees constantly being developed. Any training program that is not constantly being changed to reflect these new tactics means there will be significant knowledge gaps and cybercriminals will be all too quick to exploit.
While the aim of security awareness training for many businesses is to raise the baseline level of knowledge and ensure that everyone is aware of security risks that they are likely to encounter, given the rapidly changing threat landscape and the sophistication of phishing and BEC attacks, more needs to be done.
Security awareness training should be an ongoing process, with training provided regularly throughout the year. Training should be provided at least monthly and preferably weekly, using short training modules that can be completed in just a few minutes. Providing training regularly in small bite-size chunks helps to keep cybersecurity fresh in the mind, makes it more likely that the information will be remembered, allows businesses to keep employees up to date on changing tactics, and it is much easier to fit the training into busy workflows. The training content can be completed when employees find they have 10 minutes spare.
Developing a training course is time-consuming, especially when the content needs to be regularly refreshed. The easiest approach is to use a training vendor who keeps their content up to date based on the latest threat intelligence and provides a platform that makes creating tailored training courses for businesses and the individuals who work there a quick and easy process.
The SafeTitan platform from TitanHQ has been developed to make security awareness training simple for employers, allowing them to create effective training courses tailored for each individual, job role, or department. The platform makes it easy to automate training programs so they run continuously throughout the year, including automated training in response to errors by employees. When a security error is made, training relevant to that error is immediately generated. That means the problem is nipped in the bud as training is delivered when it is most likely to have the desired effect – changing behavior to prevent similar errors in the future.
The SafeTitan platform includes hundreds of training modules of no more than 10 minutes, which can be easily customized and compiled into training courses for all job roles and knowledge levels, with new content constantly added based on the latest threat intelligence. The platform includes a phishing simulator that allows simulations to be conducted to give employees practice at identifying threats as well as to provide management with feedback on the effectiveness of the training. Weak links can be identified and corrected through further training and, like the training courses, the simulations can be automated.
The SafeTitan platform allows businesses to adopt a more proactive approach to security awareness training to stay one step ahead of cybercriminals and develop a security culture through training where employees can recognize, avoid, and report security threats. Coupled with the SpamTitan anti-spam service and the PhishTitan anti-phishing platform, businesses will be well protected in this ever-changing threat landscape.
Give the TitanHQ team a call to find out more about improving your technical defenses against phishing, malware, and other threats as well as creating a formidable human firewall. All TitanHQ solutions are available on a free trial and the team will be happy to arrange a product demonstration to help get you started.
by Jennifer Marsh | Aug 27, 2024 | Phishing & Email Spam, Security Awareness |
Business email compromise (BEC) and vendor email compromise (VEC) attacks can result in huge financial losses that can prove catastrophic for businesses, and these attacks are being conducted with increasing regularity.
BEC and VEC attacks have their roots in phishing and often involve phishing as the first stage of the attack. These attacks involve impersonation of a trusted person through spoofed or compromised email accounts. The attacker then tricks the targeted individual into disclosing sensitive information or making a fraudulent wire transfer. In the case of the latter, the losses can be considerable. A company employee at Orion, a Luxembourg carbon black supplier, resulted in fraudulent transfers of $60 million. The employee was tricked into believing he was conversing with a trusted vendor and made multiple fraudulent transfers to the attacker’s account.
BEC and VEC attacks are among the most difficult email threats to detect, as they often use legitimate, trusted email accounts so the recipient of the email is unaware that they are conversing with a scammer. Since the attacker often has access to emails, they will be aware of confidential information that no other individual other than the genuine account holder should know. The attacker can also check past emails between the account holder and the victim and can mimic the writing style of the account holder. These attacks can be almost impossible for humans to distinguish from genuine communications. Scammers often reply to existing email threads, which makes these scams even more believable.
BEC/VEC scammers are increasingly turning to AI tools to improve their attacks and AI tools make these scams even harder for humans and email security solutions to identify. AI tools can be fed past emails between two individuals and told to create a new email by mimicking the writing style, resulting in perfect emails that could fool even the most security-aware individual.
Some of the most convincing VEC attacks involve the use of compromised email accounts. The attacker gains access to the account through phishing or stolen credentials and searches through the account for information of interest that can be used in the scam. By searching through sent and stored emails, they can identify the vendor’s clients and identify targets. They are then sent payment requests for fake invoices, or requests are made to change the bank account information for genuine upcoming payments.
Due to the difficulty of identifying these threats, a variety of measures should be implemented to improve defenses, including administrative and technical controls, as well as employee training. In order to beat AI tools, network defenders need to adopt AI themselves, and should implement a spam filter with AI and machine learning capabilities, such as the SpamTitan cloud-based spam filtering service.
SpamTitan analyzes the genuine emails received by the company to create a baseline against which other emails can be measured. Through machine learning, Bayesian analysis, and other content checks, SpamTitan is able to identify the signs of BEC/VEC and alert end users when emails deviate from the norm. An anti-phishing solution is also strongly recommended to protect accounts against initial compromise and to raise awareness of potential threats. PhishTitan from TitanHQ incorporates cutting-edge threat detection with email banners warning about external emails and other threats and allows IT teams to rapidly remediate any attacks in progress.
Security awareness training is essential for raising awareness of the threat of BEC and VEC attacks. Since these scams target executives, IT, and HR staff, training for those users is vital. They should be made aware of the threat, taught how to identify these scams, and the actions to take when a potentially malicious message is received. With the SafeTitan security awareness training program it is easy to create training courses and tailor the content to cover threats each user group is likely to encounter to ensure the training is laser-focused on the most pertinent threats.
While spam email filtering and security awareness training are the most important measures to implement, it is also important to strengthen defenses against phishing through the adoption of multi-factor authentication on all email accounts, to prevent initial compromise. Administrative controls should also be considered, such as requiring employees to verify any high-risk actions, such as changes to bank accounts or payment methods, and maintaining a contact list of verified contact information to allow phone verification of any high-risk change. This two-step verification method can protect against all BEC/VEC attacks and prevent fraudulent payments.
by Jennifer Marsh | Aug 27, 2024 | Industry News |
TitanHQ has upgraded its award-winning SpamTitan email security solution, with the latest release including several enhancements to improve protection against malware, phishing, and other advanced threats. The latest release – version 9 – of the flagship email security solution is named SpamTitan Skellig, which includes major enhancements to the anti-spam engine at the core of the solution to improve malware detection and new phishing enhancements to protect against ever-evolving sophisticated threats.
SpamTitan is a leading cloud-based anti-spam service that has been shown in recent independent tests to provide exceptional protection against spam, phishing emails, and malware. The hosted spam filter includes a next-gen email sandbox, up-to-the-minute threat intelligence feed, AI and machine learning algorithms, twin antivirus engines, and more. In June 2024, Virus Bulletin put the new version of SpamTitan to the test and gave it VBSpam+ certification, with the solution achieving the second-highest final score in the test of 12 leading email security solutions. SpamTitan successfully blocked all malware samples, only missed one phishing email, and did not generate any false positives. SpamTitan had a malware catch rate of 100%, a phishing catch rate of 99.99%, a spam catch rate of 99.98%, and was given an overall score of 99.984%.
The update to SpamTitan Skellig will ensure that users continue to have best-in-class protection against email threats but there is more to the update than protecting against threats. SpamTitan has long been popular with end users due to the ease of use of the solution, which is why users consistently give the solution 5-star reviews. The latest release includes a brand new UI that is even more intuitive with improved navigation and better administrative functions across the board and makes it easier to onboard new users.
The upgraded version is available to all new users and current users can upgrade and get better protection at no additional cost for the upgrade and no change to the subscription price, with full assistance provided with upgrading if required. You can find out more about migrating to the new version here.
by Jennifer Marsh | Aug 20, 2024 | Phishing & Email Spam |
Russian threat actors have been conducting increasingly advanced phishing campaigns against media organizations, international NGOs, and other targets perceived as being a threat to Russia. According to a recent report from Access Now and Citizen Lab, several international NGOs have reported being targeted with spear phishing emails in a campaign that has been ongoing since the start of 2023.
The campaign has been attributed to a threat actor known as COLDRIVER (aka Star Blizzard, Calisto) which multiple governments have attributed to the Russian Federal Security Service (FSB), and another campaign has been conducted by a second threat group, a relatively;y new threat group known as COLDWASTREL, whose interests align with those of COLDRIVER.
The campaigns aim to steal credentials rather than infect devices with malware. Spear phishing emails are used to make initial contact and trick the targets into disclosing their credentials. Emails are sent to individuals that have been highly personalized to maximize the probability of the recipient responding. A common theme was to make initial contact by masquerading as a person known to the target, including colleagues, funders, and U.S. government employees.
One of the common lures used in the emails was to request that the recipient review a document relevant to their work, which for media companies was often a draft article. In some of the emails, the document that the target was requested to view was not attached to the email. The failure to attach the file is likely a tactic used by the threat actor to see if the recipient responds and to only provide the file if they do. That could help to ensure that only the intended recipient is presented with the malicious file, reducing the risk of detection.
The file is often a PDF file, which if opened, only displays blurred text. The target is told that the text has been encrypted using an online service e.g. ProtonDrive. In order to view the document, the recipient is required to click a link. If the link is clicked, JavaScript code is fetched from the attacker’s server which fingerprints the system. If deemed to be of interest, they are directed to a URL that has a CAPTCHA check that must be passed to prevent bots from landing on the destination URL.
The landing page presents the user with a login prompt relevant to their email service, such as Gmail or ProtonMail, which may be pre-populated with the user’s email address so they are only required to enter their password and multifactor authentication code. If they are entered, the threat actor will obtain a session cookie that will allow them to access the account for some time before they are required to reauthenticate, allowing them to immediately access sensitive information in the target’s email account and associated online storage, such as Google Drive. The domains used for these campaigns did not remain operational for more than 30 days and they were registered with Hostinger, which rotates the IP addresses for the domains every 24 hours in an effort to prevent the sites being blocked by security solutions.
The targets of the campaign who spoke with the researchers chose to remain anonymous. They included Russian opposition figures in exile, NGO staff members in the US and Europe, funders, and media organizations. The researchers suggest that the campaign may have been conducted more broadly on other targets that are perceived threats to Russia. The researchers said a common theme among the targets was that they had extensive networks among sensitive communities and links to Russia, Ukraine, and Belarus.
Spear phishing campaigns can be highly effective as they are hyper-focused on small numbers of individuals and often are highly researched preceding initial contact to ensure that the right person is impersonated and a lure is used that the target is likely to respond to. Various measures are also used to reduce the chance of detection, including avoiding sending malicious content in the initial email, the use of CAPTCHA checks, and rotating IP addresses. Standard email security solutions may fail to detect these threats which means it is often down to the individuals to identify and avoid these threats. The consequences of failing to do so can be severe, especially for the targeted individuals in this campaign who could be subjected to physical harm or arrest and imprisonment.
Spear phishing is also used by cybercriminals in their campaigns, and while these attacks are typically financially motivated, they can cause significant harm to businesses. Similar tactics are used and the campaigns can be highly effective. To block spear phishing and other sophisticated phishing attacks, businesses need to have advanced email security measures that include email sandboxing and machine learning algorithms to identify potentially malicious emails, since standard checks of the sender’s reputation, embedded URLs, and malware scans are unlikely to identify anything suspicious. This is an area where TitanHQ can help. Give the team a call to find out more about protecting against advanced phishing and malware threats.
by Jennifer Marsh | Aug 19, 2024 | Uncategorized |
The latest figures from Microsoft indicate that in 2024, around 1 million businesses worldwide are using Microsoft 365, and in the United States alone there are around 1 million users of its Office suite. That makes Microsoft 365 a big target for cybercriminals, and phishing is the main way that M365 users are targeted. Microsoft includes cybersecurity protections for its customers that can block phishing emails and malware, and those protections do a reasonable job of blocking malicious emails; however, threats do bypass defenses and reach end users, which is why many businesses choose to augment Microsoft’s protections with third-party anti-phishing and anti-malware solutions, and now there is another good reason to bolster protection.
Recent research has uncovered a flaw in Microsoft’s anti-phishing measures that allows cybercriminals to bypass its email safety alerts. Microsoft’s First Contact Safety Tip generates these warnings when a user receives an email from an unfamiliar email address to warn them that the email may be malicious. The email will include the message “You don’t often get emails from xxx@xxx.com. Learn why this is important.” That message warns the user to take extra care and if it is not shown in the email the user may assume that the message is legitimate.
That warning message is added to the body of the HTML email and the problem with that approach is it is possible to manipulate the message by embedding Cascading Style Sheets (CSS), which is what researchers at Certitude discovered. They demonstrated that by manipulating the CSS within the HTML of the email, they were able to hide that warning, They did that by hiding the anchor tags (<a>) so the link is not displayed, changing the font color to white, and forcing the email to have a white background, ensuring that the text is not displayed since it is also in white. While the warning is still included in the email this trick renders it invisible. They also showed that it is possible to spoof Microsoft’s encrypted and signed icons to make the email appear secure.
Microsoft has confirmed that the finding is valid but has chosen not to address the problem at this time. Microsoft has instead marked the issue for potential resolution through future product updates but there have been no known cases of this tactic being used in the wild and the issue was deemed to be sufficiently severe to qualify for immediate servicing.
This issue serves as a reminder about M365 cybersecurity. Microsoft produces some excellent products that are invaluable to businesses, but Microsoft is not a cybersecurity vendor and while protections have been added, they can be circumvented. Microsoft 365’s EOP and Defender solutions do a good job at blocking most threats, but malicious emails do get through to inboxes where they can be opened by end users. The Microsoft 365 spam filter only provides an average level of protection against email threats.
TitanHQ has developed cybersecurity solutions to address M365 security gaps and provide greater protection for Microsoft 365 users through the SpamTitan spam filter for M365 and PhishTitan anti-phishing solution, both of which integrate seamlessly with Microsoft 365 and add important extra layers of protection against phishing, scam emails, and malware.
The engine that powers the SpamTItan and PhishTitan solutions has been independently tested and confirmed to provide superior protection through advanced features designed to catch more malicious emails. Those measures include a powerful next-generation email sandbox for protecting against advanced email attacks. When emails pass initial checks and scans using twin antivirus engines, they are sent to the sandbox for deep inspection, which allows malware to be identified from its behavior rather than a signature. These solutions include AI and machine learning protection, where malicious emails can be identified based on how they deviate from the normal emails received by a business, improving protection against zero-day threats – phishing and business email compromise emails that have not been seen before.
The PhishTitan solution has been developed specifically for Microsoft 365 to provide unmatched protection against phishing threats. PhishTitan displays banner notifications in emails to warn end users about suspicious content, which will provide protection should Microsoft’s First Contact Safety Tip be hidden. Links in emails are rewritten to display their true destination, and the solution makes it quick and easy for security teams to remediate phishing threats throughout the entire email system.
The engine that powers these solutions has recently been shown to beat leading email security solutions such as Mimecast for catch rate, malware catch rate, and has far lower false positives. In the June Virus Bulletin Test, TitanHQ had a 99.99% phishing catch rate, a spam catch rate of 99.98%, a malware catch rate of 100%, and zero false positives. PhishTitan catches 20 unique and sophisticated threats per 80,000 emails received that Microsoft 365 misses. Give TitanHQ a call today to find out more about these solutions and how adding extra layers of protection can strengthen your business’s security posture.
by Jennifer Marsh | Aug 15, 2024 | Phishing & Email Spam, Security Awareness |
Business Email Compromise (BEC) has long been one of the costliest types of cybercrime. According to the latest data from the Federal Bureau of Investigation (FBI) Internet Crime Compliant Center (IC3), almost 21,500 complaints were received about BEC attacks in 2023 resulting in adjusted losses of more than $2.9 billion. Between October 2013 and December 202, more than $50 billion was lost to BEC scams domestically and internationally.
What is Business Email Compromise?
BEC, also known as email account compromise (EAC), is a sophisticated scam that involves sending emails to individuals that appear to have come from a trusted source and making a legitimate-sounding request, which is typically a change to bank account details for an upcoming payment or payment of a fake invoice.
One such scam targets homebuyers, with the attacker impersonating the title company and sending details for a wire transfer for a down payment for a house purchase. Businesses are commonly targeted and asked to wire money for an upcoming payment to a different bank account. While the scammer is usually based overseas, the bank account may be at a bank in the victim’s home country. When the funds are transferred by the victim they are immediately transferred overseas or withdrawn, making it difficult for the funds to be recovered.
BEC attacks often start with phishing emails. The scammers use phishing to gain access to an employee’s email account, then the account is used to send phishing emails internally. The goal is to compromise the account of an executive such as the CEO or CFO. That account can then be used for the BEC part of the scam. Alternatively, vendors are targeted, such as construction companies, and their accounts are used for BEC attacks on their customers.
Once a suitable email account has been compromised, the scammers search through previous emails in the account to find potential targets – the company’s customers in the case of a vendor account or individuals responsible for making wire transfers in the case of a CEO’s account. The attackers study previous communications between individuals to learn the writing style of the account holder, and then craft their messages impersonating the genuine account owner. AI tools may also be used for this part of the scam or even researching targets. Alternatively, email accounts and websites may be spoofed, using slight variations of legitimate email addresses and domains. The information needed to conduct the scam may be gleaned from public sources or stolen via malware infections.
From here, a single request may be sent or a conversation may ensue over several emails to build trust before the request is made. Considerable time and effort is put into these scams because the effort is worth it for the scammers. The losses to these scams can be huge. Fraudulent wire transfers are often for tens of thousands of dollars or more, and with two recent scams, the losses have been immense.
Tens of Millions Fraudulently Obtained in BEC Scams
INTERPOL recently reported that it had successfully recovered more than $40 million stolen in a single BEC attack. The scammers targeted a commodities firm in Singapore, impersonating one of the company’s suppliers. In July, an email was received that had apparently been sent by the supplier requesting a pending payment be sent to a new bank account, in this case, the account was based in Timor Leste. In this scam, the email was sent from an account that differed slightly from the supplier’s legitimate email address. That difference was not identified and the bank account details were changed. A payment of $42.3 million was made to the account, and the transfer was only determined to be fraudulent when the supplier queried why the payment had not been received. INTERPOL was able to assist with the recovery of $39 million, and seven arrests were made which also involved the recovery of a further $2 million.
There has since been an even bigger scam and the victim was not so fortunate. The chemical manufacturing company Orion reported falling victim to a BEC attack that resulted in a $60 million loss. The Luxembourg firm told the U.S. Securities and Exchange Commission (SEC) that a non-executive employee was tricked into transferring the funds to multiple third-party accounts. So far, that loss has not been recovered.
How to Reduce Risk And Defeat BEC Attacks
Defending against BEC attacks can be a challenge, as legitimate email accounts are often used and the scammers are expert impersonators. The use of AI tools makes these scams even more difficult to identify. Defending against BEC attacks requires a defense-in-depth approach to prevent malicious emails from being delivered and prepare the workforce by improving awareness of the threats.
Security awareness training is vital. All members of the workforce should receive training and be made aware of BEC scams (and other cybersecurity threats). Training should cover the basics of these scams, such as why they are conducted and the attackers’ aims, as well as the red flags to look for. Phishing simulations can be highly beneficial, as BEC scams can be simulated to put training to the test and give individual practice at identifying these scams. TitanHQ’s SafeTitan platform includes BEC training material and a phishing simulator and makes it easy for businesses to improve their human defenses against BEC attacks.
Policies and procedures should be developed and implemented to reduce risk. For instance, it should be company policy for any requested change to banking credentials to be reviewed by a supervisor, and for any requested bank account changes by vendors to require verification by phone, using previously verified contact information.
It is vital to implement technical security measures to prevent email accounts from being compromised, malware from being installed, and to identify and block BEC emails. Traditional anti-spam software often fails to detect these sophisticated threats. A standard anti-spam appliance will perform a range of checks on the sender’s reputation and may be able to detect and block spoofed emails, but generally not emails sent from legitimate compromised accounts. Traditional anti-spam and antivirus solutions can detect known malware, but not novel malware threats.
What is needed is a next-generation hosted anti-spam service with machine learning and AI capabilities that can learn about the standard emails sent and received by a company or individual and determine when emails deviate from the norm and flag them as suspicious. AI-based protection is needed to defeat cybercriminals ‘ use of AI tools. The spam filtering service should also include email sandboxing in addition to standard anti-virus protection to identify and block novel malware threats, to prevent the malware infections that are used to gather information to support BEC attacks. SpamTitan from TitanHQ has all these features and more, with recent independent tests confirming the solution provides exceptional protection against phishing, spam, and sophisticated threats such as BEC attacks.
The most important thing to do is to take proactive steps to improve your defenses. Doing nothing could see your business featured in the next set of FBI statistics. Give the TitanHQ team a call today to discuss the best defenses for your business and find out more about how TitanHQ can help block BEC attacks and other cyber threats.
by Jennifer Marsh | Jul 31, 2024 | Network Security |
Each year, IBM conducts a study of data breaches to determine how much these incidents are costing businesses, the main factors that contribute to that cost, and how attackers are gaining access to their victims’ networks. Aside from 2020, data breach costs have continued to increase annually, and this year is no exception. The average cost of a data breach has risen from $3.86 million in 2018 to $4.88 million in 2024 and has increased by 10% since last year. The highest costs were incurred at critical infrastructure entities, especially healthcare organizations. Breaches at the latter were the costliest at an average of $9.77 million per incident.
The report is based on 3,556 interviews with individuals at 604 organizations who had knowledge about data breaches at their respective organizations. The data breaches included in the report involved between 2,100 and 113,000 compromised records and occurred between March 2023 and February 2024. The calculations include direct costs such as the breach response, ransom paid, forensic analysis, and regulatory fines, as well as indirect expenses such as in-house investigations, loss of business, and loss of customers.
This year’s Cost of a Data Breach Report revealed the high cost of breaches stemming from phishing, business email compromise, social engineering, and stolen credentials, which are the costliest incidents to resolve. Breaches stemming from stolen credentials and phishing were the costliest root cause, as was the case in 2023. Compromised credentials were the leading attack vector and were behind 16% of breaches, with phishing the next most common behind 15% of breaches. In terms of cost, phishing attacks cost an average of $4.88 million and compromised credentials cost $4.81 million. Business email compromise attacks were also costly at an average of $4.88 million with social engineering incidents costing an average of $4.77 million.
The report dives into the factors that contribute to the cost of a breach and the main areas where businesses have been able to reduce costs. The main factors that contributed to the cost of a breach were security system complexity, a security skills shortage, and third-party breaches, which are difficult things to address. Businesses have been able to reduce breach costs by implementing a number of measures, and the two biggest factors were employee training and AI/machine learning insights, with one constant identified being the use of AI and automation in security.
Employee training was determined to reduce the average breach cost by $258,629, with the most important aspect of training related to detecting and stopping phishing attacks. If a business is targeted in a phishing campaign, it may not be possible to prevent all employees from being fooled by the campaign, but through regular training and phishing simulations, the severity of the incident can be greatly reduced. For instance, a recent phishing attack on a U.S. healthcare organization resulted in more than 50 email accounts being compromised. More effective training could have prevented many of those employees from being tricked, greatly reducing the severity of the attack and the cost of remediation.
AI and machine learning insights were determined to reduce the average breach cost by $258,538, a close second in terms of cost reduction. Cybercriminals are leveraging AI in their attacks, especially for phishing and social engineering attacks. Network defenders need to leverage AI and machine learning tools to help them defend against these attacks and identify phishing, social engineering, and BEC threats, which are becoming much harder for humans to spot. Automation is key, especially due to the cybersecurity skills shortage – one of the leading factors that increases breach costs. Network defenders are overworked, and automation is key to reducing their workload, especially since it is difficult to find and retain skilled cybersecurity staff.
At TitanHQ, we understand the importance of staff training, and the benefits of AI, machine learning, and automation and offer businesses an easy way to implement these and better protect themselves from cyberattacks, remediate incidents quickly and efficiently, and ensure that their workforce is well trained and aware of cyber threats and how to avoid them. Security awareness training is provided through the SafeTitan platform, which includes an extensive library of engaging training content to teach security best practices, raise awareness of cyber threats, and teach employees how to recognize and avoid threats including phishing, social engineering, and business email compromise.
The content is constantly refreshed to account for changing work practices, technology, and the latest tactics, techniques, and procedures being used by cybercriminals. The phishing simulator includes hundreds of templates taken from real-world phishing attempts to reinforce training and identify employees who fall for phishing attempts. It is quick and easy to create training courses and phishing simulations, and importantly, to automate them to run continuously throughout the year. The platform also automatically delivers training modules to employees in response to mistakes such as phishing simulation failures, to ensure training is delivered in real-time when it is needed the most and likely to have the greatest impact.
TitanHQ offers two cutting-edge products to protect against email-based attacks, especially phishing and social engineering attempts. SpamTitan is a cloud-based anti-spam service (or can be provided as a gateway spam filter) that incorporates exceptional malware protection, email sandboxing, AI, and machine learning algorithms to identify and quarantine sophisticated threats, including novel threats that have not been seen before. In recent independent tests, the machine learning algorithms and other threat detection features achieved a detection rate of over 99.99%.
PhishTitan incorporates the same AI and machine learning capabilities to identify and block more threats in Office 365 environments. PhishTitan layers extra protection on top of Microsoft 365’s EOP and Defender provides best-in-class phishing protection. PhishTitan is also a remediation solution for automating the response to phishing threats to reduce the burden on IT staff, including instant inbox threat removal of emails containing malicious URLs and tenant-wide remediation with robust cross-tenant features for detection and response.
With these solutions, businesses can improve protection, prevent data breaches, and greatly reduce costs while easing the burden on their IT staff. They are also easy to implement and use, as we understand that IT staff don’t need any more management headaches. For more information, give the TitanHQ team a call to discuss your requirements, find out more about the products, and arrange a product demonstration. All three products are also available in a free trial to allow you to put them to the test and see the difference they make.
by Jennifer Marsh | Jul 31, 2024 | Phishing & Email Spam |
A massive phishing campaign that involved around 3 million emails a day was made possible due to a misconfiguration in Proofpoint’s email servers. The vulnerability was exploited to get the emails DomainKeys Identified Mail (DKIM) signed and approved by SPF, thereby ensuring the emails were delivered to inboxes.
Researchers at Guardio identified the campaign, which ran from January 2024 to June 2024 and at its peak involved sending around 14 million emails a day. The purpose of the campaign was to steal credit card numbers and set up regular credit card payments. The emails impersonated well-known brands such as Nike, Disney, Coca-Cola, and IBM. As is common in phishing attempts, the headers of the emails were spoofed to make it appear that the email had been sent by a genuine company. The majority of spam filters would be able to detect this spoofing and block the emails because they use Sender Policy Framework (SPF) and DKIM, specifically to detect and prevent spoofing.
Emails must be sent from approved servers to pass SPF checks and they must be authenticated using the DKIM encryption key for the domain. With DKIM, public-key cryptography is used to sign an email with a private key when it leaves the sender’s server, and the recipient server uses the public key to verify the source of the message. If the from filed matches the DKIM check is passed and the email is determined to be authentic and will be delivered. If not, the email will identified as spam and will be blocked. In this campaign the emails were all properly signed and authenticated, ensuring that they would be delivered.
For an email that impersonated Nike, a spoofed email address would be used with the nike.com domain, which thanks to passing the SPF and DKIM checks, would be verified by the recipient as having been authenticated. The recipient may be fooled that the email has come from the genuine company domain, and since the emails themselves contained that company’s branding and provided a plausible reason for taking action, the user may click the link in the email.
As with most phishing emails, there is urgency. Action must be taken quickly to avoid negative consequences, such as an impending charge, notification about the closure of an account, or another pressing matter. If the link is clicked, the user will be directed to a phishing site that also spoofs the brand and they are asked to provide their credit card details. Alternatively, they are offered a too-good-to-be-true offer, and by paying they also enroll in an ongoing subscription involving sizeable monthly charges.
The way that the attackers got around the checks was to send the emails from an SMTP server on a virtual server under their control and to route them through a genuine Office 365 account on an Online Exchange server, then through a domain-specific Proofpoint server which sent the email on to the intended recipient. Since the Proofpoint customers being spoofed had authorized the Proofpoint service to send emails on their behalf as an allowed email sender, the attackers only had to find a way to send spoofed emails through the Proofpoint relay. Due to a misconfiguration that allowed Microsoft Office 365 accounts to easily interact with its relay servers, they were able to do just that, pass SPF and DKIM checks, and make their fake emails appear to be clean.
They obtained the MX record for the company being spoofed by querying the domain’s public DNS, then routed the email through the correct Proofpoint host that is used to process email for that domain. Since the Proofpoint server was tricked into believing that the emails had come from the genuine domains of its customers – such as Nike and Disney – the emails were then forwarded to the intended recipients rather than being quarantined.
Spammers are constantly developing new methods of defeating the best email security solutions and while email security products can usually block spam and malicious emails, some will be delivered to recipients. This is why it is important to have layered defenses in place to protect against all phases of the attack. For instance, in this attack, spam filters were bypassed, but other measures could detect and block this attack. For instance, a web filter can be used to prevent a user from visiting a phishing website linked in an email, and security awareness training should be conducted to teach employees how to identify the signs of phishing, to check the domain of any website linked in an email, and to also check the domain when they arrive on any website.
by titanadmin | Jul 31, 2024 | Phishing & Email Spam |
Microsoft credentials are being targeted in phishing campaigns that abuse Microsoft Forms. Microsoft Forms is a feature of Microsoft 365 that is commonly used for creating quizzes and surveys. Microsoft Forms has been used in the past for phishing campaigns, and Microsoft has implemented phishing protection measures to prevent abuse, but these campaigns show that those measures are not always effective.
To increase the probability of the phishing emails being delivered and the recipients responding, threat actors use compromised email accounts for the campaigns. If a business email account can be compromised in a phishing attack, it can be used to send phishing emails internally. Vendor email accounts are often targeted and used to conduct attacks on their customers. The emails are likely to be delivered as they come from a trusted account, which may even be whitelisted on email security solutions to ensure that their messages are delivered.
If the recipient clicks the link in the email they are directed to a Microsoft Form, which has an embedded link that the user is instructed to click. If the link is clicked, the user is directed to a phishing page where they are asked to enter their Microsoft 365 credentials. If the credentials are entered, they are captured by the attacker and are used to access their account.
The initial contact includes messages with a variety of lures, including fake delivery failure notifications, requests to change passwords, and notifications about shared documents. When the user lands on the form, they are told to click a link and fill in a questionnaire, that link then sends the user to a phishing page that appears to be a genuine login page for Microsoft 365 or another company, depending on which credentials are being targeted.
The attackers make their campaign more realistic by using company logos in the phishing emails and familiar favicons in the browser tab on the fake web pages. Since Microsoft Forms is used in this campaign, the URL provided in the phishing emails has the format https://forms.office[dot]com, as the forms are on a genuine Microsoft Forms domain. Not only does that help to trick the user into thinking the request is genuine, but it also makes it much harder for email security solutions to determine that the email is not legitimate as the forms.office[dot]com is generally trusted as it has a high reputation score.
When these phishing campaigns are detected, Microsoft takes prompt action to block these scams. Each form has a ‘report abuse’ button, so if the scams are identified by users, Microsoft will be notified and can take action to shut it down. The problem is that these emails are being sent in huge numbers and there is a considerable window of opportunity for the attacks. Further, if the attacker’s campaign is detected, they can just set up different web pages and forms and continue.
These phishing campaigns involve two phases, the first phase involves compromising email accounts to send the initial phishing emails. An advanced email security solution with sandboxing, URL rewriting, and AI-based detection capabilities will help to block this first phase of the attack. Advanced anti-phishing solutions for Office 365 can reduce the number of phishing emails that land in inboxes, even when sent from trusted email accounts. Banner warnings in emails will help to alert users to potential phishing emails; however, users need to be vigilant as it may be up to them to spot and report the phishing attempt. That means security awareness training should be provided to raise awareness of these types of phishing attempts.
Security awareness training should also incorporate phishing simulations, and it is recommended to create simulations of phishing attempts using Microsoft Forms. If users fall for the fake Microsoft Forms phishing attempts, they can be provided with further training and told how they could have identified the scam. If another Microsoft Forms phishing attempt is received, they are more likely to be able to identify it for what it is.
TitanHQ can help businesses improve their defenses against phishing through the TitanHQ cybersecurity suite, which includes SpamTitan cloud-based anti-spam service, the PhishTitan anti-phishing solution, and the SafeTitan security awareness and phishing simulation platform. SpamTitan and PhishTitan have exceptionally high detection rates with a low false positive rate, and SafeTitan is the only behavior-driven security awareness training platform that delivers training in real-time in response to employee mistakes. Give the TitanHQ team a call today for more information about these products, you can book a product demonstration to find out more, and all solutions are available on a free trial.
by titanadmin | Jul 30, 2024 | Phishing & Email Spam, Security Awareness |
Cybersecurity awareness training is now vital for businesses to raise employees’ awareness of cyber threats. Here we will explain why you need real-time security awareness training and phishing simulations and the difference they can make to your security posture.
The biggest cybersecurity threat faced by businesses is phishing. Phishing attacks target employees as cybercriminals and nation-state actors know all too well that employees are a weak link in security defenses. If they can get a phishing email in front of an employee and give them a plausible reason for taking the action they suggest, they can steal credentials that will give them the access they need or get the employee to download and open a malicious file, that will download malware and provide persistent access to the network.
If doesn’t always need to be a sophisticated phishing attempt if the email lands in the inbox of a busy employee or one who lacks security awareness. Many unsophisticated phishing attempts succeed due to human error. The problem is that phishing attempts are often sophisticated, and are now being crafted using LLMs that not only ensure that the emails are devoid of spelling mistakes and grammatical errors, but LLMs can also help to devise new phishing lures.
All it takes is for one phishing attempt to be successful to give an attacker the access they need for an extensive compromise. Cybercriminals often gain access to an employee’s email account and then use that account to conduct further phishing attempts internally, until they compromise large numbers of email accounts and manage to steal credentials with high privileges. Since email accounts often contain a wealth of sensitive and valuable data, the attack does not even need to progress further for it to be costly to remediate.
Businesses need to ensure that they have robust email security defenses, including an email security solution with sandboxing, AI, and machine learning detection to identify and block malware threats and zero-day phishing attacks, malicious URL detection capabilities, and a solution that is constantly updated with the latest threat intelligence. While the most advanced cloud-based email security solutions will block the vast majority of malicious emails, they will not block all threats. For example, in recent independent tests, SpamTitan email security was determined to have a spam catch rate of 99.984%, a phishing catch rate of 99.99%, and a malware catch rate of 100% with zero false positives, finishing second in the test.
For the small percentage of malicious emails that do reach inboxes, employees need to be prepared, be on their guard, and have the skills to identify and report suspicious emails, which is where security awareness training and phishing simulations are needed.
The purpose of security awareness training is to raise the level of awareness of cyber threats within the workforce, teach cybersecurity best practices, and eliminate risky behaviors. Training will only be effective if it is provided regularly, building up knowledge over time. Training should ideally be provided in short regular training sessions, with training programs running continuously throughout the year. Each week, every employee can complete a short training module which will help to build awareness and keep security fresh in the mind, with the ultimate goal of creating a security culture where every employee is constantly on their guard and aware that the next email they receive could well be a phishing attempt or contain malware.
Training is most effective when combined with phishing simulations. You can teach employees how to recognize a phishing email, but simulations give them practice at detecting threats and applying their training. Further, the emails will be received when the employees are completing work duties, just the same as a genuine phishing threat. A phishing simulator can be used to automate these campaigns, and administrators can track who responds to determine the types of threats that are tricking employees and the individuals who are failing to identify threats. Training programs can then be tweaked accordingly to address the weaknesses.
The most effective phishing simulation programs automatically deliver training content in real-time in response to security mistakes. When a phishing simulation is failed, the employee is immediately notified and given a short training module relevant to the mistake they made. When training is delivered in real time it serves two important purposes. It ensures that the employee is immediately notified about where they went wrong and how they could have identified the threat, and the training is delivered at the point when it is likely to have the greatest impact.
SafeTitan from TitanHQ makes providing training and conducting phishing simulations simple. The training modules are enjoyable, can be easily fitted into busy workflows, and the training material can be tailored to the organization and individual employees and roles. The training and simulations can be automated and require little management, and since the content is constantly updated with new material and phishing templates based on the latest tactics used by cybercriminals, employees can be kept constantly up to date.
For more information about SafeTitan security awareness training and phishing simulations, give the TitanHQ team a call.
by Jennifer Marsh | Jul 29, 2024 | Phishing & Email Spam |
Businesses that rely on Microsoft Defender for detecting malware and phishing emails may not be as well protected as they think. While Defender performs a reasonable job at blocking malware, spam, and phishing emails, it lacks the high detection levels of many third-party anti-phishing solutions.
Take malware for example. A study conducted in 2022 by AV-Comparatives found Defender only had a 60.3% offline detection rate. Fast forward to Q2, 2024, and TitanHQ’s email security suite was put to the test alongside 12 other email security solutions by Virus Bulletin. In the independent tests, TitanHQ had a malware catch rate of 100%.
In the same round of testing, TitanHQ’s spam filter for Office 365 and the email security suite had a spam catch rate of over 99.98%, a phishing email catch rate of 99.99%, and was given an overall final score of 99.984, the second highest in the tests. It is possible to configure an email solution to provide maximum protection; however, that will be at the expense of an elevated number of false positives – genuine emails that are inadvertently marked as potentially suspicious and are quarantined until they are released by an administrator. In the tests, TitanHQ had a 0.00% false positive rate, with no genuine emails misclassified.
Another issue with Microsoft Defender is the exception list, which contains locations such as files, folders, and processes that are never scanned. These are used to ensure that legitimate apps are not scanned, to prevent them from being misclassified as malware. The problem is that the exception list lacks security protections, which means it can be accessed internally by all users. Should a device be compromised, a threat actor could access the exceptions list, identify folders and files that are not scanned, and use those locations to hide malware.
Given the increasingly dangerous threat environment and the high costs of a cyberattack and data breach, businesses need to ensure they are well-defended, which is why many businesses are choosing to protect their Microsoft 365 environments with TitanHQ’s PhishTitan anti-phishing solution.
PhishTitan is a cloud-based, AI-driven solution for Microsoft 365 that integrates seamlessly into M365 to increase protection from sophisticated phishing attacks. Rather than replacing Microsoft’s EOP and Defender protections, PhishTitan augments them and adds next-generation phishing protection, not only ensuring that more threats are blocked but also giving users easy-to-use remediation capabilities.
PhishTitan adds advanced threat detection capabilities through machine learning and LLM to identify the zero-day and emerging threats that are missed by Defender. PhishTitan provides real-time protection against phishing links in emails in addition to checks performed when the email is received. URLs are rewritten for Link Lock protection with all links reassessed at the point a user clicks to ensure that URLs that have been made malicious after delivery are detected and blocked. If the link is detected as malicious, access to that URL will be prevented.
PhishTitan also adds banner notifications to emails to alert users to unsafe content and emails from external sources, and the auto-remediation feature allows all threats to be instantly removed from the entire mail system, with robust cross-tenant features for detection and response for MSPs.
PhishTitan has also been developed to be quick to set up and configure. There is no need to change MX records, setup typically takes less than 10 minutes, and the solution is incredibly easy to manage. Why put up with inferior threat detection and complex interfaces, when you can improve the Office 365 phishing protection with an easy-to-use anti-phishing solution
Don’t take our word for it though. Take advantage of the free trial of PhishTitan to see for yourself. Product demonstrations can also be arranged on request.
by titanadmin | Jul 28, 2024 | Spam Software |
Phishing is one of the most common ways that cybercriminals gain initial access to networks. A single response to a phishing email can be all it takes to compromise an entire network. These attacks can be incredibly costly. According to the 2024 Cost of a Data Breach Report from IBM, the average cost of a data breach that starts with phishing has risen to $4.88 million. According to the Federal Bureau of Investigation (FBI), phishing was the leading reason for reports of cybercrime to its Internet Crime Complaint Center in 2023.
The best way to gain access to an internal network is to ask someone with access (an employee) to provide that access. That is essentially what phishing is about. Phishing involves deception to gain access, tricking employees into disclosing their credentials or installing software that provides remote access, such as malware or a remote desktop solution. Social engineering techniques are used to convince the employee to take an action that benefits the attacker. That action may be required to fix a problem, such as preventing an avoidable charge to an account, correcting a security issue before it is exploited, or recovering a missing package.
Phishing often involves the impersonation of a trusted entity, which could be the CEO, HR department, colleague, vendor, lawyer, government entity, or a trusted business. Emails may impersonate a trusted individual or company, provide a plausible reason for clicking a link in an email or opening a file attachment. When links are included in emails, they often direct the user to a website that requires them to log in. The log-in box presented will be familiar as it will be a carbon copy of the brand that is being spoofed. When the credentials are entered, they are captured and used to remotely log into that user’s account. Alternatively, they may be directed to a web page and told they must download and open a file, which unbeknown to them, contains a malicious script that silently installs malware.
Phishing targets human weaknesses so one of the best solutions for combatting phishing is end user training. Training the workforce on how to identify a phishing attempt and providing an easy way for them to report potential phishing attempts is vital. Security awareness training should cover cyber threats and how to identify and avoid them, as well as teach cybersecurity best practices and why they are important. If a threat actor can get phishing content in front of an employee, whether that is via email, SMS message, social media, an instant messaging platform, or over the phone, they will be more likely to recognize that threat for what it is and take the appropriate action. Security awareness training is about strengthening your defensive line.
Training can be provided in a one-time training session, but that is unlikely to be effective. If your child wants to drive, you would not pay for a 1-hour lesson and expect them to pass their driving test. Multiple lessons are required along with a lot of practice, and as experience builds, they will become a better driver and learn how to react to situations they have not seen before. It is the same with security awareness training. Providing training frequently will build knowledge and understanding and that knowledge can then be tested and employees given practice at recognizing phishing attempts by using a phishing simulator.
The best defense against phishing is to ensure that no phishing attempt ever reaches an end user; however, in practice that is a major challenge. The aim should be to make it as difficult as possible for attackers to reach end users by implementing technical solutions that can recognize phishing attempts and block them before they are delivered. The primary technical defense is anti-spam software.
Anti-spam software can be provided as a cloud-based anti-spam service or an anti-spam gateway for on-premises email systems, through which all inbound and outbound emails must pass. A spam filter for incoming mail is essential for blocking the majority of phishing threats, but an outbound spam filter is also important for identifying phishing attempts from compromised internal mailboxes.
An anti-spam server must be capable of identifying and blocking malware threats. Spam filters include anti-virus software that scans for known malware signatures, but that is no longer enough. Malware is constantly changing and can easily defeat signature-based detection measures, so email sandboxing is also required. Sandboxing uses pattern filtering and behavioral analysis in a safe environment to identify malware by what it attempts to do. Since phishing attempts are becoming more sophisticated, often not including any malicious content in the emails – such as callback phishing – an anti-spam solution should have AI and machine learning capabilities, to predict phishing attempts by how they deviate from the standard messages received by a business.
Technical defenses will reduce the number of threats that employees encounter, and security awareness training will prepare the workforce in case a threat is not blocked. Further technical defenses should also be considered to combat phishing. Multifactor authentication is important for preventing unauthorized access in the event of an employee disclosing their credentials. With multifactor authentication, a username and password are not enough to grant access to an account. Since multifactor authentication can be circumvented with some of the more advanced phishing kits used by cybercriminals, robust MFA is required, often referred to as phishing-resistant MFA.
No single anti-phishing measure is sufficient on its own. Layered defenses are key to mounting a good defense against phishing, and this is an area where TitanHQ can help. TitanHQ can offer cutting-edge anti-spam software (SpamTitan) that has been shown to block 100% of known malware and, through sandboxing, block novel malware threats, and has a phishing and spam detection rate of over 99.99%. To block phishing threats in Microsoft 365 environments and to help security teams with remediation, TitanHQ offers the PhishTitan solution, and security awareness training and phishing simulations can be created and automated with the SafeTitan platform.
Give the TitanHQ team a call today to find out more about these anti-phishing measures and the team will help you with improving your defenses and getting started on a free trial of these solutions.
by titanadmin | Jul 27, 2024 | Phishing & Email Spam |
A ZeroFont phishing campaign is being conducted that targets Microsoft 365 users. Rather than using the ZeroFont technique to hide malicious content from anti-spam software, this method aims to trick end users into thinking the email is genuine and safe.
The ZeroFont phishing technique was first identified in phishing attempts around five years ago, so it is not a new technique; however, this version uses a novel approach. When an email is sent to a business user, before that email is delivered it will be subject to various checks by the anti-spam server. The business’s anti-spam solution will perform reputation checks, scan the email for malware, and analyze the content of the email to search for signs of spam or phishing. Only if those checks are passed will the message be delivered to the end user. ZeroFont is a technique for hiding certain words from email security solutions to ensure that the messages are not flagged as spam and are delivered.
According to Check Point, Microsoft is the most commonly impersonated brand in phishing emails. If a threat actor impersonates Microsoft, they obviously cannot send the email from the Microsoft domain as they do not have access. Spam filters will check to make sure that the domain from which the email is sent matches the signature, and if there is no match, that is a strong signal that the email is not genuine. With ZeroFont, the signature used would only display Microsoft to the end user, and the spam filter is presented with a nonsensical string of text. The user would not see that text as the padding text around the word Microsoft is set to a font size of zero, which means the text is machine-readable but cannot be seen by the user.
A recent campaign uses the ZeroFont techniques but with a twist. In this campaign, the aim is not to trick a spam filter but to instead trick Outlook users. In Outlook, it is possible to configure the mail client with a listing view option, which will show the user the first lines of text of an email. The problem for phishers is getting Outlook users to engage with the messages, which means the messages must be sufficiently compelling so as not to be deleted without opening them. This is especially important if the sender of the email is not known to the recipient.
The email was detected by Jan Kopriva, who noticed that ZeroFont was used to make the message appear trustworthy by displaying text indicating the message had been scanned and secured by the email security solution, rather than showing the first lines of visible content of the message. This was achieved by using a zero font size for some of the text. The threat actor knew that the first lines of the emails are displayed by the mail client in the listing view, regardless of the font size, which means if the font is set to zero, the text will be displayed in the listing view but will not be visible to the user in the message body when the email is opened.
The email used a fake job offer as a lure and asked the user to reply with their personal information: Full name, address, phone number, and personal email, and impersonated the SANS Technology Institute. The full purpose of the phishing attempt is not known. There were no malicious links in the email and no malware attached so the email would likely pass through spam filters. If a response is received, the personal information could be used for a spear phishing attempt on the user’s personal email account, which is less likely to have robust spam filtering in place, or for a voice phishing attempt, as we have seen in many callback phishing campaigns.
Security awareness training programs train employees to look for signs of phishing and other malicious communications, and they are often heavily focused on embedded links in emails and attachments. Emails such as this and callback phishing attempts lack the standard malicious content and as such, end users may not identify them as phishing attempts. It is important to incorporate phishing emails such as this in security awareness training programs to raise awareness of the threat.
That is easy with SafeTitan from TitanHQ, as is conducting phishing simulations with these atypical message formats. SafeTitan includes a huge library of security awareness training content, and the phishing simulator includes thousands of phishing templates from real-world phishing attempts. It is easy for businesses to create and automate comprehensive security awareness training programs for the workforce and provide training on how to identify novel techniques such as this when they are identified, to ensure employees are kept up to date on the latest tactics, techniques, and procedures used by cybercriminals.
by Jennifer Marsh | Jul 26, 2024 | Phishing & Email Spam |
CrowdStrike has confirmed that a significant proportion of Windows devices that were rendered inoperable following a faulty update last Friday have now been restored to full functionality; however, businesses are still facing disruption and many scams have been identified by cybercriminals looking to take advantage.
One of those scams involves a fake recovery manual that is being pushed in phishing emails. The emails claim to provide a Recovery Tool that fixes the out-of-bounds memory read triggered by the update that caused Windows devices to crash and display the blue screen of death. The phishing emails include a document attachment named “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows. docm.” The document is a copy of a Microsoft support bulletin, which claims that a new Microsoft Recovery Tool has been developed that automates recovery by deleting the CrowdStrike driver that is causing the crash. The user is prompted to enable content; however, doing so will allow a macro to run, which will download a malicious DLL, which launches the Daolpu stealer – an information stealer that collects and exfiltrates credentials, login information, and cookies stored in Chrome and Firefox.
Another campaign has been identified that capitalizes on the defective Falcon Sensor update. The spear phishing campaign targeted German firms and attempts to distribute a fake CrowdStrike Crash Reporter installer via a website that spoofs a legitimate German company. The website was registered a day after the CrowdStrike disruptions started. If the user attempts to download the installer by clicking the download button in the email, a ZIP archive will be delivered that includes a malicious InnoSetup installer. If executed, the user is shown a fake CrowdStrike branded installer. The installer is password-protected to prevent analysis and the final payload could not be determined.
Another campaign attempts to distribute Lumma information-stealing malware. The campaign uses the domain, crowdstrike-office365[.]com, and tricks the recipient into downloading a fake recovery tool to deal with the boot loop that prevents Windows devices from booting up. If the downloaded file is executed, it delivers a malware loader, which will, in turn, deliver the Lumma infostealer.
These are just three campaigns that use the CrowdStrike outage to deliver malware, all of which use email as the way to make contact with individuals affected by the outage. Many other campaigns are being conducted and a large number of CrowdStrike-themed domains have been registered since the problems started. Other malicious domains used in campaigns include the following, all of which should be blocked.
crowdstrike-helpdesk.com
crowdstrike.black
crowdstrikefix.zip
crowdstrikebluescreen.com
crashstrike.com
fix-crowdstrike-bsod.com
crowdstrike-falcon.online
crowdstrike-bsod.com
crowdstrikedoomsday.com
crowdstrikedown.site
crowdstrikefix.com
isitcrowdstrike.com
crowdstriketoken.com
crowdstrike0day.com
crowdstrikeoutage.com
These scams are likely to continue for some time, so it is important to remind employees of the high risk of malicious emails and warn them to exercise extreme caution with any emails received. Employees should be told to report any suspicious emails to their security team.
TitanHQ offers a range of cybersecurity solutions to block phishing and malware distribution campaigns, all of which are quick and easy to implement and can protect you in a matter of minutes. They include the WebTitan web filter for blocking access to known malicious websites, such as those detailed in this email; the PhishTitan anti-phishing solution for Office 365, and the SpamTitan corporate email filter for blocking phishing emails. The latter incorporates email sandboxing for blocking novel and obfuscated malware threats. TitanHQ also provides a comprehensive security awareness training platform and phishing simulator for improving your human defenses by raising awareness of cyber threats and providing timely training content on the latest tactics used by cybercriminals in targeted attacks on employees.
Give the TitanHQ team a call today for further information on improving your defenses, or take advantage of the free trial available with all TitanHQ products to get immediate protection.
by Jennifer Marsh | Jul 25, 2024 | Industry News |
TitanHQ has announced a new strategic alliance with ATS Network Management, a provider of network management solutions, monitoring, security, and performance management services across South Africa and the African continent. Under the alliance, ATS Network Management will become a value-added distributor and will incorporate TitanHQ’s portfolio of cybersecurity and compliance solutions into its service stack, packaging the solutions with other tools and services to provide a more comprehensive range of services to its clients and ensuring they are shielded from constantly evolving cyber threats.
ATS Network Management will now be able to offer its clients email security and phishing prevention and remediation through TitanHQ’s PhishTitan solution for Office 365, as well as email filtering to remove malware, phishing, and unwanted emails from email systems and protect against malicious links with TitanHQ’s SpamTitan solution. SpamTitan is an award-winning email security solution with email sandboxing that protects against the full range of email threats. Independent tests have recently confirmed that SpamTitan has a 99.99% phishing catch rate and 100% malware catch rate, and it is one of the best-loved MSP spam filtering solutions.
To protect against web-borne threats and control access to the Internet, ATS Network Management will be providing DNS filtering using WebTitan. WebTitan blocks access to known malicious sites, prevents user-specified file types from being downloaded from the internet to protect against malware and control shadow IT, and restricts access to categories of web pages to improve employee productivity. To protect against the interception of sensitive email data in transit, ATS Network Management will be using EncryptTitan, and email archiving services will be offered through ArcTitan for compliance purposes.
Due to the number of threats targeting employees directly, it is vital for businesses to raise awareness of cyber threats and teach employees cybersecurity best practices. This is an area where many businesses turn to their MSPs for assistance. ATS Network Management will be offering its clients comprehensive security awareness training through SafeTitan, TitanHQ’s security awareness training platform. In addition to allowing businesses to create and automate tailored training courses with engaging content, the platform includes a phishing simulator to allow them to automate phishing simulations to identify knowledge gaps and provide targeted training where it is needed.
The partnership will help TitanHQ expand its footprint in Africa while ensuring that African businesses can benefit from TitanHQ’s cutting-edge security solutions and defend their businesses from increasingly sophisticated cyber threats.
by Jennifer Marsh | Jul 22, 2024 | Phishing & Email Spam |
On July 19, 2024, Windows workstations and servers were disabled as a result of a bug in a software update for CrowdStrike Falcon Sensor. When the update was installed on Windows devices, it caused them to show the Blue Screen of Death or get stuck in a boot loop, rendering the devices unusable. Microsoft revealed that its telemetry showed 8.5 million Windows devices had been affected in around 78 minutes.
CrowdStrike Falcon platform is a cybersecurity solution that incorporates anti-virus protection, endpoint detection and response, threat intelligence, threat hunting, and security hygiene, and it is used by many large businesses around the world, including around half of Fortune 500 firms. The disruption caused by the update has been colossal. Airlines had to ground flights, airports were unable to check people in, healthcare providers were unable to access electronic patient records and had to cancel appointments and surgeries, financial institutions faced major disruption, and some media companies were unable to broadcast live television for hours. Even organizations that did not use the Falcon product were adversely affected if any of their vendors used the product. The incident has been called the worst-ever IT outage, with huge financial implications.
It did not take long for cybercriminals to take advantage of the chaos. Within hours, cybercriminals were registering fake websites impersonating CrowdStrike offering help fixing the problem, and domains were registered and used in phishing campaigns promising a rapid resolution of the problem. Given the huge financial impact of suddenly not having access to any Windows devices, there was a pressing need to get a rapid resolution but the fixes being touted by cybercriminals involved downloading fake updates and hotfixes that installed malware.
Those fake updates are being used to deliver a range of different malware types including malware loaders, remote access Trojans, data wipers, and information stealers, while the phishing campaigns direct users to websites where they are prompted to enter their credentials, which are captured and used to access accounts. Cybercriminals have been posing as tech specialists and independent researchers and have been using deepfake videos and voice calls to get users to unwittingly grant them access to their devices, disclose their passwords, or divulge other sensitive codes.
CrowdStrike has issued a fix and provided instructions for resolving the issue, but those instructions require each affected device to be manually fixed. The fix was rolled out rapidly, but CrowdStrike CEO George Kurtz said it will likely take some time for a full recovery for all affected users, creating a sizeable window of opportunity for threat actors. Due to the surge in criminal activity related to the outage, everyone should remain vigilant and verify the authenticity of any communications, including emails, text messages, and telephone calls, and only rely on trusted sources for guidance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reminded all organizations of the importance of having robust cybersecurity measures in place to protect their users, assets, and data, and to remind all employees to avoid opening suspicious emails or clicking on unverified links in emails.
It is important to have multiple layers of security protection to identify, detect, and avoid these attacks, including AI-driven phishing protection, web filtering to block access to malicious websites, anti-virus software to detect and neutralize malware, and security awareness training for employees. TitanHQ can help to secure your business in all of these areas and offers a cloud-based spam filtering service (SpamTitan) which includes email sandboxing and email antivirus filter, phishing protection for Office 365 (PhishTitan), and the SafeTitan security awareness training and phishing simulator.
by Jennifer Marsh | Jul 1, 2024 | Phishing & Email Spam |
Phishing attacks and business email compromise scams are leading causes of losses to cybercrime and attacks have increased in 2024. According to the Federal Bureau of Investigation, phishing is the leading cause of complaints to its Internet Crime Complaint Center and business email compromise currently ranks second out of all tracked forms of cybercrime in terms of total losses.
Over the coming days and weeks, there are several events that cybercriminals take advantage of in their attacks and scams. The UEFA European Football Championship is currently taking place in Germany and thousands of individual phishing campaigns have been detected so far that are piggybacking on the popularity of the championship in Europe and beyond.
Cybercriminals often take advantage of sporting events and commonly use lures related to tickets, which usually sell out months before the first football is kicked and this year is no exception. Now that the tournament is underway and broadcasters and other legitimate entities are running competitions offering free tickets to the finals, scammers are doing the same and are using email and social media networks to advertise their scams. These campaigns use realistic websites that are almost identical to the brands they spoof and attempt to steal sensitive information such as credit card numbers and login credentials.
Many of the phishing attacks and scams impersonate businesses associated with the tournament. These include accommodation providers, airlines and travel companies, and others. The Wimbledon tennis tournament is underway, which will be shortly followed by another major sporting event in Paris – The 2024 Olympics. The latter has a huge global audience and there is a high risk of cyber threat activity using Olympics-themed lures. Cybercriminals are impersonating event organizations, sponsors, ticketing systems, and travel companies. Many cyber espionage groups and nation-state actors are likely to target the Olympics, in addition to financially motivated threat actors.
This week, there is a major celebration in the United States on July 4. Independence Day is a very active time for a host of malicious actors who conduct scams related to the celebrations, including holiday-themed texts and emails, fake giveaways and vouchers, and Independence Day event ticket scams. Being a major holiday in the United States when staffing levels are greatly reduced, it is a time when many ransomware groups choose to strike as their activities are less likely to be identified.
Also on July 4, 2024, a major event is taking place across the Atlantic in the UK. The UK general election will be taking place to decide the next government and scammers are already taking advantage and are using deepfake scams and malicious websites used to steal information and influence voters. It will be a similar story in the United States in the run-up to the November Presidential election.
With so many events taking place, it is vital for everyone to be on their guard and be constantly alert to the threat of scams, phishing, and malware attacks. Due to the elevated threat from phishing, businesses should step up their security awareness training to raise awareness of cyber threats and teach cybersecurity best practices. It is a good idea to use these events in your internal phishing simulations to identify any knowledge gaps and provide immediate training to any individual who fails a phishing simulation.
Security awareness training is made simple with SafeTitan from TitanHQ. SafeTitan is a comprehensive security awareness training platform that teaches security best practices to eradicate risky behaviors, raises awareness of the threat from phishing and malware, teaches the red flags to look for in emails and texts, and what to do if a potential threat is found. The phishing simulator can be used to automate internal phishing simulations to test awareness of threats and how employees are applying their training.
It is also a good time for businesses to bolster email security with an advanced email security solution. SpamTitan from TitanHQ is an advanced email security solution that uses predictive techniques to identify malicious emails, including AI and machine learning to block phishing threats and email sandboxing to block malware. SpamTitan integrates seamlessly with Microsoft 365 and is consistently rated as one of the best spam filters for Outlook, improving the native defenses that Microsoft offers. TitanHQ also offers a host of cybersecurity solutions for managed services providers, including advanced phishing protection, to help them better protect their clients.
If you want to improve protection this summer against increasingly sophisticated cyberattacks and scams, give the TitanHQ team a call to find out more about improving your security posture.
by Jennifer Marsh | Jun 30, 2024 | Phishing & Email Spam |
Many malware infections start with a malicious email that contains a file attachment with a malicious script that downloads malware if executed. One response to a single email is all it takes to infect the user’s device with malware, which may be able to spread across the network or at least provide the threat actor with the foothold they need in the network for follow-on activities. There is a much worse scenario, however. Rather than a single user infecting the network with one malware variant, that single response to the malicious email results in multiple malware infections. One campaign has been identified that does just that. A malware cluster bomb is delivered that can infect the user’s device with up to 10 different malware variants.
The campaign was identified by researchers at KrakenLabs and has been attributed to a threat actor known as Unfurling Hemlock. The campaign is being conducted globally with at least 10 countries known to have been attacked, although most of the victims have so far been located in the United States. The campaign has been running since at least February 2024 and uses two methods to deliver the malware variants – malicious emails and malware loaders installed by other threat groups. The threat actor has already distributed hundreds of thousands of malicious files in the 5 months since the operation is believed to have commenced.
In the email campaign conducted by Unfurling Hemlock, the victim is tricked into downloading a file called WExtract.exe which contains nested cabinet files, each containing a different malware variant. If the file is executed, the malware is extracted in sequence, and each malware variant is executed in reverse order, starting with the last malware variant to be extracted. Each malware cluster bomb has between four and seven stages, with some of those stages delivering multiple malware variants.
The malware variants delivered vary but they consist of information stealers, backdoors, malware loaders, and botnets. Information stealers include Redline Stealer, Mystic Stealer, and RisePro, and malware loaders including Amadey and SmokeLoader. Other malware variants are used to disable security solutions such as Windows Defender, help with obfuscation and hiding malware payloads, gathering system information, and reporting on the status of the malware infections.
It is not clear how the threat actor is using these malware infections. They could be delivering malware for other threat actors and selling the access, using the malware to harvest credentials to sell on the darkweb, conducting their own attacks using whatever malware variant serves their purpose, or a combination of the three. What the attack does ensure is maximum flexibility, as there are high levels of redundancy to ensure that if some of the malware variants are detected, some are likely to remain.
The delivery of multiple malware variants means this campaign could be highly damaging, but it also increases the chance of detection. While antivirus software is a must and may detect some of the malware variants, others are likely to go undetected. The key to blocking attacks is to prevent the initial phishing emails from reaching end users and to provide training to the workforce to help with the identification and avoidance of these malicious emails.
Many email security solutions rely on antivirus engines to detect malware but cybercriminals are skilled at bypassing these signature-based defenses. TitanHQ’s SpamTitan anti-spam software, SpamTitan, uses dual antivirus engines as part of the initial checks but also email sandboxing for behavioral analysis. Suspicious emails are sent to the sandbox where files are unpacked and their behavior is analyzed in depth. The behavioral analysis identifies malicious actions, resulting in the messages being quarantined for further analysis by the security team. SpamTitan also includes AI and machine-learning algorithms to check how messages deviate from the emails typically received and can identify new threats that have previously not been seen. SpamTitan is a highly effective Microsoft 365 spam filter and can be provided as a gateway spam filter or a cloud-based anti-spam service.
End user training is an important extra layer of security that helps eradicate bad security practices and teaches employees how to recognize and avoid malicious emails. Should a malicious bypass email security defenses, trained employees will be more likely to recognize and report the threat to the security team. Training data from SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, shows the training and phishing simulations can reduce susceptibility to email attacks by up to 80% when provided regularly throughout the year.
Give the TitanHQ sales team a call today for more information on these and other cybersecurity solutions to improve your defenses against the full range of cyber threats.
by Jennifer Marsh | Jun 29, 2024 | Industry News, Spam Software |
For the second consecutive quarter, TitanHQ’s SpamTitan and PhishTitan solutions earned the #2 spot in the VBSpam+ awards, with a 99.99% phishing catch rate. For more than 20 years, the Virus Bulletin information security portal has been conducting fully independent benchmarking tests of cybersecurity solutions, including email security, anti-malware, and anti-phishing solutions. In the phishing and malware tests, Virus Bulletin fired a barrage of threats and spam at security solutions, but it is not sufficient to just be able to block malware, phishing, and spam. Email security solutions need to be able to block those threats without also blocking genuine emails so Virus Bulletin also sent a range of genuine emails to the email security solutions to make sure they were not overblocking and preventing genuine messages from being delivered quickly.
SpamTitan is provided as a cloud spam filter or gateway spam filter and incorporates machine learning and AI-based detection and sandboxing technology for predictive and behavioral analysis to identify zero-day threats. PhishTitan is TitanHQ’s inline phishing protection solution for Microsoft 365, which improves the Microsoft 365 spam filter. For every 80,000 emails sent to Microsoft 365 accounts, PhishTitan catches 20 threats that Microsoft’s most advanced security offering misses (E5 premium). PhishTitan auto-remediates these phishing threats. The same anti-spam, anti-malware, and anti-phishing engine powers both SpamTitan and PhishTitan.
The technological superiority of these solutions was demonstrated in the Virus Bulletin tests. In the Virus Bulletin Q1,2024 benchmarking tests, SpamTitan & PhishTitan achieved an impressive second place in the round of testing with a 99.914% phishing catch rate with a 0.000% false positive rate and a malware catch rate of 99.511%. TitanHQ achieved an overall final score of 99.983%
In the Q2, 2024 benchmarking tests, Virus Bulletin assessed 12 leading email security solutions and TitanHQ performed even better, achieving a phishing catch rate of 99.990%, a malware catch rate of 100.000%, and a false positive rate of 0.000%, resulting in a second-place spot for the second consecutive quarter with an overall final score of 99.984%. TitanHQ was pipped to the top spot by just 0.004% and outperformed email security providers such as Sophos, FortiMail, Mimecast, N-able, SpamAssassin, and Zoho Mail. The test ensures that TitanHQ collects another VBSpam+ certification for Q2, 2024. The scores clearly demonstrate that TitanHQ provides powerful and effective anti-spam and anti-phishing solutions for businesses and Managed Service Providers which are capable of blocking ever-evolving cyber threats. The benchmarking tests cement TitanHQ’s position as a leader in the cybersecurity industry.
“This test reaffirms TitanHQ’s unrivaled prowess in spam and phishing protection—we stand as the first choice for combating phishing attempts and spam infiltrations,” said Ronan Kavanagh, CEO at TitanHQ. “Our customers need not settle for anything less. With TitanHQ solutions, they receive unparalleled defense against phishing and spam and experience minimal false positives.”
Ronan Kavanagh explained that the company is attracting an unprecedented number of new Managed Service Provider customers who have decided to make the switch from other solutions to TitanHQ, not only because of the impressive level of protection provided, but also the low management overhead, ease of use, and the MSP features of both SpamTitan and PhishTitan, which were developed from the ground up to meet the needs to MSPs. “Their resounding feedback echoes the sentiment: TitanHQ delivers immediate and substantial threat mitigation. These independent test results validate our ongoing efforts, ensuring our customers benefit from top-tier protection against phishing, spam, and viruses at a compelling value proposition.”
by Jennifer Marsh | Jun 29, 2024 | Phishing & Email Spam, Spam Advice |
Around 40% of businesses use Office 365 for email, which includes Exchange Online Protection (EOP) with standard licenses for blocking spam and other email threats. While EOP will block a substantial amount of unwanted spam emails and malicious emails, the level of protection provided falls well below what many businesses need as too many threats pass through undetected.
Businesses can opt for a more expensive Business Premium license to improve Microsoft’s spam filter for Office 365, as this license includes Defender for Office 365. Alternatively, businesses can pay for Defender as an add-on. While Defender improves the phishing detection rate, this security feature only adds a little extra protection to EOP, and many malicious emails still go undetected. The E5 license provides the greatest amount of protection but it is prohibitively expensive for many businesses, and even this license does not give you cutting-edge protection.
Fortunately, there is a way to improve Office 365 email filtering that will provide you with excellent protection against phishing, malware, spam, and other email threats without having to cover the cost of expensive licenses and add-ons. That solution is to use a third-party email security solution that augments the spam filter for Office 365 regardless of the license you have. Many businesses prefer to use a third-party solution rather than placing all of their trust in Microsoft – a company that has recently struggled with preventing hackers from compromising its own systems.
SpamTitan from TitanHQ is a cloud-based email security solution that integrates seamlessly with Office 365 to greatly increase protection against email threats such as phishing, business email compromise, malware, and data theft by insiders, and is easy to set up, configure, and manage.
There are several features of SpamTitan that are lacking in Microsoft’s security solutions. In addition to performing reputation checks and blocking known malicious email addresses and domains, SpamTitan uses predictive techniques for detecting spam and phishing emails, such as Bayesian analysis, machine learning, and heuristics. These features allow SpamTitan to detect and block zero-day phishing threats and business email compromise, which Microsoft struggles to detect and block.
SpamTitan performs extensive checks of embedded hyperlinks to combat phishing, including checks of Shortened URLs. Office 365 malware detection is greatly improved with dual antivirus engines for detecting known malware and email sandboxing. The sandboxing feature includes machine learning and behavioral analysis for the safe detonation of files in an isolated environment, and message sandboxing is vital for detecting and blocking the zero-day malware threats that EOP and Defender miss.
SpamTitan cloud-based email filtering is also an ideal choice for Managed Services Providers looking to provide their customers with more advanced email security, especially for small- and medium-sized clients unwilling to pay for E5 licenses. SpamTitan has been developed from the ground up to meet the needs of MSPs and manage email security with minimal management overhead.
TitanHQ can also MSPs additional protection against phishing with TitanHQ’s new anti-phishing solution, PhishTitan. PhishTitan uses a large language model (LLM) and AI to analyze emails to identify phishing attempts. The solution incorporates multiple curated feeds to detect malicious URLs linked in phishing emails, adds banners to emails from external sources to warn end users about potential threats, and adds post-delivery remediation across multiple tenants allowing phishing emails to be instantly removed from the email system with a single click.
The best way to find out more about the full capabilities of SpamTitan and PhishTitan and how they work is to call the TitanHQ team. A product demonstration can be arranged and you can take advantage of a free trial to see for yourself the difference these solutions make and how they can significantly improve threat detection with Office 365.
by Jennifer Marsh | Jun 28, 2024 | Phishing & Email Spam |
Two new malware distribution campaigns have been detected that deliver dangerous information-stealing malware, both targeting individuals looking to download free and pirated software.
Trojaninized Cisco Webex Meetings App Delivers Malware Loader and Information Stealer
Another malware distribution campaign has been identified that is using trojanized installers for free and pirated software to deploy a malware loader called Hijack Loader, which in turn delivers an information stealer. In the attacks, the victim was tricked into downloading a trojanized version of the Cisco Webex Meetings App, a video streaming app. The user downloaded a password-protected archive (RAR) file, which contained a file called setup.exe. When the victim executed the file, DLL sideloading was used to launch the HijackLoader, which was injected into a Windows binary.
HijackLoader connects with its command-and-control server and downloads another binary, an information stealer called Vidar Stealer. The malware bypasses User Account Control (UAC), escalates privileges, and adds an exception to the Windows Defender exclusion list. Vidar Stealer is used to steal credentials from browsers and deliver additional malware payloads, including a cryptocurrency miner. This campaign primarily targets organizations in Latin America and the Asia Pacific region.
Google Ads Used to Target Mac Users and Deliver Poseidon Malware
An information stealer called Poseidon is being distributed via malicious Google Ads that claim to provide the popular Arc web browser. The campaign targets Mac users and delivers a trojanized version of the Arc browser installer. If the installer is launched, the user gets the browser but is also infected with the malware.
According to an analysis from Malwarebytes, the new information stealer has similar features to the notorious Atomic Stealer, including a file grabber, crypto wallet extractor, and the ability to steal passwords from password managers such as Bitwarden and KeepassXC, passwords stored in browsers, and browser histories. The targeting of password managers makes this malware particularly dangerous, potentially allowing the theft of all passwords. The researchers believe the malware has been set up as a rival to Atomic Stealer
How to Protect Your Business
Protecting against malware requires a defense-in-depth approach to security, where several different security solutions provide multiple overlapping layers of protection. These security measures should include the following:
Antivirus software – Antivirus software is a must. The software will be able to detect malware when it is downloaded onto a device or is executed. The malware is identified by its signature, which means that a particular malware variant must be known and its signature must be present in the malware definition list used by that software. Antivirus software will not detect novel malware variants without behavioral analysis of files.
Web filter – One of the best defenses against malware distributed via the internet is a web filter. The web filter blocks downloads of malicious files by preventing downloads of executable files from the Internet, blocking access to known malicious websites, and limiting the sites that users can visit on their corporate-owned devices. The main advantage of a web filter is the threat is dealt with before any files are downloaded from the Internet.
Security awareness training – Users should be warned about the risks of downloading software from the Internet, be taught how to identify the signs of phishing and malicious emails, and be trained on security best practices. The latter should include carefully checking the domain of the website offering software and making sure it is the official website of the software vendor or a reputable software distributor.
Email security solution – Malware is often delivered via email, usually via a malicious script in an attached file or via a linked web page. An email security solution needs to have antivirus capabilities – signature-based detection and behavioral analysis in an email sandbox. The former will detect known malware variants and email sandboxing is used to detect novel malware variants. Your email security solutions should also include AI-based detection, which can identify malicious messages based on how they differ from standard messages received by your business and perform comparisons with previous malware distribution campaigns.
While TitanHQ does not provide antivirus software, TitanHQ can help with web filtering (WebTitan), email security (SpamTitan), phishing protection (PhishTitan), and security awareness training (SafeTitan). For more information on improving your defenses against malware and TitanHQ’s multi-award-winning cloud-based email security and internet security solutions for businesses and managed service providers, give the TitanHQ team a call today.
by Jennifer Marsh | Jun 27, 2024 | Industry News, Phishing & Email Spam, Security Awareness |
A phishing campaign targeting the Los Angeles Department of Public Health saw more than 50 employee email accounts compromised and the sensitive information of more than 200,000 individuals was exposed.
In this campaign, the threat actor impersonated a trustworthy sender and emailed a link that directed employees to a malicious website where email credentials were harvested. The website had been crafted to appear legitimate and requested they log in. When their credentials were entered, they were captured and used to access the employees’ email accounts. 53 employees fell for the scam. Their email accounts contained highly sensitive information that could be used for identity theft and fraud, including names, dates of birth, and Social Security numbers, as well as financial information and health insurance information. This campaign clearly demonstrates the damage that can be caused by phishing, and how a well-crafted campaign can fool many employees and result in a costly data breach.
While this phishing attack stands out due to the number of email accounts compromised, successful phishing attacks are common in healthcare. Healthcare employees are targeted via email, SMS, and other communication platforms, including over the phone. The Federal Bureau of Investigation and the Department of Health and Human Services recently issued a joint cybersecurity advisory about a campaign targeting IT helpdesk workers at healthcare organizations. Cybercriminals call IT helpdesks and impersonate employees to request password resets and enroll new devices to receive multifactor authentication codes. In this campaign, the attackers seek email credentials and then pivot to systems used for automated clearinghouse (ACH) payments to divert payments to their own accounts.
The Los Angeles Department of Public Health phishing attack serves as a reminder of the importance of conducting regular security awareness training. Employees need to be trained how to recognize phishing attempts. Through regular training, employees can be made aware of the red flags they need to look for in all communications and will be conditioned to be always on the lookout for threats and to report any potential threats to their security team. Healthcare employees who receive regular security awareness are less likely to be tricked by phishing scams. Training data from TitanHQ shows that organizations that conduct regular security awareness training with the SafeTitan security awareness training platform and phishing simulations using TitanHQ’s phishing simulator can reduce susceptibility to phishing scams by up to 80%.
The SafeTitan platform allows healthcare organizations to easily create and automate security awareness training programs and to tailor the training courses to different departments and users, ensuring that the training is relevant and focuses on the cyber threats that each user group is likely to encounter. The platform is modular, with each module taking no longer than 10 minutes to complete, making it easy for busy healthcare workers to fit the training into their workflows. The training content is engaging, fun, and enjoyable, and covers all threats and teaches cybersecurity best practices.
Phishing simulations can be easily conducted to test the effectiveness of training and identify employees who have not taken the training on board, allowing them to be provided with further training. The SafeTitan platform is the only security awareness training platform that delivers training in real-time in response to security mistakes, ensuring additional training is provided instantly at the moment when it is likely to have the greatest impact on changing behavior.
In addition to training, healthcare organizations must implement technical safeguards for HIPAA Security Rule compliance. TitanHQ offers a range of cloud-based security solutions for healthcare organizations to manage risks and achieve Security Rule compliance. These include SpamTitan anti-spam software which incorporates AI and machine learning algorithms to predict phishing attempts and dual antivirus engines and email sandboxing to combat malware. The WebTitan web filter protects against internet-based threats and can be used to block access to malicious and risky websites and block executable file downloads from the Internet to combat malware. Healthcare organizations that use Microsoft 365 can improve phishing protection with PhishTitan – a next-generation AI-based anti-phishing solution that offers unmatched protection against phishing and allows rapid remediation of phishing threats, preventing phishing attempts from compromising multiple email accounts.
All TitanHQ solutions are quick and easy to implement and use and can help healthcare organizations achieve and maintain HIPAA compliance, block more threats, and avoid costly data breaches. Contact TitanHQ today for more information about improving your security posture.
by Jennifer Marsh | Jun 26, 2024 | Website Filtering |
A malvertising campaign has been identified that targets users looking to download popular software such as Google Chrome and Microsoft Teams and delivers a backdoor malware called Oyster. The threat actor has registered lookalike domains that offer the software to download; however, the installer delivers the backdoor, with PowerShell used for persistence. After the malware is executed, the legitimate software is installed. Since the user gets the software they are expecting, they are unlikely to realize that their device has been infected.
The Oyster backdoor has been linked to the Russian threat group behind the infamous TrickBot Trojan. Once installed, the malware connects with its command-and-control server, gathers information about the host, and allows the threat actors to remotely execute code on the infected device. According to researchers at Rapid7 who identified the campaign, the threat actor has been observed delivering additional malware payloads on infected devices.
Malvertising is a common method of malware delivery that takes advantage of a lack of security awareness and attentiveness. Threat actors create adverts on legitimate ad networks for popular software solutions and pay to have their ads appear when users search for the software solutions they are impersonating. Just because an advert appears at the top of the search engine listings on Google or Bing it does not mean that the advert is legitimate. Clicking the link will direct the user to a site that is a carbon copy of the legitimate website that it spoofs, where they can download the software installer. These campaigns can be identified by the domain, which should be carefully checked to make sure it is the website of the official software provider.
Typosquatting is also commonly used, where threat actors register almost identical domains to the company they are impersonating. The domains usually have a transposed or missing letter. If the domain is not carefully checked, the user is unlikely to realize they are not on the official website. Threat actors use black hat search engine optimization techniques to get the websites to appear high up in the search engine listings.
By targeting software downloads, where the user is expecting to download an installer, the threat actor does not need to convince the user to execute the malicious file. If they fail to identify the scam before downloading the installer, their device is highly likely to be infected. Security awareness training should cover the methods used by threat actors to distribute malware over the Internet and should condition employees to always carefully check the domain to make sure it is the legitimate vendor’s website. Rather than develop a security awareness training program from scratch, businesses should consider using a vendor that can provide a comprehensive training platform that is constantly updated with new training content covering new attack methods and scams. A security awareness training program should run continuously, to build awareness, teach security best practices, and ensure that employees are constantly reminded of the importance of security.
In addition to training, technical measures should be implemented. A web filter should be used to prevent access to known malicious web pages and block downloads of executable files from the Internet, with policies implemented that require any software to be provided through or by the IT team. TitanHQ can help to improve your defenses against malware with a suite of cybersecurity solutions, including the SafeTitan security awareness training and phishing simulation platform, the WebTitan web filter to prevent access to malicious websites, SpamTitan email security with sandboxing to block malicious emails, and PhishTitan to improve phishing detection and mediation for businesses that use Microsoft 365.
For more information about these and other cybersecurity solutions from TitanHQ, give the sales team a call. All TitanHQ SaaS solutions are available on a free trial to allow you to test them in your own environment before making a purchase decision, with customer support provided throughout the trial.
by Jennifer Marsh | Jun 24, 2024 | Spam Software |
Email security solutions are used for blocking threats before they reach end users, including phishing and spear phishing emails, malware, spam, and other unwanted emails. Email security solutions have been an essential cybersecurity measure for decades and have been helping businesses to keep inboxes free of threats and to detect and block insider threats such as the theft of sensitive company data and personally identifiable information by employees.
One area where many email security solutions fail to perform well is the detection of malware. Email security solutions traditionally use anti-virus engines for detecting malware threats and they are constantly updated with new signatures when novel malware variants are detected. While these threat intelligence feeds ensure that email security solutions can detect known malware variants, there is a delay between a malware variant being detected and the signature being uploaded to the malware definition list. That delay may be a few minutes, hours, or days and cybercriminals exploit that window of opportunity.
While these signature-based defenses were sufficient for many decades, new malware variants are constantly being released with small changes that are sufficient to defeat signature-based detection methods. Cybercriminals are automating that process and are using large language models (LLMs) to accelerate the release of new malware variants.
Signature-based detection is still essential, but another feature is now required – one that can detect novel malware variants even if they have never been seen before. That feature is email sandboxing. An email sandbox is an isolated environment, often in the cloud, where emails are sent for deep analysis. When an email passes frontline checks and scans using anti-virus engines, they are sent to the sandbox for deep inspection.
The sandbox is designed to appear to be a genuine endpoint to trick the malware that it has reached its intended destination. The malware executes and performs its initial routines, such as connecting to its command-and-control center and reporting system information. Those actions are detected, the malware is quarantined, and the security team is alerted about the attempted attack. If the checks are passed, the email is released and delivered to the intended recipient. Without this vital security feature, many malicious emails will be delivered to end users.
While there are clear benefits to email sandboxing, there is one disadvantage and that is sandboxing message delivery delays. Time must be allowed for deep analysis, especially as some malware variants delay malicious actions to defeat sandboxes. That means that there is a delay in delivering messages that have been sent to the sandbox and are found to be clean. That delay could be around 20 minutes in some cases, which is far from ideal. To reduce delays to a minimum, it is possible to whitelist certain trusted senders to ensure that their messages are never sent to the sandbox and adjust the rules of the email security solution to limit the emails that are sent to the sandbox.
SpamTitan from TitanHQ uses dual anti-virus engines for signature-based detection and a Bitdefender-powered email sandbox for detecting novel malware variants. In addition to performing reputation checks to identify untrusted senders, SpamTitan includes pattern filtering that allows security teams to specify their own terminology for blocking messages, geo-filtering to block emails from certain geographical regions where the company does not operate, and AI and machine learning algorithms for predicting new phishing threats and assessing how emails deviate from standard messages usually received by the business.
SpamTitan is a multi-award-winning email security solution that can be provided as a hosted email filter or as a gateway spam filter to be installed on existing hardware as a virtual appliance. It has been developed to be quick and easy to install and use, works seamlessly with Microsoft 365 to improve protection, and is an ideal email security solution for Managed Service Providers to provide advanced email security to customers.
If you do not have a sandbox for email with your email security solution, now is the time to consider changing to a more advanced email security solution. Give the TitanHQ team a call for more information and to help get you set up on a free trial.
by Jennifer Marsh | Jun 19, 2024 | Internet Security |
Ascension, one of the largest private healthcare systems in the United States, fell victim to a ransomware attack on May 8, 2024, that forced systems offline, including patients’ medical records which were not fully restored for a month. The attack caused massive disruption, and without access to electronic health records, staff were forced to record patient information manually.
Patient care was seriously affected, with delays in diagnosis and treatment, and the lack of access to medical records resulted in medical errors. Without technology to perform routine safety checks, patient safety was put at risk. The investigation into the attack is still ongoing, but evidence has already been found that files containing sensitive data were stolen in the attack. The scale of the data breach has yet to be determined but for a healthcare system as large as Ascension, the breach could be considerable.
The ransomware attack occurred as a result of a simple error by a single employee, who was tricked into downloading a malicious file from the internet. That file provided the attackers with a foothold in the network, from where they were able to launch a devastating ransomware attack. Ascension said it has no reason to believe that the file download was a malicious act and is satisfied that it was an honest mistake by the employee. Sadly, it is the type of mistake that frequently results in ransomware attacks and costly data breaches.
Ascension has not disclosed how the file was downloaded, whether it was from general web browsing, malvertising that directed the employee to a malicious website, or if they clicked a link in a phishing email. Regardless of how the employee arrived at the malicious site, the attack could have been prevented with the right technology in place. It is possible to protect against all of the above-mentioned methods of malware delivery with a web filter. WebTitan from TitanHQ is a DNS-based web filter for businesses to prevent employees from visiting websites hosting malware and to block the web-based component of phishing attacks.
WebTitan is fed threat intelligence to provide real-time protection against malicious websites. As soon as a malicious website is detected, it is added to the database and all WebTitan users are prevented from visiting that URL. WebTitan categorizes and blocks around 60,000 malware and spyware domains each day and if an attempt is made to visit one of those URLs, whether it is via a link in an email, malvertising, or general web browsing, the attempt is blocked and the user is directed to a locally hosted block page.
WebTitan is updated constantly with vast click stream traffic from actively visited URLs from 500 million end users, and the data is used to categorize websites. WebTitan users can then place restrictions on 53 categories of websites that employees can visit on their work devices, eliminating risks from common sources of malware such as torrent and file-sharing sites for which there is no business reason for access. Further, as an additional protection against malware, WebTitan can be configured to block downloads of certain file types from the internet, such as executable files that are commonly used to deliver malware. For the majority of employees, there is rarely a business need to download executable files.
Malware is commonly delivered via email, either via attachments containing malicious scripts and macros or via embedded hyperlinks. It is important to have an advanced email security solution in place to block this method of malware delivery. SpamTitan is a cloud-based anti-spam service that protects against known malware using twin antivirus engines that scan attachments for the signatures of malware. To protect against novel malware threats, SpamTitan incorporates a Bitdefender-powered email sandbox, where suspicious messages are sent for deep inspection. An email sandbox is key to blocking malware threats and essential due to the volume of novel malware variants now being distributed.
While technological solutions are essential, it is also important to provide security awareness training to the workforce to improve awareness of cyber threats and teach security best practices. This is another area where TitanHQ can help. SafeTitan is a comprehensive security awareness training platform and phishing simulator that is proven to reduce susceptibility to phishing attacks that helps businesses develop a human firewall and combat the many threats that target employees.
For more information on improving your defenses against malware and phishing threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are also available on a free trial to allow you to put them to the test before making a purchase decision.
by Jennifer Marsh | Jun 3, 2024 | Phishing & Email Spam, Security Awareness |
Earlier this month, warnings were issued about the Black Basta ransomware group, after an increase in activity in recent weeks. Now a new tactic has emerged to gain initial access to networks that ultimately leads to a Black Basta ransomware attack.
Storm-1811 is a highly sophisticated financially motivated cybercriminal group that was first detected in April 2022. Unlike many cybercriminal groups that start slowly, Storm-1811 conducted more than 100 attacks in its first 7 months. The latest campaign linked to the group is a type of tech support scam and is conducted over the phone through voice phishing (vishing).
The threat actor targets users and uses social engineering techniques over the phone to convince the user that they need to take urgent action to fix a fictitious problem on their computer. The threat actor often impersonates a member of the IT help desk or even Microsoft technical support. This attack leverages Quick Assist – a legitimate Windows app that is used to establish a remote connection to a device.
Quick Assist is a useful tool for providing IT support. If a friend or family member is having difficulty with their computer, they can provide remote access to a more technically skilled family member to sort out the problem remotely. Through Quick Assist, it is possible to view the display, make annotations, and take full control of the connected device.
Any remote access tool can be abused by a threat actor and Quick Assist is no different. If the user is convinced that the request is genuine and access to their device is granted, the threat actor will be able to perform a range of malicious actions. In this campaign, the threat actor installs a range of malicious tools to allow them to achieve their objectives, including remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager, and malware including Qakbot and Cobalt Strike. After gaining access, Storm-1811 actors can steal data and the access will ultimately lead to a Black Basta ransomware attack.
One point where this campaign could fail is convincing a user that they have a problem with their computer that requires remote access to fix. To get around this problem, Storm-1811 threat actors create a problem that needs to be addressed. One of the ways they do this is by conducting an email-bombing campaign. They identify email addresses of employees at the targeted company and bombard them with spam emails by signing them up to various high-volume email subscription services. When they make the call, the user will no doubt be frustrated by the spam emails, and it is easy to convince them that the problem can be sorted via Quick Assist.
The user just needs to press CTRL plus the Windows Key and Q to initiate Quick Assist, and then enter the security code provided by the threat actor and confirm that they want to proceed with screen sharing. The threat actor can then request remote access through the session and, if granted by the user, will be provided with full control of the user’s device. If they get to that point while the user is still on the phone, the threat actor will be able to explain any installation of a program as part of the remediation efforts. The threat actor can then unsubscribe the user from the various email subscriptions to make them believe that the problem has been resolved. Since the tools used by the threat actor can easily blend in, the attack is likely to go undetected until ransomware is used to encrypt files.
There are two easy ways to reduce susceptibility to this attack. The first is for IT teams to block or uninstall Quick Assist if they are not using the tool for remote access. Since other remote access tools may be used in these tech support scams, it is also vital to educate the workforce about tech support scams.
Users should be trained never to provide remote access to their device unless they initiate the interaction with their IT help desk or Microsoft support. Many companies provide security awareness training to the workforce that focuses on email phishing since this has long been the most common method of gaining access to internal networks.
Security awareness training should also educate users about other forms of phishing, including SMS phishing (smishing), vishing, and phishing via instant messaging services. With SpamTitan, creating, automating, and updating training content with the latest tactics used by cybercriminals is easy. The platform includes an extensive range of engaging training modules and is constantly updated with new content based on real-world attacks by cybercriminal groups.
When you train your workforce with SafeTitan, you can greatly reduce susceptibility to the different types of cyberattacks. Give the TitanHQ team a call today for further information or use the SafeTitan link to sign up for a free trial.
by Jennifer Marsh | May 31, 2024 | Internet Security |
Downloading unofficial and pirated software from the Internet carries a significant risk of malware infections. Malware is often packaged with the installers or with the cracks/key generators that provide the serial keys or codes to activate the software.
Cybercriminals use a variety of methods for driving traffic to their malicious websites, including malicious Google Ads, adverts on other third-party ad networks, SEO poising to get their malicious sites appearing high in the search engine listings, and via torrent and warez sites. A warning has recently been issued about the latter by AhnLab Security Intelligence Center (ASEC).
The campaign identified by the researchers distributes Microsoft Office, Microsoft Windows, and the Hangul Word Processor. The pirated software is available through torrent sites and includes a professional-looking installer. The installer for Microsoft Office allows users to select the Office products they want to install in either the 32-bit or 64-bit version and select the language.
If the installer is run, the user will get the software they are looking for; however, in the background, a malware cocktail will be installed. The threat actor behind this campaign is distributing several different malware payloads, including coinminers, remote access trojans (RATs), downloaders, and anti-AV malware.
When the installer is run, an obfuscated .NET downloader is executed which connects to the attacker’s Telegram/Mastadon channels and obtains a Google Drive or GitHub URL from where Base64 encrypted strings are obtained. Those strings are decrypted on the device and are PowerShell commands. Task Scheduler is used to execute the PowerShell commands, which install the malware. The scheduled tasks also allow the threat actor to consistently install other malware variants on the infected device.
By using Task Scheduler, the threat actor can reinstall malware if it is detected and removed, and since an updater is installed, the PowerShell commands can change. Even if the initial URLs are blocked, others will be added to ensure malware can still be delivered.
Initially, the threat actor was installing the updater together with either the Orcus RAT or the XMRig cryptocurrency miner. Orcus RAT provides the threat actor with remote control of an infected device, and has keylogging capabilities, can take screenshots, access the webcam, and exfiltrate data. XMRig is configured to only run when it is unlikely to be detected and will quit when system resource usage is high.
In the latest campaign, the threat actor also installs 3Proxy, which allows abuse of the infected device as a proxy, PureCrypter for downloading and executing additional malware payloads, and AntiAV malware, which disables antivirus and other security software by modifying the configuration files.
While this campaign appears to be targeting users in South Korea, it clearly shows the risks of downloading pirated software. Due to the inclusion of the updater and the installation of PureCrypter, remediation is difficult. Further, new malware variants are being distributed every week to evade detection.
Employees often download software to make it easier for them to do their jobs, and Torrent sites are a common source of unauthorized software. Businesses should therefore implement policies that prohibit employees from downloading software that has not been authorized by the IT department and should also implement controls to prevent Torrent and other software distribution sites from being accessed.
With TitanHQ’s WebTitan DNS filter, blocking access to malicious and risky websites could not be simpler. Simply install the cloud-based web filter and configure the solution by using the checkboxes in the user interface to block access to these categories of websites. WebTitan is constantly updated with the latest threat intelligence to block access to known malicious websites, and it is also possible to block downloads of executable files from the Internet.
For more information on improving Internet security with a DNS-based web filter, give the TitanHQ team a call. WebTitan, like all other TitanHQ products, is available on a free trial, with product support provided to ensure you get the most out of the solution during the trial.
by Jennifer Marsh | May 30, 2024 | Phishing & Email Spam |
Last month, the UK government published the findings of its 2024 cyber security breaches survey. The annual survey was conducted by the Department for Science, Innovation and Technology (DSIT) in partnership with the Home Office between September 2023 and January 2024 on 2,000 UK businesses, 1,004 registered UK charities, and 430 educational institutions. The survey provides insights into the nature of cyberattacks and data breaches experienced in the UK and confirms that attacks are increasing.
In the past year, 50% of surveyed businesses and almost one-third of charities (32%) experienced at least one cybersecurity breach or attack, with medium-sized businesses (70%), large businesses (74%), and high-income charities with £500,000+ annual income (66%) more likely to experience a cybersecurity breach.
It is often reported that cyberattacks are becoming more sophisticated; however, the most common cyber threats are relatively unsophisticated and are often effective. The most common type of cyberattack was phishing, which was reported by 84% of businesses and 83% of charities, with impersonation of organizations – online and via email – reported by more than one-third of businesses (35%) and charities (37%). Malware was used in 17% of attacks on businesses and 14% of attacks on charities. In terms of prevalence, phishing was by far the most common type of cybercrime. 90% of businesses and 94% of charities that were victims of cybercrime experienced at least one phishing attack.
The costliest type of phishing attack is business email compromise (BEC). BEC covers several types of attacks, with the most common involving criminals accessing work email accounts and using them to trick others into transferring funds or sending sensitive data. For example, a threat actor gains access to an email account of a vendor and uses the account to send an email to a customer containing a fake invoice or a request to change bank account information for an upcoming payment.
The losses to BEC attacks can be considerable. Attacks frequently result in fraudulent transfers of tens of thousands of pounds or in some cases hundreds of thousands or millions. With such large sums involved, criminals put considerable effort into these scams. Targets are researched, phishing is used to compromise an employee email account, internal phishing is used to gain access to the right accounts, the contents of accounts are studied to identify information that can be used in the scam, and the legitimate account holder is impersonated in the attack on the targeted organization or individual.
The goal in these attacks is often to gain access to the email account of the CEO or a senior executive, and that account is used to conduct a scam internally or externally. Since the request comes from a trusted authority figure and uses their legitimate account, the request is often not questioned.
BEC attacks can be difficult to identify by employees but also by email security solutions as trusted accounts are used for the scams and the emails usually do not contain any malicious content such as a URL to a phishing website or malware. These attacks use social engineering and target human weaknesses.
Defending against BEC and phishing attacks requires a combination of measures. Since targets are extensively researched, businesses should consider reducing their digital footprint and making it harder for cybercriminals to obtain information that can be used in convincing phishing and BEC campaigns, especially by reducing the amount of information that is available online about senior staff members.
Anti-spam software is a must for blocking the initial phishing attacks that are used to compromise accounts; however, an advanced solution is required to block sophisticated BEC attacks. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of spam checks for inbound and outbound emails to identify spam, phishing, and BEC content, including reputation checks of domains and accounts, scans of message content, sandboxing to identify malicious attachments, and AI and machine learning analysis to identify emails that deviate from the standard messages typically received by an organization.
PhishTitan is an anti-phishing solution for Microsoft 365 that enhances Microsoft’s anti-phishing measures and catches the phishing threats that Microsoft misses. The solution adds banners to emails to warn employees about potentially malicious content and allows security teams to quickly remediate phishing attempts across the entire email environment.
Since phishing and BEC attacks target human weaknesses, it is vital to provide training to the workforce. The aim should be to improve awareness and condition employees to always be on the lookout for a scam and to err on the side of caution and report suspicious emails to their IT security team. Phishing simulations are useful for helping staff to recognize phishing emails and identify knowledge gaps. TitanHQ’s SafeTitan training platform has all the content you need to run effective training programs to improve defenses against phishing and BEC attacks.
Contact TitanHQ today about these solutions and other ways you can improve your defenses against phishing, BEC, and other types of cyberattacks.
by Jennifer Marsh | May 30, 2024 | Phishing & Email Spam, Security Awareness |
Phishing tactics are constantly changing and while email is still one of the most common ways of getting malicious content in front of end users, other forms of phishing are growing. Smishing (SMS phishing) has increased considerably in recent years, and vishing (voice phishing) is also common, especially for IT support scams.
Another method of malware delivery that has seen an enormous increase recently is the use of instant messaging and VoIP social platform Discord. Discord is a platform that has long been popular with gamers, due to being able to create a server with voice and text for no extra cost, both of which are necessary for teamspeak in gaming. While gamers still account for a majority of users, usage for non-gaming purposes is growing.
The platform is also proving popular with cybercriminals who are using it for phishing campaigns and malware distribution. According to Bitdefender, the antivirus company whose technology powers the SpamTitan email sandboxing feature, more than 50,000 malicious links have been detected on Discord in the past 6 months. Around a year ago, a campaign was detected that used Discord to send links to a malicious site resulting in the delivery of PureCrypter malware – a fully featured malware loader that is used for distributing information stealers and remote access trojans.
Discord responded to the misuse of the platform and implemented changes such as adding a 24-hour expiry for links to internally hosted files, which made it harder for malicious actors to use the platform for hosting malware. While this move has hampered cybercriminals, the platform is still being used for malware distribution. One of the latest malicious Discord campaigns is concerned with obtaining credentials and financial information rather than distributing malware.
The campaign involves sending links that offer users a free Discord Nitro subscription. Discord Nitro provides users with perks that are locked for other users, such as being able to use custom emojis anywhere, set custom video backgrounds, HD video streaming, bigger file uploads, and more. Discord Nitro costs $9.99 a month, so a free account is attractive.
If the user clicks the link in the message, they are directed to a fake Discord website where they are tricked into disclosing credentials and financial information. Other Discord Nitro lures have also been detected along the same theme, offering advice on how to qualify for a free Discord Nitro subscription by linking to other accounts such as Steam. According to Bitdefender, 28% of detected malicious uses are spam threats, 27% are untrusted, around 20% are phishing attempts and a similar percentage involve malware distribution.
Any platform that allows direct communication with users can be used for phishing and other malicious purposes. Security awareness training should cover all of these attack vectors and should get the message across to end users that they always need to be on their guard whether they are on email, SMS, instant messaging services, or the phone. By running training courses continuously throughout the year, businesses can develop a security culture by training their employees to be constantly on the lookout for phishing and malware threats and developing the skills that allow them to identify threats.
Developing, automating, and updating training courses to include information on the latest threats, tactics techniques, and procedures used by threat actors is easy with the SafeTitan security awareness training platform. SafeTitan makes training fun and engaging for end users and the platform has been shown to reduce susceptibility to phishing and malware threats by up to 80%.
If you are not currently running a comprehensive security awareness training program for your workforce or if you are looking to improve your training. Give the TitanHQ team a call and ask about SafeTitan. SafeTitan is one product in a suite of cloud-based security solutions for businesses and managed service providers, which includes an enterprise spam filter, a malicious file sandbox for email, a DNS-based web filter, email encryption, email archiving, and phishing protection for M365.
by Jennifer Marsh | May 29, 2024 | Internet Security |
There has been a marked increase in malware distribution campaigns in recent months using fake adverts that direct users to malicious websites where sensitive information such as login credentials or credit card numbers is collected, or malware is distributed. This tactic is called malvertising.
One of the most common types of malvertising is the creation of malicious adverts for software solutions, which are displayed when users search for software in search engines. The reason why software-related malvertising is effective is users are searching for a software solution, which means they will be expecting to download an installer. Software installers are executable files, and malware can be packed into the installers. When the installer is executed, the user will get the software they are expecting but malware will also installed in the background.
There are a variety of defenses against malvertising. Installing an ad blocker will prevent the adverts from being displayed, security awareness training should teach employees to always be wary of adverts and to hover their mouse arrow over the advert to show the destination URL and ensure that the URL matches the software being offered. Another important defense is a web filter, which will block access to the malicious sites that the adverts direct users to. Web filters such as WebTitan can also protect against Internet-based malware distribution that doesn’t use malvertising to drive traffic to malicious websites, and can also block downloads of executable files from the Internet for individuals or user groups.
For example, a campaign has recently been detected that uses booby-trapped websites that generate a fake web browser update warning. The websites have embedded JavaScript code which redirects users to an update page where they can apply important browser security updates. The user proceeds to download what appears to be a zip file that contains the updater; however, the updater is a JavaScript file that will launch PowerShell scripts that will download and execute a malware payload from the threat actor’s remote server. In this campaign, at least two malware payloads are delivered – the BitRAT remote access trojan and the Lumma Stealer information stealer.
Another browser update scam has been identified that involves tricking the user into copying, pasting, and executing a PowerShell command to protect their browser; however, the PowerShell command will deliver and execute malware.
While an ad blocker will block the malicious adverts in these campaigns, it will not block drive-by malware downloads and attacks that use email, SMS, and instant messaging services to distribute malicious links. WebTitan is a more comprehensive web security solution that has multiple curated threat intelligence feeds that block access to a malicious website for all WebTitan users within about 5 minutes of a malicious site being detected anywhere in the world. The solution will also block downloads of executable files and has an easy-to-implement and configure category-based filter, that allows businesses to block access to risky and/or non-work-related websites.
WebTitan adds an extra layer to your security defenses to protect against malware distribution and the web-based component of phishing attacks. Further, being a DNS-based filter there is no latency, and the solution can be used to protect devices on and off the network, with the latter possible by installing a roaming agent on mobile devices.
For further information on malvertising protection, web filtering, and DNS and URL filtering, give the TitanHQ team a call.
by Jennifer Marsh | May 28, 2024 | Internet Security |
Phishing and spam emails are commonly used for malware distribution; however, it has become much harder for malware and malicious scripts to evade email filtering solutions, especially advanced email security solutions with sandboxing and AI and machine learning capabilities. Some threat actors have had greater success using Google Ads to drive traffic to sites hosting trojanized installers for popular software.
Google Ads allows advertisers to bid to place adverts at the top of the search engine listings for key search terms, giving the adverts the most prominent position on the page. While Google has controls in place to prevent malicious ads from appearing, a small number of threat actors successfully circumvent those controls. Some of the most effective uses of malicious Google Ads are for software solutions. If threat actors can direct users to a malicious site that resembles a legitimate software provider, the user is likely to download and run the installer and inadvertently infect their device with malware.
One such campaign was recently uncovered by security researchers at Malwarebytes. While they were unable to identify the final malicious payload, they believe the goal was to deliver an information stealer. An information stealer is a type of malware that runs in the background and gathers information about the system. Information stealers often target login information such as usernames and passwords and can capture keystrokes, take screenshots, search histories, cookies, steal from cryptocurrency wallets, and more.
In this campaign, the threat actors targeted search terms related to the Arc browser for Windows, a freeware web browser that was launched in July 2023 for MacOS. The web browser has many features that set it aside from other web browsers and it has received five-star reviews from reviewers and users since its launch in 2023. The highly anticipated Windows version was released on April 30, 2024, and the malvertising campaign was prepared ahead of the launch.
One potential problem with a campaign such as this is malvertisers need to direct traffic to their own website where the malicious installer is hosted. If you are looking to download Adobe Reader, for example, and the advert displays anything other than the Adobe.com domain, you would know not to click. With Google Ads, malvertisers can display the legitimate domain in the Ad and then redirect the user to their own domain when they click the ad.
In this campaign, like many other malvertising campaigns, the threat actor uses lookalike domains that closely resemble the legitimate domain – Arc[.]net, and the page looks exactly like the legitimate site that it spoofs. If the user clicks to download the installer and executes the file, it will install the Arc browser as well as a malicious script that downloads and executes the malware payload. The malware will then run silently in the background and the user will likely be unaware that anything untoward has happened.
Employees often look for software to allow them to work more efficiently and download software from the web. For businesses, malicious Google Ads are a serious threat and can easily lead to a costly malware infection and data breach. To protect against malware infections via the web, many businesses rely on antivirus software that scans for malware when it has been downloaded. The problem is these solutions are often signature-based and can only detect malware variants if they have the signatures in their malware definition lists. New variants are constantly being released that differ sufficiently to evade signature-based detection mechanisms.
In addition to antivirus software, businesses should consider implementing a web filter such as WebTitan. WebTitan is a DNS-based web filter with no latency, so there is no impact on page load and download speeds. The filter is fed threat intelligence from a network of 500 million end users and is constantly updated with the latest intelligence and will block attempts to visit known malicious sites. If a user attempts to visit a known malicious URL, the attempt will be blocked before a connection is made. WebTitan can also be configured to block certain file downloads from the web, such as executable files. This will stop malware from being installed and will also help to curb shadow IT. WebTitan can also be configured to block third-party adverts on websites to combat malvertising.
In addition to these software solutions, businesses should provide security awareness training to the workforce to explain the risks of malware, teach security best practices, and eradicate risky behaviors. This is another area where TitanHQ can help. TitanHQ has a comprehensive security awareness training platform – SafeTitan – which is the only behavior-driven security awareness solution that delivers security training in real-time in response to security errors by employees. SafeTitan is an effective way of modifying user behavior and building a human firewall of users.
To find out more about web filtering with WebTitan and security awareness training with SafeTitan, give the TitanHQ team a call. Both solutions are also available on a free trial to allow you to test them out before making a purchase decision.
by Jennifer Marsh | May 27, 2024 | Phishing & Email Spam, Security Awareness, Spam Advice, Spam News |
Email phishing is the most common form of phishing, with email providing threat actors with an easy way of getting their malicious messages in front of employees. Phishing emails typically include a URL along with a pressing reason for clicking the link. The URLs are often masked to make them appear legitimate, either with a button or link text relevant to the lure in the message. Email attachments are often added to emails that contain malicious scripts for downloading a variety of malicious payloads, or links to websites where malware is hosted.
While there are many email security solutions available to businesses, many lack the sophistication to block advanced phishing threats as they rely on threat intelligence, antivirus software, and reputation checks. While these are important and effective at blocking the bulk of phishing and malspam emails, they are not effective at blocking zero-day attacks, business email compromise, and advanced phishing threats.
More advanced features include email sandboxing for detecting and quarantining zero-day malware threats and malicious scripts, greylisting for increasing the spam catch rate, and AI and machine learning capabilities that can assess messages and identify threats based on how they differ from the messages that are typically received by the business. SpamTitan, a cloud-based anti-spam service from TitanHQ, has these features and more. Independent tests have shown that the solution blocks more than 99.99% of spam emails, 99.95% of malware, and more than 99.91% of phishing emails. SpamTitan can be provided as a hosted email filter or as a gateway spam filter for installation on-premises on existing hardware, serving as a virtual anti-spam appliance.
Microsoft 365 users often complain about the phishing catch rate of the protections provided by Microsoft, which are EOP only for most licenses and EOP and Defender for the most expensive licenses. While these protections are effective at blocking spam and known malware, they fall short of what is required for blocking advanced threats. To improve Microsoft 365 security and block the threats that Microsoft misses, TitanHQ has developed PhishTitan. PhishTitan augments Microsoft 365 defenses and is the easiest way of improving the Office 365 spam filter. These advanced defenses are now vital due to the increase in attacks. The Anti-Phishing Working Group (APWG) has reported that more phishing attacks were conducted in 2023 than ever before.
Massive Increase in Text Message Phishing Scams
Blocking email phishing attempts is straightforward with advanced email security solutions, which make it much harder for phishers to get their messages in front of employees. One of the ways that threat actors have adapted is by switching to SMS phishing attacks, which no email security solution can block. APWG has reported a major increase in SMS-based phishing attempts.
A recent study attempted to determine the extent to which SMS phishing is being used. Researchers used SMS gateways – websites that allow users to obtain disposable phone numbers – to obtain a large number of phone numbers for the study. They then waited to see how long it took for SMS phishing messages to be received. The study involved 2,011 phone numbers and over 396 days the researchers received an astonishing 67,991 SMS phishing messages, which averages almost 34 per number. The researchers analyzed the messages and identified 35,128 unique campaigns that they associated with 600 phishing operations. Several of the threat actors had even set up URL shortening services on their own domains to hide the destination URLs. With these shortening services, the only way to tell that the domain is malicious is to click the link.
Blocking SMS phishing threats is difficult for businesses and the primary defense is security awareness training. SMS phishing should be included in security awareness training to make employees aware of the threat, as it is highly likely that they will encounter many SMS phishing threats. The SafeTitan security awareness platform makes creating training courses simple and the platform includes training content on all types of threats, including SMS, voice, and email phishing. With SafeTitan it is easy to create and automate campaigns, as well as deliver training in real-time in response to employee errors to ensure training is provided when it is likely to have the greatest impact – immediately after a mistake is made.
by Jennifer Marsh | May 26, 2024 | Phishing & Email Spam, Security Awareness |
Cloudflare Workers is being abused in phishing campaigns to obtain credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail. The campaigns identified in the past month have mostly targeted individuals in Asia, North America, and Southern Europe, with the majority of attacks conducted on organizations in the technology, finance, and banking sectors.
Cloudflare Workers is part of the Cloudflare Developer Platform and allows code to be deployed and run from Cloudflare’s global network. It is used to build web functions and applications without having to maintain infrastructure. The campaigns were identified by researchers at Netskope Threat Labs. One campaign uses a technique called HTML smuggling, which involves abusing HTML5 and JavaScript features to inject and extract data across network boundaries. This is a client-side attack where the malicious activities occur within the user’s browser. HTML smuggling is most commonly associated with malware and is used to bypass network controls by assembling malicious payloads on the client side. In this case, the malicious payload is a phishing page.
The phishing page is reconstructed in the user’s browser, and they are prompted to log in to the account for which the attacker seeks credentials, such as their Microsoft account. When the victim enters their credentials, they will be logged in to the legitimate website and the attacker will then collect the tokens and session cookies.
Another campaign uses adversary-in-the-middle (AitM) tactics to capture login credentials, cookies, and tokens, and allow the attackers to compromise accounts that are protected with multi-factor authentication. Cloudflare Workers is used as a reverse proxy server for the legitimate login page for the credentials being targeted. Traffic between the victim and the login page is intercepted to capture credentials as well as MFA codes and session cookies. The advantage of this type of attack is the user is shown the exact login page for the credentials being targeted. That means that the attacker does not need to create and maintain a copy of the login page.
When the user enters their credentials, they are sent to the legitimate login page by the attacker, and the response from the login page is relayed to the victim. The threat actor’s application captures the credentials and the tokens and cookies in the response. In these CloudFlare Workers phishing campaigns, users can identify the scam by looking for the *.workers.dev domain and should be trained to always access login pages by typing the URL directly into the web browser.
Defending against sophisticated phishing attacks requires a combination of security measures including an email security solution with AI/machine learning capabilities and email sandboxing, regular security awareness training, and web filtering to block the malicious websites and inspecting HTTP and HTTPS traffic. For more information on improving your defenses, give the TitanHQ team a call.
by Jennifer Marsh | May 15, 2024 | Network Security, Phishing & Email Spam, Security Awareness |
The Black Basta ransomware-as-a-service (RaaS) group has been aggressively targeting critical infrastructure entities in North America, Europe, and Australia, and attacks have been stepped up, with the group’s affiliates now known to have attacked at least 500 organizations worldwide. In the United States, the group has attacked 12 of the 16 government-designated critical infrastructure sectors, and attacks on healthcare providers have increased in recent months.
Black Basta is thought to be one of multiple splinter groups that were formed when the Conti ransomware group shut down operations in June 2022. The group breaches networks, moves laterally, and exfiltrates sensitive data before encrypting files. A ransom note is dropped and victims are required to make contact with the group to find out how much they need to pay to a) prevent the publication of the stolen data on the group’s leak site and b) obtain the decryption keys to recover their encrypted data.
The group uses multiple methods for initial access to victims’ networks; however, the primary method used by affiliates is spear phishing. The group has also been observed exploiting known, unpatched vulnerabilities in software and operating systems. For instance, in February 2024, the group started exploiting a vulnerability in ConnectWise (CVE-2024-1709). The group has also been observed abusing valid credentials and using Qakbot malware. Qakbot malware is commonly distributed in phishing emails.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued a cybersecurity alert about Black Basta in response to the increase in attacks. The alert shares indicators of compromise and the tactics, techniques, and procedures used by the group in recent attacks. All critical infrastructure organizations have been advised to implement a range of mitigations to make it harder for Black Basta ransomware affiliates to access internal networks and move laterally. The recommended mitigations will also strengthen defenses against other ransomware groups and should be considered by all businesses and organizations.
Phishing and spear phishing are common access vectors for ransomware groups and the initial access brokers many of the groups work with, including the operators of Qakbot malware. Strengthening phishing defenses should therefore be a priority. TitanHQ offers three products that help improve phishing defenses: SpamTitan Email Security, PhishTitan, and the SafeTitan security awareness training and phishing simulation platform.
SpamTitan is a comprehensive email security and spam filtering service that blocks the full range of threats including spam, phishing, malware, viruses, and other malicious emails. Independent tests have confirmed the solution has a 99.99% spam catch rate, Bayesian autolearning and heuristics defend against advanced email threats, recipient verification using SPF, DKIM, and DMARC, antivirus protection is provided using two leading anti-virus engines, and the solution incorporates sandboxing for deep analysis of suspicious files. The sandbox is capable of detecting threats from their behavior rather than email signatures and is capable of identifying and blocking zero-day malware threats. The solution is regularly rated the best spam filter for business by independent software review sites and is one of the most popular spam filters for MSPs.
PhishTitan is a powerful anti-phishing solution for businesses that use Microsoft 365 that protects against the advanced attacks that Microsoft’s EOP and Defender miss. The solution includes auto-remediation features to help businesses rapidly respond when they are targeted by cybercriminal groups, and integrates seamlessly with Microsoft 365, augmenting Microsoft’s protections to ensure that more phishing threats are identified and blocked. PhishTitan adds banner notifications to emails from external email accounts and warnings about unsafe content, rewrites URLs to show the true destination, provides time-of-click protection against malicious URLs, provides threat data and analytics to help users assess their risk profile, and subjects all emails to AI and LLM analysis, detecting phishing threats with a high degree of accuracy and blocking threats that Microsoft misses. The solution also uses real-time analysis and threat assessments to neutralize business email compromise and spear phishing attacks before they begin.
It is important to train the workforce on how to recognize and report phishing attempts. SafeTitan is a comprehensive security awareness training platform that provides training in bite-sized chunks. The training modules are no longer than 10 minutes and are easy to fit into busy workflows. By providing regular training each month, businesses can develop a security culture and significantly improve resilience to phishing and spear phishing attacks, especially when combined with phishing simulations. The phishing simulator includes templates from real-world ransomware campaigns, and they are regularly updated based on the latest threat intelligence.
As an additional protection, multi-factor authentication should be implemented on all accounts, and phishing-resistant MFA is the gold standard. Since vulnerabilities are often exploited, it is important to ensure that software, firmware, and operating systems are kept up to date with patches applied promptly. Ransomware groups such as Black Basta are quick to exploit known vulnerabilities in their attacks. Remote access software should be secured and disabled if it isn’t used, networks should be segmented to hamper lateral movement, and backups should be regularly made of all critical data, with copies stored securely offsite on air-gapped devices. Further recommended mitigations can be found in CISA’s StopRansomware Guide.
by Jennifer Marsh | May 14, 2024 | Industry News, Phishing & Email Spam |
TitanHQ has announced two new strategic alliances that will improve access to the company’s cybersecurity solutions in the Indian subcontinent and the Middle East. Evanti Tech is a Mumbai-based provider of IT infrastructure, cloud, and security services that helps to protect Indian businesses against cyberattacks, ransomware attacks, and other cybersecurity threats. The new alliance with TitanHQ will see Evanti Tech serve as a value-added distributor, incorporating TitanHQ’s cloud-based email security solutions into its cybersecurity suite to provide its clients with multi-layered protection capable of defending against a constantly evolving cyber threat landscape. The addition of TitanHQ’s email security solutions will allow the company to better protect its clients from email-based threats such as ransomware, malware, phishing, spear phishing, and business email compromise.
TitanHQ has also announced a new alliance with the Dubai, UAE-based cybersecurity managed service (CSMS) provider Nanjgels. Nanjgels protection methodology is based on five pillars of security – Protect, Identify, Detect, Remediate, Respond, with the company providing infrastructure security, user security, network security, data & app security, and security operations and response. Under the new alliance, Nanjgels will be adding SpamTitan email security solutions to its portfolio and will be offering them to all clients in the region to help them improve email security and block spam, phishing, spear phishing, BEC, ransomware, and other email threats.
The SpamTitan suite of products has been developed from the ground up to meet the needs of managed service providers and help them better protect their clients from email-based threats. SpamTitan includes double anti-virus protection to block known malware threats, email sandboxing to identify and block zero-day malware threats, protection against malicious links in emails, and spam detection mechanisms such as SPF, DKIM, DMARC, and greylisting to block more than 99.99% of spam and unwanted emails. The solution scans inbound and outbound emails and includes data loss protection features to combat insider threats.
Multi-award-winning SpamTitan is an ideal solution for protecting Microsoft 365 accounts. Almost 20% of phishing emails circumvent Microsoft 365 Exchange Defender and Microsoft Exchange Online Protection (EOP). SpamTitan integrates seamlessly with Microsoft 365 to augment defenses and block the phishing and malware threats that Microsoft misses. SpamTitan has achieved 36 consecutive VB Bulletin Anti-Spam awards, and recent independent tests have confirmed the solution blocks in excess of 99.95% of malware.
TitanHQ’s multi-tenant solutions are hugely popular with managed service providers as they make it easy to sell, onboard, manage, and deliver advanced security solutions directly to their client base and reduce the amount of time that MSPs need to devote to protecting their clients. TitanHQ offers antispam solutions for MSPs, phishing protection, DNS filtering, email encryption, email archiving, security awareness training, and phishing simulations. If you are a managed service provider looking to improve security, contact TitanHQ to find out more about the TitanShield program and the products you can easily add to your security stack to better protect your clients.
by Jennifer Marsh | Apr 30, 2024 | Email Scams, Network Security, Phishing & Email Spam |
The U.S. government and education sectors are being targeted by cybercriminals looking to steal sensitive data. These sectors hold large volumes of sensitive data that are easily monetized, victims can be extorted, and access to compromised networks can be sold to other cybercriminal groups such as ransomware gangs. These attacks can result in significant data breaches, major financial losses, and reputational damage that is hard to repair.
The campaign uses a combination of two malware variants and vulnerability exploitation, and the attack starts with phishing emails with malicious attachments. The campaign was identified by researchers at Veriti and delivers the notorious Agent Tesla remote access trojan (RAT) and an information-stealing malware called Taskun. Agent Tesla provides attackers with remote access to networks and is often used by initial access brokers for compromising networks, with the access sold on to other cybercriminal groups. Agent Tesla can be used to download additional payloads and has comprehensive information-stealing capabilities. The malware can log keystrokes, take screenshots, and steal credentials from browsers, wireless profiles, and FTP clients.
Taskun malware is spyware that also has information-stealing capabilities. In this campaign, the malware is used to compromise systems and make it easier for Agent Tesla to be installed, establish persistence, and operate undetected for long periods. The campaign involves emails with malicious attachments, with social engineering techniques used to trick employees into running malicious code that exploits unpatched vulnerabilities in operating systems and Office applications. The campaign involves a reconnaissance phase to identify the vulnerabilities that can be exploited to maximize the chance of a highly impactful compromise. The vulnerabilities exploited in this campaign include several Microsoft Office remote code execution vulnerabilities dating from 2010 to 2018 and takes advantage of businesses with poor patch management practices, incomplete inventories of connected devices, and devices running outdated software due to issues upgrading.
Defending against email-based attacks involving multiple malware variants and vulnerability exploitation requires a multi-layered approach to security, with cybersecurity measures implemented that provide overlapping layers of protection. The first line of defense should be advanced spam filtering software to block inbound spam and phishing emails. SpamTitan from TitanHQ is an AI-driven cloud-based email filtering service that is capable of identifying and blocking spam and phishing emails and has advanced malware detection capabilities. In addition to dual antivirus engines, the SpamTitan hosted spam filter includes email sandboxing for behavioral detection of malware threats. In independent tests, SpamTitan was shown to block 99.983% of spam emails, 99.914% of phishing emails, and 99.511% of malware.
It is important to ensure that employees are made aware of the threats they are likely to encounter. Security awareness training should be provided to teach cybersecurity best practices, eradicate risky practices, and train employees to be vigilant and constantly on the lookout for signs of phishing and malware. The SafeTitan security awareness training platform makes it easy to develop and automate comprehensive training and keep employees up to date on the latest tactics used by threat actors. SafeTitan, in combination with TitanHQ’s cloud-based anti-spam service, will help to ensure that phishing and malware threats are identified and blocked.
Cybersecurity best practices should also be followed, such as implementing multi-factor authentication on accounts, ensuring patches are applied promptly, keeping software up to date, installing endpoint antivirus solutions, and network segmentation to reduce the impact of a successful attack. It is also important to ensure there is a comprehensive inventory of all devices connected to the network and conduct vulnerability scans to ensure weaknesses are detected to allow proactive steps to be taken to improve security.
by Jennifer Marsh | Apr 30, 2024 | Email Scams, Phishing & Email Spam, Security Awareness, Spam Advice |
Business Email Compromise (BEC) is one of the most financially harmful cyberattacks. BEC is an attack where a cybercriminal uses social engineering techniques or phishing to gain access to an email account with a view to tricking people into disclosing sensitive and valuable data that can be sold or used in other types of attacks or scams. The goal of many BEC attacks is to trick senior executives, budget holders, or payroll staff into making fraudulent wire transfers, changing account details for upcoming payments, or altering direct deposit information to payroll payments directed to attacker-controlled accounts. When the attack results in a fraudulent wire transfer it is often referred to as Funds Transfer Fraud (FTF).
For the past several years, the biggest cause of losses to cybercrime – based on complaints filed with the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) – was BEC attacks. In 2022, IC3 received reports of losses of $2.7 billion from BEC attacks and $2.9 billion in losses in 2023. A recent report from the cyber insurance provider, Coalition, explored the reasons why claims were made on policies and by far the biggest cause of claims was fraud from attacks that originated in inboxes. More than half of claims were for losses that started with emails, with 28% of claims made for BEC attacks and 28% for FTF. The number of claims related to email-based attacks makes it clear that email security is an important aspect of cyber risk management. If you want to reduce cyber risk, email security is one of the best places to start and this is an area where TitanHQ can help.
TitanHQ’s anti spam software, SpamTitan, is an advanced email security solution for businesses and managed service providers that protects against the full range of email-based attacks by blocking spam, phishing, spoofing, malware, and zero-day attacks. SpamTitan includes dual antivirus engines for detecting known malware threats, sandboxing for behavioral analysis of emails to detect zero-day threats, reputation checks, and AI algorithms to anticipate new attacks. SpamTitan is delivered as a cloud-based anti-spam service or an anti-spam gateway, and is one of the most popular MSP spam filtering solutions.
PhishTitan is a relatively new addition to the TitanHQ cybersecurity portfolio and has been developed to improve Microsoft 365 security and catch the sophisticated phishing and BEC threats that Microsoft 365 misses. PhishTitan augments EOP and Defender and detects phishing threats with unbeatable accuracy and minimal false positives, with the solution adapting to new phishing tactics through comprehensive phishing feeds curated by TitanHQ and feedback from end users. PhishTitan rewrites URLs to show their true destination, provides time-of-click protection against URLs in phishing emails, protects against malware, adds banner notifications to emails to warn end users, makes post-delivery remediation quick and easy, and provides next-generation protection against phishing and BEC attacks.
In addition to solutions that block spam and phishing emails, end user security awareness training is important. Email-based attacks target employees and use social engineering to trick them into disclosing sensitive information, downloading malware, and making fraudulent wire transfers. SafeTitan from TitanHQ is a comprehensive security awareness training and phishing simulation platform for training the workforce to be more security aware, showing employees how to recognize and avoid threats, and keeping them up to date on the latest tactics targeting them. The platform also includes a phishing simulator for conducting fully automated phishing simulations. SafeTitan is the only behavior-driven security awareness solution that delivers security training in real-time in response to errors, ensuring training is delivered when it will have the most impact.
Email will continue to be a major attack vector but with TitanHQ solutions in place, you will be well protected. Give the TitanHQ team a call today for more information about these and other TitanHQ security products. All three of these products are available on a free trial to allow you to test them out for yourself and see the difference they make.
by Jennifer Marsh | Apr 29, 2024 | Phishing & Email Spam, Spam Software |
Phishing typically involves impersonation of a trusted individual or brand. In email phishing, the sender’s email address is often spoofed to make it appear that the messages have been sent from a legitimate domain, the emails often include the spoofed company’s logo, the color scheme used by that company, and the messages themselves are often very similar to the official emails sent by that brand.
It stands to reason that the most commonly impersonated brands are large tech companies, as more people are familiar with those companies and use their products and services. It should not come as a surprise to hear that the most impersonated brand in Q1, 2024 was Microsoft, which was impersonated in 38% of all phishing attacks, according to data from Check Point Research, up from 30% of attacks in the previous quarter. Google was the second most impersonated brand and was impersonated in 11% of phishing attacks, up from 8% in Q4, 2023.
Phishing attacks impersonating Amazon fell from 9% in Q4, 2023 to just 3% in Q1, 2024. The fall in attacks can be explained by fewer online sales after the holiday period, with phishers favoring other brands at the start of the year. There was an increase in attacks impersonating LinkedIn to target job seekers in response to an increase in job hunting in the New Year. LinkedIn rose to third place and was impersonated in 11% of attacks. Another seasonal increase was a rise in attacks impersonating Airbnb, which made it into the top 10 most impersonated brands, likely due to the increase in holiday bookings in the New Year.
Cybercriminals often change tactics and respond to seasonal changes, such as increasing attacks impersonating delivery firms and online retailers in the run-up to the holiday season, and piggyback on the popularity of major news stories and sporting events. This year is an Olympics year, and the European Football championships will be held in Germany in June. Lures related to these events are certain to be used as interest grows over the coming weeks as the events draw closer.
What is clear from phishing data is attacks are becoming more numerous and more sophisticated. According to tracking data by the Anti-Phishing Working Group (APWG), there were more than five million phishing attempts reported in 2023, the highest total ever recorded by APWG. Attacks against social media platforms showed a marked increase as the year drew to an end and accounted for almost 43% of all phishing attacks.
QR code phishing is also increasing. QR codes are used to send traffic to malicious URLs, and they are highly effective for phishing. Email security solutions typically check embedded hyperlinks against lists of known malicious domains, with many following hyperlinks and assessing the sites that users are redirected to. Many email security solutions, however, lack the capability to read QR codes, so the messages often end up in inboxes where they can be opened by end users.
It is not only email phishing that is increasing. Vishing – voice phishing attacks continue to rise and there was a major increase in Business Email Compromise (BEC) attacks, which the APWG data shows increased by 24% compared to the previous quarter. As phishing attacks increase in number and sophistication, businesses need to ensure that their defenses are capable of blocking these threats and that their employees are trained to be on high alert and constantly look for the signs of phishing in all communications.
One of the most important protective measures for businesses is to have an effective Office 365 spam filter. The anti-spam and anti-malware protections put in place by Microsoft and included with all licenses (EOP) are effective at blocking spam and known malware, but it is not so effective at blocking zero-day phishing and malware threats, many of which land in users’ inboxes. The more advanced protection that is provided with Microsoft’s E5 premium license improves phishing detection considerably, yet even this measure does not block many sophisticated phishing attempts. As such, many businesses are keen to improve the Office 365 spam filter and look for a third-party cybersecurity solution.
An increasing number of businesses are signing up for advanced AI- and machine learning-driven protection from TitanHQ to improve protection for Microsoft 365 environments. The engine that powers two of TitanHQ’s most popular cybersecurity solutions – SpamTitan and PhishTitan- has VBSpam+ certification from Virus Bulletin and in Q1, 2024 tests, was found to have a spam catch rate of 99.983%, a phishing catch rate of 99.914%, a malware catch rate of 99.51%, and a false positive rate of 0.00%. Overall, the engine got a 99.983% overall score.
SpamTitan is a cost-effective, easy-to-use email security solution for stopping phishing attacks, spam, malware, and ransomware. The solution features AI-based phishing protection via the newest zero-day threat intelligence, double malware protection with two antivirus engines, a next-generation sandbox for analyzing the behavior of messages to identify zero-day threats, and the solution is easy to integrate with Microsoft 365 to improve protection.
PhishTitan is a cloud-based, next-generation phishing protection and remediation solution that has been developed for use with Microsoft 365 that can identify and block the advanced phishing threats that Microsoft misses. PhishTitan has a high detection accuracy and uses AI to assess the content, tone, and meaning of emails to identify unusual, suspicious, and malicious messages. The solution also adapts to constantly evolving phishing tactics.
URLs in phishing emails are rewritten to identify their true destination, are compared to an extensive range of intelligence feeds, and the solution provides time-of-click protection against malicious links in emails. The solution also learns from user feedback to further improve accuracy and applies banners to emails warning about potentially malicious content and can be used by IT teams to automate the remediation of phishing emails from inboxes.
Phishing attacks are getting more sophisticated and tactics are constantly changing, but with the advanced protection provided by SpamTitan and PhishTitan that significantly improves the Microsoft 365 spam filter, businesses will be prepared. Give the TitanHQ team a call for more information, to arrange a product demonstration, or to sign up for a free trial to put the solutions to the test.
by Jennifer Marsh | Apr 25, 2024 | Email Scams, Phishing & Email Spam |
Many phishing campaigns involve indiscriminate emails that are sent in high volume in the hope that some recipients will respond. These campaigns tend to involve lures that are likely to be opened by as many users as possible such as missed deliveries, security warnings about unauthorized account access, and payments that will soon be applied to accounts. This spray-and-pray tactic is not nearly as effective as more tailored campaigns targeting specific types of users, and to make up for this, the campaigns involve huge volumes of messages. These campaigns are relatively easy for email security solutions to detect.
Phishing campaigns that target employees in a single organization can be much harder to identify. The threat actor tailors the message to the organization being targeted, and even to specific employees in the organization. These campaigns often use compromised vendor email accounts, with the emails being sent from trusted domains. There is a much greater chance of these emails landing in inboxes and the emails being opened by employees. Campaigns such as this can be highly effective and often result in many email accounts in the organization being compromised.
A recent example of this type of attack and the impact it can have comes from California. The Los Angeles County Department of Health Services, an integrated health system that operates public hospitals and clinics in L.A. County, was targeted in a phishing campaign between February 19, 2024, and February 20, 2024. The emails appeared to have been sent by a trusted sender, landed in inboxes, and were opened by many employees. The emails contained a hyperlink that directed users to a website where they were told they needed to enter their login credentials. 23 employees fell for the scam and entered their credentials.
The credentials were captured, and the threat actor was able to access the employees’ email accounts, which contained sensitive patient data such as names, dates of birth, contact information, medical record numbers, dates of service, medical information, and health plan information. While the information exposed in the attack could not be used for identity theft – Social Security numbers were not compromised – the attacker gained access to information that could be used for medical identity theft. The patients affected could also be targeted in very convincing phishing campaigns to obtain further information such as Social Security numbers. Similar attacks have been reported by other healthcare organizations where the email accounts contained vast amounts of data, including tens of thousands of Social Security numbers and sensitive financial information.
After attacks such as this, additional security awareness training is provided to the workforce to raise awareness of the threat from phishing; however, the provision of comprehensive training regularly throughout the year will go a long way toward ensuring that attacks such as this do not succeed and that if they do, the resultant data breach is far less severe.
TitanHQ’s SafeTitan security awareness training platform allows organizations to conduct comprehensive training continuously, and since each training module is a maximum of 10 minutes, it is easy to fit the training into busy workflows. The training platform has a huge range of content, covering a broad range of threats, and when programs are run continuously and employees complete a few training modules a month, susceptibility to phishing drops considerably, especially when the SafeTitan phishing simulator is also used. The simulator includes templates taken from recent real-world phishing campaigns. If a user responds to one of these simulations, they are immediately told where they went wrong and are required to complete a training module relevant to that threat.
End-user security awareness training is an important part of your cybersecurity arsenal, but it is also vital to block as many phishing emails as possible. TitanHQ’s SpamTitan email security is an advanced, AI and machine learning-driven anti-spam solution that blocks more than 99.9% of spam email and phishing threats. The solution includes twin antivirus engines for blocking known malware, and sandboxing for blocking zero-day threats, and is a highly effective spam filter for Office 365. With SafeTitan security awareness training and an advanced Microsoft 365 spam filter from TitanHQ, businesses will be well protected from phishing threats.
All TitanHQ solutions are intuitive, easy to use, and can be set up in just a few minutes and are available on a free trial to allow you to test them out for yourself before making a purchase decision. Independent reviews from genuine users of TitanHQ solutions show SpamTitan is much loved by users. On G2 reviews, SpamTitan is consistently given 5-star reviews by end users, who rate it the best spam filter for Outlook due to its effectiveness, low cost, ease of use, and the excellent customer service from the TitanHQ team.
SafeTitan and SpamTitan are available on a free trial to allow you to test them out for yourself before making a purchase decision. Give the TitanHQ team a call today to take the first step toward improving your phishing defenses.
by Jennifer Marsh | Apr 24, 2024 | Phishing & Email Spam |
Cybercriminals are constantly evolving their tactics for delivering malware and one of the most recent changes concerns the Remcos RAT. Remcos was developed by Breaking Security as a legitimate remote administration tool that can be used for network maintenance, system monitoring, surveillance, and penetration testing; however, the tool has been weaponized to create the Remcos Remote Access Trojan (RAT).
The Remocos RAT has extensive capabilities and has been used by cybercriminals since 2016. The malware allows threat actors to take control of systems and maintain persistent, highly privileged remote access. The malware can be used for a range of purposes, with threat actors commonly using it for credential theft, man-in-the-middle internet connections, and to create botnets of infected devices that can be used for distributed denial of service attacks (DDoS).
The Remcos RAT is distributed in spam email campaigns. Since 2016, the most common method for distributing the malware used spam emails with malicious Office attachments. Social engineering techniques were used to trick users into opening the files and enabling macros; however, campaigns have recently been detected that deliver the malware via weaponized virtual hard disk (VHD) files.
Security awareness training often focuses on teaching users to be careful when opening Office files and other file types commonly associated with malware distribution. The change to a more unusual file type could result in the file being opened, and VHD files are less likely to be identified as malicious by email security solutions.
An analysis of the extracted VHD files revealed a shortcut file that contained a PowerShell command line that executed a malicious script that ultimately delivered the Remcos RAT via a sophisticated multi-stage delivery method designed to evade security solutions. Once installed, the malware can log keystrokes, take screenshots, and exfiltrate data to its command-and-control server. The malware also has mass-mailer capabilities and can send copies of itself via email from an infected device. According to Check Point, the Remcos RAT rose to the 4th most prevalent malware threat in March 2024.
The constantly changing tactics for distributing malware mean network defenders need cybersecurity solutions that can adapt and detect zero-day threats. SpamTitan is an advanced email filtering service with AI and machine learning-driven threat detection which is capable of identifying and blocking novel phishing and malware distribution methods. The machine learning algorithm uses predictive technology to identify previously unseen attacks, emails are scanned using twin antivirus engines, and suspicious file types are sent to a next-generation sandbox for behavioral analysis, ensuring even previously unseen malware variants can be identified and blocked.
SpamTitan scans all inbound emails and also includes an outbound email filter to identify malicious emails that are sent from compromised email accounts and by malicious insiders. SpamTitan also has data loss protection capabilities, allowing IT teams to detect and block internal data loss. If your corporate email filter does not include advanced threat protection including AI-driven detection and sandboxing, or if you rely on Microsoft’s anti-spam and anti-phishing protection, sophisticated threats such as zero-day attacks are unlikely to be blocked and your business will be at risk.
Give the TitanHQ team a call today to find out more about SpamTitan. SpamTitan is delivered as a cloud-based anti-spam service that integrates seamlessly with Microsoft 365 to improve protection, or as a gateway solution for on-premises protection, which can be installed on existing hardware as a virtual anti-spam appliance.
by Jennifer Marsh | Apr 18, 2024 | Email Scams, Network Security, Phishing & Email Spam |
Cybercriminals use a variety of methods for initial access to victims’ networks and tactics are constantly changing. Ransomware groups are increasingly targeting boundary devices such as routers, firewalls, and the virtual private networks that sit between the Internet and business networks, with the first quarter of this year seeing a decline in attacks exploiting vulnerabilities for initial access. According to the ransomware remediation firm Coveware, remote access is now favored by ransomware groups. In Q1, 2024, Remote Desktop Protocol (RDP) compromise was the most commonly identified initial attack vector.
Phishing is still commonly used for initial access, although there has been a fall in phishing-based attacks by ransomware groups; however, it is common for ransomware groups to chain email phishing with RDP compromise and the exploitation of software vulnerabilities for more impactful attacks. What is clear from the data is threat actors are conducting more sophisticated attacks and are taking steps to cover their tracks. Coveware reports that the initial access vector was unknown in around 45% of attacks.
While ransomware groups may be concentrating on non-email attack vectors, phishing attempts by cybercriminals have increased significantly over the past year. A new analysis by researchers at the antivirus company Kaspersky found that phishing attempts increased by 40% in 2023, with threat actors increasingly using messaging apps such as Telegram in their attacks as well as social media networks.
Phishing is also becoming more sophisticated and increasingly personalized. There is growing evidence that threat actors are using generative artificial intelligence engines to craft new lures to use in their campaigns, especially spear phishing attacks. The near-perfect messages that GenAI creates can make it difficult for end users to distinguish phishing emails from genuine communications.
The problem for many businesses is threat actors are constantly evolving their tactics and are conducting increasingly sophisticated campaigns, yet email security defenses are not maintaining pace. Many Microsoft 365 users find that while Microsoft Defender and EOP block a good percentage of spam emails and many phishing threats, more sophisticated threats are not detected. Having a cybersecurity solution such as PhishTitan augments Microsoft 365 defenses and ensures sophisticated threats are blocked. For every 80,000 emails received, PhishTitan catches 20 unique and sophisticated phishing attacks that Microsoft’s expensive E5 premium security misses.
PhishTitan helps with post-delivery remediation, allowing security teams to rapidly remove phishing threats from the email system when a threat is reported, adds a banner to emails warning users about suspicious messages, and rewrites URLs to show the true destination to combat spoofing. The solution also includes time-of-click protection to combat phishing links that are weaponized after delivery, and AI- & LLM-driven anti-phishing analysis to identify previously unseen phishing threats.
The use of malware in email campaigns is also increasing. In 2023, 6.06 billion malware attacks were identified worldwide, up 10% from the previous year, with loaders, information stealers, and remote access trojans (RATs) the most common malware threats. While signature-based detection mechanisms once served businesses well, the rate at which new malware variants are released means many threats are not detected as malware signatures have yet to be uploaded to antivirus defenses. The key to blocking these zero-day threats is email sandboxing.
An email sandbox is an isolated environment where messages that meet certain criteria are sent after scans by antivirus engines have shown the messages to be free from malware. In the sandbox, messages are subjected to deep inspection to identify malware from its behavior rather than signature. Many malware variants have been developed to resist analysis or pass sandbox checks, such as delaying malicious actions for a set period. A slight disadvantage of email sandboxing is a small delay in email delivery, but it is important to ensure that messages are analyzed in detail and anti-sandboxing capabilities are defeated. There are, however, ways to get sandbox protection while minimizing the impact on the business.
Whether you are looking for a gateway spam filter or a hosted spam filter to improve protection against email threats or advanced phishing protection, TitanHQ can help. Give the team a call today for detailed information on TitanHQ products and advice on the most effective solutions to meet the needs of your business. You can take advantage of the free trials of TitanHQ products, which are provided with full support to help you get the most out of the trial.
by Jennifer Marsh | Apr 17, 2024 | Email Scams, Phishing & Email Spam |
A phishing campaign has been running since late March that tricks people into installing a new version of the remote access trojan, JSOutProx. JSOutProx was first identified in 2019 and is a backdoor that utilizes JavaScript and .NET that allows users to run shell commands, execute files, take screenshots, control peripheral devices, and download additional malware payloads. The malware is known to be used by a threat actor tracked as Solar Spider, which mostly targets financial institutions in Central Europe, South Asia, Southeast Asia, and Africa, with the latest version of the malware also being used to target organizations in the Middle East.
The malware has mostly been used on banks and other financial institutions. If infected, the malware collects information about its environment and the attackers then download any of around 14 different plug-ins from either GitHub or GitLab, based on the information the malware collects about its operating environment. The malware can be used to control proxy settings, access Microsoft Outlook account details, capture clipboard content, and steal one-time passwords from Symantec VIP.
Like many other remote access trojans, JSOutProx is primarily delivered via phishing emails. A variety of lures have been used in the phishing emails but the latest campaign uses fake notifications about SWIFT payments in targeted attacks on financial institutions and MoneyGram payment notifications in attacks on individuals, which aim to trick the recipients into installing the malware.
The latest campaign uses JavaScript attachments that masquerade as PDF files of financial documents contained in .zip files. If the user attempts to open the fake PDF file, the JavaScript is executed deploying the malware payload. The main aim of the campaign is to steal user account credentials, gather sensitive financial documents, and obtain payment account data, which can either be used to make fraudulent transactions or be sold to other threat actors on the dark web. Email accounts are often compromised which can be leveraged in Business Email Compromise (BEC) attacks to steal funds from clients. According to VISA, “The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware.”
Since phishing is the main method of malware delivery, the best defense against attacks is advanced anti-spam software and end-user security awareness training. JSOutProx malware is able to bypass many traditional anti-spam solutions and anti-virus software due to the high level of obfuscation. The best defense is an anti-spam solution with AI and machine learning capabilities that can identify the signs of malicious emails by analyzing message headers and message content to determine how they deviate from the emails typically received by the business and also search for the signs of phishing and malware delivery based on the latest threat intelligence.
To identify the malicious attachments, an anti-spam solution requires sandboxing. Any messages that pass standard antivirus checks are sent to the sandbox where behavior is analyzed to identify malicious actions, rather than relying on malware signatures for detection. SpamTitan can extract and analyze files in compressed archives such as .zip and .rar files and in recent independent tests, SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, with a false positive rate of 0.00%. SpamTitan from TitanHQ is delivered as either a hosted anti-spam service or an anti-spam gateway that is installed on-premises on existing hardware. SpamTitan has been developed to be easy to implement and use and meet the needs of businesses of all sizes and managed service providers.
Phishing emails target employees so it is important to teach them how to identify phishing emails. Due to the fast-changing threat landscape, security awareness training should be provided continuously to the workforce, and phishing simulations should be conducted to give employees practice at identifying threats. SafeTitan from TitanHQ can be used to easily create effective training programs that run continuously throughout the year and keep employees up to date on the latest threats and tactics, techniques, and procedures used by malicious actors. SafeTitan also delivers relevant training in real-time in response to security mistakes and phishing simulation failures. Check out these anti-spam tips for further information on improving your defenses against phishing and get in touch with TitanHQ for more information on SpamTitan email security and the SafeTitan security awareness training platform.
by Jennifer Marsh | Apr 16, 2024 | Email Scams, Phishing & Email Spam |
One of the most effective ways of getting employees to open malicious emails is to make the emails appear to have been sent internally and to use a lure related to salaries, as is the case with a recently identified campaign that is used to deliver a Remote Access Trojan called NetSupport RAT.
The campaign was first identified by researchers at Perception Point who intercepted an email that appeared to have been sent by the accounts department and purported to be a monthly salary report. The recipient is told to review the report and get back in touch with the accounts department if they have any questions or concerns about the data. Due to the sensitive nature of the data, the salary chart is in a password-protected document, and the employee is told to enter the password provided in the email if the enable editing option is unavailable. The user is prompted to download the .docx file, enter the password, and then click enable editing, after which they need to click on the image of a printer embedded in the document. Doing so will display the user’s salary graph.
The document uses an OLE (Object Linking and Embedding) template which is a legitimate tool that allows linking to documents and other objects, in this case, a malicious script that is executed by clicking on the printer icon. This method of infection is highly effective, as the malicious payload is not contained in the document itself, so standard antivirus scans of the document will not reveal any malicious content. If the user clicks the printer icon, a ZIP archive file will be opened that includes a single Windows shortcut file, which is a PowerShell dropper that will deliver the NetSupport RAT from the specified URL and execute it, also adding a registry key for persistence.
NetSupport RAT has been developed from a legitimate remote desktop tool called NetSupport Manager which is typically used to provide remote technical support and IT assistance. The malware allows a threat actor to gain persistent remote access to an infected device, gather data from the endpoint, and run commands. While the use of OLE template manipulation is not new, this method has not previously been used to deliver the NetSupport RAT via email.
The threat actor uses encrypted documents to deliver the malware to evade email security solutions, and the emails are sent using a legitimate email marketing platform called Brevo, which allows the emails to pass standard reputation checks. This campaign is another example of how threat actors are increasing the sophistication of their phishing campaigns and how they can bypass standard email security defenses, including Microsoft’s anti-malware and anti-phishing protections for Microsoft 365 environments.
While the lure and the steps users are taken through are reasonable, there are red flags at various stages of the infection process where end users should identify the email as potentially malicious. In order for that to happen, end users should be provided with regular security awareness training. TitanHQ offers a comprehensive security awareness training platform called SafeTitan, which includes training modules to teach employees how to identify the red flags in email campaigns such as this. The platform also includes a phishing simulator, that allows these types of emails to be sent to employees to test the effectiveness of their training. If they fail a simulation, they are immediately shown where they missed the opportunity to identify the threat, with relevant training generated instantly in real time.
Sophisticated phishing attacks require sophisticated anti-phishing defenses to block these emails before they reach end users’ inboxes. While standard antivirus checks can block many malicious payloads, behavioral analysis of attachments and files is essential. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of front-end checks of messages including reputation checks and Bayesian analysis, machine-learning algorithms analyze messages for potentially malicious and phishing content, scan attachments with twin antivirus engines, and messages are sent to a sandbox for deep analysis. In the sandbox, malicious behavior can be identified allowing even sophisticated phishing emails to be blocked by the cloud spam filter.
A hosted email filter is often the best fit for businesses, although SpamTitan is available as a gateway spam filter. The TitanHQ team will be happy to listen to your requirements and suggest the best option to meet your needs. Give the team a call today to find out more about improving your email defenses against sophisticated phishing and malware distribution campaigns and how to provide more effective security awareness training.
by Jennifer Marsh | Apr 15, 2024 | Email Scams, Phishing & Email Spam |
A sophisticated phishing campaign has been detected that is being used to deliver a variety of Remote Access Trojan (RAT) malware, including Venom RAT, Remcos RAT, and NanoCore RAT, as well as a stealer that targets cryptocurrency wallets. The campaign uses email as the initial access vector with the messages purporting to be an invoice for a shipment that has recently been delivered. The emails include a Scalable Vector Graphics (SVG) file attachment – an increasingly common XML-based vector image format.
If the file is executed, it will drop a compressed (zip) file on the user’s device. The zip file contains a batch file that has been created with an obfuscation tool (most likely BatCloak) to allow it to evade anti-virus software. If not detected as malicious, a ScrubCrypt batch file is unpacked – another tool used to bypass antivirus protections – which delivers two executable files that are used to deliver and execute the RAT and establish persistence. This method of delivery allows the malware to evade AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) antivirus protections.
One of the primary payloads is Venom RAT, which establishes a connection with its command and control (C2) server, transmits sensitive information gathered from the compromised device and runs commands from its C2 server. Venon RAT can download additional modules and malware payloads, including a stealer malware that targets folders associated with cryptocurrency wallets and applications including Atomic Wallet, Electrum, Exodus, Foxmail, and Telegram.
The sophisticated nature of this campaign and the obfuscation used to hide the malicious payloads from traditional antivirus software demonstrates the need for advanced email defenses and end-user training. Email security solutions that rely on malware signatures are easily bypassed, which is why it is important to use an anti-spam solution that incorporates sandboxing for blocking malware and AI and machine learning capabilities to identify malicious emails.
SpamTitan uses AI and machine learning algorithms to detect phishing emails that other solutions miss – including Microsoft’s basic and advanced anti-phishing mechanisms for Microsoft 365. SpamTitan includes Sender Policy Framework (SPF), SURBL’s, RBL’s, Bayesian analysis, and more, and the machine learning algorithms can detect email messages that deviate from the typical messages received by a business and can identify header anomalies, address spoofing, and suspect email body content. All inbound messages are subjected to standard and advanced malware checks, including scans using twin anti-virus engines and email sandboxing. If all anti-malware checks are passed, including unpacking and analyzing compressed files, messages are sent to the sandbox for behavioral analysis.
In the cloud-based sandbox, malicious actions are identified such as attempts to deliver additional files as is commonly seen in multi-stage attacks and C2 calls. In recent independent tests (Virus Bulletin), SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, and a false positive rate of 0.00%. With phishing attacks becoming more sophisticated you need to have sophisticated defenses. With email security protection provided by SpamTitan and security awareness training delivered using TitanHQ’s award-winning SafeTitan security awareness training and phishing simulation platform you will be well protected from email-based attacks.
Give the TitanHQ team a call today to find out more about how you can improve your defenses against email-based attacks with sandboxing technology and how to add more layers to your defenses to block the full range of cyberattacks.
by Jennifer Marsh | Apr 14, 2024 | Email Scams, Phishing & Email Spam |
A relatively new malware variant dubbed Latrodectus is increasingly being used to gain initial access to business networks. Latrodectus is the Latin for Widow spiders, but the malware was so named because of a line in the code that mentions the word. The malware was first detected in November 2023, and detections have been increasing ever since, especially since February 2024. Analyses of Latrodectus malware have revealed strong similarities with the IcedID remote access trojan (RAT) and malware loader, and the infrastructure that supports the malware was previously used in IcedID campaigns. That strongly suggests that Latrodectus malware is the successor of IcedID and was most likely developed by the same threat actor.
Latrodectus malware is primarily a malware downloader and backdoor that is used to deliver a range of different payloads and execute commands on an infected device. Latrodectus is a modular malware capable of adapting to different environments, has extensive capabilities, is stealthy, and can bypass many cybersecurity solutions. The malware checks for the presence of debuggers, has anti-sandbox capabilities and encrypts communications with its C2 server. The malware gains persistence via auto-run keys and scheduled tasks.
Latrodectus malware is believed to be used by highly capable threat actors that specialize in gaining initial access to networks to sell on to other threat actors such as ransomware groups. The malware is primarily distributed in phishing emails, with the detected emails so far using Microsoft Azure and Cloudflare-themed lures, with either PDF file attachments or URLs embedded in emails. The malware has also been identified as being distributed via contact form spam.
If the PDF files are opened, the user is told that the document has been uploaded to the Microsoft Azure Cloud and they are required to download it. The user is then directed to a fake Cloudflare security check that adds legitimacy but also prevents email security solutions from following the link and prevents in-depth analysis in sandboxes. If the user proceeds, they will download a JavaScript file that appears to be the document indicated in the PDF file. If the file is executed, a script runs that downloads an MSI installer, which drops and executes the Lactrodectus DLL.
Due to the evasive capabilities of the malware, standard email security solutions are unlikely to identify the phishing emails as malicious, and even email sandboxing checks may be passed. An advanced anti-spam service is required that incorporates AI- and machine learning capabilities to identify the malicious nature of the email. SpamTitan Plus is an advanced email security solution with the highest coverage of anti-phishing feeds of any product on the market, incorporating coverage of 100% of all current market-leading anti-phishing feeds. The superior threat intelligence fed into the system and massive clickstream traffic from more than 600 million users and endpoints ensure the URLs used to deliver malware are detected and blocked. The machine learning capabilities of SpamTitan Plus allow the solution to predict and block novel phishing campaigns, including phishing attacks that use personalized URLs when targeting individuals. URLs are followed and are rewritten to identify the destination, and the solution features time-of-click protection to identify and block URLs that are weaponized after delivery.
As an additional protection, businesses should consider a web filtering solution. WebTitan from TitanHQ protects against the web-based component of cyberattacks. While SpamTitan Plus can block attempts to visit URLs embedded in emails and email attachments, WebTitan will block visits to URLs from general web browsing, redirects from malvertising, and non-email communications. WebTitan can also be configured to block downloads of files from the Internet associated with malware – JavaScript files for instance.
End-user training is also important to teach cybersecurity best practices and eliminate risky behaviors. SafeTitan is a comprehensive security awareness training platform with hundreds of training modules that can be easily configured to create and automate training courses relevant to individuals and user groups. The platform includes a phishing simulator for conducting realistic phishing simulations, using messages that have been created from genuine phishing attacks. The platform is the only behavior-driven security awareness training platform that delivers training in real time in response to simulation failures and security mistakes.
As cyber threats increase in sophistication, multiple cybersecurity solutions are required to provide multi-layered protection. TitanHQ solutions will ensure you are well protected from ever-changing cyber threats and sophisticated phishing and malware attacks.
by Jennifer Marsh | Mar 31, 2024 | Industry News, Network Security |
TitanHQ has added a new auto-remediation feature to its Microsoft 365 anti-phishing solution, PhishTitan, to better meet the needs of managed service providers (MSP) and M365 administrators.
According to Statista, more than two million companies worldwide use Microsoft 365, including more than 1.3 million in the United States. Given the number of companies that use Microsoft 365, it is naturally a big target for cybercriminals and nation-state actors. If threat actors can steal M365 credentials, they can access a treasure trove of valuable business data and gain a foothold for more extensive and damaging attacks. Microsoft offers protection against spam, phishing, malware, and business email compromise attacks, but the best level of protection is only available with its costly E5 premium license, which is prohibitively expensive for many small businesses. Even companies that can afford this costly license do not get cutting-edge protection against phishing and BEC attacks.
To consistently block sophisticated phishing attempts, BEC attacks, and zero-day threats, businesses need more advanced protection than Microsoft can offer, and many turn to PhishTitan from TitanHQ – an integrated Cloud Email Security Solution (ICES) that provides cutting-edge protection against the most damaging, sophisticated phishing threats, BEC, account takeover, VIP impersonation, and zero-day attacks. In recent Virus Bulletin Tests, the engine that powers PhishTitan achieved an exceptional spam catch rate of 99.983%, a malware catch rate of 99.511%, and a phishing catch rate of 99.914%, with zero false positives. PhishTitan was shown to outperform Microsoft’s highest level of protection. For every 80,000 emails received, PhishTitan blocks 20 more unique and sophisticated attacks than Microsoft’s E5 filtering option.
The latest update to PhishTitan adds a new auto-remediation feature, which allows administrators to tailor the management of malicious emails based on the severity level. When a threat is detected, a banner is added to the email that warns the user about the threat; however, auto-remediation allows administrators to apply rules to deal with these messages according to the threat level, such as automatically diverting the emails to the junk folder. This feature acts like a virtual SOC and minimizes the risk to end users, especially individuals who tend to ignore email banners.
Auto-remediation is just one of the new features PhishTitan has gained since its launch. PhishTitan has also received an update to protect users from the growing threat of QR code phishing attacks (QRishing). QR codes are problematic for many anti-spam and anti-phishing solutions, as they cannot decipher the URLs in QR codes and check the destination URL, which is why cybercriminals are increasingly using QR codes in their phishing emails. PhishTitan can analyze the URLs encoded in QR codes, assess the risk, and notify end users.
PhishTitan also supports allow-listing, which administrators can use to automatically white-list trusted senders to make sure that their emails are always delivered, and notifications can also be fed into Microsoft Teams. Since administrators can spend a considerable amount of time in the application, a dark mode has been added to improve the user experience, and many more updates are planned and will be rolled out soon.
“We are excited to introduce Auto Remediation, QR code protection, and many additional powerful new features to our valued customers. At TitanHQ, we collaborate closely with partners to develop tailored solutions addressing critical customer IT security challenges,” said TitanHQ CEO, Ronan Kavanagh. “PhishTitan provides MSPs with an unmatched value proposition, featuring effortless deployment and lucrative recurring revenue streams, ultimately delivering a positive return on investment.”
If you want to improve protection against email threats or have any questions about PhishTitan, give the TitanHQ team a call. TitanHQ also offers award-winning DNS filtering, spam filtering, email encryption, email archiving, security awareness training, and phishing simulation solutions, all of which are available on a free trial.
by Jennifer Marsh | Mar 29, 2024 | Phishing & Email Spam, Spam Software |
TitanHQ has claimed a Top 3 position in a recent Virus Bulletin email security test, achieving an exceptional 99.98% spam catch rate and 99.91% phishing catch rate for the cutting-edge filtering engine that powers the SpamTitan (email security) and PhishTitan (phishing protection) solutions, earning TitanHQ the prestigious VBSpam+ certification for the products.
Virus Bulletin is a security information portal and independent testing and certification body that has earned a formidable reputation within the cybersecurity community for providing security professionals with intelligence about the latest developments in the global threat landscape. Virus Bulletin conducts regular tests of security solutions to determine how well they perform at detecting and blocking threats, and for more than 20 years has been benchmarking cybersecurity solutions. Virus Bulletin’s public certifications cover all types of security threat protection, including anti-spam and anti-phishing solutions for enterprises.
In the Q1, 2024 tests, Virus Bulletin assessed nine comprehensive email security solutions, including TitanHQ’s email security suite which comprises SpamTitan and PhishTitan. The email security solutions were put to the test to assess how effective they are at blocking unsolicited and unwanted spam emails and malicious messages of all types. TitanHQ’s solutions achieved exceptional scores at blocking spam and phishing emails, with a spam catch rate of 99.983%, a malware catch rate of 99.511%, and a phishing catch rate of 99.914% with zero false positives. The final score for the Q1, 2024 tests was 99.983, cementing TitanHQ’s position as a leading provider of anti-phishing and anti-spam solutions for managed service providers and businesses.
“This test reaffirms TitanHQ’s unrivaled prowess in spam and phishing protection—we stand as the first choice for combating phishing attempts and spam infiltrations,” said Ronan Kavanagh, CEO at TitanHQ. “Our customers need not settle for anything less. With TitanHQ solutions, they receive unparalleled defense against phishing and spam and experience minimal false positives.
While there are many ways that cybercriminals and nation state actors breach company networks and gain access to sensitive data, phishing is the leading initial access vector. Despite phishing being such a prevalent threat, many businesses lack security solutions that can consistently identify and block these malicious messages, which results in costly compromises, data breaches, and devastating ransomware attacks. According to one study by researchers at CoreView on 1.6 million Microsoft 365 users, 90% lacked essential security protections that can combat threats such as phishing.
While Microsoft has security solutions that can block spam and phishing emails, they are unable to block advanced phishing threats. PhishTitan has been developed to work seamlessly with M365 and catch the phishing threats that M365 misses. Even Microsoft’s most advanced anti-phishing protection, the costly E5 premium security offering, fails to block many advanced threats. Testing has shown that for every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top solution misses, and many businesses cannot afford Microsoft’s top level of protection and are reliant on its basic anti-spam and anti-phishing protection.
If you want to improve your defenses against phishing and malware and block more spam emails, give the TitanHQ team a call and ask about SpamTitan and PhishTitan. Both email filtering solutions are available on a free trial, so you can put them to the test and see for yourself the difference they make.
by Jennifer Marsh | Mar 28, 2024 | Phishing & Email Spam |
A phishing campaign distributing StrelaStealer malware has expanded to Europe and the United States, with the attackers favoring the high-tech, finance, professional and legal services, manufacturing, government, energy, utilities, insurance, and construction sectors.
StrelaStealer malware was first identified in November 2022 and its primary purpose is to extract email account login credentials from popular email clients such as Microsoft Outlook and Mozilla Thunderbird, and exfiltrate them to its command-and-control server. StrelaStealer has previously been used to target companies in Spanish-speaking countries however, targeting has now been expanded to the United States and Europe, with attacks peaking in November 2023 and January 2023 with more than 500 attacks a day on companies in the United States and more than 100 attacks per day in Europe, according to tracking data from Palo Alto Networks Unit 42 team.
The campaign uses email as the initial access vector with the emails typically claiming to be an invoice. Early attacks used ISO file attachments that included a .lnk shortcut and an HTML file, which invoked the rundll32.exe process to execute the malware payload. The latest attacks use a different method, with .zip file attachments favored. These compressed files include Jscript files which, if executed, drop a batch file and base64-encoded file that decodes into a DLL file, which is executed using rundll32.exe to deploy the StrelaStealer payload.
Email sandboxing provides a vital layer of protection against malware, which can be difficult to detect using transitional signature-based email security solutions. Anti-virus solutions are generally signature-based, which means they can only detect known malware. Advanced email security solutions use sandboxing to analyze the behavior of files to identify and block novel malware threats. Suspicious files are sent to the sandbox for in-depth behavioral analysis. The control flow obfuscation technique used in this attack can make analysis difficult, even in sandboxed environments, with excessively long code blocks used that can result in timeouts when executed in some sandboxed environments. While sandboxing can delay email delivery, which is far from ideal for businesses that need to act on emails quickly, it is important to provide enough time to allow attachments to be fully analyzed, as StrelaStealer malware clearly demonstrates. The easiest way for businesses to sandbox email attachments is with SpamTitan Email Security.
StrelaStealer malware is actively evolving, and new methods are being developed to deliver the malware and evade security solutions. Combatting sophisticated phishing attacks such as this, requires a defense-in-depth approach to security, using multiple security solutions that provide overlapping layers of protection such as SpamTitan Email Security, PhishTitan phishing protection, and SafeTitan security awareness training. Give the TitanHQ team a call today for more information on affordable cybersecurity solutions that are easy to use and capable of blocking advanced phishing threats.
by Jennifer Marsh | Mar 27, 2024 | Phishing & Email Spam |
Phishing is one of the most common methods used to gain access to credentials; however, businesses are increasingly implementing multi-factor authentication (MFA) which adds an extra layer of protection and means stolen credentials cannot be used on their own to gain access to accounts. An additional authentication factor is required before access to the account is granted. While any form of MFA is better than none, MFA does not protect against all phishing attacks. There are several popular phishing-as-a-service (PhaaS) platforms that can steal credentials and bypass MFA including LabHost, Greatness, and Robin Banks. For a relatively small fee, any cybercriminal looking to compromise accounts can use the PhaaS platform and gain access to MFA-protected accounts.
A relatively new PhaaS platform has been growing in popularity since its discovery in October 2023 which has been causing concern in the cybersecurity community. Dubbed Tycoon 2FA, the PhaaS platform is being offered through private Telegram groups. Like many other PhaaS platforms, Tycoon 2FA uses adversary-in-the-middle (AiTM) tactics to steal MFA tokens, allowing access to be gained to accounts. The phishing kit uses at least 1,100 domains and has been used in thousands of phishing attacks.
Like most phishing attacks, initial contact is made with end users via email. The messages include a malicious link or a QR code. QR codes are popular with phishers as they communicate a URL to the end user and are difficult for email security solutions to identify as malicious. To ensure that the malicious URLs are not detected by security solutions, after clicking the link or visiting the website via the QR code, the user must pass a security challenge (Cloudflare Turnstile). The web page to which the user is directed targets Microsoft 365 or Gmail credentials. The user’s email address is captured and used to prefill the login page, and when the user enters their password it is captured and they are directed to a fake MFA page.
The phishing kit uses a reverse proxy server that relays the user’s credentials to the legitimate service being targeted in real-time and similarly captures the session cookie when the MFA challenge is passed. The user is unlikely to recognize that their account has been compromised as they are redirected to a legitimate-looking page when the MFA mechanism is passed. According to the researchers, many different threat actors have been using the kit for their phishing campaigns, with the Tycoon 2FA operators having received almost $395,000 in payments to their Bitcoin wallet as of March 2024. The price of the phishing kit is $120 for 10 days of usage which shows how popular the platform is with cybercriminals.
PhaaS platforms allow cybercriminals to conduct sophisticated attacks and bypass MFA without having to invest time and money setting up their own infrastructure they significantly lower the entry barrier for conducting MFA-bypassing phishing attacks. An advanced spam filtering service such as SpamTitan Plus will help to prevent malicious emails from reaching inboxes, and is an ideal spam filter for MSPs looking to provide the best level of protection for their clients. The SpamTitan suite of email security solutions combines phishing, spam, and antivirus filtering and independent tests show a spam block rate of 99.983% and a malware block rate of 99.51%.
PhishTitan from TitanHQ greatly improves protection against more advanced phishing campaigns such as those that use QR codes. Employees should be provided with regular security awareness training to help them identify and avoid phishing messages, and businesses should consider using phishing-resistant MFA rather than more basic forms of 2-factor authentication that use SMS or one-time passwords, which phishing kits such as Tycoon 2FA can easily bypass.
by Jennifer Marsh | Mar 27, 2024 | Phishing & Email Spam |
Business Email Compromise (BEC) attacks may not be as frequently encountered as phishing attacks but the losses to this type of attack are far greater. According to figures from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), $2.9 billion was lost last year to BEC attacks – The second most expensive type of cybercrime.
BEC attacks usually involve impersonation, with the attacker posing as a trusted individual. Contact is established and the scammer tricks the victim into divulging sensitive company information or transferring a large sum of money. For instance, the scammer may pose as a contractor and request that bank details are changed for an upcoming payment. The scam is not usually detected until after the transfer has been made and the funds have been withdrawn from the attacker-controlled account.
BEC attacks can be difficult for email security solutions to identify, as the emails are often sent from a known and trusted email account that has been compromised in a phishing attack. BEC scammers research their targets and may have access to past conversations between the victim and the person they are impersonating and can therefore disclose information from past conversations in email exchanges to convince the target that they are who they claim they are. The scams may also be spread across multiple emails, with trust building during the exchanges.
One of the latest BEC campaigns to be identified involves the impersonation of U.S. government entities, such as the U.S. Department of Transportation, Department of Agriculture, and Small Business Association. Initial contact is made via email and a PDF attachment is sent that includes a QR code, which has links about fake bidding processes. The targeted individual is told to use the QR code to find out more information about the bidding process.
The PDF file explains that the QR code is included as complaints have been received that the bid button in the email does not work with some browsers and that the QR code will direct them to a document that should be downloaded as it is required to submit a bid. The emails and the PDF are crafted to appear to have been sent by the spoofed organization, and the website to which the user is directed resembles the official portal used by the spoofed government agency.
If the QR code is scanned, the user will be directed to a phishing site where they will be required to enter their Office 365 credentials, which will provide the attacker with access to their email account. Once access has been gained, the scammers can proceed to the next phase of the attack. They search the email account for messages related to banking or finance and use that information for their BEC attack and send messages to contacts that include fraudulent invoices or payment requests. The emails are sent from a trusted account, so the emails will likely be delivered and there is a good chance that the attack will be successful.
Security awareness training can help to raise awareness of the threat of these attacks with individuals involved in financial transactions in a company, and policies should be in place that require any requested change to banking information to be verified by phone using a previously verified phone number. It is also important to have an email security solution in place to block or flag potential BEC messages.
TitanHQ’s PhishTitan is an ideal choice. PhishTitan can identify and flag sophisticated phishing and BEC emails and can also read and follow the URLs encoded in QR codes. When a suspicious email is detected a banner is added to warn the user, and the emails can be auto-remediated and sent to the junk folder. PhishTitan improves Microsoft’s Office 365 spam filter. Independent tests by Virus Bulletin show the engine that powers T
itanHQ’s SpamTitan spam filter for Office 365 and the PhishTitan 0365 anti-phishing solution has a phishing catch rate of 99.914% with zero false positives. For every 80,000 emails received, PhishTitan identifies and blocks 20 unique, sophisticated phishing attempts that Microsoft’s top anti-phishing solution misses. The solution is also just a fraction of the cost of the average loss to a single BEC attack.
For more information about PhishTitan and how it can protect your business from advanced phishing and BEC attacks, give the TitanHQ team a call.
by Jennifer Marsh | Mar 26, 2024 | Industry News |
TitanHQ has announced it has signed a new partnership agreement with Equinox Technologies which will see TitanHQ’s cybersecurity solutions offered throughout Africa. Equinox Technologies is a pan-African, tech-enabled, business service provider that provides a range of services to more than 40 countries in Africa from its operational hubs in Abuja, Nigeria; Cape Town, South Africa; Nairobi, Kenya; and Tunis, Tunisia. Equinox Technologies helps businesses of all sizes expand and invest seamlessly across international borders through the provision of business-critical administrative, security, and compliance support. The services provided include enterprise mobility management, software engineering, IT operations, digital services, and cybersecurity.
The strategic alliance with TitanHQ will see Equinox Technologies act as a value-added distributor, packaging TitanHQ solutions with other products and services to meet its clients’ cybersecurity and compliance needs and better protect them from the rapidly evolving landscape of cyber threats. Under the new agreement, Equinox Technologies will become the exclusive distributor of TitanHQ solutions in Africa, further expanding TitanHQ’s global footprint.
Equinox Technologies will help its clients improve email security by offering TitanHQ’s cloud-based anti-spam service (SpamTitan), phishing protection solution (PhishTitan), and email encryption solution (EncryptTitan), protection from web-based threats through TitanHQ’s DNS filtering solution (WebTitan), threats that target employees with TitanHQ’s security awareness training and phishing simulation platform (SafeTitan); and help them meet their email retention and compliance obligations through TitanHQ’s email archiving solution (ArcTitan).
“This collaboration signifies Equinox Technologies’ commitment to fortifying its cybersecurity offerings,” said TitanHQ CEO, Ronan Kavanagh. “Together, Equinox Technologies and TitanHQ will be able to shield African companies from the constantly evolving landscape of cyber threats through a comprehensive suite of security solutions.”
by Jennifer Marsh | Mar 20, 2024 | Phishing & Email Spam |
Malware is often distributed via email or websites linked in emails, and advanced email security solutions such as SpamTitan Plus can protect you by preventing the messages from reaching inboxes. SpamTitan Plus uses dual antivirus engines to detect known malware and sandboxing to identify and block zero-day malware threats. SpamTitan Plus also rewrites URLs, uses predictive analysis to identify suspicious URLs, and blocks those URLs to prevent users from reaching the websites where malware is hosted. To get around email security solutions, cybercriminals use other methods for making initial contact with end users, and instant messaging services are a popular alternative.
Researchers at Cybereason recently identified a malware distribution campaign that distributes a Python-based information stealer via Facebook messages. The infostealer has been dubbed Snake and has been developed to steal credentials and other sensitive information. The campaign was first detected in the summer of 2023 and targets businesses. The messages use lures such as complaints and offers of products from suppliers to trick users into visiting a link and downloading a file. As is common with malware distribution campaigns, the threat actor uses legitimate public repositories for hosting the malicious file, such as GitHub and GitLab. The file to which the user is directed is a compressed file and, if extracted, will lead to the execution of a first-stage downloader. The first-stage downloader fetches a second compressed file, extracts the contents, and executes a second downloader, which delivers the Python infostealer.
Three different variants of the infostealer have been identified, all of which gain persistence via the StartUp folder. Each variant targets web browsers, including Brave, Chromium, Chrome, Edge, Firefox, Opera, and the Vietnamese CoC CoC browser, with the latter and other evidence suggesting that the campaign is being conducted by a Vietnamese threat actor. All three variants also target Facebook cookies. The gathered data and cookies are exfiltrated in a .zip file via the Telegram Bot API or Discord.
One way of blocking these attacks is to use a web filter to block access to instant messaging services that are not required for business purposes, including Facebook Messenger. With WebTitan it is possible to block Messenger without blocking the Facebook site, and controls can be implemented for different users to allow users with responsibility for updating the organization’s social media sites to access the platforms while preventing access for other users. It is also a good practice to use WebTitan to block downloads of executable files from the Internet to prevent malware delivery and stop employees from downloading and installing unauthorized software.
by Jennifer Marsh | Mar 14, 2024 | Phishing & Email Spam |
The file hosting service Dropbox is being abused in a novel phishing campaign that exploits trust in the platform to harvest Microsoft 365 credentials. The campaign targeted 16 employees of an organization who received an email from the no-reply[@]dropbox.com account, a legitimate email account that is used by Dropbox. The emails included a link that directed the recipients to a Dropbox-hosted PDF file, which was named to appear as if it had been created by one of the organization’s partners. If the PDF file was opened, the user would see a link that directs them to an unrelated domain – mmv-security[.]top. One of the employees was then sent a follow-up email reminding them to open the PDF file that was sent in the first email. They did, and they were directed to a phishing page that spoofed the Microsoft 365 login page. A couple of days later, suspicious logins were detected in the user’s Microsoft 365 account from unknown IP addresses, which were investigated and found to be associated with ExpressVPN, indicating the attacker was using the VPN to access the account and mask their IP address.
Multifactor authentication was correctly configured on the account but this appears to have been bypassed, with the logins appearing to use a valid MFA token. After capturing credentials, the employee is thought to have unknowingly approved the MFA authentication request which allowed the account to be compromised. The attacker gained access to the user’s email account and set up a new rule that moved emails from the organization’s accounts team to the Conversation History folder to hide the malicious use of the mailbox. Emails were also sent from the account to the accounts team in an apparent attempt to compromise their accounts.
Phishing attacks are becoming increasingly sophisticated and much more difficult for end users to identify. Security awareness training programs often teach users about the red flags in emails they should look out for, such as unsolicited emails from unknown senders, links to unusual domains, and to be wary of any requests that have urgency and carry a threat should no action be taken. Impersonation is common in phishing attacks, but in this case, the impersonation went further with the emails sent from a valid and trusted account. That means that the email is more likely to be trusted and unlikely to be blocked by email security solutions, especially as the emails include a link to a file hosted on a trusted platform. This was also a staged attack, with follow-up emails sent, which in this case proved effective even though the second email was delivered to the junk email folder. The login page to which the user was directed looked exactly the same as the genuine login prompt for Microsoft 365, aside from the domain on which it was hosted.
Many businesses have configured multifactor authentication on their Microsoft 365 accounts, but as this attack demonstrates, MFA can be bypassed. The sophisticated nature of phishing attacks such as this demonstrates how important it is for businesses to have advanced defenses against phishing. TitanHQ’s anti-phishing solutions use AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing and anti-spam software solutions on the market. All emails are scanned – internal and external – for phrases and keywords that are unusual and could indicate malicious intent. All URLs are checked against various threat intelligence feeds to identify malicious URLs, and URLs are rewritten to show their true destination. The solution also learns from feedback provided by users and detection improves further over time. The curated and unique email threat intelligence data is unmatched in visibility, coverage, and accuracy, and TitanHQ’s anti-spam and email security solutions feature sandboxing, where attachments are subjected to deep analysis in addition to signature-based anti-virus scanning. When a malicious email is detected, all other instances are removed from the entire M365 tenant.
If you want to improve your defenses against sophisticated phishing attacks give the TitanHQ team a call. If you are a Managed Service Provider looking for an easy-to-use solution to protect your clients from phishing and malware, look no further than TitanHQ. All solutions have been developed from the ground up to meet the needs of MSPs to better protect their customers from spam, phishing, malware, and BEC attacks.
by Jennifer Marsh | Mar 6, 2024 | Security Awareness |
What would you say is the biggest cybersecurity threat in 2024? Ransomware is certainly a major concern, with attacks being reported with increasing frequency, and phishing attacks continue to cause headaches for businesses; however, a recent survey of Chief Technology Officers (CTOs) by STX Next has revealed the biggest perceived cybersecurity threat is neither of these. When asked about the biggest cybersecurity threat faced by their organization in 2024, 59% of CTOs said human error, 48% said ransomware, and 40% said phishing.
It is possible to implement a range of cybersecurity measures to combat threats such as ransomware and phishing to ensure that these attacks do not succeed. An email security solution can be implemented that will scan all emails for signs of phishing and will prevent the majority of malicious and unwanted messages from being delivered to inboxes. Email security solutions also scan emails for malware to prevent it from reaching employees. Security solutions can detect and block attempts by hackers to breach systems and implementing cybersecurity best practices will ensure that vulnerabilities are addressed before they can be exploited; however, employees are a weak point that many businesses are failing to address, and hackers know all too well that targeting employees is the easiest way to breach a company network.
Hackers can search for and exploit unpatched vulnerabilities in software and investigations of cyberattacks often show highly sophisticated attack methods have been used, but hackers have not required high levels of sophistication in most breaches. It is far easier to use social engineering to trick employees into providing access to accounts and systems and to take advantage of security mistakes by employees. Verizon’s 2023 Data Breach Investigations Report found the human element was involved in 74% of all cybersecurity breaches, with some studies suggesting the figure is closer to 95%.
Human error includes setting weak passwords that can easily be guessed, leaving systems unsecured, disclosing passwords in phishing emails, downloading malware onto their devices, sending emails containing sensitive data to incorrect recipients, installing unauthorized software, and more. It is not possible to stop employees from making mistakes, but if businesses provide security awareness training and teach employees security best practices, it is possible to reduce errors to a low and acceptable level. Security awareness training allows businesses to develop a security culture, where employees are constantly looking for threats and stop and think before they take any action that could potentially open the door to hackers.
The key to successful security awareness training is to provide it regularly. A once-a-year training session is better than nothing, but it won’t create a security culture and employees will not be sufficiently up-to-date on the new tactics that hackers are using to breach business networks. Training needs to be provided continuously throughout the year with employees instructed about the latest tactics hackers are using to target them so they can recognize threats and avoid them.
The SafeTitan Security Awareness Training platform makes it easy for businesses to create effective security awareness training programs. Courses can be developed that run continuously throughout the year, and the training content can be easily tailored to the organization, departments, job roles, and even individuals to ensure it is relevant and tackles the specific threats they are likely to face. The training content covers all aspects of security, teaches best practices, and makes employees aware of the threats they are likely to encounter. SafeTitan is a modular training platform with each computer-based training module lasting no more than 10 minutes, so it is easy to fit training into busy workflows. It is easy for businesses to monitor who is completing training and see how effective the training has been.
In addition to providing training, employees’ knowledge needs to be tested to make sure that the training material has been understood and is being applied. SafeTitan includes a phishing simulation platform that allows businesses to see how employees respond to simulated attacks and identify employees who are making mistakes. Those weak points can then be addressed before they can be exploited by hackers. SafeTitan is the only security awareness training platform that delivers training in real-time in response to employee errors. When an error is detected, such as a phishing test failure, training is delivered to individual employees in real-time when the additional training is likely to be most effective at changing behavior.
Employees are the first line of defense and it is important for the defensive line to be fortified, rather than solely concentrating on technical measures such as anti-spam gateways and spam filtering appliances. To find out more about the SafeTitan platform, give the TitanHQ team a call today. SafeTitan is also available on a free trial so you can see for yourself how easy it is to create and automate your training courses.
by Jennifer Marsh | Mar 5, 2024 | Phishing & Email Spam |
A new phishing kit has been identified that is being used to target employees of the U.S. Federal Communications Commission (FCC) and the cryptocurrency platforms Binance and Coinbase, as well as users of cryptocurrency platforms such as Binance, Coinbase, Caleb & Brown, Gemini, Kraken, ShakePay, and Trezor.
A phishing kit is a set of tools and templates that allows threat actors to conduct effective phishing campaigns. These kits are marketed on the dark web to hackers and allow them to conduct phishing campaigns without having to invest time and money into setting up their own infrastructure. Phishing kits range from simple kits that provide phishing templates and cloned login pages, to more advanced kits that are capable of adversary-in-the-middle attacks that can defeat multifactor authentication. These kits significantly lower the entry barrier for conducting phishing campaigns as they require little technical expertise. Pay a relatively small fee and sophisticated phishing campaigns can be conducted in a matter of minutes.
The new phishing kit is called CryptoChameleon and allows users to create carbon copies of the single sign-on (SSO) pages that are used by the targeted businesses. Employees are used to authenticating through a single solution, through which they authenticate with many business applications. The kit also includes templates for phishing pages to harvest the credentials of cryptocurrency platform users and employees, including pages that impersonate Okta, iCloud, Gmail, Outlook, Yahoo, AOL, and Twitter.
The phishing operation was discovered by researchers at Lookout and more than 100 high-value victims of this campaign have been identified to date. Threat actors using the kit have been contacting users via SMS, email, and phone calls to trick them into visiting a malicious site where their credentials are harvested. Users are redirected to a phishing site but before the content is displayed, they are required to pass an hCAPTCHA check. This helps with the credibility of the campaign, but most importantly it prevents automated analysis tools and security solutions from identifying the phishing site.
In the campaign targeting FCC employees, after passing the hCAPTCHA check, the user is presented with a login page that is a carbon copy of the FCC Okta page. The domain on which the page is hosted – fcc-okta[.com] – differs only slightly (1 character) from the legitimate FCC Okta login page. Login credentials alone are not normally enough to gain access to accounts as many are now protected by MFA. The captured login credentials are used to log in to the real account in real time, and the victim is then directed to the appropriate page where additional information is collected to pass the MFA checks. This could be a page that requests their SMS-based token or the MFA token from their authenticator app. Once the MFA check has been passed and the account has been accessed by the threat actor, the victim can be redirected anywhere. For instance, they could be shown a message that the login has been unsuccessful and they must try again later.
To target cryptocurrency platform users, messages are sent about security alerts such as warnings that their account has been accessed. These messages are likely to attract a rapid response due to the risk of substantial financial losses. In the campaign targeting Coinbase, the user is told they can secure their account and if they log in they can terminate suspicious devices. A similar process is used to obtain the credentials and MFA codes needed to access the account as the FCC campaign.
This is just one of many phishing kits offered on the dark web. Protecting against these phishing kits requires a combination of measures including an advanced spam filter, web filter, and security awareness training. For further information on cybersecurity solutions capable of combatting advanced phishing attempts, give the TitanHQ team a call.
by Jennifer Marsh | Feb 29, 2024 | Network Security |
Phobos ransomware may not be the most prolific ransomware group, but the group poses a significant threat, especially to municipal and county governments, emergency services, education, and healthcare organizations. The group issues ransom demands for millions of dollars and the group’s attacks have caused hundreds of millions of dollars in losses. Phobos is a ransomware-as-a-service operation where the infrastructure to conduct attacks and encrypt files is provided to affiliates – individuals who specialize in breaching company networks – in exchange for a percentage of any ransom payments they can generate. The affiliates benefit from being able to concentrate on what they do best, and the ransomware group makes up for the loss of a percentage of the ransom by conducting many more attacks than would be possible on their own.
The group engages in double extortion tactics involving data theft and file encryption. Threats are issued to publicly leak stolen data on the group’s data leak site and payment is required for the keys to decrypt data and prevent data exposure. Several ransomware variants are connected to Phobos based on the tactics, techniques, and procedures (TTPs) used in attacks, including Elking, Eight, Devos, Faust, and Backmydata ransomware. The latter variant was recently used in an attack in Romania that affected around 100 hospitals.
Affiliates use several methods to gain initial access to victims’ networks, with phishing one of the most common. The phishing attacks conducted by the group usually involve spoofed email attachments with hidden payloads, with one of the favored payloads being the Smokeloader backdoor trojan. Smokeloader gives the group initial access to victims’ networks, from where they use a variety of methods and legitimate networking tools for lateral movement, credential theft, privilege escalation, and data exfiltration. These include 1saas.exe or cmd.exe for privilege escalation, Windows shell functions for control of systems, and built-in Windows API functions to bypass access control and steal authentication tokens. Open source tools such as Bloodhound and Sharphound are used to enumerate the Active Directory, Mimikatz for obtaining credentials, and WinSCP and Mega.io for file exfiltration. Other methods used for initial access include the use of legitimate scanning tools such as Angry IP Scanner to search for vulnerable RDP ports, and then open source brute-forcing tools are used to guess weak passwords.
To improve defenses against Phobos ransomware attacks, businesses should follow the guidance in the recently published security alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), which includes latest Indicators of Compromise (IoCs) and TTPs observed in recent attacks. The guidance can be found in the #StopRansomware section of the CISA website.
Mitigations are concerned with improving defenses against the initial access vectors – phishing and remote access software. An email security solution is required to block phishing emails, consider disabling hyperlinks in emails, and adding banners to emails from external sources. An email security solution should be used that has both signature and behavioral threat detection capabilities to identify malicious files. End user training should be provided to improve resilience to phishing attempts, web filtering to block malicious file downloads, phishing-resistant multi-factor authentication to prevent the use of compromised credentials from granting access, strong password policies to improve resilience to brute force attacks, and strict controls on RDP and other remote desktop services. Robust backup processes are required, including maintaining offline backups of data, and an incident response policy for ransomware attacks should be developed and tested to ensure the fastest possible recovery in the event of an attack.
by Jennifer Marsh | Feb 29, 2024 | Network Security |
A coordinated law enforcement operation – Operation Cronos – headed by the UK National Crime Agency (NCA) and coordinated by Europol seized the infrastructure of the notorious LockBit ransomware group earlier this month. 34 servers were seized in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, along with 200 cryptocurrency wallets, and the keys to decrypt the data of some of the group’s victims. Two LockBit actors were also arrested in Poland and Ukraine, and three arrest warrants and five indictments were issued by judicial authorities in France and the United States. The decryption keys allowed an automated decryptor to be developed, which was added to the No More Ransom website.
The group’s affiliate portal was seized along with its data leak sites and messages were uploaded for affiliates warning them that names and locations were known and they could receive a visit from law enforcement very soon. The NCA threatened to release the name of the group’s figurehead, LockBitSupp, and even added a countdown timer to the data leak site, as LockBit would do when adding victims to the leak site. However, the NCA did not disclose the details and instead added a statement confirming LockBitSupp’s real name, location, and financial worth were known. The NCA also added that LockBitSupp has engaged with law enforcement.
LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks using LockBit ransomware. As payment for those attacks, affiliates receive a percentage of any ransoms they generate. LockBit engaged in double extortion tactics, where sensitive data was stolen in addition to file encryption. Payments are required to prevent the release of the stolen data on the group’s data leak site and to obtain the keys to decrypt data. LockBit then moved to triple extortion, where in addition to data theft and file encryption, Distributed Denial-of-Service (DDoS) attacks are conducted on victims to pile on the pressure and get them to pay the ransom.
LockBit has been in operation since September 2019 and rapidly became a major player in the RaaS market. At the time of the takedown, LockBit was behind 25% of all ransomware attacks and had around 180 affiliates conducting attacks. The next biggest player is Blackcat with an 8.5% market share. The LockBit group has extorted more than $120 million from organizations around the world and its attacks have caused billions of dollars of damage.
The law enforcement operation was significant and a major embarrassment for the group, potentially causing significant damage to the group’s reputation. However, it did not take long for LockBit to respond. A few days after the announcement about the law enforcement action, LockBit created a new data leak site and populated it with the names of 12 recent victims. A note was also added explaining that the FBI most likely exploited an unpatched PHP bug, which hadn’t been addressed out of laziness, which allowed access to be gained to its servers. LockBit claimed the takedown was conducted when it was because data was going to be released from an attack on Fulton County in Georgia, where one of Donald Trump’s lawsuits is being heard, and the release of that data could affect the upcoming Presidential Election.
Typically after a successful law enforcement operation, ransomware gangs rebrand but LockBit appears to be defiant and looks set to continue under the same name. LockBitSupp claimed that the attacks could not stop as long as he was alive, and the group would be updating its infrastructure to make it harder for any future law enforcement operations to succeed. A little more than a week after the law enforcement announcement, the LockBit group appears to be conducting attacks again using new infrastructure, a new data leak site, a new negotiation site, and a new encryptor. It is unclear how many affiliates have been retained but the group has announced that it is recruiting again and is looking for new pen testers, indicating some have decided to leave the operation. What is clear is the group is back and remains a significant threat.
by Jennifer Marsh | Feb 29, 2024 | Network Security |
There is growing evidence that cybercriminal groups are leveraging artificial intelligence in their cyberattacks, specifically large language models (LLMs) such as ChatGPT, despite the restrictions OpenAI has put in place. There are also LLMs that are being marketed directly to cybercriminals such as WormGPT. WormGPT is a blackhat AI tool that has been specifically developed for malicious uses and can perform similar tasks to ChatGPT but without any ethical restrictions on uses. The tool can be used for generating convincing phishing and business email compromise emails in perfect English, free from the spelling mistakes and grammatical errors that are often found in these emails.
It is not only cybercriminal groups that are using these AI tools. Nation state hacking groups are exploring how these tools can help them gain initial access to targeted networks. Recently published research from Microsoft and OpenAI confirmed that threat actors from Russia, China, Iran, and North Korea and using AI tools to support their malicious activities. Microsoft and OpenAI found the most common uses of LLMs by nation state actors were for translation, finding coding errors, running basic coding tasks, and querying open-source information. While it does not appear that they are using LLMs to generate new methods of attack or write new malware variants, these tools are being used to improve and accelerate many aspects of their campaigns.
The threat actor tracked by Microsoft as Crimson Sandstorm, which is affiliated with the Islamic Revolutionary Guard Corps (IRGC), a multi-service primary branch of the Iranian Armed Forces, has been using LLMs to improve its phishing campaigns to gain initial access to victims’ networks. Microsoft and OpenAI also report that the hacking group has been using LLMs to enhance its scripting techniques to help them evade detection. The North Korean APT group, Emerald Sleet, is well known for conducting spear phishing and social engineering campaigns and is using LLMs to assist with researching think tanks and key individuals that can be impersonated in its spear phishing campaigns. Threat groups linked to the People’s Republic of China such as Charcoal Typhoon and Salmon Typhoon have been using LLMs to obtain information on high-profile individuals, regional geopolitics, US influence, and internal affairs and for generating content to socially engineer targets. OpenAI says it has terminated the accounts of five malicious state actors and has worked with Microsoft to disrupt their activities, and OpenAI and Microsoft have been sharing data with other AI service providers to allow them to take action to prevent malicious uses of their tools.
It should come as no surprise that cybercriminals and nation state actors are using AI to improve productivity and the effectiveness of their campaigns and are probing the capabilities of AI-based tools, and while this is a cause of concern, there are steps that businesses can take to avoid falling victim to AI-assisted attacks. The best way to combat AI-assisted attacks is to leverage AI for defensive purposes. SpamTitan has AI and machine learning capabilities that can detect zero day and AI-assisted phishing, spear phishing, and business email compromise attacks and better defend against AI-0assisted email campaigns.
With fewer spelling mistakes and grammatical errors in phishing emails, businesses need to ensure they provide their workforce with comprehensive training to help employees recognize email and web-based attacks. The SafeTitan security awareness training and phishing simulation platform is an ideal choice for conducting training and phishing simulations and improves resilience to a range of security threats. TitanHQ’s data shows susceptibility to phishing attacks can be reduced by up to 80% through SafeTitan training and phishing simulations. Businesses should also ensure that all accounts are protected with multi-factor authentication, given the quality of the phishing content that can be generated by AI tools, and ensure that cybersecurity best practices are followed, and cybersecurity frameworks are adopted. The most important advice that we can give is to take action now and proactively improve your defenses, as malicious uses of AI are only likely to increase.
by Jennifer Marsh | Feb 28, 2024 | Phishing & Email Spam |
Cybercriminals are increasingly offering services that make it easy for anyone to conduct an attack. Skilled malware developers can concentrate on writing their malware and making it available for others to use for a fee, ransomware-as-a-service allows hackers who are skilled at breaching networks to conduct lucrative ransomware attacks without having to develop encryptors and pay for the infrastructure to their support attacks, and phishing-as-a-service provides a platform for conducting attacks to steal credentials and access accounts. These services benefit all parties and allow even more attacks to be conducted.
Phishing campaigns may appear simple, but they require a lot of time and skill to set up. Stephanie Carruthers, who leads an IBM X-Force phishing research project, said it takes her team about 16 hours to craft a phishing email, not including the time it takes to set up all the necessary infrastructure to send the email and steal credentials. Setting up the infrastructure is time-consuming and costly, and many businesses now have multi-factor authentication (MFA) to thwart attacks.
With phishing-as-a-service (PhaaS), anyone who wants to run a phishing campaign can simply pay a subscription and will be provided with all the tools they need to conduct attacks. They do not need to craft the phishing emails, they just need to set a few parameters and provide the email addresses for the campaign. PhaaS makes conducting sophisticated attacks simple and significantly lowers the bar for conducting campaigns.
Take LabHost, for example, a PhaaS platform that recently introduced functionality for targeting financial institutions and banks in North America and Canada. Since this new functionality was included in the first half of 2023, attacks have increased considerably. A monthly subscription is paid, and customers are provided with a turnkey phishing kit, which includes the infrastructure for hosting phishing pages, a content generator for creating phishing emails, and a portal for monitoring the progress of campaigns. Customers can choose to pay $179 per month to target Canadian banks, $249 per month to expand the targets to North America, and $300 a month to also target 70 financial institutions worldwide. Customers are also provided with phishing pages for collecting credentials or a variety of other companies, including music streaming sites, delivery services, and telecommunications companies.
Important to the success of any campaign is the ability to defeat multi-factor authentication. The LabHost phishing kit incorporates LabRat, a phishing tool that allows real-time management of phishing campaigns and allows adversary-in-the-middle attacks where two-factor authentication codes and cookies are obtained in addition to usernames and passwords. That means the additional security processes on the online portals of banks can be circumvented. The platform also allows SMS-based attacks to be conducted.
PhaaS allows unskilled hackers to conduct effective campaigns that they otherwise would not be able to conduct. Further, with the use of AI to craft convincing phishing emails, phishing emails are becoming much harder for humans and security solutions to detect, and even MFA and other security measures can be bypassed.
Defending against attacks is therefore challenging, and there is no single cybersecurity solution that will block all attacks. What is needed is a defense-in-depth approach, with multiple, overlapping layers of protection. Cybersecurity solutions are required to block the phishing emails. SpamTitan is an advanced email security solution with AI and machine learning capabilities for identifying novel phishing threats. SpamTitan blocks known malware through AV controls and unknown malware through sandboxing. The message sandboxing feature uses pattern filtering to identify malware from its behavior, which allows zero-day malware threats to be identified and blocked. Malware sandboxing is vital for email security since so many novel malware threats are now being released. SpamTitan is also capable of identifying even machine-crafted phishing content.
End user training is also vital, as no email security solution will block all email threats without also blocking an unacceptable number of genuine emails. End users should be trained on how to identify, avoid, and report phishing emails. The SafeTitan security awareness training platform makes security awareness training simple, and the constantly updated content allows businesses to respond to changing phishing tactics and conduct phishing simulations on the workforce to reinforce training and identify knowledge gaps.
Given the number of phishing kits that are capable of bypassing multi-factor authentication, simply enabling MFA on accounts is no longer sufficient to protect against unauthorized access. Phishing-resistant multi-factor authentication is required – FIDO/ WebAuthn authentication or Public key infrastructure (PKI)-based MFA – to block adversary-in-the-middle attacks that can be conducted through PhaaS.
If you want to improve your defenses against phishing and other cybercriminal services, give the TitanHQ team a call to discuss your options.
by Jennifer Marsh | Feb 26, 2024 | Phishing & Email Spam |
A massive email spamming campaign has been detected that is generating up to 5 million emails per day that direct recipients of the emails to a variety of scam sites. The emails are sent through hijacked subdomains and domains of trusted companies, which help these emails evade email security solutions and be delivered to inboxes. Companies that have had domains and subdomains hijacked include eBay, CBS, McAfee, MSN, and Symantec.
Email security solutions perform a range of checks on inbound emails, including reputation checks on the senders of emails. If a domain is trusted and has not previously been associated with spamming, these checks – using SPK, DKIM, and DMARC – are likely to be passed, resulting in the emails being delivered to end users. The use of these legitimate domains also makes it harder for end users to determine whether the messages are genuine. Security awareness training programs often teach end users to check the sender of the email and make sure that it matches the company being spoofed. If the domain is eBay, and the email uses eBay branding, end users are likely to think that the communication is genuine. These emails include links to websites that generate fraudulent ad revenue, and often several redirects occur before the user lands on the destination scam or phishing site.
The ‘SubdoMailing’ campaign was identified by researchers at Guardio Labs, with the legitimate domains typically hijacked through SPF record exploitation or CNAME hijacking. The former involves searching for domains that use the ‘include’ configuration option that points to external domains that are no longer registered. Those domains are then registered by the threat actor and the SPF records are changed to authorize the use of their own email servers. When those servers are used to send emails, they appear to have been sent by the targeted brand, such as eBay.
With CNAME hijacking, scans are conducted to identify subdomains of reputable brands with CNAME records that point to external domains that are no longer registered. The threat actor then registers those domains, SPF records are injected, and emails can be sent from their email servers to show that they have been sent by a legitimate company. By hijacking huge numbers of domains and subdomains, the threat actor is able to conduct massive spamming campaigns. The researchers identified more than 13,000 subdomains and more than 8,000 domains that were used in the campaign, with more than 1000 residential lines used and almost 22,000 unique IPs. The researchers developed a tool to allow domain owners to check whether their own domains have been hijacked and take action to stop that abuse. An advanced spam filter is required to block the messages that are set from these hijacked domains and subdomains – one that does not rely on SPF, DKIM, and DMARC for identifying spam emails.
by Jennifer Marsh | Feb 26, 2024 | Security Awareness |
One of the fundamental security awareness training errors made by many businesses is failing to check the effectiveness of their training. A training course is purchased or developed internally, employees receive training, and the training is provided again each year, but there are no assessments performed to determine whether the training has actually worked. It is often only when there is a successful phishing attack that training is discovered to have failed, and many businesses then blame the employee for falling for the phishing attempt, when the fault may lie with the employer.
The aim of security awareness training is to change users’ behavior, and that is achieved by teaching security best practices, making employees aware of the threats they are likely to encounter, showing them what they should be doing to identify and avoid those threats, and teaching them to report those threats to the security team. The process should not end there, as it is also necessary to determine whether the training has worked. Many employees will take the training on board, will change their behavior, and will become security Titans. Others may struggle to grasp certain concepts and require further training or different training approaches. If there is no monitoring or assessments, weak points will not be identified and risk will not be reduced.
Tips for Assessing the Effectiveness of Security Awareness Training
Assessing the effectiveness of security awareness training can be challenging, as there is no single metric that can be measured that provides a complete picture. The best approach is to use multiple metrics for measuring the effectiveness of a security awareness training program.
First, you need to have a baseline against which you can measure progress. You need to know the level of security awareness before training starts and you can measure progress over time. Pre-training assessments are useful and can be conducted via a questionnaire covering all security topics you intend to cover during training. These questionnaires will also allow you to develop training courses appropriate to each individual to ensure that specific knowledge gaps are addressed.
It is important to monitor participation and completion rates to see how whether employees are engaging and taking training seriously. If participation is poor, the importance of training may not have been conveyed, or employees may not have the time to fit training into busy workflows, and these factors will need to be addressed. If training content is not being completed, the training may be too long, not engaging enough, and boring. If employees are not engaged, then the training will not be effective.
Quizzes should be conducted after each training module to see if employees have understood the topic. If questions are answered incorrectly, then the employees concerned have not understood the training and need more help. These quizzes allow targeted intervention to address issues with individual employees on specific topics. These quizzes should be repeated over time to test knowledge retention. A quiz directly after a training session may be passed but testing again in a few weeks or months will allow you to measure whether information has been retained.
One of the most important tools is a phishing simulation platform. These platforms are used to send realistic but fake phishing emails to the workforce to test whether training is being applied. Phishing simulation data is one of the most important metrics for measuring the effectiveness of a training campaign through open rates, click rates, and reporting rates. These simulations should be conducted before training to get a baseline and after training to determine the effectiveness of security awareness training over time. If the click rate is falling and the reporting rate is increasing, then the training is working. Phishing simulations also allow you to identify knowledge gaps and provide targeted training specific to the threat that was incorrectly identified. It gives employees practice at applying their new knowledge so that when a real threat is encountered, it is more likely to be correctly identified.
You should also seek feedback on the training from your employees. The best approach is to provide anonymous questionnaires and to encourage employees to provide honest feedback. These questionnaires should include security questions to gauge understanding of security best practices, questions to determine how the employees feel about the training, any problems they have, and if they feel the training has been effective and relevant to their role. While the questionnaire should be anonymous, it is useful to know which departments the employees work in to allow you to tailor your training course appropriately.
Security Awareness Training from TitanHQ
Monitoring the effectiveness of security awareness training is easy with the SafeTitan security awareness training and phishing simulation platform. The platform allows users to conduct pre-training assessments, assessments after each training module, and further assessments over time. The phishing simulation platform allows simulations to be automated and provides detailed metrics that demonstrate the effectiveness of the training and show the return on your investment. The phishing simulator will also trigger additional training in response to a failed test, which is delivered immediately to explain the error that has been made and provide the necessary training at the point when the training is most likely to be taken on board.
Through the use of the SafeTitan platform and phishing simulator, businesses can not only improve resilience to threats, they can get detailed metrics to show just how effective training has been. Data from users shows that resilience to phishing can be improved by up to 80%. Get in touch with the TitanHQ team today to find out more and to arrange a free trial of the platform to see for yourself how easy it is to create training campaigns, run phishing simulations, and measure the effectiveness of security awareness training. TitanHQ also offers DNS filtering, email encryption, phishing protection, and email archiving solutions, and a cloud-based anti-spam service with unrivaled accuracy.
by Jennifer Marsh | Feb 26, 2024 | Phishing & Email Spam |
Cybercriminals are constantly devising new email campaigns for distributing malware. These campaigns usually impersonate a trusted entity and advise the email recipient about a pressing issue that requires immediate attention. The emails often have an attached file that must be opened to find out further information about the issue detailed in the email.
One recently detected campaign impersonates travel service providers such as booking.com and advises the recipient about a problem with a recent booking. One of the intercepted emails explains that an error has occurred with a booking that has resulted in a double charge to the user’s credit card which requires immediate attention. The email has a PDF attachment which needs to be opened for further information. PDF files are increasingly being used in email campaigns for distributing malware. The PDF files often contain a script that generates an error message when the file is opened that tells the user that the content of the file cannot be displayed, and they are provided with an option to download the file.
In this campaign, the PDF file contains a script that generates a fake popup message. If clicked, a connection is made to a malicious URL and a download of an obfuscated JavaScript file is initiated. The script downloads the next stage PowerShell payload, and on execution, drops a malicious DLL file on the device. The DLL file searches for certain critical system processes and attempts to forcibly stop them, makes changes to the registry that affect the Windows Antimalware Scan Interface (AMSI) and ensures that the malware is executed without being detected by security solutions. An analysis of the DLL file by researchers at Forcepoint shows the file is from the Agent Tesla malware family. Agent Tesla is a remote access trojan (RAT) that first appeared in 2014 and grew in popularity during the COVID-19 pandemic. Agent Tesla is provided under the malware-as-a-service model and is popular with initial access brokers, who specialize in gaining access to devices and accounts and then sell that access to other cybercriminals such as ransomware gangs.
Agent Tesla allows commands to be run on compromised systems and is capable of stealing sensitive information, such as login credentials stored in browsers. The malware can also take screenshots, log keystrokes, and perform other malicious actions. The malware uses multiple layers of obfuscation to ensure it is not detected by antivirus solutions. The malware is commonly used to gain initial access to business networks, primarily through phishing campaigns. In this campaign, by impersonating a popular travel service company there is a reasonable chance that the user may have used the service in the past or have a current booking and will therefore open the email. However, since the emails reference a charge to a credit card, that may be sufficient to get the user to open the attachment.
To protect against this and other malware distribution campaigns, businesses should ensure that they protect all endpoints with email security and antivirus solutions that are capable of behavioral analysis of files, as Agent Tesla and many other popular malware variants use obfuscation to bypass signature-based security solutions. Web filtering solutions provide added protection as they block connections to the malicious URLs that host malware and they can be configured to block downloads of executable files from the Internet. It is also important to provide security awareness training to the workforce to raise awareness of cyber threats and conduct phishing simulations to test the effectiveness of training.
TitanHQ offers a range of cybersecurity solutions for businesses and managed service providers to help them defend against cyber threats delivered via email and the Internet, including spam filtering with email sandboxing, web filtering, and security awareness training. Give the team a call today to find out more about improving your defenses against phishing and malware. All TitanHQ solutions are available on a free trial to allow you to test the products and see for yourself the difference they make.
by Jennifer Marsh | Feb 23, 2024 | Email Scams |
Small- and medium-sized businesses are being targeted in a phishing campaign that leverages the email service provider (ESP) SendGrid. SendGrid is a legitimate and well-known company that provides a customer communication platform for transactional and marketing email. SendGrid customer accounts are targeted to gain access to company mailing lists which can be used for a variety of email campaigns, such as phishing, spamming, and scams. In this campaign, the phishers compromise companies’ SendGrid accounts and use the ESP itself to send phishing emails. Emails sent through the SendGrid platform are likely to be trusted by email security solutions, especially as the compromised accounts will have been used to send communications in the past. SendGrid may even be whitelisted to ensure that the emails are always delivered to inboxes. SendGrid emails are also likely to be trusted by end users.
In this campaign, the emails use a security-themed lure and inform the recipients that they need to set up 2-factor authentication – a perfectly reasonable request since 2-FA will better protect accounts against unauthorized access. The users are provided with a link that directs them to a malicious website that spoofs the SendGrid login, and if credentials are entered, they are harvested by the scammer. The emails were routinely delivered to inboxes and evaded email security solutions because the SendGrid was trusted.
SendGrid performs stringent checks on new accounts so it is difficult for malicious actors to use SendGrid directly, instead they compromise business SendGrid accounts, often through phishing attacks. Twilio SendGrid detected the malicious activity linked to customer accounts that were being used for phishing, and its fraud, compliance, and cyber security teams immediately shut down accounts. To better protect SendGrid accounts, users are advised to log in to their account and set up 2-factor authentication to prevent compromised credentials from granting access to user accounts.
The campaign demonstrates that even emails from reliable sources may not be what they seem. Many companies provide security awareness training to their employees that teaches cybersecurity best practices and trains employees on how to recognize and avoid phishing. It is important to include these types of emails in training material, as ESPs are being increasingly targeted by cybercriminals due to the effectiveness of campaigns run through an ESP.
With SafeTitan, keeping employees up to date on the latest tactics used by phishers and other cybercriminals is easy. The training content is regularly updated with new phishing templates based on real-world attacks and the latest phishing trends, and phishing simulations can be conducted on employees to test how they respond to phishing attempts outside of the training environment. SafeTitan is the only security awareness training platform that delivers targeted training automatically in response to bad security practices by employees, ensuring training is provided at the moment when it is most likely to be taken on board.
by Jennifer Marsh | Feb 22, 2024 | Phishing & Email Spam |
A massive malware distribution campaign has been detected that uses phishing emails for initial contact with businesses and Google Cloud Run for hosting the malware. A variety of banking trojans are being distributed including Astaroth, Mekotio, and Ousaban. The campaign primarily targets countries in Latin America, and as such the majority of the phishing emails are in Spanish, but Italian versions have also been detected and there are indications that the campaign is spreading to other regions including Europe and North America.
The phishing emails used in this campaign appear to be legitimate invoices, statements, and communications from government and tax agencies and include a link that the recipient must click to view the attached invoice, statement, or demand. The link directs the user to services on Google Cloud Run, which is a popular service for hosting frontend and backend services and deploying websites and applications without having to manage infrastructure. Google Cloud Run has been used for hosting malware throughout 2023 but there was a massive spike in activity that started in September 2023 and has continued through January and February.
Over the past few months, Google’s service has been proving popular with cybercriminals for hosting malware as it is both cost-effective and is generally not blocked by security solutions. If a user clicks the email link, an MSI file is downloaded onto their device. MSI files are executable files, which in this case include embedded JavaScript that downloads additional files and delivers one or more banking trojans.
The banking trojans achieve persistence through LNK files in the startup folder that execute a PowerShell command on boot that runs the infection script. The banking trojans are capable of keylogging, clipboard monitoring, screenshots, credential theft, and traffic manipulation to direct users to cloned websites of financial institutions to capture banking credentials. The Astaroth banking trojan alone targets more than 300 financial institutions as well as cryptocurrency exchanges.
To protect against this and other malware distribution campaigns, businesses need to adopt a defense-in-depth approach and should implement multiple layers of protection. The first line of defense is a spam filter or email security solution to block the initial phishing emails. SpamTitan Plus is a leading-edge anti-spam service that provides maximum protection against malicious emails. The solution has better coverage, faster phishing link detections, and the lowest false positive rate of any product, which makes it the best spam filter for businesses and an ideal MSP spam filtering solution In addition to including all leading phishing feeds to ensure the fastest possible detection of new phishing threats, SpamTitan Plus uses predictive analysis to identify suspicious URLs that have not yet been detected as malicious.
A web filter, such as WebTitan, can be used to control access to the Internet. For example, blocks can be placed on websites and certain categories of websites down to the user level, the solution prevents access to all known malicious URLs, and can be configured to block file downloads from the Internet, such as MSI files and other executable files that are often used for malware delivery.
Cybercriminals often host malware on legitimate hosting platforms which are usually trusted by security solutions, which means malicious emails may be delivered to end users. It is therefore important to provide security awareness training for the workforce. Security awareness training raises awareness of the threats that employees are likely to encounter and teaches them security best practices to help them identify, avoid, and report cyber threats. Combined with phishing simulations, it is possible to greatly reduce susceptibility to phishing and malspam emails. Data from companies that use the SafeTitan security awareness training platform and phishing simulator shows susceptibility to phishing threats can be reduced by up to 80%.
If you are looking to improve your defenses against phishing and malware, give the TitanHQ team a call to find out more about these products and to help get you set up for a free trial to put these solutions to the test in your own environment.
by Jennifer Marsh | Feb 21, 2024 | Phishing & Email Spam |
A recent report from the Computer Emergency Response Team (CERT-EU) has provided insights into how EU organizations are being targeted by nation-state-sponsored actors and cybercriminal groups. The majority of nation-state activity has been linked to hacking groups in the Russian Federation and the People’s Republic of China, and while it is not always possible to determine the motives behind cyberattacks and intrusions, the majority of nation-state hacking activity is believed to be conducted to achieve cyberespionage objectives. The aim of these campaigns is to gain access to accounts/emails or servers where sensitive data is stored. Around 73% of all attacks within the EU are believed to be conducted for espionage purposes, with 16% of attacks conducted by hacktivists. Some of the hacktivism incidents are thought to be a front for nation-state activity.
In contrast to the United States, cybercriminal activity accounts for a low percentage of all malicious activity, with only 7% of intrusions attributed to cybercrime. CERT-EU reports that only a very limited number of cybercrime actors are conducting attacks within the EU, and the majority of that activity comes from ransomware groups. These groups gain access to internal networks, steal sensitive data, and encrypt files then demand payment to prevent the publication of the stolen data and for the keys to decrypt data.
In 2023, CERT-EU identified 55 ransomware operations that were active within the EU, and 906 victims were identified from data leak sites and open sources. It should be noted that not all ransomware attacks are reported and many companies quietly pay the ransom, so the true total could be substantially higher. Many of these attacks appeared to be opportunistic in nature rather than targeted. While there are many different ransomware groups, the most active in the EU were LockBit, Play, and BlackBasta, although in Q4, 2023 there was a large increase in attacks by the 8Base group, with NoEscape also highly active in the second half of the year. Ransomware groups attacked a wide range of sectors, with manufacturing the worst affected with 24% of attacks, followed by legal/professional services (14%), and construction/engineering (12%).
A variety of methods were used to gain access to targeted networks. 104 software products were targeted with these attacks often exploiting vulnerabilities in internet-facing products, involving trojanized software, fake software, and abuse of public repositories used for programming languages. Some of the most significant attacks of the year involved networking products, such Fortinet, Cisco, and Citrix products, as well as password managers such as 1Password or LastPass, content management and collaboration tools such as WordPress and Altassian Confluence, and cloud services. While many attacks used these methods for initial access, by far the most common method was spear phishing for both cybercriminal and nation-state threat actors.
Spear phishing attacks include malicious links to websites where credentials are harvested or malicious attachments. There was a significant increase in spear phishing attacks that used lures related to EU affairs, with it common to include decoy PDF files that were originally internal or publicly available documents related to EU policies, for example, documents relating to the Swedish Presidency of the Council of the European Union, EU – Community of Latin American and Caribbean States (CELAC) Summit, and the Working Party of Foreign Relations Counsellors (RELEX). These campaigns were directed at individuals and organizations involved in EU policies, and the emails often impersonated staff members of union entities or the public administration of EU countries to add credibility. Public administration entities were the most targeted, followed by entities in diplomacy, defense, transport, finance, health, energy, and technologies. While spear phishing is usually performed via email, CERT-EU notes some diversification of communications, with attacks also conducted via social media networks, instant messaging services, and SMS messages.
Entities in the EU should implement layered defenses against the most common initial access vectors. An advanced email security solution should be implemented that is capable of signature and behavioral analysis of emailed files, with extensive threat intelligence feeds, and AI/machine learning capabilities. SpamTitan anti-spam software has all of these features and more and will protect your business from all types of email-based attacks. SpamTitan is offered as a cloud-based anti-spam service or can be provided as an anti-spam gateway for on-premises environments. A web filter such as WebTitan will protect against the internet-based component of cyberattacks by blocking access to malicious sites, and security awareness training and phishing simulations should be conducted on the workforce using a solution such as SafeTitan. To protect against unauthorized account access, multi-factor authentication should be implemented and software should be kept up to date with the latest updates and patches applied promptly.
by Jennifer Marsh | Feb 20, 2024 | Phishing & Email Spam |
There has been a marked increase in email campaigns using malicious PDF files to distribute malware, rather than the typical uses of PDF files for obtaining sensitive information such as login credentials.
Increased security measures implemented by Microsoft have made it harder for cybercriminals to use macros in Office documents in their email campaigns, with PDF files a good alternative. Malicious links can be embedded in PDF files that drive victims to web pages where credentials are harvested. By using PDF files to house the links, they are less likely to be blocked by email security solutions.
Over the past few months, PDF files have been increasingly used to distribute malware. One of the currently active campaigns uses malicious emailed PDF files to infect users with DarkGate malware. DarkGate malware is offered under the malware-as-a-service model and provides cybercriminals with backdoor access to infected devices. In this campaign, emails are sent to targets that contain a PDF attachment that displays a fake image from Microsoft OneDrive that suggests there was a problem connecting which has prevented the content from being displayed. The user is given the option to download the PDF file; however, the downloaded files will install DarkGate malware.
In this campaign, clicking the link does not directly lead to the malware download, instead, the click routes through an ad network, so the final destination cannot be identified by checking the link of the download button. Further, since the ad network uses CAPTCHAs, the threat actors can make sure that the destination URL is not revealed to email security solutions. If the CAPTCHA is passed, the user will be redirected to the malicious URL where they can download the file. This is often a compressed file that contains a text file and a URL file, with the latter downloading and running JavaScript code which executes a PowerShell command that downloads and executes the malicious payload.
PDF files have been used in many other malware campaigns, including those that distribute the Ursnif banking Trojan and WikiLoader malware. Recent campaigns distributing these malware variants have used parcel delivery lures with PDF file attachments that contain a link that prompts the user to download a fake invoice. Instead of the invoice, a zip file is downloaded that contains a JavaScript file. If executed, the JavaScript file downloads an archive, extracts the contents, and executes the malware payload. Another campaign uses PDF files to install the Agent Tesla remote access trojan using Booking.com-related lures.
Not only do PDF files have a greater chance of evading email security solutions, they are also more trusted by end users than Office file attachments. Security awareness campaigns are often focused on training employees about the risks of phishing, such as clicking links in unsolicited emails and the risks of opening unsolicited office files. Malicious email campaigns using PDF files arouse less suspicion and end users are more likely to be tricked by these campaigns.
It is important for businesses to incorporate PDF files into their security awareness training and phishing simulation campaigns to better prepare employees for this growing threat. With SafeTitan, adding new content in response to the changing tactics, techniques, and procedures of threat actors is a quick and easy process. Get in touch with the TitanHQ team today to find out more about the SafeTitan security awareness training and phishing simulation platform and discover the difference the solution can make to your organization’s security posture.
by Jennifer Marsh | Feb 18, 2024 | Phishing & Email Spam |
A large-scale phishing campaign has been identified that has already targeted many thousands of organizations in the United States and could be expanded geographically. The purpose of the campaign is to distribute Bumblebee malware, a malware loader that was first identified in 2022 and is thought to be a replacement for the widely used BazarLoader malware loader. Bumblebee malware is used for gaining initial access to networks and has been used in many successful cyberattacks. The malware is rented out to cybercriminals or access to compromised networks is sold to cybercriminal groups such as ransomware gangs. The malware has been linked to several high-profile threat actors and notorious ransomware gangs, including the now-defunct Conti ransomware group.
Over the past four months, Bumblebee malware has not been detected but it has now returned with a massive campaign. A variety of lures are used in phishing emails, which incorporate social engineering techniques to trick the recipients into downloading and executing the malware. For instance, the latest campaign included thousands of emails using the subject Voicemail February, with messages indicating the user had missed a voice call. The emails instructed the recipient to download the recording, the opening of which triggered the infection process. Other emails used in the campaign have used Word documents with malicious macros with the emails spoofing trusted companies, such as the electronics firm Humane. Rather than include the document attached to the email, a OneDrive link was provided in the email from which the document could be downloaded. This was an effort to prevent detection by email security solutions, as OneDrive is a legitimate and trusted service. Previous campaigns have used DocuSign branded emails that trick users into downloading a zipped ISO file from OneDrive.The group is known to hijack email threads to make it appear that the emails are responses to previous conversations with contacts.
Multiple threat actors are believed to rent out the malware, including the initial access brokers who work with ransomware gangs. Bumblebee malware infections are often accompanied by other payloads, including Cobalt Strike, Meterpreter, Sliver, and shellcode, and often lead to ransomware attacks. To combat Bumblebee malware infections, businesses should implement robust defenses against phishing. An advanced email security solution is required with AI and machine learning capabilities that can detect novel phishing attempts. SpamTitan Plus uses a machine learning algorithm that can identify emails that deviate from those typically received by a business, links are rewritten and followed and the destination URL is assessed. All emails are subjected to antivirus scans and suspicious attachments are sent to a Bitdefender-powered sandbox for behavioral analysis.
Security awareness training should be provided to the workforce to improve resilience to phishing attempts by teaching security best practices and how to identify phishing attempts. SafeTitan is a comprehensive security awareness training platform and phishing simulator that is updated with new content regularly in response to changing phishing tactics, including those used in Bumblebee campaigns. It is also recommended to implement multi-factor authentication on accounts, perform daily backups and store them offline, implement next-generation antivirus technology on endpoints, and implement network hierarchy protocols and network segmentation to prevent lateral movement.
by Jennifer Marsh | Feb 18, 2024 | Network Security |
If disaster strikes and you discover your network has been encrypted with ransomware and sensitive data has been stolen, you are faced with two choices. Pay the ransom and hope that the attackers are true to their word and will delete the stolen data and provide the decryption keys to allow you to recover your data or attempt to recover from the attack on your own.
There will be several factors that will influence that decision. One of the first questions that must be answered is whether a viable backup exists of your encrypted data, and ideally, one that allows you to recover individual files rather than restoring systems to the date of the most recent backup. Backups are often created but are not tested, and it is only when they are needed that an organization discovers that the backups cannot be used to restore data. Restoring data from backups may result in significant data loss.
If files can be recovered, then it may not be necessary to pay the ransom; however, this is why many ransomware gangs steal data in addition to encrypting files. The exposure of data – publication on a data leak site – or the sale of that data is often far more damaging to a company than the losses due to file encryption. Data leaks can cause significant reputational damage and put organizations at risk of costly lawsuits and regulatory penalties. Determining what data has been stolen is critical to the decision about whether or not to pay the ransom.
For many companies, especially critical infrastructure entities, the ransom demand is far lower than the cost of downtime during the incident response and recovery phase. Backups may allow files to be recovered but that does not mean a quick recovery and extended downtime can be hugely expensive. Paying the ransom may be the most cost-effective option as recovery will often be far quicker.
Companies with cyber insurance policies may be able to claim the ransom payment; however, many insurers now exclude ransomware attacks so it is important to determine, as far as possible, whether the insurance company will pay out and how much will be paid. Some insurers have restrictions in their policies and paying the ransom may invalidate the insurance policy. Cyber insurance is expensive and if a claim against a policy is successful, it is likely that future premiums will increase.
The threat actor that conducted the attack may be on a sanction list, which means that payment may not be permitted. In the United States, the Office of Foreign Asset Control (OFAC) has sanctioned several individuals who have conducted ransomware attacks, and OFAC prohibits payments to sanctioned individuals. If a company makes a ransom payment to a sanctioned individual it is a serious criminal offence, punishable with a severe financial penalty and custodial sentences.
Law enforcement agencies generally advise against paying a ransom for several reasons. If ransoms are paid it encourages ransomware gangs to conduct more attacks and gives them the funds they need to continue and expand their malicious activities. There is also no guarantee that the ransomware group will provide the decryption keys, which means payment may be made and data will remain encrypted. Around 90% of all companies that pay a ransom following a ransomware attack are unable to recover all of their data, and less than a third are able to recover half of their data. Data is often corrupted and decryption keys often do not work.
Paying a ransom to prevent the publication of stolen data may result in your company being removed from a publicly accessible data leak site but it does not mean that the data will be deleted. It may still be sold or misused. There is also a risk that after paying the ransom, another ransom demand will be issued. Any company that is willing to make a payment could face further extortion attempts and multiple ransomware attacks. A study by Cybereason found that 78% of companies that paid a ransom went on to suffer a second attack, with 36% of those attacked by the same threat actor and 42% attacked by a different threat actor.
The decision about whether to pay a ransom is not straightforward, and all factors must be carefully evaluated, but paying a ransom is a gamble and it is one that may not pay off. It should therefore only be considered as the last resort when all other options have been explored and ruled out.
The best approach as far as ransomware is concerned is to take proactive steps and prepare for an attack. You must ensure that you have robust data backup systems in place, with backups stored securely where they cannot be encrypted. Those backups must be tested to make sure file recovery is possible in the event of an attack to keep all options on the table.
Given the number of attacks that are now being conducted, it is important to make sure you have robust defenses in place to protect against all initial access vectors, and that is an area where TitanHQ can help. TitanHQ has a suite of cybersecurity solutions that can improve your security posture and help you recover from an attack should disaster strike. Give the team a call today for advice on how you can improve your defenses against ransomware attacks.
by Jennifer Marsh | Jan 31, 2024 | Phishing & Email Spam |
Phishing has long been the most common way that cybercriminals gain initial access to business networks. A successful attack allows a threat actor to steal credentials and gain a foothold in the network, providing access to sensitive data and giving them the access they need to conduct a range of nefarious actions. Phishers must develop campaigns that are capable of bypassing email security solutions and use lures that are likely to fool end users into disclosing their credentials or opening malicious email attachments. In recent years, the entry barrier for conducting phishing campaigns has been significantly lowered through phishing-as-a-service (PhaaS), which has proven popular with would-be cybercriminals.
Phishing kits are offered that provide everything needed to launch successful phishing campaigns, without having to spend hours setting up the infrastructure, creating convincing emails, and incorporating anti-detection measures to ensure emails land in inboxes. A relatively new phishing kit is proving to be particularly popular. The Greatness phishing kit has been available since mid-2022 and lowers the bar for starting phishing campaigns, requiring a payment of just $120 a month to use the kit. The Greatness phishing kit allows emails to be customized to suit the hacker’s needs and add attachments, links, or QR codes to the emails. The kit makes it easy to generate and send emails and create obfuscated messages that can bypass many cybersecurity solutions and land in inboxes. The kit also supports multi-factor authentication (MFA) bypass by performing a man-in-the-middle attack to steal authentication codes and can be integrated with Telegram bots.
The kit has an attachment and link builder that creates convincing login pages for harvesting Microsoft 365 credentials and even pre-fills the victim’s email address into the login box, only requiring them to enter their password. The kit also adds the targeted company’s logo to the phishing page along with a background image that is extracted from the targeted organization’s M365 login page. As such, the Greatness phishing kit is aimed at individuals looking to target businesses and can be easily purchased through the developer’s Telegram channel. There were several spikes in Greatness phishing kit activity in 2023, with the latest detected in December 2023 and the increased activity has continued into 2024. Phishing kits such as Greatness significantly lower the barrier for entry to cybercrime and make it as easy as possible to start phishing, and the low cost of the kit has made it an attractive option for would-be cybercriminals. This phishing kit is used to target Microsoft 365 users, and the emails can be convincing and are likely to fool many end users.
The key to defending against phishing attacks is to implement layered defenses to ensure that a failure of one defensive measure does not leave the business unprotected. TitanHQ has developed a suite of cybersecurity solutions for businesses and the MSPs that serve them to improve their defenses against phishing, including AI-generated phishing emails and sophisticated phishing kits capable of stealing passwords and MFA codes.
TitanHQ’s PhishTitan provides advanced phishing protection and remediation for Microsoft 365. TitanHQ’s proprietary machine-learning algorithm integrates directly with Microsoft 365 and catches and remediates sophisticated phishing including AI-generated phishing emails, business email compromise, spear phishing, and phishing attacks that bypass MFA. The solution augments rather than replaces EOP and Defender and catches the phishing attempts that those defensive measures often miss.
PhishTitan uses AI and a large language model (LLM) with proprietary threat intelligence currently not found in any other anti-phishing solution on the market, and will scan attachments for malicious links and malware, rewrite URLs, apply banner notifications, and block malicious links. PhishTitna also provides time-of-click protection to combat the weaponization of links after delivery. The solution uses machine learning algorithms to scan the message body to assess email content and identify words, phrasing, and formatting of emails indicating a phishing attempt, and will learn over time and become even more effective.
PhishTitan is suitable for businesses of all types and sizes and has been developed from the ground up to meet the needs of MSPs. The solution can be set up in less than 10 minutes, and MSPs can add new clients in less than 6 minutes and start protecting them from highly sophisticated phishing attacks. For maximum protection, TitanHQ also offers WebTitan DNS filter to protect against web-based attacks, ArcTitan email archiving for security and compliance, EncryptTitan for email encryption, SafeTitan for security awareness training and phishing simulations, and the SpamTitan Suite of email security solutions. All products are available on a no-obligation, 100% free trial and product demonstrations are available on request. For more information on PhishTitan and other TitanHQ solutions, give the TitanHQ team a call today.
by Jennifer Marsh | Jan 30, 2024 | Phishing & Email Spam |
Phishing is most commonly associated with email; however, there are a variety of ways that cybercriminals can make contact with end users and other forms of phishing are becoming much more common. Smishing is the use of SMS messages for phishing which targets users via their smartphones, which tend to have far weaker security controls than laptops and PCs. Voice phishing is also common, where malicious actors trick people into disclosing sensitive information or installing malware over the phone. Phishing can also take place via social media networks and video conferencing platforms such as Microsoft Teams.
A campaign has recently been identified that uses Microsoft Teams group chat requests for phishing. A threat actor appears to be using a compromised account to send Teams group chat invites to thousands of individuals. The compromised User’s Teams account is likely to have been compromised in a phishing, credential stuffing, or brute force attack. This campaign aims to install malware on users’ systems – a malware variant called DarkGate. DarkGate malware was first identified in 2018 and is a remote access Trojan that can install a hidden virtual network computing (hVNC) module to provide remote access to a victim’s device. The malware has keylogging and information-stealing capabilities and can steal cookies and information stored in browsers, Discord tokens, and cryptocurrency wallets. The malware can also download other payloads such as ransomware.
In this campaign, if a user accepts the group chat request, the threat actor uses social engineering techniques to trick them into downloading a file to their device. The user is tricked into thinking that they are downloading a PDF file, but they download an executable file. The file – Navigating Future Changes October 2023.pdf.msi – has a double extension. On Windows systems, which are typically configured to hide known file extensions, the file will be displayed as Navigating Future Changes October 2023.pdf. If the user double-clicks on the file, the malware will be installed and will connect to its command-and-control server, giving the treat actor control over the user’s device.
Microsoft Teams has become a popular target for threat actors for malware distribution. There are around 280 million monthly users, and the default settings allow Microsoft Teams users to receive chat requests from external Microsoft Teams users. While most users will have antivirus software on their devices for detecting malware, DarkGate malware is stealthy and often evades antivirus software. There are several steps that businesses can take to combat these attacks. The most important of which is to disable External Access in Microsoft Teams unless it is absolutely necessary for day-to-day business use. This will ensure that users can only receive chat requests internally, which will greatly reduce risk.
Another important measure is to provide regular security awareness training to the workforce. Employees should be taught cybersecurity basics such as how to recognize a phishing attempt and should be made aware of the latest tactics used by cybercriminals in attacks on employees. Training should be provided continuously, with short training sessions conducted every month. When new phishing techniques are identified, short training modules can be pushed out to employees to make them aware of the threat. With the SafeTitan security awareness training platform this is easy. The platform has a wide range of CBT content, with training modules lasting no more than 10 minutes so they are easy to fit in to workflows.
If you do not currently provide regular security awareness training to your workforce, contact TitanHQ about SafeTitan. Product demonstrations can be arranged on request, and you can test the product for yourself in a free trial.
by Jennifer Marsh | Jan 29, 2024 | Phishing & Email Spam |
Alarmingly, 71% of Microsoft business users report that they suffer at least one compromised account each month. The biggest cause of account compromises is phishing. Phishing is the fraudulent practice of making contact with an individual and tricking them into taking an action that the attacker wants, which is usually to disclose their credentials to allow an attacker to remotely access their account. Phishing attacks usually involve impersonation, where the attacker claims they are an authority figure, such as the CEO of the company, a friend or colleague, or a representative of a reputable company.
The capturing of credentials usually occurs on a website with initial contact with the individual usually occurring via email, although phishing attacks are also conducted via SMS messages (smishing), telephone (vishing), social media networks, and instant messaging services.
Phishing targets members of the workforce, including employees and board members, and it is the responsibility of security teams and managed service providers to block as many phishing attempts as possible and ensure that if phishing attempts do bypass defenses, end users have been trained to recognize phishing attempts and report them. Security teams naturally concentrate on the former, as phishing will only succeed if an attacker can make contact. The problem is that cybercriminals are developing highly sophisticated phishing campaigns that are difficult for traditional email security solutions to identify and block.
Cybercriminals target Microsoft 365 credentials as they provide access to a wealth of sensitive data and to email accounts which can be used to conduct further phishing attacks internally and on the company’s customers and vendors. Once credentials have been obtained, they can be used for a much more extensive attack on a company. TitanHQ has received feedback from its managed service provider (MSP) customers that Microsoft 365 phishing is the number one problem to solve in the email security community.
TitanHQ already has products that can protect against phishing. There is the SpamTitan suite of products for email security, WebTitan for protecting against web-based attacks, including blocking access to the websites where credentials are obtained, and the SafeTitan security awareness and phishing simulation platform for educating the workforce on cybersecurity threats and testing resilience through simulated phishing emails.
What was needed, however, was a new solution that is specifically focused on phishing. “We therefore allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists,” said TitanHQ CEO, Ronan Kavanagh. “We are pleased to be able to meet the market’s needs with a product that delivers.”
PhishTitan has been developed to help MSPs and businesses improve their phishing defenses for Microsoft 365, as Microsoft’s defensive measures – EOP and Defender – are failing to identify and block many phishing attempts. PhishTitan is a next-generation phishing protection and remediation solution for Microsoft 365, which integrates TitanHQ’s proprietary machine-learning algorithm directly with Microsoft 365 to augment EOP and Defender and catch and remediate the sophisticated phishing attacks that EOP and Defender miss.
PhishTitan has been developed from the ground up to meet the needs of MSPs and allow them to block more phishing attempts on their clients and remediate phishing attempts rapidly, without having to commit extensive resources to managing email security for each client.
PhishTitan is functionally rich, offering multiple integration options, and has granular policy controls, a full reporting suite, and provides comprehensive protection. Businesses can set up the solution themselves in around 10 minutes, and MSPs can add new clients in just 6 minutes.
PhishTitan Features
- AI-driven solution that is capable of identifying and blocking zero-day threats
- Scans and blocks malicious links
- Scans and neutralizes malware
- Detects unique and sophisticated phishing and BEC attacks over and above those detected by EOP and Defender
- Rewrites URLs and applies banner notifications
- Time of click protection to combat links that are weaponized after delivery
- Protection against data leakage of sensitive company information
- Instant remediation across an entire tenant
- Real-time visibility and reporting suite on emerging threats
- Phishing intelligence data that is unmatched in visibility, coverage, and accuracy.
If you are struggling to block phishing attacks on your M365 accounts or are a managed service provider who wants to improve phishing protection for your customers, give the TitanHQ team a call to find out more about how PhishTitan works and how it can improve your defenses against phishing. Product demonstrations can be arranged on request and PhishTitan is available on a free trial.
by Jennifer Marsh | Jan 26, 2024 | Phishing & Email Spam |
There has been a change in the distribution method of PikaBot malware, which is now being pushed in a malvertising campaign. Previously PikaBot was only distributed via phishing emails. PikaBot malware was first identified in early 2023 and is a modular malware Trojan that consists of two components: a loader and a core module. The malware allows the operator to gain remote access to compromised systems and execute a range of commands, including shell commands and fetching and running EXE or DLL files. The malware also allows downloads of additional malware payloads and post-compromise tools. The malware is known to be used by a prolific threat actor tracked as TA577, with infection leading to the deployment of Cobalt Strike.
The malvertising campaign uses Google Ads for AnyDesk, a remote desktop application popular with businesses. Google has security checks in place to prevent malicious adverts from being displayed and these are being bypassed by using a tracking URL with a legitimate marketing platform, with the custom domain for the redirect protected by Cloudflare. The malicious adverts are displayed when users search for popular software such as Zoom, Advanced IP Scanner, and WinSCP.
If the Ad is clicked by a user, they are directed to a spoofed AnyDesk download site that will deliver an MSI installer hosted on Dropbox. Checks are also performed before redirection to the malicious site, with redirection not occurring if fingerprinting checks determine the request is originating from a virtual machine. Before the MSI download is initiated, another check is performed to test whether the request is coming from a virtual environment. On download, Pikabot uses an injector to run anti-analysis tests and will only decrypt and inject the core module payload if these checks are passed, otherwise, execution is aborted.
The use of malvertising in malware campaigns is increasing and this initial access vector is often successful as most security awareness training programs concentrate on phishing. It is important to ensure that malvertising is covered in security awareness training sessions and that employees are told about the risks of downloading software and are made aware of the checks they should perform to make sure the source of the software is legitimate.
Businesses can further protect themselves against malware distribution via the internet with a DNS filter. The WebTitan DNS filter can be used to control the web pages that can be accessed by employees. Access can be restricted to whitelisted sites, and websites can be easily blocked by category. WebTitan is constantly updated by multiple threat intelligence feeds and will block access to all URLs known to be used for malware distribution. While this malvertising campaign involves many checks to determine if a web filter is accessing the content, which may result in the content being accessible, WebTitan can be configured to block the downloading of certain files from the Internet, including executable files such as MSI files. Not only will this help to prevent malware downloads, it will also allow IT teams to curb shadow IT – unauthorized software downloads by employees – which are a security risk.
The WebTitan DNS Filter and the SafeTitan Security Awareness Training Platform are both available on a free trial and product demonstrations can be arranged on request. For further information give the TitanHQ team a call.
by Jennifer Marsh | Jan 26, 2024 | Phishing & Email Spam |
Ransomware attacks hit record levels in 2023 and are set to increase further along with the phishing attacks that provide ransomware groups with initial access to business networks.
The ransomware remediation firm Coveware reports that ransomware groups are now much less likely to receive ransom payments, with only 29% of victims choosing to pay up to obtain the keys to decrypt their data and prevent their data from being added to data leak sites. At the start of 2019, 85% of victims of ransomware attacks paid the ransom.
There are several reasons for the fall in payments. First, businesses are better prepared and have incident response plans for attacks that minimize disruption and more effective backup strategies that allow them to restore data themselves. While they are unable to prevent the leaking of sensitive data if they choose not to pay the ransom, there is widespread mistrust that paying the ransom will actually prevent data from being leaked or sold.
Falling revenues from attacks mean ransomware actors need to increase the number of attacks they conduct in order to maintain their incomes. NCC Group reports an 84% increase in attacks between 2022 and 2023, and 2024 is likely to continue to see high numbers of attacks and the UK’s National Cyber Security Centre (NCSC) has warned that ransomware attacks are likely to increase.
The NCSC predicts that by 2025, and perhaps sooner, generative AI and large language models will be extensively used by cybercriminals and will allow them to craft phishing and spear phishing emails and develop new social engineering tactics to conduct more effective phishing campaigns. Since phishing is one of the most common initial access vectors in ransomware attacks, the NCSC predicts that AI will contribute to the global ransomware threat in the near term and other types of cybercrime that rely on phishing and social engineering.
The use of AI will make it more difficult for security professionals to identify and block phishing emails and social engineering attempts and it will be much harder for end users to differentiate between genuine emails and AI-generated phishing attempts. Generative AI tools also lower the barrier for would-be cybercriminals looking to conduct phishing and ransomware attacks, allowing novice and less skilled threat actors to conduct attacks successfully. This has already been the case with ransomware-as-a-service (RaaS), and generative AI-as-a-service may also start to be offered. Generative AI tools are also allowing threat actors to process and analyze the data stolen in these attacks more efficiently.
“Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing, and coding,” explained NCSC. “Enhanced access will likely contribute to the global ransomware threat over the next two years.”
The NCSC paints a bleak picture but while AI tools can be used for offensive purposes, they can also be used by network defenders. TitanHQ’s cybersecurity solutions already use AI and machine learning tools for identifying phishing and other email threats. These tools are able to identify novel phishing threats, including those that are created using generative AI tools.
If you want to improve your defenses against malicious use of AI, speak with TitanHQ about how you can add advanced AI-driven detection capabilities to your cybersecurity arsenal and better defend your networks and data from increasingly sophisticated cyberattacks.
by Jennifer Marsh | Jan 25, 2024 | Phishing & Email Spam |
QR codes are a convenient way of transmitting information, especially URLs. They can be scanned with a smartphone and direct the user to a website. They are on flyers, posters, and other marketing material to quickly direct users to a website to find out more information, greatly improving the response to marketing campaigns. Use of these codes has grown and they are now found everywhere, even in restaurants to direct diners to menus. Unfortunately, QR codes are also perfect for scammers for stealing sensitive information and distributing malware, and QR codes are now being extensively used in phishing campaigns (quishing) in place of embedded URLs. The advantage of this is that they make it hard for users to check the destination of the URL before clicking and email security solutions are now designed to follow QR codes. According to Check Point, there was a 587% increase in QR code phishing attacks between August and September 2023 and recently detected 20,000 instances of QR code-based attacks over a 2-week period.
Campaigns have recently been detected that incorporate conditional redirection based on the user’s device, browser, screen size, and many other parameters, tailoring each attack to the individual via the same QR code. In one of these campaigns, users were directed to a credential harvesting page, with the redirection chain adjusted based on the fingerprinting of the user’s device. Similar campaigns are conducted to direct users to malware distribution sites. QR codes have also been used to direct users to deep fake YouTube videos, where celebrities appear to be endorsing investment schemes, usually related to cryptocurrency, where people are tricked into investing with a promise that they can rapidly double their money or get even better returns.
Email security solutions are designed to assess messages for phishing content, check embedded URLs to determine if they link to malicious websites, and scan email attachments to check for malware, but they are not suited to checking QR codes to determine where the user will be directed. Further, QR codes move the threat to a different device. QR code phishing emails are likely to be received on a company-owned laptop or PC, but the user is then required to switch to their mobile phone to scan the QR code, and mobile devices typically lack the same level of protection making it more likely that the attack will go undetected.
The best defense against these attacks is user education. Security awareness training should cover quishing to make employees aware of this increasingly popular tactic and the threat that QR codes pose. With SafeTitan it is easy to add new training content to your security awareness training programs and push out these training modules to all users. When any new threat is detected, you can add educational content to your training program and push that content out to all users, user groups, or individuals. All training modules last a maximum of 10 minutes, so they are easy to fit into busy workflows. SafeTitan also includes a phishing simulator that allows you to send out fake quishing emails to the workforce to see who opens the emails and responds.
For further information on security awareness training with SafeTitan and how you can improve your defenses against all types of cyberattacks, give the TitanHQ team a call.
by Jennifer Marsh | Jan 16, 2024 | Phishing & Email Spam |
Phishing is the fraudulent practice of sending messages, typically emails, that trick the recipient into doing something that they normally would not do, such as disclosing sensitive information or installing malware on their device. Phishers often include a link to a website that spoofs a well-known brand and victims are tricked into disclosing sensitive data or malicious files are attached to emails. Email security solutions are now much better at detecting malicious hyperlinks, and advanced email security solutions such as SpamTitan Plus can detect all known malware and have email sandboxing for behavioral analysis of suspicious emails to identify and block zero-day malware threats.
Cybercriminals Turn to Callback Phishing to Evade Cybersecurity Solutions
The first goal of a phishing attack is to get a message, be that an email, SMS, or instant message to an end user, and one of the ways that this is achieved is by sending emails with no malicious content – no hyperlinks or email attachments. Instead, the messages have a realistic call to action that requires immediate attention, and a phone number is provided in the email that the recipient must call to address the pressing problem that is outlined in the email. The phone line is manned by the threat actor who then talks the user through performing certain actions that provide remote access to their device.
Callback phishing typically involves an email warning the recipient about a charge for a product that is about to be taken, such as the expiry of a free trial or the end of a subscription term. The charge is excessive and the number provided in the email must be called to stop the charge. One such campaign that has recently been uncovered involves a fictitious charge for an antivirus subscription. In one of these attacks, the threat actor spoofs the antivirus software provider Norton. The email advises the recipient that the subscription period has come to an end and a charge for the next subscription period will be applied – $349.95. Naturally, such a high charge for a product would prompt many people to call the number to block it.
As with other callback phishing campaigns, the attacker tricks the recipient into downloading a program to their device that they are told is necessary to prevent the renewal of the subscription. The program gives the attacker remote access to the user’s device. Once access has been gained, the attacker can conduct a variety of nefarious activities.
Victim Transferred $34,000 to Attacker’s Account
In one of these scams, after access was gained to a victim’s device, the attacker transferred $34,000 from the user’s account. After providing the attacker with remote access to their laptop, the victim was instructed to perform other actions, one of which was entering their credentials into a phishing page. The victim was told that the payment for the antivirus software had already been taken, so a refund needed to be processed. The attacker then told the victim that an error had been made and a refund of $34,000 had been deposited in his account and immediate action was required to correct the error to avoid legal trouble.
The attacker remained on the phone while the victim called his bank, and while the victim was on the phone, the attacker transferred $34,000 from the victim’s Money Market account to his checking account. When the victim saw the $34,000 deposit, he assumed it to be the refund from Norton, and arranged the transfer to the bank account provided by the attacker. The attacker told the victim that in order not to arouse suspicion at the bank, he should inform the bank that the payment was for a vehicle. The victim was unable to see the malicious activity as the attacker had overlayed a blue screen on his laptop.
In this case, suspicions were raised and the funds were put into a suspense account at the recipient bank. U.S. Secret Service Special Agent Iris Joliff was able to obtain a seizure warrant from a judge allowing the money to be recovered; however, scams such as these are often only detected when the transferred funds have been withdrawn from the attacker-controlled account.
Improve Resilience to Callback Phishing with SafeTitan
Email security solutions may be effective at blocking malicious attachments and hyperlinks in emails, but they can rarely identify callback phishing scams as it is difficult to determine if a phone number is malicious. The most effective way that businesses can combat callback phishing is through security awareness training. Callback phishing should be covered in security awareness training sessions and also added to phishing simulation campaigns, to test whether the training has been understood and is being applied. SafeTitan from TitanHQ makes this easy, as callback phishing modules can easily be added to training courses and SafeTitan also includes a phishing simulator with phishing templates to test resilience to callback phishing and identify individuals who require further training in this area.
For further information on the SafeTitan platform and advice on how to further improve your defenses against phishing, give the TitanHQ team a call.
by Jennifer Marsh | Jan 14, 2024 | Industry News, Phishing & Email Spam |
TitanHQ is proud to announce the addition of a new solution to its cybersecurity portfolio that helps businesses combat the growing threat of phishing. PhishTitan provides powerful phishing protection for Microsoft 365 that is capable of catching and remediating sophisticated phishing attempts, including spear phishing attacks, business email compromise, phishing emails generated by artificial intelligence tools, and zero-day phishing threats that Microsoft’s native defenses for M365 fail to detect and block. It is these threats that pose the biggest threat since they are missed by Microsoft’s email security defenses and are difficult for employees to identify as malicious since they lack many of the red flags that employees are taught to look out for in security awareness training programs.
PhishTitan incorporates TitanHQ’s proprietary machine-learning algorithm, which integrates directly with M365. PhishTitan performs an AI-driven analysis of inbound emails (internal and external) which includes textual analysis, link analysis, and attachment scanning. Links are analyzed via multiple curated feeds that constantly update the solution to allow malicious websites linked to phishing and malware distribution to be identified and blocked. Phishing emails often include links that have been masked to hide the true destination URL. PhishTitan rewrites URLs to show the true destination. One tactic used by phishers to bypass email security solutions is to only weaponize links in emails after delivery. To protect against this tactic, PhishTitan checks inbound emails before delivery to inboxes and also offers time-of-click protection against malicious links in emails.
Attachments are scanned with twin antivirus engines, and suspicious email attachments are sent to the sandbox for behavioral analysis. Machine learning detection models scour the body of emails looking for tell-tale signs of phishing and adapt to constantly changing phishing tactics. The machine learning algorithms also learn from reports of phishing attempts by end users, which they can report with a single click using a TitanHQ-supplied Outlook add-in. PhishTitan can also be configured to apply banner notifications to external emails and protect against the leakage of sensitive company information.
The solution has been designed to meet the needs of businesses of all types and sizes and has been developed from the ground up to meet the needs of managed service providers (MSPs) to allow them to easily add advanced phishing protection to their service stacks. It takes around 10 minutes to set up the solution, and around 6 minutes for MSPs to onboard new clients.
The solution was trialed across the TitanHQ user database of more 12,000 customers and 3,000 MSPs in Q4, 2023, with TitanHQ customers reporting that the solution outperforms their existing anti-phishing solutions. TitanHQ is now pleased to start offering the new product to new customers. For more information on PhishTitan phishing protection Microsoft 365 contact TitanHQ today. PhishTitan is available on a 14-day free trial and product demonstrations can be arranged on request to show you how easy the product is to use and exactly what it can do.
“A staggering 71% of MS business users suffer at least one compromised account monthly. With this in mind, the overwhelming feedback from our customer base has been that phishing is the number one problem to solve in the email security community,” said TitanHQ CEO, Ronan Kavanagh. “We therefore allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists. We are pleased to be able to meet the market’s needs with a product that delivers.”
by Jennifer Marsh | Dec 28, 2023 | Network Security, Phishing & Email Spam, Security Awareness |
The cyber threat landscape is constantly changing, with cybercriminals and nation-state actors developing new tactics, techniques, and procedures for use in attacks on businesses to steal intellectual property and sensitive customer data, and for extortion. Threat actors gain access to internal networks by exploiting human weaknesses through social engineering and phishing, exploiting vulnerabilities such as unpatched and misconfigured software, and using malware for remote access.
The latter has seen an increase in 2023, with Kaspersky reporting in its end-of-the-year statistics report that malicious file detections have increased by 3% from 2022, with an average of 411,000 malicious files detected each day. The biggest increase was malicious desktop files such as Word documents, Excel spreadsheets, and PDF files, which are used for distributing malware. More than 125 million malicious desktop files were detected in 2023, with documents such as Word files and PDF files seeing the biggest increase, up 53% from 2022.
The company attributed the large increase to the number of email phishing attacks using malicious PDF files. PDF files have become more popular due to the steps Microsoft has taken to block email attacks using Office documents and spreadsheets. In the summer of 2022, Microsoft started blocking Visual Basic Applications (VBA) macros in Office apps by default to stop malicious actors from using them to deliver malware. Macros are now blocked by default in all Office documents that are delivered via the Internet. Threat actors responded by switching to other file formats for delivering malware such as LNK, ISO, RAR, ZIP, and PDF files, with the latter commonly used to hide links to malicious websites from email security solutions. These links direct users to malicious websites where drive-by malware downloads occur and also to phishing sites that steal credentials. The most common malware types in 2023 were Trojans such as Magniber, WannaCry, and Stop/Djvu, with a notable increase in backdoors, which provide threat actors with remote access to victims’ devices and allow them to steal, alter, and delete sensitive data and download other malware variants such as ransomware.
These email-based attacks usually require some user interaction to succeed, such as opening a malicious file or clicking a link. Threat actors are adept at social engineering and trick users into taking the action they need but the availability of artificial intelligence tools has made social engineering even easier. AI has significantly lowered the entry barrier into cybercrime and can be used by anyone to create convincing phishing lures and social engineering tricks. Artificial intelligence tools are also being leveraged to develop new malware variants faster than before, which allows threat actors to defeat signature-based antivirus and antimalware solutions.
With cyberattacks increasing in both number and sophistication, businesses need to ensure they have appropriate defenses in place. To defend against attacks, businesses need to take a defense-in-depth approach to security and implement multiple overlapping layers of protection. Should one single component fail to detect a threat, others will be in place to provide protection. Endpoint detection solutions such as antivirus software are essential. These solutions work after malware has been delivered and can detect and neutralize the threat; however, multiple layers of security should be in place to make sure threats are not delivered, especially due to the increase in zero-day malware threats – novel malware variants that have yet to have their signatures added to the malware definition lists used by these solutions.
TitanHQ offers three layers of protection through SpamTitan Email Security, Web Titan Web Filtering, and SafeTitan Security Awareness Training. SpamTitan is an advanced email security solution that protects against all email threats, including known and zero-day threats. SpamTitan offers protection against malicious links in emails, and features dual antivirus engines and email sandboxing to protect against malware threats, with the latter used to detect previously unseen malware variants. SpamTitan also uses artificial intelligence and machine learning to predict new attacks.
WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks. The solution blocks access to known malicious websites, and high-risk websites, and can be configured to block the file types that are commonly used for malware delivery, such as executable files. SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience to the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, with training sessions triggered immediately when bad behaviors are detected. This ensures that training is delivered when it is likely to have the biggest impact.
To improve protection against the full range of cyber threats, give the TitanHQ team a call today. You can discuss your needs and explain the current security solutions you have, and the TitanHQ team will be more than happy to talk about the TitanHQ solutions that can plug the security gaps. All solutions are competitively priced and are available on a free trial to allow you to test them thoroughly before making a purchase decision.
by Jennifer Marsh | Dec 23, 2023 | Phishing & Email Spam |
A new callback phishing campaign has been detected that uses Google Forms to add credibility to the campaign. Callback phishing involves sending an email and tricking the recipient into calling a customer service helpline, where they are convinced to download software that provides the attacker with remote access to their device. Since the emails contain no malicious content, only a phone number, these emails are usually delivered to inboxes.
A typical campaign involves an email about an impending charge for a subscription for software or a service, payment for which is about to be taken shortly. The user is told that they must respond within 24 hours if they have any dispute and that the subscription will auto-renew if no action is taken. Companies typically impersonated in these attacks include Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad.
The impending charge is excessive, typically $50 to $500, and the only way to prevent the payment is to call the customer service number included in the email. Subscriptions for software, streaming platforms, and other services are often set to auto-renew by default, and many people end up paying for another term even if they have discontinued using that service. The lure is therefore plausible, and since the charge is excessive, the recipient is likely to make the call.
The phone number is manned by the threat actor who pretends to be customer support and helps the user block the charge; however, in order to do so, software must be downloaded onto the user’s device. The user is convinced to install the software, the threat actor appears to remove the offending software, and the payment issue is resolved; however, the threat actor has installed malware that provides access to the user’s device.
In late 2020/ early 2021, this method was used in BazarCall attacks, so named because they were conducted to deliver BazarLoader malware. The malware is used to download additional malware payloads to the user’s device, such as ransomware. A new version of this campaign has recently been detected that employs Google Forms to add legitimacy to the campaign. Google Forms is free to use and allows forms to be easily created for surveys and quizzes, which can be integrated with websites or shared. In the latest BazarCall campaign, Google Forms is used to create details of a fake transaction, complete with invoice number, payment method, payment date, and information about the product or service.
Google Forms includes the option for a response receipt in the settings, so when a form is completed, it is submitted to the entered email address – that of the target. Google sends the completed form from its own servers, which adds legitimacy to the campaign and increases the probability of the form reaching an inbox. Email security solutions trust the sender (noreply@google.com) and the messages contain no malware or phishing links, the email is guaranteed to be delivered. The form instructs the recipient to call the number within 24 hours if they have any dispute about the charge.
Google is aware of the campaign and is taking steps to improve detection and said that the campaign has so far been used for a small number of users; however, it is worthwhile updating your security awareness training to include this new method of attack. That is quick and easy to do and roll out with the SafeTitan security awareness training platform. SafeTitan also allows you to easily add this method of phishing to the phishing simulator, to see if your employees are likely to fall for callback phishing scams.
by Jennifer Marsh | Dec 18, 2023 | Phishing & Email Spam |
In the summer of 2023, a multinational law enforcement operation caused major disruption to the botnet and malware known as QakBot, aka Qbot & pinkslipbot. Now the malware is back and being used in a campaign targeting the hospitality industry.
QakBot was first detected in 2008 and was primarily a banking Trojan which was used to steal financial information from infected devices; however, the malware has evolved over the years and its capabilities have been significantly enhanced. Check Point researchers have described the malware as “a Swiss army knife” due to its extensive capabilities. QakBot can steal financial information, browser data, and has keylogging capabilities, allowing it to steal credentials and other sensitive information. Infected devices are added to a botnet that can be used for a range of nefarious activities, and the malware also serves as a downloader and can deliver other malicious payloads, including ransomware. QakBot has previously partnered with major ransomware groups including Egregor, REvil, Conti, and ALPHV/BlackCat.
At the time of the takedown, QakBot had been installed on more than 700,000 computers worldwide. According to the U.S. Department of Justice, the August takedown was “the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.” The law enforcement operation resulted in access being gained to the botnet’s encryption keys that were used for malware communication The botnet was hijacked and a custom Windows DLL was pushed out to all infected devices, which terminated the malware and disabled the botnet. These takedowns are, unfortunately, only temporary. As was the case with the takedown of the Emotet botnet, the threat actors simply rebuild their infrastructure.
QakBot malware is primarily distributed via phishing emails and the first QakBot malware campaign since the takedown was detected on Monday. The latest campaign uses an Internal Revenue Service (IRS) themed lure, where an IRS employee is impersonated. As is common in these campaigns, there is little body text in the emails, apart from the IRS logo and contact information. The emails contain a PDF attachment called GuestListVegas.pdf, and the subject line is “clients information”.
The recipient is told that they cannot preview the PDF file and must download it; however, the file they download is an MSI installer that will launch QakBot in the memory. Microsoft confirmed that this version of QakBot has not been seen before. While this appears to only be a relatively small campaign, distribution is expected to be significantly ramped up. In addition to this method of distribution, the QakBot operators have previously used OneNote files, Office files with malicious macros, Windows shortcut files, ISO attachments, and other executables, some of which have been known to exploit unpatched vulnerabilities.
Defending against attacks requires a combination of measures to block the initial access vector, the most important of which are an advanced spam filter – such as SpamTitan – security awareness training, and phishing simulations. A spam filter will block the majority of malicious emails to reduce the number of threats that are delivered to inboxes. By providing ongoing security awareness training to the workforce, employees will learn how to recognize, avoid, and report potential threats. Phishing simulations are an important part of the training process and allow employees to be tested to determine whether they are applying their training. When a phishing simulation is failed it can be turned into a training opportunity. With the SafeTitan platform, training is automated and delivered in real-time in response to failed phishing simulations.
For more information on advanced spam filtering and workforce cybersecurity training, give the TitanHQ team a call.
by Jennifer Marsh | Dec 16, 2023 | Email Archiving, Industry News, Security Awareness, Spam Software, Website Filtering |
TitanHQ products have received four “Top Solution Awards” from Expert Insights in Q4, 2023 in the Email Security, Web Filtering, Security Awareness Training, and Email Archiving categories.
Expert Insights is a leading business software review website that is used by IT decision-makers for researching the best business software solutions. The platform has more than 1 million readers a year and helps more than 85,000 businesses each month with their software purchase decisions. The website includes honest and impartial technical reviews and helpful guides to allow IT decision-makers to purchase with confidence.
Each Quarter, Expert Insights recognizes the world’s best B2B technology solutions through its awards program. The awards are based on Expert Insights’ independent technical analysts and editorial team, customer feedback, and industry recognition. In Q4, 2023, Expert Insights issued awards in over 40 categories, from authentication to zero trust security.
“We are thrilled to unveil our list of the ‘Top Solutions’ for Winter 2023, highlighting the extraordinary innovation in the B2B technology landscape,” said Craig MacAlpine, CEO and Founder of Expert Insights. “These awards celebrate leading solutions across more than 40 product categories, based on our own technical analysis and the engagement of thousands of enterprise tech professionals that use Expert Insights to research solutions each month.”
TitanHQ’s cybersecurity solutions were recognized and were named top solution in four categories:
- Email Security – SpamTitan
- Web Filtering -WebTitan
- Security Awareness Training – SafeTitan
- Email Archiving – ArcTitan
SpamTitan is a cutting-edge email security solution for blocking spam and protecting against email threats. The solution has artificial intelligence and machine learning capabilities and can block all known malware, zero-day malware threats, and phishing, spear phishing, and business email compromise attacks.
WebTitan is a leading DNS filtering solution that allows businesses to carefully control the web content that can be accessed via wired and wireless networks and allows businesses to restrict access to certain websites to improve productivity, reduce legal risk, and protect against phishing, malware, ransomware, and other online threats.
SafeTitan is a comprehensive security awareness training and phishing simulation platform for teaching employees security best practices and improving resilience against the full range of cybersecurity threats. The platform provides training in real-time in response to poor security behaviors, which are triggered immediately when those behaviors are detected to ensure that training is delivered when it is likely to have the biggest impact.
ArcTitan is an easy-to-implement “set-and-forget” email archiving solution that helps businesses meet their legal responsibilities for data retention and ensures that no email is ever lost, with lightning-fast search and retrieval.
“Our team is truly honored by Expert Insights’ acknowledgment of TitanHQ as the ‘Top Solution’ Provider in their Q4 2023 Awards.,” said TitanHQ CEO, Ronan Kavanagh. “This recognition across multiple categories underscores our commitment to empowering our partners and MSPs with cutting-edge technology, enabling them to deliver advanced network security solutions to their clients.”
by Jennifer Marsh | Nov 26, 2023 | Phishing & Email Spam, Spam Advice |
A malware phishing campaign has been running since September 2023 that is distributing DarkGate malware. Now, the threat actor behind the campaign has switched to PikaBot malware, and the campaign has several similarities to those conducted by the threat actor behind Qakbot.
DarkGate malware was first detected in 2017 but was only offered to other cybercrime groups this summer. Since then, distribution of the malware has increased significantly, with phishing emails and malvertising – malicious adverts – the most common methods of delivery. DarkGate malware is a multi-purpose Windows malware with a range of capabilities, including information stealing, malware loading, and remote access. In September, security researchers at Cofense identified a malware phishing campaign that was spreading DarkGate malware that has since evolved into one of the most advanced active phishing campaigns making it clear that it is being conducted by an experienced threat group. Then in October 2023, the threat actor behind the campaign switched to distributing Pikabot malware. Pikabot malware was first detected in early 2023 and functions as a downloader/installer, loader, and backdoor.
Security researchers have analyzed the malware phishing campaign and have identified several similarities to those used to distribute Qakbot (Qbot) malware including the behavior of the malware upon infection, the method of distribution, as well as internal campaign identifiers. Qakbot was one of the most active malware botnets; however, in August this year, an international law enforcement operation headed by the U.S. Department of Justice successfully took down the infrastructure of Qakbot.
The emergence of the phishing DarkGate/Pikabot campaign around a month after the Qakbot takedown, the use of a similar campaign that was used to distribute Qakbot, and no detected Qakbot activity since the takedown has led security researchers to believe the operators of Qakbot have switched to distributing DarkGate/Pikabot. Both of those malware families have similar capabilities to Qakbot and that could indicate the Qakbot operators have switched to newer malware botnets. As was the case with Qakbot, the new malware variants provide the threat actor with initial access to networks and it is probable that attacks will result in data theft and potentially the use of ransomware. Given the pervasive nature of Qakbot, if the same threat actors are behind the latest DarkGate/Pikabot campaign it poses a significant threat to businesses. The phishing campaign starts with an email that forwards or replies to a stolen message thread. Since the message threat contains genuine previous conversations there is a much higher probability of the recipient responding to the message. The emails contain an embedded URL that directs the user to a.ZIP archive that contains a malware dropper, which delivers the final DarkGate or Pikabot payload.
The phishing campaign continues to evolve and it is the work of a very experienced threat actor. One of the best defenses against these attacks is security awareness training. Employees should be warned of the tactics that are being used to distribute the malware and should be instructed to be vigilant, especially requests received via email that appear to be responses to previous communications that prompt them to visit a website and download a compressed file. They should be instructed to report any such email to their security teams for analysis.
With SafeTitan, TitanHQ’s security awareness training platform, it is easy to incorporate the latest threat intelligence into training content and push out short training sessions to employees to raise awareness of the latest malware phishing campaigns. SafeTitan also includes a phishing simulator that allows custom simulated phishing emails to be sent out to the workforce, including simulated phishing emails that include the tactics used in the DarkGate/Pikabot campaign. Security teams can use the simulator to determine how employees react and can then take proactive steps to address any knowledge gaps before a real DarkGate/Pikabot phishing email lands in an inbox.
An advanced spam filter should also be implemented that is capable of scanning and following links in emails along with a WebFilter for blocking access to malicious websites and restricting file downloads from the Internet, such as TitanHQ’s SpamTitan Plus and WebTitan DNS filter. For more information on the SafeTitan security awareness training and phishing simulation platform, advanced spam filtering with SpamTitan Plus, and web filtering with WebTitan, call TitanHQ today. All TitanHQ solutions are also available on a free trial.
by Jennifer Marsh | Nov 24, 2023 | Phishing & Email Spam |
You may be able to grab a bargain on Black Friday and Cyber Monday but you need to be extra vigilant for Black Friday phishing attacks and Cyber Monday scams. Cybercriminals are waiting to take advantage of unwary online shoppers on Black Friday and scams are rife throughout the holiday season.
Black Friday and Cyber Monday are two of the busiest shopping days of the year. Many people take advantage of the deals on offer and delay major purchases to try to get a Black Friday or Cyber Monday bargain, and savvy shoppers get started on their Christmas shopping early and try to grab the best gifts while they are available, often at a sizeable discount. On Black Friday, Cyber Monday, and throughout the holiday season, cybercriminals are hard at work. It is the perfect time for them to fill their pockets before the Christmas break. There are huge numbers of people looking to make purchases online, and cybercriminals are more than happy to offer the bargains and special deals that they seek.
During this shopping frenzy, people who delay making a purchase often miss out due to limited product availability. That means it is the perfect time to conduct a phishing attack offering a high-value product at a rock-bottom price, as it is exactly what consumers are expecting and hoping to find. The whole retail event plays into cybercriminals’ hands. People are made to think that they need to act fast and make a quick purchase when what they need to do is stop and think about whether the offer being presented is really what it seems.
Last year, UK residents lost more than £10 million to cybercriminals over the festive shopping period, according to the UK National Cyber Security Centre, with each victim losing an average of £639 to scams between November 2022 and January 2023. This year, the outlook looks even bleaker due to the ease at which artificial intelligence can be used to create convincing scams. While phishing attempts, scam emails, and malicious websites often contain red flags that indicate all is not what it seems, those red flaws are often missing from AI-generated content. Cybercriminals are leveraging large language models, such as ChatGPT, to create convincing emails, scams, fake adverts, and fraudulent websites. The aim of these attacks is to get unsuspecting consumers to disclose their usernames and passwords, provide their credit card and bank details, make purchases for non-existent products, or download malware. AI allows cybercriminals to conduct these scams on an increasingly large scale.
Tips for Avoiding Black Friday Phishing Scams and Online Fraud
AI tools allow cybercriminals to generate phishing emails with perfect grammar and no spelling mistakes and even generate convincing lures targeted at specific groups of people, but the same social engineering techniques are used in these phishing attempts as human-generated phishing emails. With phishing attempts, there is a sense of urgency. Phishing emails have a call to action and only a limited time to respond and there will usually be a threat of negative consequences if prompt action is not taken. With Black Friday phishing scams, product scarcity or a special offer expiring are often how cybercriminals get urgent action to be taken, or there may be a threat of pending costs, charges, or account closures if the email is ignored. Another common ploy is to generate a security alert about unauthorized account access or a potentially fraudulent purchase that has been made, with immediate action required to block the charge or protect the account. Everyone needs to be extra vigilant during the holiday season and should carefully check the sender of the email and stop and think before taking any action suggested in an email.
With so many purchases being made at this time of year, it is the perfect time for phishing lures warning about unsuccessful deliveries. Most people will be expecting packages to be delivered over the next few days and weeks. If you are notified about a failed delivery attempt, make sure that the message has been sent from the domain of the company that claims not to be able to deliver the package. If the email claims to have been sent by FedEx, UPS, DPD, Yodel, or Evri, check it has been sent from the official domain used by that company and watch out for hyphenated domain names, spelling mistakes, and transposed letters.
While email scams are common, so are scams on social media platforms. Malicious advertisements are posted offering products that are never dispatched. According to the Federal Trade Commission, $2.7 billion has been lost in the United States to social media scams over the past 2 years. While there may be genuine offers on social media sites, any vendor should be carefully vetted before making a purchase through an advert and checked to make sure they are who they claim to be and that they are a reputable retailer. It is also far better to use a credit card for any purchases, as credit card companies offer much greater protection against fraud than banks do for debit cards.
While non-delivery scams are common, and credit card theft is rife, many Black Friday and Cyber Monday scams try to obtain access to accounts. In addition to being extra vigilant, it is important to ensure that accounts are properly protected, which means setting a strong, unique password for each account and ensuring multifactor authentication is enabled. If passwords are reused across multiple sites, if that password is obtained, all accounts that use the same password will be put at risk. Multifactor authentication will provide greater protection for accounts should passwords be guessed or otherwise obtained. A password alone is not sufficient to gain access to an account, as an additional form of authentication must be provided.
by Jennifer Marsh | Nov 23, 2023 | Network Security, Spam Software |
Malware sandboxing for email is now vital for email security. Suspicious files that pass AV checks are sent to the sandbox where they are safely detonated and subjected to behavioral analysis.
Email-based Cyberattacks are Increasing
Email is one of the most common initial access vectors used by cybercriminals. Initial access to victims’ networks is gained via two main methods: email attachments and embedded URLs. The first attack type involves emails with attachments that contain malicious code, such as macros. If the files are opened and the code is allowed to execute, it will trigger the download and execution of malware from a remote server, or in some cases, malware will be executed in the memory (fileless malware).
The other method, which is now more common since Microsoft started blocking macros in Office documents by default if they are received via the Internet, is for phishing emails to be sent that contain malicious URLs. These URLs may be added to the message body or be hidden inside documents. These URLs point to an Internet site that hosts malware which is silently downloaded when the link is visited or the user is tricked into installing the malware.
Businesses need to ensure they have adequate defenses to block email-based attacks. The first line of defense is an email security solution that will scan the message headers, message body, and attachments and perform reputation checks on the sender. Email security solutions use blacklists of malicious domains and IP addresses and will block messages from these domains and IPs if they have previously been used for phishing, scams, or malware distribution. Checks will be performed on URLs and the messages are searched for the signatures of spam and phishing content – words and phrases commonly used by threat actors. If these checks are failed, the messages will be quarantined.
To block malware, email security solutions scan email attachments using anti-virus engines, which search for the signatures of malware – specific parts of the malware code that have been identified in previous malware analyses. The anti-virus software is regularly updated, and new signatures are added when new malware variants are identified. While these scans will block all known malware if the signature for malware is not in the definition list, the file will not be classed as malicious, and the message will be delivered to the end user. Unfortunately, new malware variants are being released faster than ever before to get around signature-based detection. To block unknown malware another method is required – malware sandboxing for email.
Malware Sandboxing for Email
Advanced email security solutions include malware sandboxing for email. If an email attachment passes the standard checks and anti-virus scans, it is sent to a sandbox where the behavior of the file is analyzed. A sandbox is an isolated, secure environment where files can be opened and analyzed without risk. Any checks of the environment that are performed by malware when it is executed are often passed as the sandbox is created to look exactly like a real endpoint. Any actions performed by files when they are opened are analyzed in detail and if any checks fail, the file and email will be quarantined and all other copies of that email will be removed from the email system. These checks may take a few minutes to perform, so there will be a slight delay in delivering genuine emails.
SpamTitan, TitanHQ’s award-winning email security solution, includes a powerful next-gen sandbox that is powered by Bitdefender. The malware sandboxing service uses powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, which provide advanced threat protection and zero-day exploit detection. To avoid unnecessary email delivery delays, SpamTitan has strong machine learning, static analysis, and behavior detection technologies which ensure that only files that require further analysis get sent to the sandbox. If all sandbox checks are passed, the message will be delivered. If one or more checks are failed, the message will be quarantined, and the results passed to Bitdefender’s Global Protective Network. If that threat is encountered again, it will be recognized and will be quarantined immediately and will not need to get sent to the sandbox to be detonated again.
With SpamTitan malware sandboxing for email, businesses will be well protected against zero-day malware threats that would otherwise be delivered to inboxes. For more information give the TitanHQ team a call. SpamTitan with malware sandboxing for email is also available on a 14-day free trial.
Additional Articles Related to Email Sandboxing
Email Sandboxing
Email Sandboxing Service
Sandboxing Blocking Malware Threats
Email Sandboxing Pattern Filtering
How does an email sandbox block malware?
Email Sandboxing and Message Delivery Delays
Commonly Asked Questions about Email Sandboxing
What is sandbox security?
How does a sandbox work?
How to sandbox email attachments
What is message sandboxing?
What is malware sandboxing for email?
What is sandboxing in cybersecurity?
What are the advantages and disadvantages of email sandboxing?
Sandboxing Technology for Email
What is a malicious file sandbox for email?
by Jennifer Marsh | Nov 20, 2023 | Network Security, Spam Software |
Implementing your own sandboxing technology for email can be complex and costly. SpamTitan Email Security has an inbuilt sandbox, so all the hard work is done for you. You get the full cybersecurity benefits of a sandbox at a very low cost.
What are the Benefits of an Email Sandbox?
Email sandboxing is no longer a ’want’ it is now a ‘must-have.’ Cybercriminal groups are conducting huge numbers of attacks, nation-state actors are targeting businesses to steal their proprietary data, and these attacks are getting far more sophisticated and can easily evade standard security solutions. The consequences of a successful cyberattack are severe. IBM’s 2023 Cost of a Data Breach Report indicates that the average cost of a successful attack and data breach has risen to $4.45 million in the United States. It is no surprise that many small to medium-sized businesses fold within 6 months of a successful attack.
As has been the case for many years, one of the easiest ways to gain initial access to a company’s network is via email. Employees are targeted as they can be tricked into disclosing their credentials or installing malware. Email security solutions such as spam filters and secure email gateways are capable of blocking many threats, but they are failing to block zero-day malware threats. Traditional email security solutions are reliant on signature-based detection methods for blocking malware. When a malware threat is detected and analyzed by security researchers, the signature for that malware variant is added to the definition list. Email security solutions use signature-based detection methods to block 100% of known malware.
The problem comes with new malware, for which no signature has been defined. Without a signature, malware will not be identified as malicious if it is encountered. If a novel malware variant is attached to an email, the email will most likely be delivered and can be opened by an end user and new malware variants are now being released at an incredible rate. While signature-based detection has served businesses well, additional protection is now required – email sandboxing.
With an email security solution that has an email sandbox, inbound messages will first be subjected to standard checks. An email sandbox is then used to safely analyze the behavior of files in an environment where no harm can be caused. If malware is executed, it will be detected based on its behavior rather than a signature. The threat will then be blocked, and no harm will be caused.
SpamTitan Email Sandboxing Technology for Email
With SpamTitan, the initial checks include AI-based and machine-learning detection, which is capable of detecting previously unseen phishing threats. All attachments are scanned with two antivirus engines to ensure 100% of known malware threats are detected and blocked. The sandbox provides an extra layer of protection. When initial checks are passed, suspicious messages are sent to the sandbox for deep analysis. File attachments are safely detonated, their behavior is analyzed, and the results are checked against an extensive array of online repositories. The process usually takes just a few minutes, or in some cases, a maximum of 20 minutes.
If a threat is detected it is reported to the Bitdefender Global Protective Network – Bitdefender’s cloud threat intelligence service. If that threat is detected again by SpamTitan or any device connected to the network, it will not need to be sent to the sandbox again and all devices will be protected against that threat. The latest malware variants often include code that checks for running security solutions and whether it has landed on a real endpoint. If a virtual environment is detected and the malware determines it is in a sandbox, it will not perform its malicious actions and may delete itself to prevent analysis. To get around this, the email sandbox emulates a real endpoint and analyzes files by leveraging purpose-built, advanced machine-learning algorithms. The sandbox incorporates anti-evasion and anti-exploit techniques and performs aggressive behavior analysis. Every evasion attempt by malware is properly marked and the files are flagged.
The sandbox analyzes a broad range of targets, including documents, spreadsheets, and executable files, and is capable of identifying and blocking polymorphic malware and other threats that have been developed for undetectable attacks. With email-based cyberattacks increasing in number and sophistication, businesses need to ensure they have advanced defenses. With SpamTitan sandboxing technology for email you get advanced threat protection at an affordable price. To find out more, call the TitanHQ team today or take advantage of a free 14-day free trial of SpamTitan.
Additional Articles Related to Email Sandboxing
Email Sandboxing
Email Sandboxing Service
Sandboxing Blocking Malware Threats
Email Sandboxing Pattern Filtering
How does an email sandbox block malware?
Email Sandboxing and Message Delivery Delays
Commonly Asked Questions about Email Sandboxing
What is sandbox security?
How does a sandbox work?
How to sandbox email attachments
What is message sandboxing?
What is malware sandboxing for email?
What is sandboxing in cybersecurity?
What are the advantages and disadvantages of email sandboxing?
Sandboxing Technology for Email
What is a malicious file sandbox for email?
by Jennifer Marsh | Nov 15, 2023 | Network Security, Spam Software |
What is Sandboxing in Cybersecurity?
Sandboxing in cybersecurity terms refers to an isolated virtual machine that is used for testing code and analyzing files. Since the sandbox is isolated from other systems and networks, unverified code, untested programs, email attachments, and files downloaded from the Internet can be executed or detonated safely. Code is executed and files are opened and their behavior is analyzed to determine if they are safe or if they may cause damage to data or systems. In the sandbox, the activities that can be performed are restricted so they can’t cause any real damage. If code is executed in the sandbox and it is determined to be malicious, it will be deleted or quarantined for further analysis. Sandboxing is also used for checking URLs. For instance, some web browsers will first open a URL in a sandbox where permissions are set to the lowest privilege levels. If any attempt is made to perform an action that is not permitted, access to the URL will either be blocked or the user will receive a warning.
Why is Sandboxing Important?
In software development, new code may have unintended consequences, such as causing other systems to malfunction, which in a production environment could cause unacceptable and costly downtime. A sandbox allows code to be fully tested to ensure it is safe. A security sandbox protects against malicious code that has been deliberately written to cause damage and/or provide access to systems and data. For example, ransomware is malicious code that encrypts files to prevent them from being accessed. A threat actor then demands payment for the keys to decrypt files. If that code was allowed to execute on the network, data could be permanently lost, or a ransom would need to be paid to recover files.
Cyberattacks on businesses have been increasing and are now being conducted more frequently than ever before. The average ransom demand in data theft and ransomware attacks is now more than $1.5 million, and data from Rapid7 suggests more than 1,500 organizations fell victim to ransomware attacks in the first half of 2023, with more than 20 new ransom groups emerging. Cybercriminals also still use backdoors, keyloggers, banking trojans, and information stealers to gain access to networks and steal sensitive data. To make matters worse, new malware and ransomware variants are constantly being released and these evade security solutions that rely on signature-based detection. It is vital that all files and applications are thoroughly tested before being allowed anywhere near the network and sandboxing allows even previously unseen malicious files to be identified and neutralized.
Email Sandboxing
Email security solutions often use sandboxing for attachments and URLs. With email attachments, they will first be scanned using standard anti-virus engines to determine if they contain known malware or malicious code. These AV checks will only detect known malware. New malware variants that have not been encountered before cannot be detected, as standard AV solutions search for signatures of known malware. Email sandboxing is used to detect new malware, often referred to as zero-day threats. Files that are determined to be clean after AV scanning are sent to the sandbox for behavioral analysis. Email security solutions may also use a sandbox for testing embedded URLs in messages and will follow the links and check the destination and assess whether it contains any threats.
Email Sandboxing from TitanHQ
SpamTitan is a multi-award-winning email security solution from TitanHQ that offers advanced threat protection at an affordable price. SpamTitan blocks phishing, malware, spam, viruses, and other malicious email threats and includes a Bitdefender-powered email sandbox. Emails that pass the initial barrage of checks, including antivirus scans, are sent to the sandbox where they are safely detonated, and their behavior is analyzed. The SpamTitan sandbox combines the latest threat analysis with powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, ensuring businesses are protected against zero-day threats. For more information on SpamTitan Email Security, give the TitanHQ team a call today.
Additional Articles Related to Email Sandboxing
Email Sandboxing
Email Sandboxing Service
Sandboxing Blocking Malware Threats
Email Sandboxing Pattern Filtering
How does an email sandbox block malware?
Email Sandboxing and Message Delivery Delays
Commonly Asked Questions about Email Sandboxing
What is sandbox security?
How does a sandbox work?
How to sandbox email attachments
What is message sandboxing?
What is malware sandboxing for email?
What is sandboxing in cybersecurity?
What are the advantages and disadvantages of email sandboxing?
Sandboxing Technology for Email
What is a malicious file sandbox for email?
by Jennifer Marsh | Nov 10, 2023 | Network Security, Spam Software |
Sandboxing is the use of a virtual environment for testing code and safely opening untrusted files. The sandbox is an isolated and secure environment that emulates a legitimate endpoint; however, there are no connections to the business network, the sandbox environment contains no real data, and if dangerous code is executed, no harm will be caused.
Advantages of Email Sandboxing
Sandboxing is important because of the sheer number and complexity of threats faced by businesses. Cybercriminal groups are conducting increasing numbers of attacks, new groups are constantly being formed, and their attacks are becoming much more sophisticated. The cost of these attacks and the resultant data breaches are also spiraling. According to the 2023 Cost of a Data Breach Report from IBM, on average, data breaches cost $4.45 million to resolve in the United States and $10.93 million for a healthcare data breach.
Many of these threats come from email. Emails are used to send attachments containing malicious code that downloads malware that provides a cyber actor with access to the network. Links to malicious websites are also distributed via email where malware is downloaded. While businesses have a degree of protection if they have anti-virus software installed, most anti-virus solutions can only detect known malware variants – Malware that has previously been analyzed and had its signature added to the solution’s malware definition list. Antivirus solutions will not detect new malware variants nor fileless malware, which is executed in the memory with no files downloaded to the disk.
Sandboxing provides an additional layer of protection against zero-day malware and ransomware attacks and will allow malicious files to be identified, detected, and quarantined before they can do any harm, even if they have not previously been encountered. In the sandbox, malware is identified by the actions it tries to perform, not by any signature.
Disadvantages of Email Sandboxing
While there are clear benefits, there are some disadvantages of email sandboxing. Businesses may want to add email sandboxing to their cybersecurity arsenal, but email sandboxes can be complicated to set up and run, and they can require a considerable amount of resources and can be expensive to run. Another of the disadvantages of email sandboxing is analyzing file attachments takes time and messages cannot be delivered until all checks have been performed. It is therefore inevitable that there will be email delivery delays.
As with any cybersecurity solution, there is the potential for false positives. An email attachment may be determined to be malicious when it is actually harmless. In such cases, important business emails may be blocked or deleted. The last main disadvantage is malware often contains code that determines if it has landed on the targeted endpoint or if it is in a virtual environment. If the latter is detected, the malware may delete itself or not perform any of its programmed malicious actions. Considering the cost of a successful cyberattack, the advantages of email sandboxing outweigh the disadvantages, provided the right sandboxing solution is chosen.
SpamTitan Email Security with Sandboxing
SpamTitan is an award-winning email security solution from TitanHQ that provides advanced threat protection at an affordable price. The solution is easy to implement and use and protects thousands of SMBs and managed service providers (MSPs) by blocking spam, viruses, malware, ransomware, and links to malicious websites from your emails. SpamTitan’s ATP defense uses inbuilt Bayesian auto-learning and heuristics to defend against advanced threats and evolving cyberattack techniques and features an integrated email sandbox tool that is part of Bitdefender’s Global Protective Network.
SpamTitan uses advanced intelligent technologies, such as AI, to predict and prevent advanced threats and the sandbox accurately mimics a real endpoint to trick malware into determining it has reached its intended target. As with any sandbox, there are delays in delivering emails but this is kept to a minimum. SpamTitan has multiple layers of security and sophisticated sandbox technology, which means only specific and dangerous emails will be sandboxed. Even if a legitimate email lands in a sandbox, the delivery delay will be, at most, twenty minutes. While there may be false positives on occasion, no emails are deleted. They are quarantined to allow administrators to check the validity of the results.
If you want to improve security and get the advantages of email sandboxes while eliminating the disadvantages, give the TitanHQ team a call today. SpamTitan is also available on a free 14-day trial to allow you to test the product and sandbox in your own environment before making a purchase decision.
Additional Articles Related to Email Sandboxing
Email Sandboxing
Email Sandboxing Service
Sandboxing Blocking Malware Threats
Email Sandboxing Pattern Filtering
How does an email sandbox block malware?
Email Sandboxing and Message Delivery Delays
Commonly Asked Questions about Email Sandboxing
What is sandbox security?
How does a sandbox work?
How to sandbox email attachments
What is message sandboxing?
What is malware sandboxing for email?
What is sandboxing in cybersecurity?
What are the advantages and disadvantages of email sandboxing?
Sandboxing Technology for Email
What is a malicious file sandbox for email?