Holiday Season Scams Aplenty as Black Friday Draws Closer

Thanksgiving weekend sees Americans head on line in the tens of millions to start online Christmas shopping in earnest and this year the holiday season scams have already started.

Black Friday and Cyber Monday are the busiest online shopping days, but some retailers are kickstarting their promotions early this year and have already started offering Black Friday deals. Amazon.com for example launches its first Black Friday offers tomorrow, well ahead of the big day on 25th November.

It is no surprise that retailers are trying to get ahead. 41% of shoppers start their holiday shopping in October according to a recent National Retail Federation survey. 41% of shoppers wait until November. 82% of shoppers like to make an early start, and this year so are the scammers.

A popular tactic used by cybercriminals is typosquatting – the registration of fake domains that closely match the brand names of well-known websites. Phishers use this tactic to obtain login credentials and credit card numbers. In recent weeks, there has been an increase in typosquatting activity targeting banks and retailers.

A fake domain is registered that closely matches that of the targeted website. For instance, the Amaz0n.com domain could be purchased, with the ‘o’ replaced with a zero. Alternatively, two letters could be transposed to catch out careless typists. A website is then created on that domain that closely matches the targeted website. Branding is copied and the layout of the genuine site is replicated.

There is another way that scammers can take advantage of careless typists. Each country has its own unique top level domain. Websites in the United States have .com. Whereas, websites registered in the Middle Eastern country of Oman have the .om domain. Scammers have been buying up the .om domains and using them to catch out careless typists. In the rush to get a holiday season bargain, many users may not notice they have typed zappos.om instead of zappos.com.

Visitors to these scam websites enter their login credentials as normal, yet all they are doing is giving them to the attackers. The scammers don’t even need to spoof an entire website. When the login fails, the site can simply redirect the user to the genuine site. Users then login as normal and complete their purchases. However, the scammers will have their login credentials and will be able to do the same.

However, many websites now have additional security features to prevent the use of stolen login credentials. If a login attempt is made from an unrecognized IP address, this may trigger additional security features. The user may have to answer a security question for example.

Some scammers have got around this problem. When a user attempts to login on a scam site, a login session is automatically opened on the genuine website. The information entered on the scam site is then used by the attackers on the genuine site. When the unusual IP address triggers an additional security element, this is then mirrored on the scam site with the same question forwarded to the user. The question is answered, and an error message is generated saying the login was unsuccessful. The user is then redirected to the genuine site and repeats the process and gains access. Chances are they will be unaware their account details have been compromised. Hours later, the scammers will login to the genuine site using the same credentials.

Businesses must also exercise caution at this time of year and should take steps to reduce the risk of employees falling for holiday season scams. Employees keen to get the latest bargains will undoubtedly complete some of their purchases at work.

Email scams increase at this time of year and business email accounts can be flooded with scam emails. Offers of discounts and special deals are likely to flood inboxes again this year. Email holiday season scams may not be about stealing login credentials. Given the increase in malware and ransomware infections in 2016, this holiday season is likely to see many holiday season scams infect businesses this year. A careless employee looking for an online bargain could all too easily click a link that results in a malware download or ransomware infection.

As holiday season fast approaches, the scammers will be out in force. It is therefore important for both businesses and consumers to take extra care. If you want to find out how you can protect your business from malware and ransomware, contact the TitanHQ team today and find out more about our security solutions.

Malicious Spam Email Volume Increases Again

Spam email volume has reduced over the past couple of years following the takedown of key botnets – and individuals – behind some of the biggest spamming campaigns. It was starting to look like the super-spamming days of the early 2010s were a thing of the past. However, spam email volume has been increasing in recent months.

Necurs botnet activity has increased and last month the Tofsee botnet came back to life after years of dormancy. Both of these botnets had previously been used to send annoying but relatively harmless spam emails offering cheap pharmaceuticals and offers of beautiful Russian brides. However, the increase in activity is also coupled with the move to malicious email attachments containing malware and ransomware.

These and other botnets such as Helihos are also growing in size at alarming rates and spam email volume is soaring. Some reports suggest spam email volume has increased from around 200,000 spam emails per second to 450,000 emails per second over the past couple of months.

But what are these malicious email attachments, and how big is the risk?

97% of Malicious Spam Email Attachments Contain Locky Ransomware

Locky ransomware first appeared in February 2016. It has since become one of the biggest email threats. The ransomware is being sent in massive spam campaigns and increasingly sophisticated social engineering techniques are used to infect end users.

To put these email campaigns into some perspective, historically, the volume of spam email used to deliver malware, ransomware, and other email nasties stood at around 2% of the total spam email volume. By around April this year, two months after Locky first appeared on the scene, malicious spam emails containing the ransomware accounted for around 18% of total spam email volume.

The Quarterly Threat Report issued by ProofPoint earlier this month suggests the volume of spam email containing malicious attachments or links reached record levels in quarter 3, 2016. The vast majority of those emails contained Locky. According to the report, 97% of captured spam emails with malicious attachments were used to deliver Locky. That’s a 28% increase from Q2, and a 64% increase since Q1.

Since its release, Locky ransomware has been infecting users via Word documents containing malicious macros, JavaScript files, executable HTML files (HTA), and more recently Windows Script Files (WSF) hiding the Nemucod downloader. Now, another change has been detected. Earlier this month, researchers at the Microsoft Malware Protection Center discovered the actors behind Locky ransomware had made another change to the way they infect computers and made the switch to shortcut files (LNK) containing PowerShell commands.

This discovery coincided with a drop in detection and a relatively quiet period for the past two weeks. However, Locky is back with a vengeance. On Monday this week, three new campaigns were detected, one of which was massive and involved 14 million messages in around half a day. 6 million of those messages were sent in a single hour!

The risk from Locky is considerable. Locky is capable of deleting Windows Shadow Files and encrypting a wide range of data, including data on portable storage devices and network drives. Resolving an attack can prove extremely costly. It is therefore essential to improve defenses to prevent attacks.

Ransomware and Malware Protection

Larger botnets and the move to malicious messages means organizations need to be prepared and take steps to ensure that these messages are effectively blocked.

Protecting your organization from email attacks is critical. It is therefore essential to employ a robust enterprise spam filtering solution. SpamTitan blocks 99.7% of spam email, preventing malicious email attachments and links from being delivered to your end users. This reduces reliance on training programs to educate end users on email threats.

Preventing ransomware infections requires a multi-layered approach. There is no silver bullet that will offer total protection against ransomware infections, but there are security products that can greatly reduce risk.

Protecting against exploit kits and malvertising requires a web filtering solution. By blocking websites known to contain malware or exploit kits, and carefully controlling the website content that can be accessed by employees, organizations can effectively protect against web-borne infections. WebTitan offers that protection and can be used to block malicious websites and reduce the risk from infections via malvertising.

Along with intrusion detection systems, firewalls, antivirus and anti-malware solutions, it is possible to defend against ransomware and malware attacks and keep your data secured.