Recently Discovered Spambot Contains 711-Million Email Addresses

A Netherlands-based spambot has recently been discovered that is being used to send massive volumes of spam email containing ransomware and malware. What sets this spambot apart from the many others in use is the scale of the spamming operations. Paris-based cybersecurity firm Benkow says the spambot contains an astonishing 711,000,000 email addresses.

To put that absurdly high figure into perspective, it corresponds to the entire population of Europe or two email addresses for every resident in the United States and Canada.

The spambot – called Onliner – is being used as part of a massive malware distribution network that has been distributing Ursnif banking malware. Not only are these email addresses being used for spamming and malware distribution, the passwords associated with many of those accounts are also publicly available on the same server. Malicious actors could access the data and use the information to gain access to the compromised accounts to search for sensitive information.

All of the email addresses in the list have now been uploaded to HaveIBeenPwned. Troy Hunt of HaveIBeenPwned recently explained in a blog post that this is the single largest set of email addresses that has ever been uploaded to the database. Hunt said it took 110 separate data breaches and more than two and a half years for the site to amass a database of that size.

Hunt explained that an analysis of a sample of the email addresses showed that those in one of the text files were all present in the data from the LinkedIn breach, another set related to the Badoo breach and another batch were all in the exploit.in list, suggesting this massive collection of email addresses has been amalgamated from past data breaches. That shows data is being extensively bought and sold on forums and darknet marketplaces. However, not all of the email addresses were already in the database, suggesting they came either from previously undisclosed breaches or from scrapes of Internet sites.

Some of the lists obtained contained email addresses, corresponding passwords, SMTP servers and ports, which allow spammers to abuse those accounts and servers in their spamming campaigns. Hunt says the list includes approximately 80 million email servers that are being used in spamming campaigns.

The problem is these are legitimate accounts and servers, which the spammers can abuse to send massive amounts of spam and even defeat some spam filters, ensuring malicious messages get delivered. Hunt says authorities in the Netherlands are currently attempting to shut down Onliner.

As a precaution, everyone is recommended to visit HaveIBeenPwned to check if their email addresses/passwords have been added to the database. If they are present, it is important to update the passwords for those email accounts and never to use those passwords again.

Defray Ransomware Used in Targeted Attacks on Healthcare and Education Sectors

Defray ransomware is being used in targeted attacks on organizations in the healthcare and education sectors. The new ransomware variant is being distributed via email; however, in contrast to many ransomware campaigns, the emails are not being sent out in the millions. Rather than use the spray and pray method of distribution, small campaigns are being conducted consisting of just a few emails.

To increase the likelihood of infection, the criminals behind Defray ransomware are carefully crafting messages to appeal to specific victims in an organization. Researchers at Proofpoint have captured emails from two small campaigns, one of which incorporates hospital logos in the emails and claims to have been sent by the Director of Information Management & Technology at the targeted hospital.

The emails contain a Microsoft Word attachment that appears to be a report for patients, relatives and carers. The patient report includes an embedded OLE packager shell object. If clicked, this executable downloads and installs Defray ransomware, naming it after a legitimate Windows file.

The ransom demand is considerable. Victims are asked to pay $5,000 per infected machine for the keys to unlock the encryption, although the ransom note does suggest the attackers are prepared to negotiate on price. The attackers suggest victims should back up their files to avoid having to pay ransoms in the future.

There is no known decryptor for Defray ransomware. Files are encrypted using AES-256, with RSA-2048 used to encrypt the AES-256 password, while SHA-2 is used to maintain file integrity. In addition to encrypting files, the ransomware variant can cause other disruption and will delete volume shadow copies to prevent the restoration of files without paying the ransom.

The developers of the ransomware have not given their malicious code a name and in contrast to most ransomware variants, the extensions of encrypted files are not changed. Proofpoint named the variant Defray ransomware from the C2 server used by the attackers.

A second campaign has been identified targeting the manufacturing and technology sector. In this case, the email appears to have been sent by a UK aquarium (Sea Life) with facilities around the world. The emails and attachments differ, although the same OLE packager shell object is used to infect end users.

The attackers have been sending these malicious emails to individuals, user groups and distribution lists. Attacks have occurred in both the United States and United Kingdom and are likely to continue.

Protecting against these targeted attacks requires a combination of spam filtering technology and end user training. Organizations in the healthcare, education, technology and manufacturing sectors should consider sending an email alert to end users warning of the risk of ransomware attacks, instructing end users to exercise caution and not to open email attachments from unknown senders and never to click to enable content on email attachments.
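As an added example (not from Proofpoint or the original article), the following Python check shows how a mail gateway or triage script could flag Word attachments that carry an embedded OLE Packager object of the kind described above. It assumes the attachment is either an OOXML .docx or a legacy .doc, relies on the Packager stream name `\x01Ole10Native` as a heuristic, and uses hypothetical function names and a constructed sample file.

```python
import io
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
# Packager objects keep their payload in a stream named "\x01Ole10Native";
# compound-file directory entries store stream names as UTF-16LE.
NATIVE_STREAM = "\x01Ole10Native".encode("utf-16-le")
MAX_PART = 50 * 1024 * 1024  # skip oversized parts instead of inflating them


def find_packager_objects(data: bytes) -> list[str]:
    """Return the parts of a Word file that look like OLE Packager objects.

    Heuristic only: a byte search for the stream name, not a full CFB parse,
    so other OLE1-style embeddings that use the same stream are flagged too.
    """
    hits = []
    if data.startswith(CFB_MAGIC):
        # Legacy .doc: the whole file is one compound file.
        if NATIVE_STREAM in data:
            hits.append("<document>")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        # OOXML .docx: embedded objects are separate parts inside the ZIP.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if "/embeddings/" not in info.filename:
                    continue
                if info.file_size > MAX_PART:
                    continue
                part = zf.read(info)
                if part.startswith(CFB_MAGIC) and NATIVE_STREAM in part:
                    hits.append(info.filename)
    return hits


def build_sample_docx(with_object: bool) -> bytes:
    """Constructed test input: a minimal ZIP shaped like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_object:
            # Fake embedded part: CFB signature plus the stream name only.
            fake = CFB_MAGIC + b"\x00" * 64 + NATIVE_STREAM
            zf.writestr("word/embeddings/oleObject1.bin", fake)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_docx(False)),
                          ("packager", build_sample_docx(True))):
        print(label, find_packager_objects(sample))
```

A hit is a reason to quarantine the message for review, not proof of malice, since legitimate documents occasionally embed packaged files.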

Beware of Hurricane Harvey Phishing Scams

Scenes of the devastation caused by Hurricane Harvey are all over the newsstands and Internet. Videos of the devastation are being broadcast around the globe. The hurricane hit the Texas coast two days ago, forcing tens of thousands of Texas residents to flee their homes. While the hurricane has now been downgraded to a tropical storm, meteorologists are predicting the heavy rainfall will continue at least for a couple more days and flood waters are continuing to rise.

Following any natural disaster, email scams are rife and extra care must be taken. Hurricane Harvey is no exception. While homeowners were preparing for the worst, cybercriminals were developing Hurricane Harvey phishing scams to fool the unwary into revealing their sensitive information or downloading malware.

Just as looters take advantage of abandoned homes, scammers take advantage of interest in the disaster and send malicious emails that direct users to phishing websites and exploit kits that silently download malware. Scammers capitalize on interest in disasters to conduct malicious activities.

The expected deluge of malicious emails has prompted US-CERT to issue a warning about Hurricane Harvey phishing scams, urging Americans to be extra vigilant. Similar warnings have also been issued by the Better Business Bureau and Federal Trade Commission (FTC).

Hurricane Harvey phishing scams are likely to have eye-catching subject lines offering updates on Hurricane Harvey and stories relating to the disaster or relief efforts. The scam emails contain malicious hyperlinks that will direct users to phishing websites and sites where malware is downloaded. Malicious email attachments are also used to install malware and ransomware.

Users should be extremely wary about opening any emails relating to Hurricane Harvey, especially emails sent from unknown senders. The best advice is not to click on any hyperlink in an email relating to Hurricane Harvey and not to open email attachments sent in those messages.

While email is favored by many scammers, Hurricane Harvey phishing scams can be found on social media sites. Facebook posts and tweets may direct users to phishing websites where credit card details can be obtained or to fake charity websites where donations can be made.

How to Give to Charity to Support the Victims and Avoid Being Scammed

A natural disaster such as this causes devastation for tens of thousands of families. Homes and businesses are lost and families are forced to take refuge in shelters. Displaced families need support and many charities are accepting donations to help the victims.

However, all may not be as it seems. Scammers spoof legitimate charities and set up bogus websites where donations can be made. Oftentimes, legitimate charities are spoofed and donations never make it to the victims.

The advice offered by the Federal Trade Commission is to be wary of any request for donations to support the victims of Hurricane Harvey. Rather than respond directly to email and social media requests for donations, visit the charity webpage directly and independently verify the charity is legitimate.

The Better Business Bureau is maintaining a list of BBB-accredited charities that are accepting donations to support the victims of Hurricane Harvey, as is Guidestar. By checking the legitimacy of the charity, users can make sure their donations reach the victims of the hurricane and do not end up lining criminals’ pockets.

If you are considering donating to a charity that is not on either list, before making a donation, check that the charity is registered by contacting the National Association of State Charity Officials.

Biggest Cybersecurity Threat? Employees, Say 100% of Survey Respondents!

What is the biggest cybersecurity threat currently faced by organizations? According to a recent survey of government IT professionals, the biggest cybersecurity threat is employees. 100% of respondents to the survey said employees were the biggest cybersecurity threat faced by their organization.

The survey, conducted by Netwrix, explored IT security and compliance risks at a wide range of organizations around the globe, including government agencies.

Government agencies are an attractive target for cybercriminals. They store vast quantities of sensitive data on consumers and cybersecurity protections are often inferior to private sector organizations. Consequently, cyberattacks are easier to pull off. In addition to a treasure trove of consumer data, government agencies hold highly sensitive information critical to national security. With access to that information, hackers can take out critical infrastructure.

There are plenty of hackers attempting to gain access to government networks and oftentimes attacks are successful. The Office of Personnel Management breach in 2015 resulted in the Social Security numbers of 21.5 million individuals being compromised. In 2015, there was also a 6.2 million record breach at the Georgia Secretary of State Office and 191 million individuals were affected by a hack of the U.S. voter database.

The survey revealed 72% of government entities around the world had experienced at least one data breach in 2016 and only 14% of respondents felt their department was well protected against cyberattacks.

Employees Are the Biggest Cybersecurity Threat

Last year, 57% of data breaches at government entities were caused by insider error, while 43% of respondents from government agencies said they had investigated instances of insider misuse. Given the high percentage of security incidents caused by insiders – deliberate and accidental – it is no surprise that insiders are perceived to be the biggest cybersecurity threat.

How Can Employees be Turned from Liabilities into Security Titans?

Employees may be widely regarded as liabilities when it comes to information security, but that need not be the case. With training, employees can be turned into security titans. For that to happen, a one-time security awareness training program is not going to cut it. Creating a security culture requires considerable effort, resources and investment.

Security awareness training needs to be a continuous process with training sessions for employees scheduled at least twice a year, with monthly updates and weekly security bulletins distributed to highlight the latest threats. Training must also be backed up with testing – both to determine how effective training has been and to provide employees with the opportunity to test their skills. Phishing simulations are highly effective in this regard. If an employee fails a simulation it can be turned into a training opportunity. Studies by security training companies have shown susceptibility to phishing attacks can be reduced by more than 90% with effective training and phishing simulation exercises.

However, fail to invest in an effective security awareness program and employees will remain the biggest cybersecurity threat and will continue to cause costly data breaches.

How to Reduce Exposure to Phishing and Malware Threats

With the workforce trained to respond correctly to phishing emails, employees can be turned into a formidable last line of defense. The defensive line should be tested with simulated phishing emails, but technological solutions should be introduced to prevent real phishing emails from being delivered to end users’ inboxes.

The majority of malware and ransomware attacks start with a phishing email, so it is essential that these malicious messages are filtered out. An advanced spam filtering solution should therefore be at the heart of an organization’s email defenses.

SpamTitan is a highly effective enterprise-class spam filtering solution that blocks malicious messages and more than 99.9% of spam email, helping organizations to mount an impressive defense against email-based attacks. Dual anti-virus engines are used to identify and block malware and ransomware, with each email subjected to deep analysis using Sender Policy Framework (SPF), SURBLs, RBLs and Bayesian analysis to block threats.

If you want to improve your defenses against phishing and email-based malware attacks, SpamTitan should be at the heart of your email defenses. To find out more about SpamTitan and how it can prevent your employees having their phishing email identification skills frequently put to the test, contact the TitanHQ team today.

2017 Spam Study Reveals Majority of Malicious Messages Sent During Office Hours

The busiest day of the week for email spam is Tuesday and spammers concentrate on sending messages during working hours, Monday to Friday, according to a 2017 spam study conducted by IBM X-Force.

The study was conducted over a 6-month period from December 2016 to June 2017. The study analyzed more than 20 million spam messages and 27 billion webpages and images a day. The researchers also incorporated data provided by several anti-spam organizations, making the 2017 spam study one of the largest ever conducted.

The 2017 spam study showed the majority of spam emails – 83% – were sent to arrive in inboxes during office hours with Tuesday, Wednesday, and Thursday the spammiest days. Spam volume was much lower on Mondays and Fridays.

While spam is sent 24/7, the busiest times are between 1am and 4pm ET. If an email arrives at an inbox when a worker is at his/her desk, it is more likely to be opened. Spammers therefore concentrate their messages during office hours.

Malicious spam messages increase around the holidays and during tax season when email scams are rife. The increase in numbers of individuals heading online to shop for goods means rich pickings for spammers. Spam volume also increases during sporting events such as the Olympics, the Super Bowl and the Football World Cup, with sports-themed spam messages capitalizing on interest in the events.

Malicious messages aim to get email recipients to reveal their banking credentials, logins and passwords and install malware. The researchers found 44% of spam emails contained malicious code, and out of those emails, 85% were used to spread ransomware.

While the majority of spam messages are automated, the IBM researchers point out that spammers work at their campaigns. There is also considerable manual work required to control botnets and spam mailers. The process is not entirely automated. Considerable work is put into malicious messages that spread ransomware and malware, with these campaigns requiring the highest level of manual control. These campaigns also involve extensive planning to maximize the number of victims.

Spam is sent from countries all around the world, although the biggest percentage hails from India, which sends 30% of all spam emails. South America and China also send a high percentage of global spam. Only 7% of spam emails are sent from the United States and Canada.

Companies are getting better at filtering out spam emails and preventing the messages from reaching inboxes. Spam filtering technology has improved enormously in recent years, meaning fewer messages are being delivered; however, spam is still the main method of distributing malware and phishing scams are rife. Spammers are also getting much better at masking their malicious messages, and they frequently change delivery vehicles and develop new methods of hiding malicious code to avoid detection.

The researchers say spam email volume has increased fourfold over the past 12 months and malicious messages are now being increasingly targeted at organizations and individuals, rather than being sent randomly in huge spamming campaigns. Targeting allows the attackers to send carefully crafted campaigns which are more likely to result in the recipients taking the desired action.