The two main cybersecurity threats that businesses now have to deal with are phishing and ransomware attacks and those threats have become even more common over the past 12 months. Cybercriminals stepped up their attacks during the pandemic with many phishing campaigns launched using the novel coronavirus as a lure. These campaigns sought to distribute malware and steal credentials.
Ransomware attacks also increased in 2020. Several new ransomware-as-a-service (RaaS) operations were launched in 2020 and the number of attacks on businesses soared. In addition to encrypting files, data theft was also highly prevalent n 2020, with most ransomware operators stealing data prior to encrypting files. This double extortion tactic proved to be very effective. Many businesses were forced to pay the ransom even though they had backups and could have recovered their files. Payments were made to ensure data stolen in the attack was deleted and not misused, published, or sold.
Phishing and ransomware attacks often go hand in hand and are often used together in the same attack. Phishing emails are used to install malware, which in turn is used to provide access for ransomware gangs. The Emotet and TrickBot Trojans are notable examples. Operators of both of those Trojans teamed up with ransomware gangs and sold access once they had achieved their own objectives. The credentials stolen in phishing attacks are also sold onto RaaS affiliates and provide the foothold they need to conduct their devastating attacks.
Phishing campaigns are easy to conduct, low cost, and they can be very effective. Largescale campaigns involve millions of messages, and while most of those emails will be blocked by email security solutions or will be identified by employees as a threat, all it takes is for one employee to respond to a phishing email for an attacker to gain the access they need.
TitanHQ recently partnered with Osterman Research to explore how these and other cyber threats have affected businesses over the past 12 months. This new and original study involved an in-depth survey of security professionals to find out how those threats have affected their organization and how effective their defenses are at repelling attackers.
The survey showed the most common security incidents suffered by businesses were business email compromise (BEC) attacks, where employees are tricked into taking an action suggested in a scam email from the CEO, CFO or another high-level executive. These attacks often involve the genuine email account of an executive being compromised in a phishing scam and the attacker using that account to target employees in the same organization.
The next biggest threat was phishing emails that resulted in a malware infection, followed by phishing messages that stole credentials and resulted in an account compromise. The survey showed that these attacks are extremely common. 85% of interviewed security professionals said they had experienced one or more of 17 different types of security breaches in the past 12 months. While attacks were common, only 37% of respondents said their defenses against phishing and ransomware attacks were highly effective.
There are several steps that can be taken to improve defenses against phishing and ransomware attacks. End user training is important to teach employees what to look for and how to identify these types of threats. However, there is always potential for human error, so training alone is not the answer. Email security is the best defense. By blocking these threats at source, they will not land in inboxes and employees will not be tested. Email security should be combined with a web security solution to block the web-based component of phishing attacks and stop malware and ransomware downloads from the Internet.
The findings of the Osterman and TitanHQ survey will be explained in detail at an upcoming webinar on June 30, 2021. Attendees will also learn how they can significantly reduce the risk of ransomware and phishing attacks.
The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ. You can Register Your Place Here
Threat actors seized the opportunities provided by the pandemic and conducted many phishing campaigns using COVID-19 themed lures. These campaigns took advantage of global interest in the novel coronavirus and preyed on fears of contracting COVID-19 to get people to open the emails, click on malicious hyperlinks, or open attachments that downloaded malware and ransomware payloads. Now that a large percentage of the population has been vaccinated, employers are opening up their offices again and employees are returning to the workplace.
The return to offices has presented another opportunity for scammers, who have launched a new phishing campaign targeting workers returning to offices. The emails appear to be a message from the CIO welcoming employees back to the workplace and claims to provide information about post-pandemic protocols and the procedures that have been put in place to accommodate returning workers to reduce the risk of infection.
The emails have been crafted to make them appear as if they have been sent internally, and include the logo of the targeted company and are signed by the CIO. The emails include a hyperlink that directs employees to a fake Microsoft SharePoint page that hosts two documents, both of which have the company’s branding. The documents are a COVID-19 factsheet and an implementation letter that includes steps that the company has taken based on updates provided by the Centers for Disease Control and Prevention (CDC), World Health Organization (WHO), and local health officials.
Most phishing campaigns would simply direct people to a landing page that hosts a phishing form where they are asked to enter their Office 365 credentials. This campaign is more sophisticated and includes an additional step. Nothing happens when an employee lands on the page. They are first required to click to open a document before the phish is activated. When the document is clicked, a fake Microsoft login prompt appears and credentials must then be entered in order to view the documents.
If credentials are entered, a message is then generated advising the employee that their account or password is not correct, and they are made to reenter their credentials several times before they are finally redirected to a genuine Microsoft page and are given access to the documents on OneDrive, most likely unaware that their credentials have been phished.
This COVID-19 phishing scam, like many others conducted throughout the pandemic, has a plausible lure. In this case, the emails have been well written and have been targeted for specific companies, making them very believable and likely to fool a great many employees. It is unclear what aims the attackers have once credentials have been harvested. They could be used to plunder sensitive information in Office 365 email accounts, would give the attackers a foothold in the corporate network for a more extensive compromise, or they could be sold to other threat groups such as ransomware gangs.
The best way to counter the threat is to prevent the malicious emails from arriving in inboxes, which requires an advanced spam filtering solution such as SpamTitan. With SpamTitan in place, phishing threats such as this will be identified and blocked at the gateway to ensure that employees’ phishing email identification skills are not put to the test.
If you want to improve your security posture and block more phishing threats, give the TitanHQ team a call today to discover how SpamTitan Email Security and the WebTitan DNS Filter can improve cybersecurity in your organization.
Phishing is the leading cause of data breaches and 2020 saw phishing-related data breaches increase again. The recently released Verizon 2021 Data Breach Investigations Report shows there was an 11% increase in phishing attacks in 2020, with work-from-home employees extensively targeted with COVID-19 themed phishing lures.
Phishing attacks are conducted to steal credentials or deliver malware, with the former often leading to the latter. Once credentials have been obtained, they can either be used by threat actors to gain access to business networks to steal data and launch further attacks on an organization. Credentials stolen in phishing attacks are often sold to other threat groups such as ransomware gangs. From a single phishing email, a business could be brought to its knees and even prevented from operating.
The fallout from a phishing attack can be considerable, and it is therefore no surprise that many businesses fail after a successful cyberattack. According to ID Agent, 60% of companies go out of business within 6 months of a cyberattack – The cost of recovery and the damage to the company’s reputation can simply be too great.
Considering the potentially devastating consequences of a phishing attack it is surprising that many businesses fail to implement appropriate protections to block attacks and do not make sure their employees are able to recognize and avoid phishing threats.
A recent study conducted by the phishing simulation vendor KeepNet Labs highlighted just how often employees fall for these scams. In a test involving 410,000 simulated phishing emails, more than half of the emails were opened, 32% of individuals clicked a (fake) malicious link or opened an attachment, and 13% of individuals provided their login credentials in response to the emails.
How to Defend Against Phishing Attacks
It is vital for the workforce to be prepared, as phishing emails can easily end up in inboxes regardless of the security protections in place to block the messages. Fortunately, through regular security awareness training, employees can be trained how to spot a phishing email. Following security awareness training, phishing email simulations are useful for identifying weak links – employees that need further training. Over time, it is possible to significantly improve resilience to these damaging and incredibly costly cyberattacks.
The importance of solid technical email security defenses cannot be overestimated as even with training, phishing emails can be very difficult for employees to identify. Phishing emails often have plausible lures, the email messages can be extremely well written, and often appear to have come from trusted sources. It is common for the emails to impersonate trusted companies and include their color schemes and logos and the websites that users are directed to are often carbon copies of the genuine websites they spoof.
There are three technical solutions that can be implemented in addition to the provision of training that can greatly improve the security posture of an organization against phishing attacks. These three solutions provide three layers of defenses, so should one fail to detect and block a threat, the others will be in place to provide protection.
3 Essential Technical Phishing Controls for Businesses
The most important technical control against phishing is a spam filter. A spam filter will block the majority of phishing and spam emails and will stop them reaching inboxes, but the percentage of emails blocked can vary considerably from solution to solution. Most spam filters will block 99% or more of spam and phishing emails, but what is needed is a solution that will block more than 99.9% of spam and malicious emails. SpamTitan for instance, has an independently verified catch rate of 99.97%, ensuring your inboxes are kept free of threats.
An often-neglected area of phishing protection is a web filter. Web filters are extensively used by businesses and the education sector for blocking access to inappropriate web content such as pornography. Web filters are also an important anti-phishing measure for blocking the web-based component of phishing attacks. When an employee clicks a link in an email that directs them to a phishing page, the web filter will block access. WebTitan Cloud is constantly updated with new malicious URLs as they are created via multiple threat intelligence feeds. WebTitan blocks malware downloads from the Internet and can be configured to block access to risky websites that serve no work purpose.
The last measure that should be implemented is multi-factor authentication for email accounts. In addition to a password, MFA requires another form of authentication to be provided before access is granted. Without that additional factor, the account cannot be accessed. This is an important security measure that kicks in when credentials have been stolen to block unauthorized account access.
If you want to improve your defenses against phishing, these three technical controls along with end user training will keep your business safe. To find out more, and how little these protections cost, give the TitanHQ team a call today!
TitanHQ has announced the release of a new version of WebTitan Cloud that includes new security features, easier administration, and the introduction of WebTitan OTG (on-the-go) for Chromebooks for the education sector.
One of the main changes introduced with WebTitan Cloud version 4.16 is the addition of DNS Proxy 2.06, which supports filtering of users in Azure Active Directory. This is in addition to on-premise AD and directory integration for Active Directory. The support for Azure Active Directory will make it easier for customers to enjoy the benefits of WebTitan Cloud, while making management easier and less time-consuming. Support for further directory services will be added with future releases to meet the needs of customers.
Current WebTitan customers do not need to do anything to upgrade to the latest version of WebTitan, as updates to WebTitan Cloud are handled by TitanHQ and users will be upgraded to the latest version automatically to ensure they benefit from improved security, the latest fixes, and new functionality.
The latest WebTitan Cloud release has allowed TitanHQ to introduce a new solution specifically to meet the needs of clients in the education sector – WebTitan OTG (on-the-go) for Chromebooks.
The use of Chromebooks has grown significantly over the past year, which corresponds with an increase in student online activity. WebTitan OTG for Chromebooks allows IT professionals in the education sector to ensure compliance with federal and state laws, including the Children’s Internet Protection Act (CIPA), and ensure students can use their Chromebooks safely and securely.
WebTitan OTG for Chromebooks is a DNS-based web filtering solution that requires no proxies, VPNs or any additional hardware and since the solution is DNS-based, there is no impact on Internet speed. Once implemented, filtering controls can be set for all Chromebook users, no matter where they connect to the Internet. The controls will be in place in the classroom and at home and all locations in between.
Administrators can easily apply filtering controls for all students, different groups of students, and staff members, including enforcing Safe Search. The solution will block access to age-inappropriate content, phishing web pages, malicious websites used for distributing malware, and any category of website administrators wish to block. Chromebooks can also easily be locked down to prevent anyone bypassing the filtering controls set by the administrator.
WebTitan OTG for Chromebooks delivers fast and effective user- and device-level web filtering and empowers students to discover the Internet in a safe and secure fashion. Reports can be generated on demand or scheduled which provide information on Chromebook user locations, the content that has been accessed, and any attempts to bypass filtering, with real-time views of Internet access also possible.
“This new release comes after an expansive first quarter. The launch of WebTitan Cloud 4.16 brings phenomenal new security features to our customers,” Said TitanHQ CEO, Ronan Kavanagh. “After experiencing significant growth in 2020, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
Further information on the Azure AD app is available here.
Further Information on WebTitan OTG for Chromebooks is available here.
Following on from a supply chain attack that saw the software update feature of the Passwordstate password manager hijacked the threat group developed a convincing phishing campaign targeting enterprise users of the password manager solution.
The supply chain attack was used to infect users of the password manager with malware dubbed Moserpass. Between April 20 and April 22, users of the password manager who downloaded an update through the In-Pass Upgrade mechanism may have had a malicious file downloaded – a malformed Passwordstate_upgrade.zip file.
Downloading the file started a chain of events that resulted in Moserpass being installed, which collected and exfiltrated information about the computer, users, domains, running services and processes, along with password data from the Passwordstate app. The malware also had a loader module, so could potentially download other malware variants onto victims’ devices. Since passwords were potentially compromised, affected users have been advised to reset all of their passwords.
The attack only lasted 28 hours before it was identified and blocked, but in order to remove the malware from customers’ devices, Click Studios, the developer of the password app, emailed customers and encouraged them to apply a hotfix to remove the malware.
Some customers who received the email from Click Studios shared a copy of the message on social media networks. The threat group behind the attack were monitoring social media channels, obtained a copy of the genuine Click Studios email about the hotfix, and used the exact same email for a phishing campaign. Instead of directing users to the hotfix to remove Moserpass malware, the phishing email directed users to a website not under the control of Click Studios which installed an updated version of Moserpass malware.
Since the Passswordstate breach notification emails were virtual carbon copies of genuine communications from Click Studios they were very convincing. Users who followed the instructions in the email would likely think they were removing malware, when they were actually installing it. The fake versions of the emails do not have a domain suffix used by Click Studios, request the hotfix is downloaded from a subdomain, and claim an ‘urgent’ update is required to fix a bug, but it is easy to see how these messages could fool end users.
Click Studios supplies its password manager to around 29,000 enterprises and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be concerned about a malware infection. Click Studios said only a very small number of its customers were affected and had the malware installed – those who downloaded the update in the 28-hour period between April 20 and April 22 – but anyone receiving the fake email could well have been convinced that the email was genuine and taken the requested action.
Phishers often use fake security warnings as a lure, and data breach notifications are ideal for use in phishing attacks. This Passswordstate breach notification phishing campaign highlights the importance of carefully checking any message for signs of phishing, even if the email content seems genuine and the message includes the right branding, and the risks of posting copies of genuine breach notification letters on social media networks.
Many phishing attacks are sophisticated, and it can be difficult for employees to differential between genuine and malicious messages, which is why advanced spam and phishing defenses are required. If you want to improve your defenses against phishing, get in touch with TitanHQ and discover how SpamTitan Email Security can improve your security posture and better protect your organization from phishing and other email-based threats.