Blog

SpamTitan 7.11 Release Includes New Geo-blocking Email Security Feature

TitanHQ has released a new version of its award-winning email security solution that includes a new security feature – Geo-blocking email filtering, as well as several other security updates and fixes to improve usability.

Geo-blocking is a feature that has been requested by customers and has now been included in the product at no additional cost to users. Geo-blocking, as the name suggests, allows SpamTitan users to block or allow emails originating from certain geographical locations, based on either IP address or country. This feature allows businesses to add an extra layer of protection to block geographic threat vectors and stop malware, ransomware, and phishing emails from reaching inboxes.

The new feature allows businesses and organizations to block emails coming from any country. This extra control is important, as most malware-containing emails come from a handful of overseas countries – Countries that most small- to medium-sized businesses do not normally work with. Blocking emails from those countries eliminates threats, without negatively impacting the business.

Activating the geo-blocking feature could not be any easier. SpamTitan users can click to restrict emails from any country in the SpamTitan Country IP Database and all emails coming from those countries will be blocked. There will naturally be instances where things are not so cut and dry, but that is not a problem. Geo-blocking can be activated for a specific country, and IP addresses, domains, or email addresses of trusted senders within those countries can simply be whitelisted to ensure their messages are delivered.

“Geoblocking has been a much-requested feature and as always we listen to our customers and provide what they need to implement the very best email security they can,” said TitanHQ CEO Ronan Kavanagh. “After experiencing 30% growth in 2021, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”

Several other security enhancements have been made to further improve the already excellent threat detection and blocking mechanisms within SpamTitan. SpamTitan 7.11 includes an upgraded sandboxing feature to provide even greater protection against malware, ransomware, phishing, spear-phishing, Advanced Persistent Threats, and malicious URLs embedded in emails. These enhancements also provide more detailed information into new threats to help SpamTitan users mitigate risk.

As always with a new release, recently reported bugs have been fixed, and SpamTitan has been further improved with enhanced email rendering in Mail Viewer. Users also now have the ability to remove quarantine report token expiry and improve domain verification, to name but a few of the enhancements.

SpamTitan is delivered either as a 100% cloud-based solution or as an anti-spam gateway, which is run as a virtual appliance on existing hardware. Existing SpamTitan Cloud customers need do nothing to upgrade to the new version of the solution, released on September 14, 2021. SpamTitan Cloud is automatically updated to the latest version.

Users of SpamTitan Gateway will need to manually upgrade to the latest version via System Setup > System Updates.

A full description of the latest updates in SpamTitan 7.11 is available here.

New Hampshire Town Loses $2.3 Million to BEC Scammers

Ransomware attacks are being conducted at alarming rates, but even though the cost of these attacks is considerable, they are not the leading cause of losses to cybercrime. According to figures from the Federal Bureau of Investigation (FBI), business email compromise attacks are the costliest type of cyber fraud. In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 complaints about business email compromise scams. $1.8 billion was lost to these sophisticated email scams in 2020 and many of these scams are never reported.

Business email compromise (BEC) scams, also known as email account compromise (EAC) scams, involve business email accounts being compromised by attackers and then used to send messages to individuals in the company responsible for making wire transfers. The goal of the attacks is to compromise the email account of the chief executive officer (CEO) or the chief financial officer (CFO), and to use that account to send messages to others in the company asking them to make a wire transfer to an attacker-controlled account.

Attacks are also conducted on vendors and their accounts are used to send requests to change payment methods or the destination account for an upcoming payments. In addition to requesting wire transfers, the scammers are also known to request sensitive data such as W2 forms, the information on which can be used to submit fraudulent tax returns to claim tax refunds. BEC scammers are also known to request gift cards or request changes to payroll direct deposit information.

BEC scams can result in major losses. Recently, a town in New Hampshire (Peterborough) was targeted by BEC scammers who successfully redirected multiple bank transfers before the scam was uncovered. The attackers sent forged documents to staff members in the Finance Department of the town to make changes to account information for various payments. The scam was sophisticated, and the scammers participated in multiple email exchanges between staff members. The attackers had conducted extensive research to find out about the most valuable transactions to redirect.

The scam was uncovered when the ConVal School District notified the town when they failed to receive a $1.2 million transfer of funds. Peterborough officials confirmed that the transfer had been made, with the investigation revealing the bank account details had been changed. Further investigation revealed two large bank transfers to the contractor used for the Main Street Bridge Project had also been redirected to attacker-controlled accounts. In total, $2.3 million was lost to the scammers and there is little hope of any of the funds being recovered.

BEC attacks are sophisticated, the attackers are skilled at what they do, and it is all too easy for employees in the finance department to be fooled into thinking they are conversing with the CEO, CFO, or a vendor via email, since the genuine email account is being used. The attackers also study the style of emails sent by the owner of the account and copy that style so as not to arouse suspicion.

There are steps that organizations can take to block the initial attack vector and to identify scams in time to stop any fraudulent transfers of funds. The primary defense against BEC attacks is a spam filtering solution, which will block the initial phishing emails used to obtain the credentials for internal email accounts. SpamTitan incorporates a range of features to detect and block these phishing emails, including machine learning technology that can identify email messages that deviate from the normal messages usually received by individuals. Outbound scanning is also incorporated, which can detect phishing attempts as the attackers try to use employee email accounts to compromise the accounts of their final target – the CFO or CEO. Rules can also be set to flag attempts to send sensitive data – such as W-2 forms – via email.

In addition to spam filtering, it is important for organizations to raise awareness of the threat of BEC attacks with the workforce, especially employees in the finance department. Policies and procedures should also be put in place that require any change to payment details to be verified by telephone using previously confirmed contact information. Implementing these simple measures can be the difference between blocking an attack and transferring millions of dollars directly to the attackers’ accounts.

If you want to improve your defenses against BEC and phishing attacks, give the TitanHQ team a call. Demonstrations of SpamTitan can be booked on request, and the full product – including full technical and customer support – is available on a free trial to allow you to see the solution in action and test it within your own environment before making a decision about a purchase.

OnePercent Ransomware Delivered via Phishing Emails

Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.

Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against.  The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems.  A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.

Like many ransomware gangs, the initial attack vector is phishing emails. Phishing emails are sent to targeted organizations that have malicious .ZIP email attachments which contain Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks to compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit, and Rclone for data extraction.

The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.

As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.

Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.

It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.

While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.

Ransomware and BEC Attacks Often Start with a Phishing Email: Are Your Phishing Defenses Good Enough?

Ransomware attacks can be incredibly expensive and business email compromise (BEC) scams can result in transfers of millions of dollars to attackers, but these breaches often start with an email.

Phishing emails are sent to employees that ask them to click on a link, which directs them to a webpage where they are asked to provide their login credentials, for Microsoft 365 for example. Once credentials are entered, they are captured and used to access that individual’s account. The employee is often unaware that anything untoward has happened.

The stolen credentials give an attacker the foothold in the network that is needed to launch a major cyberattack on the business. The phisher may use the email account to send further phishing emails to other employees in the company, with the aim being to gain access to the credentials of an individual with administrative privileges or the credentials of an executive.

An executive’s account can be used to send emails to an individual in the company responsible for making wire transfers. A request is sent for a wire transfer to be made and the transfer request is often not recognized as fraudulent until the funds have been transferred and withdrawn from the attacker’s account. These BEC scams often result in tens of thousands of dollars – or even millions – being transferred.

An alternative attack involves compromising the email accounts of employees and sending requests to payroll to have direct deposit information changed. Salaries are then transferred into attacker-controlled accounts.

Phishers may act as affiliates for ransomware-as-a-service (RaaS) gangs and use the access they gain through phishing to compromise other parts of the network, steal data, and then deploy ransomware, or they may simply sell the network access to ransomware gangs.

When email accounts are compromised, they can be used to attack vendors, customers, and other contacts. From a single compromised email account, the damage caused is considerable and often far reaching. Data breaches often cost millions of dollars to mitigate. All this from a single response to a phishing email.

Phishing campaigns require very little skill to conduct and require next to no capital investment. The ease at which phishing attacks can be conducted and the potential profits that can be gained from attacks make this attack method very attractive for cybercriminals. Phishing can be used to attack small businesses with poor cybersecurity defenses, but it is often just as effective when attacking large enterprises with sophisticated perimeter defenses. This is why phishing has long been one of the most common ways that cybercriminals attack businesses.

How to Deal with the Phishing Threat

Phishing attacks may lead to the costliest data breaches, but they are one of the easiest types of cyberattacks to prevent; however, some investment in cybersecurity and training is required. The most important first step is to purchase an advanced spam filter. This technical control is essential for preventing phishing emails from reaching end users’ inboxes. If the phishing emails do not arrive in an inbox, they cannot be clicked by an employee.

Not all spam filtering solutions are created equal. Basic spam filters are effective at blocking most threats, but some phishing emails will still be delivered to inboxes. Bear in mind that phishers are constantly changing tactics and are trying to get one step ahead of cybersecurity firms. Most spam filtering solutions will block messages from malicious IP addresses and IP addresses with poor reputations, along with any messages identified in previous phishing campaigns and messages containing known variants of malware.

Advanced spam filtering solutions use AI and machine learning techniques to identify messages that deviate from the normal emails a business typically receives, are able to detect previously unseen phishing emails, and incorporate Sender Policy Framework and DMARC to identify email impersonation attacks. Sandboxing is also included which is used to identify previously unseen malware threats. Greylisting is a feature of advanced spam filters that involves initially rejecting a message and requesting it be resent. The delay in a response, if one is received at all, indicates the mail server is most likely being used for spamming. Spam servers are usually too busy on huge spam runs to resend messages that have initially been rejected.

Advanced spam filters also feature outbound email scanning, which can identify compromised email accounts and can block phishing messages from being sent internally or externally from a hacked mailbox.

SpamTitan incorporates all of these advanced controls, which is why it is capable of blocking more threats than basic spam filters. Independent tests have shown SpamTitan blocks in excess of 99.97% of malicious messages.

Don’t Neglect End User Training

No spam filter will be 100% effective at blocking phishing threats, at least not without also blocking an unacceptable number of genuine emails. It is therefore important to provide regular security awareness training to the workforce, with a strong emphasis on phishing. Employees need to be taught how to identify a phishing email and conditioned how to respond when a threat is received (alert their security team).

Since phishing tactics are constantly changing, regular training is required. When training is reinforced, it is easier to develop a security culture and regular training sessions will raise awareness of the latest phishing threats. It is also recommended to conduct phishing simulation exercises to test the effectiveness of the training program and to identify individuals who require further training.

Web Filtering is an Important Anti-Phishing Control

The key to blocking phishing attacks is to adopt a defense-in-depth approach. That means implementing multiple overlapping layers of security. One important additional layer is a web filtering solution. Spam filters target the phishing emails, whereas web filters work by blocking access to the webpages hosting the phishing kits that harvest credentials. With a spam filter and web filter implemented, you are tackling phishing from different angles and will improve your defenses.

A web filter will block access to known malicious websites, providing time-of-click protection against malicious hyperlinks in phishing emails. A web filter will also prevent employees from being redirected to phishing web pages from malicious website adverts when browsing the Internet. Web filters also analyze the content of web pages and will block access to malicious web content that has not previously been identified as malicious. Web filters will also block malware and ransomware downloads.

WebTitan is a highly effective DNS-based web filtering solution that protects against phishing, malware, and ransomware attacks. The solution can protect office workers but also employees who are working remotely.

Speak to TitanHQ Today About Improving your Phishing Defenses

TitanHQ has been developing anti-phishing and anti-malware solutions for more than two decades. TitanHQ’s email and web security solutions are cost effective, flexible, easy to implement, and easy to maintain. They are consistently given top marks on software review sites and are a big hit with IT security professionals and managed service providers (MSPs). TitanHQ is the leading provider of email and web security solutions to MSPs serving the SMB market.

If you want to improve your phishing defenses and block more threats, contact the TitanHQ team today for further information on SpamTitan and WebTitan. Both solutions are available on a 100% free trial of the full product complete with product support. Product demonstrations can also be booked on request.

Sneaky Tactics Used in Two Ongoing Phishing Campaigns Targeting User Credentials

New phishing campaigns are constantly being launched that impersonate trusted companies, organizations, and individuals, and use social engineering techniques to trick end users into divulging sensitive information such as their email credentials. Two such phishing campaigns have recently been discovered that use sneaky tactics to fool the unwary.

Sneaky Tactics Used to Obtain Office 365 Credentials

Organizations using Office 365 are being targeted in a sneaky phishing campaign that has been ongoing for several months. The phishing campaign incorporates a range of measures to fool end users and email security solutions. The goal of the campaign is to steal Office 365 credentials.

The phishing emails are sent from believable email addresses with spoofed display names to make the sender appear legitimate. The campaign targets specific organizations and uses believable usernames and domains for sender display names related to the target and the messages also include genuine logos for the targeted company and Microsoft branding.

The messages use believable Microsoft SharePoint lures to trick end users into clicking an embedded hyperlink and visiting the phishing URL. Recipients of the messages are informed that a colleague has sent a file-share request that they may have missed, along with a link directing the recipient to a webpage hosting a fake Microsoft Office 365 login box.

To encourage users to click, the emails suggest the shared file contains information about bonuses, staff reports, or price books. The phishing emails include two URLs with malformed HTTP headers. The primary phishing URL is for a Google storage resource which points to an AppSpot domain. If the user signs in, they are served a Google User Content domain with an Office 365 phishing page. The second URL is embedded in the notification settings and links to a compromise SharePoint site, which again requires the user to sign in to get to the final page.

To fool email security solutions, the messages use extensive obfuscation and encryption for file types often associated with malicious messages, including JavaScript, in addition to multi-layer obfuscation in HTML. The threat actors have used old and unusual encryption methods, including the use of morse code to hide segments of the HTML used in the attack. Some of the code segments used in the campaign reside in several open directories and are called by encoded scripts. Microsoft researchers discovered and tracked the campaign and likened it to a jigsaw puzzle, where all the pieces look harmless individually and only reveal their malicious nature when correctly pieced together.

This campaign is particularly sneaky, with the threat actor having gone to great lengths to fool both end users and security solutions.

FINRA Impersonated in Phishing Campaign

A new phishing campaign has recently been detected that impersonates the U.S. Financial Industry Regulatory Authority (FINRA). In this campaign, cyber threat actors have used domains that mimic FINRA, which are close enough to the genuine finra.org domain to fool unsuspecting individuals into disclosing sensitive information.

The phishing emails have been sent from three fraudulent domains: finrar-reporting.org, finpro-finrar.org, and gateway2-finra.org. The use of hyphens in phishing domains is very common, and it is often enough to trick people into thinking the site is a subdomain of the official website that the campaign mimics.

The emails ask the recipients to click a link in the email to “view request.” If the link is clicked, the users are prompted to then provide information to complete the request. As is typical in phishing campaigns, there is a threat should no action be taken, which in this case is “late submission may attract financial penalties.”

The financial services regulator has taken steps to take down these fraudulent domains, but it is likely that the threat actor will continue using other lookalike domains. Similar domains were used in the campaign spoofing FINRA earlier this year, including finra-online.com and gateway-finra.org.

These campaign highlights the need for security awareness training, an advanced email security solution, and other anti-phishing measures such as a web filter.

If you are concerned about your cybersecurity defenses and want to block threats such as these, give the TitanHQ team a call for advice on security solutions that can be easily implemented to block phishing and other email threats to improve your security posture and prevent costly data breaches.