Blog
by titanadmin | Nov 26, 2023 | Phishing & Email Spam, Spam Advice |
A malware phishing campaign has been running since September 2023 that is distributing DarkGate malware. Now, the threat actor behind the campaign has switched to PikaBot malware, and the campaign has several similarities to those conducted by the threat actor behind Qakbot.
DarkGate malware was first detected in 2017 but was only offered to other cybercrime groups this summer. Since then, distribution of the malware has increased significantly, with phishing emails and malvertising – malicious adverts – the most common methods of delivery. DarkGate malware is a multi-purpose Windows malware with a range of capabilities, including information stealing, malware loading, and remote access. In September, security researchers at Cofense identified a malware phishing campaign that was spreading DarkGate malware that has since evolved into one of the most advanced active phishing campaigns making it clear that it is being conducted by an experienced threat group. Then in October 2023, the threat actor behind the campaign switched to distributing Pikabot malware. Pikabot malware was first detected in early 2023 and functions as a downloader/installer, loader, and backdoor.
Security researchers have analyzed the malware phishing campaign and have identified several similarities to those used to distribute Qakbot (Qbot) malware including the behavior of the malware upon infection, the method of distribution, as well as internal campaign identifiers. Qakbot was one of the most active malware botnets; however, in August this year, an international law enforcement operation headed by the U.S. Department of Justice successfully took down the infrastructure of Qakbot.
The emergence of the phishing DarkGate/Pikabot campaign around a month after the Qakbot takedown, the use of a similar campaign that was used to distribute Qakbot, and no detected Qakbot activity since the takedown has led security researchers to believe the operators of Qakbot have switched to distributing DarkGate/Pikabot. Both of those malware families have similar capabilities to Qakbot and that could indicate the Qakbot operators have switched to newer malware botnets. As was the case with Qakbot, the new malware variants provide the threat actor with initial access to networks and it is probable that attacks will result in data theft and potentially the use of ransomware. Given the pervasive nature of Qakbot, if the same threat actors are behind the latest DarkGate/Pikabot campaign it poses a significant threat to businesses. The phishing campaign starts with an email that forwards or replies to a stolen message thread. Since the message threat contains genuine previous conversations there is a much higher probability of the recipient responding to the message. The emails contain an embedded URL that directs the user to a.ZIP archive that contains a malware dropper, which delivers the final DarkGate or Pikabot payload.
The phishing campaign continues to evolve and it is the work of a very experienced threat actor. One of the best defenses against these attacks is security awareness training. Employees should be warned of the tactics that are being used to distribute the malware and should be instructed to be vigilant, especially requests received via email that appear to be responses to previous communications that prompt them to visit a website and download a compressed file. They should be instructed to report any such email to their security teams for analysis.
With SafeTitan, TitanHQ’s security awareness training platform, it is easy to incorporate the latest threat intelligence into training content and push out short training sessions to employees to raise awareness of the latest malware phishing campaigns. SafeTitan also includes a phishing simulator that allows custom simulated phishing emails to be sent out to the workforce, including simulated phishing emails that include the tactics used in the DarkGate/Pikabot campaign. Security teams can use the simulator to determine how employees react and can then take proactive steps to address any knowledge gaps before a real DarkGate/Pikabot phishing email lands in an inbox.
An advanced spam filter should also be implemented that is capable of scanning and following links in emails along with a WebFilter for blocking access to malicious websites and restricting file downloads from the Internet, such as TitanHQ’s SpamTitan Plus and WebTitan DNS filter. For more information on the SafeTitan security awareness training and phishing simulation platform, advanced spam filtering with SpamTitan Plus, and web filtering with WebTitan, call TitanHQ today. All TitanHQ solutions are also available on a free trial.
by titanadmin | Nov 24, 2023 | Phishing & Email Spam |
You may be able to grab a bargain on Black Friday and Cyber Monday but you need to be extra vigilant for Black Friday phishing attacks and Cyber Monday scams. Cybercriminals are waiting to take advantage of unwary online shoppers on Black Friday and scams are rife throughout the holiday season.
Black Friday and Cyber Monday are two of the busiest shopping days of the year. Many people take advantage of the deals on offer and delay major purchases to try to get a Black Friday or Cyber Monday bargain, and savvy shoppers get started on their Christmas shopping early and try to grab the best gifts while they are available, often at a sizeable discount. On Black Friday, Cyber Monday, and throughout the holiday season, cybercriminals are hard at work. It is the perfect time for them to fill their pockets before the Christmas break. There are huge numbers of people looking to make purchases online, and cybercriminals are more than happy to offer the bargains and special deals that they seek.
During this shopping frenzy, people who delay making a purchase often miss out due to limited product availability. That means it is the perfect time to conduct a phishing attack offering a high-value product at a rock-bottom price, as it is exactly what consumers are expecting and hoping to find. The whole retail event plays into cybercriminals’ hands. People are made to think that they need to act fast and make a quick purchase when what they need to do is stop and think about whether the offer being presented is really what it seems.
Last year, UK residents lost more than £10 million to cybercriminals over the festive shopping period, according to the UK National Cyber Security Centre, with each victim losing an average of £639 to scams between November 2022 and January 2023. This year, the outlook looks even bleaker due to the ease at which artificial intelligence can be used to create convincing scams. While phishing attempts, scam emails, and malicious websites often contain red flags that indicate all is not what it seems, those red flaws are often missing from AI-generated content. Cybercriminals are leveraging large language models, such as ChatGPT, to create convincing emails, scams, fake adverts, and fraudulent websites. The aim of these attacks is to get unsuspecting consumers to disclose their usernames and passwords, provide their credit card and bank details, make purchases for non-existent products, or download malware. AI allows cybercriminals to conduct these scams on an increasingly large scale.
Tips for Avoiding Black Friday Phishing Scams and Online Fraud
AI tools allow cybercriminals to generate phishing emails with perfect grammar and no spelling mistakes and even generate convincing lures targeted at specific groups of people, but the same social engineering techniques are used in these phishing attempts as human-generated phishing emails. With phishing attempts, there is a sense of urgency. Phishing emails have a call to action and only a limited time to respond and there will usually be a threat of negative consequences if prompt action is not taken. With Black Friday phishing scams, product scarcity or a special offer expiring are often how cybercriminals get urgent action to be taken, or there may be a threat of pending costs, charges, or account closures if the email is ignored. Another common ploy is to generate a security alert about unauthorized account access or a potentially fraudulent purchase that has been made, with immediate action required to block the charge or protect the account. Everyone needs to be extra vigilant during the holiday season and should carefully check the sender of the email and stop and think before taking any action suggested in an email.
With so many purchases being made at this time of year, it is the perfect time for phishing lures warning about unsuccessful deliveries. Most people will be expecting packages to be delivered over the next few days and weeks. If you are notified about a failed delivery attempt, make sure that the message has been sent from the domain of the company that claims not to be able to deliver the package. If the email claims to have been sent by FedEx, UPS, DPD, Yodel, or Evri, check it has been sent from the official domain used by that company and watch out for hyphenated domain names, spelling mistakes, and transposed letters.
While email scams are common, so are scams on social media platforms. Malicious advertisements are posted offering products that are never dispatched. According to the Federal Trade Commission, $2.7 billion has been lost in the United States to social media scams over the past 2 years. While there may be genuine offers on social media sites, any vendor should be carefully vetted before making a purchase through an advert and checked to make sure they are who they claim to be and that they are a reputable retailer. It is also far better to use a credit card for any purchases, as credit card companies offer much greater protection against fraud than banks do for debit cards.
While non-delivery scams are common, and credit card theft is rife, many Black Friday and Cyber Monday scams try to obtain access to accounts. In addition to being extra vigilant, it is important to ensure that accounts are properly protected, which means setting a strong, unique password for each account and ensuring multifactor authentication is enabled. If passwords are reused across multiple sites, if that password is obtained, all accounts that use the same password will be put at risk. Multifactor authentication will provide greater protection for accounts should passwords be guessed or otherwise obtained. A password alone is not sufficient to gain access to an account, as an additional form of authentication must be provided.
by titanadmin | Nov 23, 2023 | Network Security, Spam Software |
Malware sandboxing for email is now vital for email security. Suspicious files that pass AV checks are sent to the sandbox where they are safely detonated and subjected to behavioral analysis.
Email-based Cyberattacks are Increasing
Email is one of the most common initial access vectors used by cybercriminals. Initial access to victims’ networks is gained via two main methods: email attachments and embedded URLs. The first attack type involves emails with attachments that contain malicious code, such as macros. If the files are opened and the code is allowed to execute, it will trigger the download and execution of malware from a remote server, or in some cases, malware will be executed in the memory (fileless malware).
The other method, which is now more common since Microsoft started blocking macros in Office documents by default if they are received via the Internet, is for phishing emails to be sent that contain malicious URLs. These URLs may be added to the message body or be hidden inside documents. These URLs point to an Internet site that hosts malware which is silently downloaded when the link is visited or the user is tricked into installing the malware.
Businesses need to ensure they have adequate defenses to block email-based attacks. The first line of defense is an email security solution that will scan the message headers, message body, and attachments and perform reputation checks on the sender. Email security solutions use blacklists of malicious domains and IP addresses and will block messages from these domains and IPs if they have previously been used for phishing, scams, or malware distribution. Checks will be performed on URLs and the messages are searched for the signatures of spam and phishing content – words and phrases commonly used by threat actors. If these checks are failed, the messages will be quarantined.
To block malware, email security solutions scan email attachments using anti-virus engines, which search for the signatures of malware – specific parts of the malware code that have been identified in previous malware analyses. The anti-virus software is regularly updated, and new signatures are added when new malware variants are identified. While these scans will block all known malware if the signature for malware is not in the definition list, the file will not be classed as malicious, and the message will be delivered to the end user. Unfortunately, new malware variants are being released faster than ever before to get around signature-based detection. To block unknown malware another method is required – malware sandboxing for email.
Malware Sandboxing for Email
Advanced email security solutions include malware sandboxing for email. If an email attachment passes the standard checks and anti-virus scans, it is sent to a sandbox where the behavior of the file is analyzed. A sandbox is an isolated, secure environment where files can be opened and analyzed without risk. Any checks of the environment that are performed by malware when it is executed are often passed as the sandbox is created to look exactly like a real endpoint. Any actions performed by files when they are opened are analyzed in detail and if any checks fail, the file and email will be quarantined and all other copies of that email will be removed from the email system. These checks may take a few minutes to perform, so there will be a slight delay in delivering genuine emails.
SpamTitan, TitanHQ’s award-winning email security solution, includes a powerful next-gen sandbox that is powered by Bitdefender. The malware sandboxing service uses powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, which provide advanced threat protection and zero-day exploit detection. To avoid unnecessary email delivery delays, SpamTitan has strong machine learning, static analysis, and behavior detection technologies which ensure that only files that require further analysis get sent to the sandbox. If all sandbox checks are passed, the message will be delivered. If one or more checks are failed, the message will be quarantined, and the results passed to Bitdefender’s Global Protective Network. If that threat is encountered again, it will be recognized and will be quarantined immediately and will not need to get sent to the sandbox to be detonated again.
With SpamTitan malware sandboxing for email, businesses will be well protected against zero-day malware threats that would otherwise be delivered to inboxes. For more information give the TitanHQ team a call. SpamTitan with malware sandboxing for email is also available on a 14-day free trial.
Additional Articles Related to Email Sandboxing
Email Sandboxing
Email Sandboxing Service
Sandboxing Blocking Malware Threats
Email Sandboxing Pattern Filtering
How does an email sandbox block malware?
Email Sandboxing and Message Delivery Delays
Commonly Asked Questions about Email Sandboxing
What is sandbox security?
How does a sandbox work?
How to sandbox email attachments
What is message sandboxing?
What is malware sandboxing for email?
What is sandboxing in cybersecurity?
What are the advantages and disadvantages of email sandboxing?
Sandboxing Technology for Email
What is a malicious file sandbox for email?
by titanadmin | Nov 20, 2023 | Network Security, Spam Software |
Implementing your own sandboxing technology for email can be complex and costly. SpamTitan Email Security has an inbuilt sandbox, so all the hard work is done for you. You get the full cybersecurity benefits of a sandbox at a very low cost.
What are the Benefits of an Email Sandbox?
Email sandboxing is no longer a ’want’ it is now a ‘must-have.’ Cybercriminal groups are conducting huge numbers of attacks, nation-state actors are targeting businesses to steal their proprietary data, and these attacks are getting far more sophisticated and can easily evade standard security solutions. The consequences of a successful cyberattack are severe. IBM’s 2023 Cost of a Data Breach Report indicates that the average cost of a successful attack and data breach has risen to $4.45 million in the United States. It is no surprise that many small to medium-sized businesses fold within 6 months of a successful attack.
As has been the case for many years, one of the easiest ways to gain initial access to a company’s network is via email. Employees are targeted as they can be tricked into disclosing their credentials or installing malware. Email security solutions such as spam filters and secure email gateways are capable of blocking many threats, but they are failing to block zero-day malware threats. Traditional email security solutions are reliant on signature-based detection methods for blocking malware. When a malware threat is detected and analyzed by security researchers, the signature for that malware variant is added to the definition list. Email security solutions use signature-based detection methods to block 100% of known malware.
The problem comes with new malware, for which no signature has been defined. Without a signature, malware will not be identified as malicious if it is encountered. If a novel malware variant is attached to an email, the email will most likely be delivered and can be opened by an end user and new malware variants are now being released at an incredible rate. While signature-based detection has served businesses well, additional protection is now required – email sandboxing.
With an email security solution that has an email sandbox, inbound messages will first be subjected to standard checks. An email sandbox is then used to safely analyze the behavior of files in an environment where no harm can be caused. If malware is executed, it will be detected based on its behavior rather than a signature. The threat will then be blocked, and no harm will be caused.
SpamTitan Email Sandboxing Technology for Email
With SpamTitan, the initial checks include AI-based and machine-learning detection, which is capable of detecting previously unseen phishing threats. All attachments are scanned with two antivirus engines to ensure 100% of known malware threats are detected and blocked. The sandbox provides an extra layer of protection. When initial checks are passed, suspicious messages are sent to the sandbox for deep analysis. File attachments are safely detonated, their behavior is analyzed, and the results are checked against an extensive array of online repositories. The process usually takes just a few minutes, or in some cases, a maximum of 20 minutes.
If a threat is detected it is reported to the Bitdefender Global Protective Network – Bitdefender’s cloud threat intelligence service. If that threat is detected again by SpamTitan or any device connected to the network, it will not need to be sent to the sandbox again and all devices will be protected against that threat. The latest malware variants often include code that checks for running security solutions and whether it has landed on a real endpoint. If a virtual environment is detected and the malware determines it is in a sandbox, it will not perform its malicious actions and may delete itself to prevent analysis. To get around this, the email sandbox emulates a real endpoint and analyzes files by leveraging purpose-built, advanced machine-learning algorithms. The sandbox incorporates anti-evasion and anti-exploit techniques and performs aggressive behavior analysis. Every evasion attempt by malware is properly marked and the files are flagged.
The sandbox analyzes a broad range of targets, including documents, spreadsheets, and executable files, and is capable of identifying and blocking polymorphic malware and other threats that have been developed for undetectable attacks. With email-based cyberattacks increasing in number and sophistication, businesses need to ensure they have advanced defenses. With SpamTitan sandboxing technology for email you get advanced threat protection at an affordable price. To find out more, call the TitanHQ team today or take advantage of a free 14-day free trial of SpamTitan.
Additional Articles Related to Email Sandboxing
Email Sandboxing
Email Sandboxing Service
Sandboxing Blocking Malware Threats
Email Sandboxing Pattern Filtering
How does an email sandbox block malware?
Email Sandboxing and Message Delivery Delays
Commonly Asked Questions about Email Sandboxing
What is sandbox security?
How does a sandbox work?
How to sandbox email attachments
What is message sandboxing?
What is malware sandboxing for email?
What is sandboxing in cybersecurity?
What are the advantages and disadvantages of email sandboxing?
Sandboxing Technology for Email
What is a malicious file sandbox for email?
by titanadmin | Nov 15, 2023 | Network Security, Spam Software |
What is Sandboxing in Cybersecurity?
Sandboxing in cybersecurity terms refers to an isolated virtual machine that is used for testing code and analyzing files. Since the sandbox is isolated from other systems and networks, unverified code, untested programs, email attachments, and files downloaded from the Internet can be executed or detonated safely. Code is executed and files are opened and their behavior is analyzed to determine if they are safe or if they may cause damage to data or systems. In the sandbox, the activities that can be performed are restricted so they can’t cause any real damage. If code is executed in the sandbox and it is determined to be malicious, it will be deleted or quarantined for further analysis. Sandboxing is also used for checking URLs. For instance, some web browsers will first open a URL in a sandbox where permissions are set to the lowest privilege levels. If any attempt is made to perform an action that is not permitted, access to the URL will either be blocked or the user will receive a warning.
Why is Sandboxing Important?
In software development, new code may have unintended consequences, such as causing other systems to malfunction, which in a production environment could cause unacceptable and costly downtime. A sandbox allows code to be fully tested to ensure it is safe. A security sandbox protects against malicious code that has been deliberately written to cause damage and/or provide access to systems and data. For example, ransomware is malicious code that encrypts files to prevent them from being accessed. A threat actor then demands payment for the keys to decrypt files. If that code was allowed to execute on the network, data could be permanently lost, or a ransom would need to be paid to recover files.
Cyberattacks on businesses have been increasing and are now being conducted more frequently than ever before. The average ransom demand in data theft and ransomware attacks is now more than $1.5 million, and data from Rapid7 suggests more than 1,500 organizations fell victim to ransomware attacks in the first half of 2023, with more than 20 new ransom groups emerging. Cybercriminals also still use backdoors, keyloggers, banking trojans, and information stealers to gain access to networks and steal sensitive data. To make matters worse, new malware and ransomware variants are constantly being released and these evade security solutions that rely on signature-based detection. It is vital that all files and applications are thoroughly tested before being allowed anywhere near the network and sandboxing allows even previously unseen malicious files to be identified and neutralized.
Email Sandboxing
Email security solutions often use sandboxing for attachments and URLs. With email attachments, they will first be scanned using standard anti-virus engines to determine if they contain known malware or malicious code. These AV checks will only detect known malware. New malware variants that have not been encountered before cannot be detected, as standard AV solutions search for signatures of known malware. Email sandboxing is used to detect new malware, often referred to as zero-day threats. Files that are determined to be clean after AV scanning are sent to the sandbox for behavioral analysis. Email security solutions may also use a sandbox for testing embedded URLs in messages and will follow the links and check the destination and assess whether it contains any threats.
Email Sandboxing from TitanHQ
SpamTitan is a multi-award-winning email security solution from TitanHQ that offers advanced threat protection at an affordable price. SpamTitan blocks phishing, malware, spam, viruses, and other malicious email threats and includes a Bitdefender-powered email sandbox. Emails that pass the initial barrage of checks, including antivirus scans, are sent to the sandbox where they are safely detonated, and their behavior is analyzed. The SpamTitan sandbox combines the latest threat analysis with powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, ensuring businesses are protected against zero-day threats. For more information on SpamTitan Email Security, give the TitanHQ team a call today.
Additional Articles Related to Email Sandboxing
Email Sandboxing
Email Sandboxing Service
Sandboxing Blocking Malware Threats
Email Sandboxing Pattern Filtering
How does an email sandbox block malware?
Email Sandboxing and Message Delivery Delays
Commonly Asked Questions about Email Sandboxing
What is sandbox security?
How does a sandbox work?
How to sandbox email attachments
What is message sandboxing?
What is malware sandboxing for email?
What is sandboxing in cybersecurity?
What are the advantages and disadvantages of email sandboxing?
Sandboxing Technology for Email
What is a malicious file sandbox for email?