titanadmin - Page 10
by titanadmin | Oct 6, 2018 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News, Spam Software
Office 365 phishing attacks are commonplace, highly convincing, and Office 365 spam filtering controls are easily being bypassed by cybercriminals to ensure messages reach inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SLL certificates to convince users the websites are genuine.
Office 365 Phishing Attacks Can Be Difficult to Identify
In the event of a phishing email making it past perimeter defenses and arriving in an inbox, there are several tell-tale signs that the email is not genuine.
There are often spelling mistakes, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails and they are often virtually indistinguishable from genuine communications from the brand they are spoofing. In terms of formatting, they are carbon copies of genuine emails complete with the branding, contact information, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is requested to take are perfectly plausible.
Hyperlinks are contained in emails that direct users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually further signs that all is not as it seems. A warning may flash up that the website may not be genuine, the website may start with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.
Even these tell-tale signs are not always there, as has been shown is several recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.
Microsoft Azure Blog Storage Phishing Scam
One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use HTTP and HTTPS, the phishing campaign uses the latter, which will show a signed SSL certificate from Microsoft.
In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted document. In this case, the document appears to be from a Denver law firm. Clicking the button directs the user to an HTML page hosted on Azure blog storage that requires Office 365 credentials to be entered to view the document. Since the document is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft adding legitimacy to the scam.
Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.
CloudFlare IPFS Gateway Abused
A similar campaign has been detected that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser. When connecting to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this case, the login requires information to be entered including username, password, and recovery email address and phone number – which will be forwarded to the attacker, while the user will be directed to a PDF file unaware that their credentials have been stolen.
Office 365 Phishing Protections are Insufficient
Office 365 users are being targeted by cybercriminals as they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for protection. With only the basic Exchange Online Protection, the protection was worse still.
Whether you run an SMB or a large enterprise, you are likely to receive high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be fooled. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater protection.
How to Make Office 365 More Secure
While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats such as spear phishing.
Office 365 does not have the same level of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.
To greatly improve protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to ensure malicious messages are blocked or quarantined rather than being delivered to end users’ inboxes. Some of the additional protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:
by titanadmin | Sep 27, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam
Cybercriminals have turned to cryptocurrency mining malware as an easy, low-risk way of making money although ransomware is still the main malware threat according to Europol.
While it was common for large-scale spam email campaigns to be sent to random recipients to spread ransomware, tactics used to infect devices with the file-encrypting malware are changing.
There has been a decline in the use of ‘spray and pray’ spam campaigns involving millions of messages toward targeted attacks on businesses. Organized cybercriminal gangs are researching victims and are conducting highly targeted attacks that first involve compromising a network before manually deploying ransomware.
The cybercriminal group behind SamSam ransomware has been particularly prolific. Companies that have failed to address software vulnerabilities are attacked and access is gained to their networks. The SamSam group also conducts brute force attacks on RDP to gain access to business networks. Once access is gained, ransomware is manually installed on as many computers as possible, before the encryption routine is started across all infected devices. With a large number of devices encrypted, the ransom demand can be much higher – Typically around $50,000 per company. The group has collected at least $6 million in ransom payments to date.
Europol warns that ransomware attacks will continue to be a major threat over the following years, although a new threat is emerging – cryptojacking malware. This form of malware is used to hijack computer processors to mine cryptocurrency. Europol warns that if the rise in the use of cryptojacking malware continues it may overtake ransomware and become the biggest malware threat.
Not only does cryptojacking offer considerable rewards, in many cases use of the malware is not classed as illegal, such as when it is installed on websites. This not only means that cybercriminals can generate considerable profits, but the risk involved in these types of attacks is far lower than using ransomware.
Cybercriminals are still extensively using social engineering techniques to fool consumers and employees into disclosing sensitive personal information and login credentials. Social engineering is also extensively used to trick employees into making fraudulent bank transfers. Phishing is the most common form of social engineering, although vishing – voice phishing – and smishing – SMS phishing are also used. Europol notes that social engineering is still the engine of many cybercrimes.
While exploit kits have been extensively used to silently download malware, Europol notes that the use of exploit kits continues to decline. The main attack vectors are spam email and RDP brute-forcing.
As-a-service cyberattacks continue to be a major problem. DDoS-as-a-service and ransomware-as-a-service allow low-level and relatively unskilled individuals to conduct cyberattacks. Europol recommends law enforcement should concentrate on locating and shutting down these criminal operations to make it much harder for low-level criminals to conduct cyberattacks that would otherwise be beyond their skill level.
With spam email still a major attack vector, it is essential for businesses to implement cybersecurity solutions to prevent malicious emails from being delivered to inboxes and ensure cybersecurity best practices are adopted to make them less susceptible to attack. With phishing the main form of social engineering, anti-phishing training for employees is vital.
RDP attacks are now commonplace, so steps must be taken by businesses to block this attack vector, such as disabling RDP if it is not required, using extremely strong passwords for RDP, limiting users who can login, configuring account lockouts after a set number of failed login attempts, and using RDP gateways.
by titanadmin | Sep 19, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Website Filtering
With the largest economy, the United States is naturally a major target for cybercriminals. Various studies have been conducted on the cost of cybercrime in the United States, but little data is available on cybercrime losses in Germany – Europe’s largest economy.
The International Monetary Fund produces a list of countries with the largest economies. In 2017, Germany was ranked fourth behind the United States, China, and Japan. Its GDP of $3,68 trillion represents 4.61% of global GDP.
A recent study conducted by Germany’s federal association for Information Technology – BitKom – has placed a figure on the toll that cybercrime is taking on the German economy.
The study was conducted on security chiefs and managers at Germany’s top 503 companies in the manufacturing sector. Based on the findings of that survey, BitKom estimated cybercrime losses in Germany to be €43 billion ($50.2 billion). That represents 1.36% of the country’s GDP.
Extrapolate those cybercrime losses in Germany and it places the global cost of cybercrime at $1 trillion, substantially higher than the $600 billion figure estimate from cybersecurity firm McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study placed the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe estimated to be between 0.79 to 0.89% of GDP.
Small to Medium Sized Businesses Most at Risk
While cyberattacks on large enterprises have potential to be highly profitable for cybercriminals, those firms tend to have the resources available to invest heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far easier to target smaller companies with less robust cybersecurity defenses.
Small to medium sized businesses (SMBs) often lack the resources to invest heavily in cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these companies, which form the backbone of the economy in Germany, are particularly vulnerable to cyberattacks and have been extensively targeted by cybercriminals.
It is not only organized cybercriminal groups that are conducting these attacks. Security officials in Germany have long been concerned about attacks by well-resourced foreign spy agencies. Those agencies are using cyberattacks to gain access to the advanced manufacturing techniques developed by German firms that give them a competitive advantage. Germany is one of the world’s leading manufacturing nations, so it stands to reason that the German firms are an attractive target.
Cybercriminals are extorting money from German firms and selling stolen data on the black market and nation-state sponsored hackers are stealing proprietary data and technology to advance manufacturing in their own countries. According to the survey, one third of companies have had mobile phones stolen and sensitive digital data has been lost by a quarter of German firms. 11% of German firms report that their communications systems have been tapped.
Attacks are also being conducted to sabotage German firms. According to the study, almost one in five German firms (19%) have had their IT and production systems sabotaged through cyberattacks.
Businesses Must Improve Their Defenses Against Cyberattacks
“With its worldwide market leaders, German industry is particularly interesting for criminals,” said Achim Berg, head of BitKom. Companies, SMBs in particular, therefore need to take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to prevent cybercriminals from gaining access to their systems and data.
According to Thomas Haldenweg, deputy president of the BfV domestic intelligence agency, “Illegal knowledge and technology transfer … is a mass phenomenon.”
Preventing cyberattacks is not straightforward. There is no single solution that can protect against all attacks. Only defense-in-depth will ensure that cybercriminals and nation-state sponsored hacking groups are prevented from gaining access to sensitive information.
Companies need to conduct regular, comprehensive organization-wide risk analyses to identify all threats to the confidentiality, integrity, and availability of their data and systems. All identified risks must then be addressed through a robust risk management process and layered defenses implemented to thwart attackers.
One of the main vectors for attack is email. Figures from Cofense suggest that 91% of all cyberattacks start with a malicious email. It stands to reason that improving email security should be a key priority for German firms. This is an area where TitanHQ can help.
TitanHQ is a provider of world-class cybersecurity solutions for SMBs and enterprises that block the most commonly used attack vectors. To find out more about how TitanHQ’s cybersecurity solutions can help to improve the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team today.
by titanadmin | Sep 17, 2018 | Industry News, Internet Security, Network Security, Spam Software, Website Filtering
Managed service providers (MSPs) are discovering the huge potential for profit from offering security-as-a-service to their clients. Managed security services are now the biggest growth area for the majority of leading MSPs, with security-as-a-service well ahead of cloud migration, cloud management, and managed Office 365 services according to a recent survey conducted by Channel Futures.
Channel Futures conducted the survey as part of its annual MSP 501 ranking initiative, which ranks MSPs based on their ability to act on current trends and ensure they remain competitive in the fast-evolving IT channel market. The survey evaluated MSP revenue growth, hiring trends, workforce dynamics, service deliverables, business models, and business strategies.
The survey revealed that by far the biggest growth area is managed security services. Security-as-a-service was rated the biggest growth area by 73% of MSPs. 55% of MSPs said professional services were a major growth area, 52% said Office 365, and 51% said consulting services.
It is no surprise that security-as-a-service is proving so popular as the volume of attacks on enterprises and SMBs has soared. Cybercriminals are attacking enterprises and SMBs trying to gain access to sensitive data to sell on the black market. Attacks are conducted to sabotage competitors, nation-state-sponsored hackers are attempting to disrupt critical infrastructure, and data is being encrypted to extort money. There is also a thriving market for proprietary data and corporate secrets.
The cost of mitigating attacks when they succeed is considerable. For enterprises, the attacks can make a significant dent in profits, but cyberattacks on SMBs can be catastrophic. A study conducted by the National Cyber Security Alliance suggests as many as 60% of SMBs go out of business in the 6 months following a hacking incident.
Enterprises and SMBs alike have had to respond to the increased threat by investing heavily in security, but simply throwing money at security will not necessarily mean all security breaches are prevented. Companies need to employee skilled IT security professionals to implement, monitor and maintain those cybersecurity solutions, conduct vulnerability scans, and identify and address security gaps. Unfortunately, there is a major shortage of skilled staff and attracting the right talent can be next to impossible. Faced with major challenges, many firms have turned to MSPs to and have signed up for security-as-service offerings.
Forward-thinking MSPs have seized the opportunity and are now providing a comprehensive range of managed security services to meet the needs of their clients. They are offering a wide range of tools and services from phishing protection to breach mitigation services; however, for many MSPs, developing such a package is not straightforward.
Security-as-a-service is in high demand, but MSPs must be able to package the right services to meet customers’ needs and have a platform that can handle the business end. They too must attract the staff who can implement, monitor, and manage those services for their clients.
When devising a security-as-a-service offering, one option is to use a common security architecture for all clients and provide them with a range of solutions from the same provider. Many companies have implemented a slew of different security tools from multiple providers, only to discover they are still experiencing breaches. It is a relatively easy sell to get them to move over to a system where all the component parts are seamlessly integrated and to benefit from an MSP’s expertise in managing those solutions. There is a risk of course that clients will just choose to go direct rather than obtain those services from an MSP. This single platform strategy has been adopted by Liberty Technology – ranked 242 in the MSP 501 list – and is working well, especially for clients that have fewer than 1,000 employees.
At the other end of the spectrum is Valiant Technologies, ranked 206 in the MSP 501 list. Valiant has chosen a wide range of products from multiple cybersecurity solution providers and has built a unique package of products for its security service.
The products were chosen for the level of protection they offered and how well they work together. This approach has been a success for the firm. “Providing a bundle of offerings from different vendors that work well together is the most effective way for an MSP to retain its role as a trusted adviser,” said the firm’s CEO Tom Clancy. The security service has been added to other business services provided by the MSP and has proved to be an easy sell to clients.
ComTec Solutions, which ranked in position 248 in the MSP 501 list, is still deciding on the best way forward. The provision of security-as-a-service is a no brainer, but the company is currently assessing whether it is worthwhile building a security operations center (SOC) and becoming a managed security service provider (MSSP) or outsourcing the SOC service.
There are several different approaches to take when developing a managed security service offering. What is vital is that such a service is provided. The MSP 501 survey has shown that the most successful MSPs have responded to demand and are now helping their clients secure their networks through their security-as-a-service offerings. Those MSPs are clearly reaping the rewards.
If you are an MSP that is considering developing a security-as-a-service offering, be sure to speak to TitanHQ about its world-class cloud-based security solutions for MSPs – WebTitan and SpamTitan – and find out how they can be integrated into your security stack.
by titanadmin | Sep 16, 2018 | Email Scams, Phishing & Email Spam, Spam News, Spam Software, Website Filtering
A new Python-based form of ransomware has been detected that masquerades as Locky, one of the most widely used ransomware variants in 2016. The new ransomware variant has been named PyLocky ransomware by security researchers at Trend Micro who have observed it being used in attacks in Europe, particularly France, throughout July and August.
The spam email campaigns were initially sent in relatively small batches, although over time the volume of emails distributing PyLocky ransomware has increased significantly.
Various social engineering tactics are being used by the attackers to get the ransomware installed, including fake invoices. The emails intercepted by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware which has been compiled using the PyInstaller tool, which allows Python applications to be converted to standalone executable files.
If installed, PyLocky ransomware will encrypt approximately 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files stored on all logical drives will be encrypted and the original copies will be overwritten. A ransom note is then dropped on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are unrelated. Ransom notes are written in French, English, Korean, and Italian so it is probable that the attacks will become more widespread over the coming weeks.
While Python is not typically used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been created. Pyl33t was used in several attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant stand out is its anti-machine learning capabilities, which help to prevent analysis using standard static analysis methods.
The ransomware abuses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is installed. If the total visible memory of a system is 4GB or greater, the ransomware will execute immediately. If it is lower than 4GB, the ransomware will sleep for 11.5 days – an attempt to determine if it is in a sandbox environment.
Preventing attacks requires a variety of cybersecurity measures. An advanced spam filtering solution such as SpamTitan will help to prevent the spam emails being delivered to end users’ inboxes. A web filter, such as WebTitan, can be employed to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will help to ensure that end users recognize the threat for what it is. Advanced malware detection tools are required to identify the threat due to its anti-machine learning capabilities.
There is no free decryptor for PyLocky. Recovery without paying the ransom will depend on a viable backup copy existing, which has not also been encrypted in the attack.
by titanadmin | Aug 31, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software
A spam email campaign is being conducted targeting corporate email accounts to distribute Loki Bot malware. Loki Bot malware is an information stealer capable of obtaining passwords stored in browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords used for messaging apps.
In addition to stealing saved passwords, Loki Bot malware has keylogging capabilities and is potentially capable of downloading and running executable files. All information captured by the malware is transferred to the attacker’s C2 server.
Kaspersky Lab researchers identified an increase in email spam activity targeting corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was delivered hidden in a malicious email attachment.
The intercepted emails included an ICO file attachment. ICO files are copies of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, most modern operating systems have the ability to access the contents of the files without the need for any additional software.
In this case, the ICO file contains Loki Bot malware and double clicking on the file will result in installation of the malware on operating systems that support the files (Vista and later).
It is relatively rare for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users attempt to open the files.
The campaign included a wide range of lures including fake purchase orders, speculative enquiries from companies containing product lists, fake invoices, bank transfer details, payment requests, credit notifications, and payment confirmations. Well-known companies such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.
Spam Email Campaign Distributing Marap Malware Targets Financial Institutions
A separate and unrelated spam email campaign has been identified that is using IQY files to deliver a new form of malware known as Marap. Marap malware is a downloader capable of downloading a variety of different payloads and additional modules.
Upon installation, the malware fingerprints the system and gathers information such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is installed. If the system is of particular interest, it is earmarked for a more extensive compromise.
Four separate campaigns involving millions of messages were detected by researchers at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document containing a malicious macro. The campaigns appear to be targeting financial institutions.
IQY files are used by Excel to download web content directly into spreadsheets. They have been used in several spam email campaigns in recent weeks to install a variety of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.
Since the majority of end users would not have any need to open ICO or IQY files, these file types should be added to the list of blocked file types in email spam filters to prevent them from being delivered to end users’ inboxes.
by titanadmin | Aug 30, 2018 | Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News
While the majority of phishing attempts are conducted via email, there has been a significant rise in the use of other communications platforms such messaging services, with WhatsApp phishing scams now increasing in popularity amongst phishers.
WhatsApp phishing attacks are common for two main reasons. First is the sheer number of people that are on the platform. In January 2018, the number of monthly users of WhatsApp worldwide reached 1.5 billion, up from 1 billion users six months previously. Secondly, is the lack of anti-phishing measures to prevent malicious messages from being delivered.
Many businesses have implemented spam filtering solutions such as SpamTitan, while personal users are benefiting by significant improvements to spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at identifying phishing emails and other malicious messages and send them to the spam folder rather than delivering them to inboxes.
Messaging services often lack spam filtering controls. Therefore, malicious messages have a much greater chance of being delivered. Various tactics are used to entice recipients to click the links in the messages, usually an offer of a free gift, an exceptionally good special offer on a product – the new iPhone for instance – or a money off voucher or gift card is offered.
The messages contain a link that directs the recipient to the phishing website. The link usually contains a preview of the website, so even if a shortlink is used for the URL, the recipient can see some information about the site. A logo may be displayed along with the page title. That makes it much more likely that the link will be clicked.
Further, the message often comes from a known individual – A person in the user’s WhatsApp contact list. When a known individual vouches for the site, the probability of the link being clicked is much greater.
To add further legitimacy to the WhatsApp phishing scams, the websites often contact fake comments from social media sites confirming that a gift card has been won or a reward has been received. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw where not everyone is a winner.
The websites used in WhatsApp phishing scams often use HTTPS, which show a green tick next to the URL to show that the site is ‘secure.’ Even though the green tick is no guarantee of the legitimacy of a site, many people believe the green tick means the site is genuine.
Gift cards are often given out for taking part in legitimate surveys, so the offer of either a gift card or entry into a free draw is not out of the ordinary. In return, the visitor to the site is required to answer some standard questions and provide information that would allow them to be contacted – their name, address, phone number, and email address for instance.
The information gathered through these sites is then used for further phishing attempts via email, telephone, or snail mail which aim to obtain even more personal information. After completing the questions, the website may claim that the user has one, which requires entry of bank account information or credit card details… in order for prize money to be paid or for confirmation of age.
These WhatsApp phishing scams often have another component which helps to spread the messages much more efficiently to other potential victims. Before any individual can claim their free prize or even submit their details for a prize draw, they must first agree to share the offer with some of their WhatsApp contacts.
If you receive an unsolicited link from a contact that offers a free gift or money-off voucher, there is a high chance it may not be genuine and is a WhatsApp phishing scam. If an offer seems too good to be true, it most likely is.
by titanadmin | Aug 27, 2018 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software
Hotels, restaurants, and telecommunications companies are being targeted with a new spam email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being distributed vis spam emails containing Microsoft Word attachments with malicious macros.
Opening an infected email attachment and enabling macros on the document will see Advisorsbot installed. Advisorsbot’s primary role is to perform fingerprinting on an infected device. Information will be gathered on the infected device is then communicated to the threat actors’ command and control servers and further instructions are provided to the malware based on the information gathered on the system. The malware records system information, details of programs installed on the device, Office account details, and other information. It is also able to take screenshots on an infected device.
AdvisorsBot malware is so named because the early samples of the malware that were first identified in May 2018 contacted command and control servers that contained the word advisors.
The spam email campaign is primarily being conducted on targets in the United States, although infections have been detected globally. Several thousands of devices have been infected with the malware since May, according to the security researchers at Proofpoint who discovered the new malware threat. The threat actors believed to be behind the attacks are a APT group known as TA555.
Various email lures are being used in this malware campaign to get the recipients to open the infected attachment and enable macros. The emails sent to hotels appear to be from individuals who have been charged twice for their stay. The campaign on restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications companies use email attachments that appear to be resumes from job applicants.
AdvisorsBot is written in C, but a second form of the malware has also been detected that is written in .NET and PowerShell. The second variant has been given the name PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that downloads a PowerShell script which executes shellcode that runs the malware in the memory without writing it to the disk.
These malware threats are still under development and are typical of many recent malware threats which have a wide range of capabilities and the versatility to be used for many different types of attack such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions performed are determined based on the system on which the malware has been installed. If that system is ideally suited for mining cryptocurrency, the relevant code will be installed. If the business is of particular interest, it will be earmarked for a more extensive compromise.
The best form of defense against this campaign is the use of an advanced spam filtering solution to prevent the emails from being delivered and security awareness training for employees to condition them how to respond when such a threat arrives in their inbox.
by titanadmin | Aug 15, 2018 | Email Scams, Industry News, Network Security
Two factor authentication flaws have been identified that allow accounts to be accessed even when protected by a password and second authentication factor.
Two-factor authentication is an important safeguard to secure accounts. In the event of login credentials being guessed or otherwise obtained by a third party, an additional method of authentication is required to gain access to the account. Without that second factor, access to the account is blocked. But not always. Multiple two-factor authentication flaws have been identified.
Two Factor Authentication Flaws Exploited in Reddit, LinkedIn and Yahoo Cyberattacks
Two-factor authentication is not infallible. Recently, Reddit disclosed that it had suffered a data breach even though two factor authentication had been implemented. Rather than use a token, Reddit used SMS messages to a mobile phone owned by the account holder as the second authentication factor. As Reddit discovered, SMS messages can be intercepted. The attacker was able to intercept a 2FA SMS message and gain access to an employee’s account, through which it was possible to access to an old database of user credentials.
Two-factor authentication was also in place at Yahoo in 2013, yet the company still experienced a massive data breach that resulted in all three billion of its users having their information obtained by hackers. Go back a year and there was the massive 167 million record data breach at LinkedIn, which had also implemented two-factor authentication.
A phone call or text message to a phone owned by the account holder does not necessarily prevent access to the account from being gained by a third party. In August last year, a Bitcoin investor had $150,000 of cryptocurrency stolen from his wallet after it was accessed by a third party. In that case, the investor’s second factor phone number had been re-routed to a device owned by the attacker after the phone company was duped.
Any second factor that uses the phone system of SMS messages provides an additional layer of protection, but it is not enough to protect against a determined skilled hacker.
Two Factor Authentication Flaws Discovered in Microsoft’s Active Directory Federation Services
A major two-factor authentication vulnerability was recently discovered by a security researcher at Okta. Okta, like many companies, uses Microsoft’s Active Directory Federation Services (ADFS) to provide multi-factor authentication.
Okta security researcher Andrew Lee discovered the system have a serious vulnerability that was not only straightforward to exploit, doing so would render an organization’s multi-factor authentication controls virtually useless.
Lee discovered that someone with a username, password, and a valid 2-factor token for one account could use the same token to gain access to any other account in the organization in AD with only a username and password. Any employee who is given an account and specified their own second factor could use it to access other accounts. Essentially the token was like a hotel room key card that opens all rooms in the hotel.
Obtaining another employee’s login credentials would only require a phishing campaign to be conducted. If an individual responded and disclosed their credentials, their account could be accessed without the need for a second factor.
The vulnerability in question, which was patched by Microsoft on August 14 in its August Patch Tuesday updates, was present in how ADFA communicates. When a user tries to login, an encrypted context log is sent by the server which contains the second factor token but not the username. This flaw could be exploited to fool the system into thinking the correct token had been supplied, as no check was made to determine whether the correct token had been supplied for a specific user’s account. As long as one valid username, password and 2FA token combo was owned, the 2FA system could be bypassed.
Two factor Authentication is Not a Silver Bullet
These two factor authentication flaws show that while 2-factor authentication is an important control to implement, businesses should not rely on the system to prevent unauthorized accessing of accounts. The two-factor authentication flaws discussed here are unlikely to be the last to be uncovered.
2-factor authentication should be just one element of an organization’s defenses against phishing and hacking, along with spam filters web filters, firewalls, intrusion detection systems, antivirus solutions, network segmentation, and employee security awareness training. 2FA should not be viewed as a silver bullet to prevent unauthorized account access.
by titanadmin | Aug 9, 2018 | Email Scams, Phishing & Email Spam, Spam News
A new sextortion phishing threat has been detected that is proving to have the desired effect. Many recipients of the emails have paid up to avoid being exposed.
On the face of it, this sextortion phishing scam is as simple as it gets. A threat actor claims to have taken control of the target’s computer and recorded them via their webcam while they were visiting an adult website. A threat is made to publicly release the video of them viewing pornography unless a payment is made.
For some recipients of such an email, such a threat would be enough to get them opening their Bitcoin wallet and making the payment without a second’s hesitation. Most people would likely see the email for what it really is. A scam and an empty threat.
However, a second variant of the email is being used that is a lot more personalized and includes a snippet of information to add credibility to the scam. The message includes the user’s password as ‘confirmation’ that it is not an empty threat. The attacker also claims, through compromising the target’s computer, to have obtained all the victim’s contacts including contacts in their social media accounts.
While the threat actor claims to have control of the user’s computer, that is not the case. The password has been obtained from a previous data breach and a list has likely been purchased on the darknet.
For many of the email recipients, the password will be old and will have been changed long ago. That may be enough in some cases to see payment made. However, for those who are still using that password, the threat may seem very real.
This is in reality a very simple scam that in many cases only works because despite the risk of failing to change passwords frequently, recycling old passwords, and reusing passwords on multiple sites, the practice is still commonplace.
It is not known how many emails have been sent by the scammers – most likely millions – but it only takes a handful of people to respond and make payment for the scheme to be profitable.
So far, at least 151 people have responded to the sextortion phishing scam and made a payment to one of 313 Bitcoin addresses known to be used by the scammers. So far, at least 30.08 BTC had been raised – Approximately $250,000 – from the scam as of July 26 and it has only been running for a few weeks. The researcher tracking the payments (SecGuru) pointed out that the attackers have made three times as much as the individuals behind the WannaCry ransomware attacks last year.
Even without the password, the sextortion phishing scam has proved effective. Payments have been made in both versions of the scam. The standard scam asks for a payment of a few hundred dollars, although the inclusion of a password sees the payment rise considerably. Some individuals have been told it will cost them $8,000 to prevent the release of the video. Some individuals have paid thousands to the scammers.
Given the widespread coverage of the scam, and its success rate, it is probable that many more similar schemes will be conducted. Variations along the same theme could direct recipients to a phishing website where they are enticed into disclosing their current password, to an exploit kit that downloads malware, or to another scam site.
Protecting against a scam such as this is easiest by using strong passwords, regularly changing them, and never reusing passwords on multiple sites. It is also worthwhile periodically checking to find out if their credentials have been exposed in a data breach on HaveIBeenPwned.com and immediately changing passwords if they have.
Anyone receiving a sextortion phishing email such as this should be aware that this is a scam. If the password included is currently being used, it is essential to change it immediately across all sites. And of course, set a strong, unique password for each account.
by titanadmin | Aug 3, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software
The past year has seen a steady increase in the number of reported email account compromises, with the healthcare industry one of the main targets for hackers.
Some of those breaches have seen the protected health information of thousands of patients compromised, with the largest phishing attack in 2018 – The phishing attack on Boys Town National Research Hospital – seeing more than 105,000 patients’ healthcare information exposed. Due to reporting requirements under HIPAA, healthcare phishing attacks are highly visible, although email account compromises are occurring across all industry sectors and the problem is getting worse.
284% Increase in Email Account Compromises in a Year
The increase in successful phishing attacks has been tracked by Beazley, a provider of specialist insurance services. The company’s research shows the number of reported phishing attacks increased every quarter since Q1, 2017 when there were 45 reported breaches that involved email accounts being compromised. In Q2, 2018, there were 184 email account compromises reported. Between Q1, 2017 and Q1, 2018, the number of reported data breaches involving compromised email accounts increased by 284%.
Why are email account compromises increasing? What do hackers gain from accessing email accounts rather than say, gaining access to networks which store vast amounts of data?
It can take a significant amount of time and effort to identify a vulnerability such a missed patch, an exposed S3 bucket, or an unsecured medical device, and exploit it.
By comparison, gaining access to an email account is relatively easy. Once access is gained, accessing further email accounts becomes easier still. If a hacker can gain access to an email account with the right level of administrative privileges, it may be possible for the entire mail system of an organization to be accessed.
If a hacker can gain access to a single email account, the messages in the account can be studied to gain valuable information about a company, its employees, and vendors. The hackers can identify further targets within an organization for spear phishing campaigns – termed Business Email Compromise (BEC) attacks – and attacks on contractors and suppliers.
Once One Account is Breached, Others Will Follow
If an executive’s email account is compromised, it can be used to send requests for wire transfers to the accounts department, HR can be emailed requesting W2-Forms that contain all the information necessary for filing fake tax returns and for identity theft. Requests can be sent via email to redirect employees’ paychecks and phishing emails can be sent to other employees directing them to websites where they have to divulge their email credentials.
Figures from the FBI show just how lucrative these Business Email Compromise (BEC) phishing attacks can be. Since October 2013, more than $12.5 billion has been lost to BEC attacks, up from $5.3 billion in December 2016.
Once access to the email system is gained, it is much easier to craft highly convincing spear phishing emails. Past email conversations can be studied, and an individual’s style of writing emails can be copied to avoid raising any red flags.
Email Account Compromises Are Costly to Resolve
Beazley also notes that email account compromises are some of the costliest breaches to resolve, requiring many hours of painstaking work to manually checking each email in a compromised account for PII and PHI. One example provided involved a programmatic search of compromised email accounts to identify PHI, yet that search uncovered 350,000 documents that required a manual check. The cost of checking those documents alone was $800,000.
Beazley also notes that when investigating breaches, the breached entity often discovers that only half of the compromised email accounts have been identified. The data breaches are usually much more extensive than was initially thought.
Unfortunately, once access to a single email account is gained, it is much harder to prevent further email compromises as technological controls are not so effective at identifying emails sent from within a company. However, it is relatively easy to block the initial phishing attempt.
How to Prevent Email Account Compromises
Many companies fail to implement basic controls to block phishing attacks. Even when a phishing-related breach is experienced, companies often remain susceptible to further breaches. The Ponemon Institute/IBM Security Cost of a Data Breach study showed there is a 27.9% probability of a company experiencing a further breach in the 24 months following a data breach.
To prevent phishing attacks, companies need to:
- Deploy an advanced spam filtering solution that blocks the vast majority of malicious messages
- Provide ongoing security awareness training to all staff and teach employees how to identify phishing emails
- Conduct regular phishing simulation exercises to reinforce training and condition employees to be more security aware
- Implement two-factor authentication to prevent attempts to access email accounts remotely
- Implement a web filter as an additional control to block the accessing of phishing websites
- Use strong, unique passwords or passphrases to make brute force and dictionary attacks harder
- Limit or prevent third party applications from connecting to Office 365 accounts, which makes it harder for PowerShell to be used to access email accounts for reconnaissance.
by titanadmin | Jul 31, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software
In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.
UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.
That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.
The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.
The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.
A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.
The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts – Information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.
This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.
The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identify theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.
As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.
by titanadmin | Jul 30, 2018 | Network Security
A massive cryptocurrency mining campaign has been uncovered by security researchers at Kaspersky Lab – A campaign that has resulted in the creation of a vast network of devices infected with PowerGhost malware.
PowerGhost malware is being installed on all manner of devices including servers, endpoints, and POS devices. Once infected, each device generates a small amount of a cryptocurrency each day by using the device’s processing power to solve complex computational problems.
While a single device can be used to mine a few dollars of cryptocurrency each day, the returns are significant when the attackers are able to infect server farms and add hundreds of thousands of endpoints to their army of cryptocurrency mining slaves.
Once a device is infected, the cryptocurrency mining tool is downloaded and gets to work. A portion of an infected device’s processing power is then dedicated to mining cryptocurrency until the infection is identified and the malware is removed. PowerGhost malware also spreads laterally to all other vulnerable networked devices.
What makes PowerGhost such a difficult threat to detect is the fact that it doesn’t use any files, instead it is capable of mining cryptocurrency from the memory. PowerGhost is an obfuscated PowerShell script that includes various add-on modules, including the cryptocurrency mining component, mimikatz, and the DLLs required for the operation of the miner. Various fileless techniques are used to infect devices, ensure persistence, and avoid detection by anti-virus solutions. The malware also includes shellcode for the EternalBlue exploit to allow it to spread across a network to other vulnerable devices. Attacks are occurring through the exploitation of unpatched vulnerabilities and through remote administration tools.
PowerGhost malware is primarily being used in attacks on companies in Latin America, although it is far from confined to this geographical region with India and Turkey also heavily targeted and infections detected in Europe and North America.
Companies are being targeted. If a foothold can be gained in a corporate network, hundreds, thousands or tens of thousands of devices can be infected and used for cryptocurrency mining. The potential rewards for a successful attack on a medium to large enterprise is substantial.
In addition to cryptocurrency mining, Kaspersky Lab researchers note that one version of the PowerGhost malware is capable of being used for DDoS attacks, offering another income stream for the cybercriminal gang behind the campaign.
Prompt patching, disabling of remote desktop protocol, and the setting of strong complex passwords can help to protect against this PowerGhost malware campaign.
by titanadmin | Jul 26, 2018 | Email Scams, Industry News, Network Security, Phishing & Email Spam, Spam Software, Website Filtering
One of the world’s biggest shipping firms – Cosco – has experienced a ransomware attack that has seen its local email system and network telephone in the Americas taken out of action as the result of widespread file encryption.
The Cosco ransomware attack is believed to have been contained in the Americas region. As a precaution and to prevent further spread to other systems, connections to all other regions have been disabled pending a full investigation. A warning has also been issued to all other regions warning of the threat of attack by email, with the firm telling its staff not to open any suspicious email communications. IT staff in other regions have also been advised to conduct scans of their network with antivirus software as a precaution.
The attack started on Tuesday, July 24, and its IT infrastructure remains down; however, the firm has confirmed that that attack has not affected any of its vessels which continue to operate as normal. Its main business systems are still operational, although the operators of terminals at some U.S ports are experiencing delays processing documentation and delivery orders.
It would appear that the Cosco ransomware attack is nowhere near the scale of the attack on the world’s biggest shipping firm A.P. Møller-Maersk, which like many other firms, fell victim to the NotPetya attacks last year. In that case, while the malware appeared to be ransomware, it was actually a wiper with no chance of file recovery.
The attack, which affected more than 45,000 endpoints and 4,000 servers, is estimated to have cost the shipping company between $250 million and $350 million to resolve. All servers and endpoints needed to be rebuilt, and the firm was crippled for 10 days. In that case, the attack was possible due to an unpatched vulnerability.
Another major ransomware attack was reported last week in the United States. LabCorp, one of the leading networks of clinical testing laboratories in the United States, experienced a ransomware attack involving a suspected variant of SamSam ransomware. While the variant of ransomware has not been confirmed, LabCorp did confirm the ransomware was installed as a result of a brute force attack on Remote Desktop Protocol (RDP).
Labcorp was both quick to detect the attack and contain it, responding within 50 minutes, although 7,000 systems and 1,900 servers are understood to have been affected. It has taken several days for the systems to be brought back online, during which time customers have been experiencing delays obtaining their lab test results.
Several cybersecurity firms have reported that ransomware attacks are in decline, with cryptocurrency mining offering better rewards, although the threat from ransomware is still ever present and attacks are occurring through a variety of attack vectors – exploitation of vulnerabilities, brute force attacks, exploit kit downloads, and, commonly, through spam and phishing emails.
To protect against ransomware attacks, companies must ensure security best practices are followed. Patches must be applied promptly on all networks, endpoints, applications, and databases, spam filtering software should be used to prevent malicious messages from reaching inboxes, web filters used to prevent downloads of ransomware from malicious websites, and all staff should receive ongoing cybersecurity awareness training.
Additionally, systems should be implemented to detect anomalies such as excessing file renaming, and networks should be segmented to prevent lateral movement in the event that ransomware is deployed.
Naturally, it is also essential that data are backed up regularly to ensure recovery is possible without having to resort to paying the ransom demand. As the NotPetya attacks showed, paying a ransom to recover files may not be an option.
by titanadmin | Jul 25, 2018 | Email Scams, Phishing & Email Spam
The National Bank of Blacksburg in Virginia has discovered just how important it is to have effective controls in place to protect against phishing. The bank suffered two costly phishing attacks in the space of eight months that have resulted in losses exceeding $2.4 million.
Phishing is the leading tactic used by cybercriminals to gain access to login credentials, steal data, and install malware. Emails are sent to employees with malicious attachments, which if opened, result in the installation of malware. Alternatively, links are sent in emails that direct employees to fraudulent websites where they are fooled into disclosing their login credentials.
The first attack on Blacksburg Bank took place on May 28, 2016. Malware was installed on its systems which gave the attackers access to the STAR Network – The system that manages debit card ATM activity. After gaining access to the STAR Network, the hackers were able to change account balances, remove security measures such as anti-theft and anti-fraud protections, conduct keystroke logging, and authorize withdrawals from customers’ accounts via ATMs.
In the two days that the hackers had access to the system, they were able to make withdrawals at hundreds of ATMs across the country and stole $569,648.24 from customers’ accounts. This was possible without stealing customers cards or using skimmers to create fake bank cards.
The malware was detected on May 30, 2016 and the attack was investigated by the computer forensics firm Foregenix which determined that the malware was installed as a result of an employee being duped by a phishing email.
Eight months later, on January 7, 2017, a similar attack occurred which involved cybercriminals gaining access to the STAR Network. Similarly, access was possible for two days, although in this case approximately $1.8 million was withdrawn from customers’ accounts. Verizon investigated the breach and concluded that access was gained as a result of an employee falling for a phishing scam.
The National Bank of Blacksburg holds an insurance policy against cyberattacks although its insurer, Everest National Insurance Company, has refused to cover the losses. Blacksburg is now suing its insurer for breach of contract.
What these incidents show is just how easy it is for major losses to be suffered as a result of employees falling for phishing scams and the importance of having robust anti-phishing measures in place.
There is no single solution that will provide total protection against phishing, although a good place to start is with an advanced anti spam service such as SpamTitan.
SpamTitan uses dual antivirus engines (Bitdefender and ClamAV) that provides superior protection against phishing and block emails containing malware and malware downloaders. The solution performs multiple checks on each incoming email to determine whether it is genuine, spam, or malicious, including standard checks of email headers, a Bayesian analysis on message content, and greylisting. Together, these controls ensure 99.97% of spam emails are detected and blocked, with a false positive rate of just 0.03%. Independent tests at Virus Bulletin have confirmed a 100% malware detection rate.
No anti-spam solution will block 100% of all spam and phishing emails so it is essential for employees to be trained how to recognize phishing emails. While it was once a best practice to provide annual training, with the volume of phishing emails now being sent and the increased sophistication of attacks, an annual training session is no longer sufficient.
Training needs to be ongoing, with regular training sessions scheduled throughout the year and employees conditioned through phishing simulation exercises. With effective spam filtering and employee security awareness training, the majority of phishing attempts can be thwarted.
by titanadmin | Jul 19, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam
In 2017, data breach mitigation costs fell year-on year; however, that appears to be a blip. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute (on behalf of IBM Security) has revealed data breach mitigation costs have risen once again.
The Ponemon Institute conducts the Cost of a Data Breach Study every year. For the 2018 study, the Ponemon Institute conducted interviews with 2,200 IT, data security, and compliance professionals from 477 companies in 15 countries, including the United States, United Kingdom, Germany, France, Canada, Brazil, Japan and Australia. The companies represented in the study came from a wide range of industry sectors. Each of those companies had experienced a data breach in the past 12 months.
Naturally, the larger the breach, the higher the cost of mitigation is likely to be. Breaches involving millions of records would naturally cost more to resolve than breaches of 50,000 records. Catastrophic data breaches – those involving millions of records – are not normally included in the study. This year was the first time that mega data breaches – those involving more than 1,000,000 records – were included, although they were treated separately.
The analysis of the main part of the study involved breaches ranging from 2,500 records to a little over 100,000 records. The average breach size was 24,615 records globally, 31,465 records in the United States, 22,800 records in the UK, and 19,200 records in Japan.
The costs associated with those data breaches was analyzed using the activity-based costing (ABC) methodology. The ABC methodology identified four process-related activities and assigned costs based on actual use. Those activities were Detection and Escalation, Post Data Breach Response, Breach Notifications, and Lost Business Cost. The analysis identified the average total cost of a data breach taking all four activity areas into account.
The study also revealed measures taken prior to the breach, during, and after, that can limit losses or increase data breach mitigation costs.
Average Data Breach Mitigation Costs Have Reached $3.86 Million
A data breach now costs an average of $3.86 million to revolve. Last year, the average cost of a data breach was $3.62 million. Data breach costs have therefore increased by 6.4% in the space of a year.
On average, per capita data breach mitigation costs rose by 4.8%, with a data breach costing, on average, $148 per record. Last year, the global average was $141 per record.
In addition to the rising cost, the severity of the breaches also increased, with the data breaches in this year’s sample impacting 2.2% more individuals on average.
Data breaches cost more to resolve in the United States than any other country. The average data breach mitigation costs in the United States is $7.91 million per breach. The lowest costs were in India, where the average breach cost was $1.77 million. The highest per capita costs were also in the United States at £233 per record.
Hackers and malicious insiders caused the most breaches and they were also the costliest to resolve at $157 per record. System glitches cost an average of £131 per record and breaches caused by human error cost the least at $128 per record.
Data breach costs varied considerably by industry sector, with healthcare data breach mitigation costs the highest by some distance at an average of $408 per record, followed by financial services breaches at $206 per record, services at $181 per record, and pharmaceutical industry breaches at $174 per record. Breaches in the education sector cost an average of $166 per record, retail industry breaches were $116 per record, and the lowest data breach mitigation costs were in the public sector at $75 per record.
The study of mega data breaches revealed a breach of 1 million records costs an estimated $39.49 million to resolve, while a breach of 50 million records costs an estimated $350 million. Since there were only 11 breaches of more than 1 million records in the sample it was not possible to accurately calculate the average cost of these breaches.
What Factors Affect Data Breach Mitigation Costs the Most?
For the study, 22 different factors were assessed to determine how they affected data breach mitigation costs. The most important cost saving measures that can be taken to reduce the cost of a data breach are having an incident response team ($14 less per record), widespread use of encryption ($13.1 less per record), BCM involvement ($9.3 less per record), employee training ($9.3 less per record), participation in threat sharing ($8.7 less per record) and use of an artificial intelligence platform ($8.2 less per record).
The main factors that increased data breach mitigation costs were third party involvement ($13.4 more per record), extensive cloud migration at the time of the breach ($11.9 more per record), compliance failures ($11.9 more per record), extensive use of mobile platforms ($10.0 more per record), lost or stolen devices ($6.5 more per record), and extensive use of IoT devices ($5.4 more per record).
With the cost of data breaches rising, more cyberattacks being conducted, and the likelihood of a breach being experienced now higher, it is essential not only for companies to implement layered security defenses, but also to make sure they are prepared for the worst.
Companies need to assume a breach will be experienced and policies and procedures need to be developed to deal with the breach when it happens. An incident response team should be prepared to spring into action to ensure everyone known what needs to be done when disaster strikes. The sooner a breach is identified and mitigated, the lower the breach mitigation costs will be.
by titanadmin | Jul 12, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Website Filtering
There has been a major increase in cryptojacking attacks in recent months. Many cybercriminal gangs now favoring this method of attack over ransomware and other forms of malware and are taking advantage of the high value of cryptocurrencies.
As with ransomware attacks, cybercriminals need to install malicious code on computers. Instead of encrypting files like ransomware, the code is used to mine for cryptocurrency. Mining cryptocurrencies involves a computers CPU being used to solve complex computational problems, which are necessary for verifying cryptocurrency transactions and adding to the blockchain. In exchange for verifying transactions, the miner is paid a small amount for the effort.
Devoting one computer to the task of cryptocurrency mining could generate a few dollars a day. Using multiple computers for the task can generate a substantial return. The more computers that are used, the more blocks can be added to the blockchain and the greater the profits. When a network of cryptocurrency mining slave computers can be amassed, the profits can be considerable. According to Kaspersky Lab, one cryptojacking gang that focusses on infecting enterprise servers and spreading the malicious code using NSA exploits, has generated around 9,000 Monero, which equates to $2 million.
Not all computers are suitable for mining cryptocurrency. One cybercriminal gang has got around this by developing malware that can decide whether to deploy a cryptocurrency miner or ransomware, with the decision based on the processing power of the computer. If its not suitable for use mining cryptocurrency, ransomware is deployed. This tactic helps maximize profits after compromising a device.
The use of cryptocurrency miners increased sharply last year as the value of cryptocurrencies started to soar. The price of those cryptocurrencies may have fallen, but cryptojacking attacks are still on the rise. The volume of new cryptojacking malware variants has also increased considerably over the past few months. Figures from McAfee indicate the number of cryptojacking malware variants increased by a staggering 1,189% in the first three months of 2018 alone, rising from around 400,000 malware variants to more than 2.9 million.
Over the same time frame, there has been a fall in the number of ransomware attacks. In Q1, ransomware attacks fell by around 32%, indicating threat actors who previously used ransomware to make money have changed their tactics and are now using cryptocurrency miners.
Ransomware attacks falling by a third is certainly good news, although the threat from ransomware cannot be ignored. Steps must be taken to prevent the installation of the file encrypting code and good backup practices are essential to ensure files can be recovered in the event of an attack. Certain industries face a higher risk of ransomware attacks than others, such as the healthcare industry, where attacks are still rife.
Cryptojacking attacks are more widespread, although the education sector has proven to be a major target. Many mining operations have been discovered in the education sector, although it is unclear whether these mining operations are legitimate, computers are being used by students to mine cryptocurrency, or if educational institutions are being targeted.
One thing is clear. As the value of cryptocurrencies rose, the number of mining attacks increased. That suggests that should prices fall, cybercriminals will switch to other types of attacks, and there could be a resurgence in ransomware attacks.
It could be argued that the installation of cryptocurrency mining malware on a computer is far less of a problem than ransomware or other forms of malware. When the CPU is mining cryptocurrency, the user is likely to find their computer somewhat sluggish. This can result in a drop in productivity. Heavy processing can also cause computers to overheat and hardware damage can result.
Cryptojacking malware is usually installed by a downloader, which can remain on a computer. If the profits from mining cryptocurrency fall, new malware variants could easily be downloaded in its place. Cryptocurrency mining malware can also be bundled with other malware variants that steal sensitive information. Cryptojacking attacks are therefore a major threat.
Protecting against cryptojacking attacks involves the same security controls that are used to block other forms of malware. Cryptojacking malware can be installed by exploiting vulnerabilities so good patch management is essential. Spam and phishing emails are used to install malware downloaders, so an advanced spam filtering solution is a must. Web filters can prevent web-based mining attacks and malware downloads and offer an important extra layer of protection. It is also important not to neglect end users. Security awareness training can help to eradicate risky behaviors.
Additionally, security audits should be conducted, first to scan for the presence of cryptojacking malware, which includes searching for anomalies that could indicate the presence of the malware. Those audits should include servers, end points, POS systems, and all other systems. Any system connected to the network could potentially be used for mining cryptocurrency.
by titanadmin | Jul 6, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software
Rakhni ransomware, a malware variant first detected in 2013, has spawned many variants over the past three years and is still an active threat. Rakhni ransomware locks files on an infected device to prevent the user from accessing their data. A ransom demand is issued and if payment is made, the attackers will supply the keys to unlock the encryption. If the ransom is not paid the files will remain encrypted. In such cases, the only option for file recovery is to restore files from backups.
Now the developers of Rakhni ransomware have incorporated new functionality. Checks are performed on an infected device to determine whether it has sufficient processing power to be used as a cryptocurrency mining slave. If so, cryptocurrency mining malware will be downloaded. If not, ransomware will be deployed.
This new development should not come as a major surprise. The massive rise in the value of many cryptocurrencies has made mining cryptocurrencies far more profitable for cybercriminals than ransomware. When ransomware is installed, many victims choose not to pay and instead recover files from backups. Infection is no guarantee that a payment will be received. If a cryptocurrency miner can be installed, it gets straight to work generating money for the attackers. Ransomware attacks are still a major threat, although many cybercriminals have switched their operations to mining cryptocurrencies. In fact, cryptocurrency mining malware attacks are now much more common than ransomware attacks.
However, not all computers have sufficient CPU processing power to make cryptocurrency mining worthwhile, so the method used by the threat actors behind Rakhni ransomware helps them maximize their profits.
The new Rakhni ransomware campaign was detected by researchers at Kaspersky Lab. The malware used is Delphi-based and is being distributed in phishing emails containing a Microsoft Word file attachment.
The user is advised to save the document and enable editing. The document contains a PDF file icon which, if clicked, launches a fake error message suggesting the DLL file required to open the PDF file has not been found. The user needs to click on the OK box to close the error message.
When the error box is closed, the malware performs a series of checks on the machine to identify the processes running on the device and assesses those processes to determine if it is running in a sandbox environment and the likelihood of it being able to run undetected. After these checks have been performed the system is assessed to determine its capabilities.
If the machine has more than two processors and does not have a Bitcoin folder in the AppData folder, a cryptocurrency miner will be installed. The cryptocurrency miner uses fake root certificates which show the program has been issued by Microsoft Corporation to help disguise the miner as a trusted application.
If a Bitcoin folder does exist, certain processes will be stopped, and Rakhni ransomware will be downloaded and run. If there is no Bitcoin folder and only one processor, the malware will use its worm component and twill attempt to spread to other devices on the network where the process starts over.
Advanced anti-virus software can provide protection against this attack, while spam filtering solutions can prevent the phishing emails from being delivered to end users. Businesses should also ensure that their employees are made aware of the risk of these types of attacks through security awareness training. Employees should be instructed never to open attachments in emails from unknown senders and taught the warning signs of a potential attack in progress. Naturally, good data backup practices are essential to ensure that if all other controls fail, files can be recovered without paying a ransom.
by titanadmin | Jul 5, 2018 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software
A major Children’s Mercy Hospital phishing attack has highlighted the importance of implementing effective spam filtering controls and the need to provide security awareness training to end users.
Phishing is a method of fraudulently obtaining sensitive information through deception. While attacks can occur over the telephone, via social media sites, or through text messages and chat platforms, the most common attack vector is email.
Convincing emails are sent to end users urging them to open an email attachment or to click on a malicious link. Attachments are used to install malware, either directly through malware attached to the email, or more commonly, using macros or other malicious code in documents which download scripts that in turn download the malicious payload.
In the case of embedded hyperlinks in emails, they typically direct an end user to a website that asks them to login. The website could ask for their email credentials, appear to be a Google login box, Dropbox login page, or other file sharing platform. Disclosing login credentials on that webpage sends the information to the attackers. These login pages are convincing. They look exactly like the sites that they are spoofing.
That was the case with the Children’s Mercy Hospital phishing attack. The Kansas City, MO, hospital received several phishing emails which directed employees to fake login pages on criminally-controlled websites.
The phishing attack occurred on or shortly before December 2, 2017. On Dec 2, Children’s Mercy’s security team identified authorized access to two employees’ email accounts. Access to the accounts was blocked the same day and the passwords were reset. Two weeks later, on December 15 and Dec 16, two further email accounts were accessed by unauthorized individuals. Again, unauthorized access was detected and blocked the same day. A fifth email account was accessed on January 3, 2018 with access blocked the following day.
The prompt action in response to the Children’s Mercy phishing attack limited the potential for those email accounts to be abused. When criminals gain access to email accounts they often use them to send further phishing emails. Since those emails come from a legitimate email account, the recipients of the messages sent from that account are more likely to open the emails as they come from a trusted source. That is why business email compromise scams are so effective – because employees trust the sender of the email and take action as requested in the belief that they are genuine communications.
In the case of the Children’s Mercy phishing attack, the criminals acted quickly. Following a forensic investigation into the attacks, Children’s Mercy discovered on January 19, 2018, that even though access to the accounts was promptly blocked, the attackers had successfully downloaded the mailboxes of four of the five employees. The messages contained a wide range of protected health information (PHI) of 63,049 patients.
The PHI included information such as name, gender, age, height, weight, BMI score, procedure dates, admission dates, discharge dates, diagnosis and procedure codes, diagnoses, health conditions, treatment information, contact details, and demographic information.
While Social Security numbers, insurance information, and financial data were not obtained – information most typically required to commit fraud – such detailed information on patients could be used in impersonation attacks on the patients. It would be quite easy for the attackers to pretend they were from the hospital and convince patients to provide their insurance information for example, which could then be used for medical identity fraud.
Due to the scale of the attack and number of emails in the compromised accounts, it has taken a considerable time to identify the individuals affected. The Kansas City Star reports that some patients are only just being notified.
In response, the hospital implemented 2-factor authentication and other technical controls to prevent further attacks.
2-factor authentication is an important security measure that provides protection after a phishing attack has occurred. If login credentials are supplied, but the location or the device used to access the account is unfamiliar, an additional method of authentication is required before access to the account is granted – a code sent to a mobile phone for example.
Two of the most effective security controls to prevent credential theft via phishing are spam filters and security awareness training.
An advanced spam filter is an essential security measure to block phishing attacks. The changing tactics of cybercriminals means no spam filtering solution will be able to block every single phishing email, although SpamTitan, a highly effective spam filtering solution with advanced anti-phishing protections, blocks more than 99.97% of spam and malicious emails to ensure they do not arrive in end users’ inboxes.
Security awareness training helps to prevent employees from clicking on the small percentage of messages that get past perimeter defenses. Employees need to be trained to give them the skills to identify phishing attempts and report them to their security teams. An ongoing training program, with phishing simulation exercises, will help to condition employees to recognize threats and respond appropriately. Over time, phishing email detection skills will improve considerably.
An effective training program can limit the number of employees that respond to phishing attacks, either preventing the attackers from gaining access to email accounts or severely limiting the number of employees who respond and disclose their credentials.
The Children’s Mercy phishing attack is one of many such attacks on healthcare organizations and businesses, and as those attacks increase and more data is obtained by criminals, implementing advanced phishing protections has never been more important.
For further information on email security controls that can prevent phishing attacks, contact the TitanHQ team today and enquire about SpamTitan.
by titanadmin | Jun 29, 2018 | Internet Security, Network Security, Website Filtering
A recent survey of members of the Spiceworks community investigated the use of web filtering by businesses and the effect of web filtering on security and productivity. The survey was conducted on 645 members of its professional network based in the United States and Europe from a wide range of industries including healthcare, finance, and manufacturing.
Web filtering is an important security control that can provide an additional layer of protection against malware and phishing attacks. Web filters can also be used to improve the productivity of the workforce by limiting access to certain types of websites. The Internet can help to improve productivity, although it can also prove a temptation for workers and a major distraction. When a complicated report must be produced, cat videos can be especially tempting.
The survey sought to find out more about the effect of web filtering on security and productivity, how web filters are being used by businesses, the amount of time that employees are wasting on personal Internet use, and the types of websites that businesses are blocking to improve productivity.
Web Filtering is Used by the Majority of Businesses
The survey revealed widespread use of web filters by businesses. Overall, 89% of organizations have implemented a web filter and use it to block certain types of productivity-draining Internet content such as social media websites, dating sites, gambling sites, and streaming services.
The larger the business, the more likely it is that Internet content control will be implemented. 96% of large organizations (1,000+ employees) use web filters to limit employee Internet activity. The percentage drops to 92% for mid-sized businesses (100-999 employees) and 81% for small businesses (up to 99 employees). 58% of organizations said they use a web filtering solution to monitor Internet use by employees.
The survey asked IT professionals who have not implemented a web filtering solution how many hours they think employees are wasting on personal Internet use each week. 58% of employees were thought to waste around 4 hours a week on personal internet use and around 26% of workers spend more than 7 hours a week on non-work-related websites. Without a web filter, most employees will spend around 26 days a year on personal Internet use which, based on average earnings, corresponds to $4,500 paid per employee to slack off on the Internet.
Compare that to the figures for companies that restrict access to at least one category of website and the percentages fall to 43% of employees spending more than 4 hours a week on personal Internet use and 18% who spend more than 7 hours a week on non-work-related websites. The biggest drain of productivity was social media sites, with the figures falling to 30% of employees spending more than 4 hours a week on non-work-related sites when social media sites were blocked.
What are the Most Commonly Blocked Websites?
How are web filters used by businesses and what types of website are most commonly blocked? Unsurprisingly, the most commonly blocked websites were illegal sites and inappropriate sites (pornography for example). Both categories were blocked by 85% or organizations.
After that, the most commonly blocked category of content was dating sites – blocked by 61% of organizations. Businesses are more permissive about the use of social media websites, with only 38% blocking those sites, while instant messaging services were blocked by 34% of organizations. Even though they can be a major drain on bandwidth, streaming services were only blocked by 26% of companies.
What are the Main Reasons for Implementing a Web Filter?
While Internet content control – in some form – has been implemented by the majority of companies, it was not the main reason for implementing a web filter. Money could be saved by improving productivity, but the biggest reason for implementing a web filter was security. 90% of businesses said they had implemented a web filter to protect against malware and ransomware infections and with good reason: Inappropriate Internet access leads to data breaches.
38% of surveyed companies said they had experienced a data breach in the past 12 months as a result of employees visiting non-work-related websites, most commonly webmail services (15%) and social media sites (11%).
Other reasons for implementing a web filter were to block illegal activity (84%) and discourage inappropriate Internet access (83%). 66% of organizations use a web filter to avoid legal liability while 57% used web filters to prevent data leakage and block hacking.
Web Filtering from TitanHQ
TitanHQ has developed an innovative web filtering solution for businesses that helps them improve their security posture, block malware downloads, prevent employees from visiting phishing websites, and limit personal Internet use.
WebTitan Cloud is a 100% cloud-based web filtering solution that can be easily implemented by businesses, without the need for any hardware purchases or software downloads. The solution has excellent scalability, is cost effective, and easy to configure and maintain.
The solution provides Internet content control and malware protection regardless of the device being used to access the Internet and the solution can provide malware protection and allow content control for on-site and remote workers.
Granular controls ensure accurate content filtering without overblocking, time-based filters can be set to restrict access to certain websites at busy times of the day, and different policies can be applied at the organization, department, group, or individual level.
If you have not yet implemented a web filtering solution, are unhappy with your current provider or the cost of your solution, contact the TitanHQ team today and find out more about WebTitan.
by titanadmin | Jun 28, 2018 | Internet Security, Phishing & Email Spam
A database of U.S. consumer information has been left unsecured online by the marketing firm Exactis. At 340 million records, this is the largest data breach of 2018.
The Largest Data Breach of 2018 by Some Distance
You will probably be unaware of the existence of the Palm Coast, FL-based data broker Exactis, but chances are the firm has heard of you. The firm holds 3.5 billion consumer, business and digital records while its email database contains 500 million consumer emails and 16 million business emails.
One database maintained by the firm contains around 340 million records, including 230 million consumer records and 110 million records of businesses. That database was recently discovered to have been left exposed on the Internet. The database could be accessed without any authentication. Anyone who knew where to look would have been able to access the database. At least one person did.
Security researcher Vinny Troia who runs NightLion Security, a New York consultancy firm, was searching online for instances of Elasticsearch databases. Troia was curious about the security of the databases as they are designed to be easily queried over the Internet. Troia searched for the databases using the search engine Shodan. Shodan is a search engine that allows people to find specific types of computers that are connected to the Internet.
Troia discovered more than 7,000 Elasticsearch databases that were visible on publicly accessible servers with U.S. IP addresses and set about determining which, if any, had data exposed on the Internet. He wrote a script that queried those databases and searched for keywords that would indicate they contained sensitive information – fields such as date of birth.
2 Terabytes of Data Exposed
One database stood out due to the amount of data it contained – around 2 terabytes of data. The database was not protected by a firewall and could be accessed without authentication. The database was discovered to contain huge numbers of detailed records about consumers. Troia noted, “It seems like this is a database with pretty much every U.S. citizen in it… it’s one of the most comprehensive collections I’ve ever seen.”
He discovered the records contained up to 150 data fields, with highly detailed information on consumers including names, addresses, phone numbers, email addresses and descriptions of the person, including information such as the estimated value of their home, hobbies, mortgage provider, ethnic group, whether the individual owns any stock, their religion, if they have made political donations, number of children, people in the household, whether they are smokers, if they own any pets…the list goes on and on.
While the database did not contain Social Security numbers or financial information, the data could be used by scammers in spear phishing campaigns, telephone scams and social engineering attacks. Around half the records contained email addresses, making it particularly valuable to spammers.
Troia said he is certainly not the only person who has searched for Elasticsearch databases, and the database was easy to find using Shodan: A popular search engine with white hat and black hat hackers. It is unknown whether anyone else found the database, but Troia explains that it would not be hard for anyone to find it. He could not be sure how long the database had been exposed online, but said it was at least 2 months.
After identifying an IP address which he believed belonged to the owner, Troia contacted two hosting companies, one of which notified Exactis. Troia also alerted the FBI. Exactis made contact with Troia and the database has now been secured and is no longer accessible.
At 340 million records, this the largest data breach of 2018 and one of the largest breaches ever discovered. The breach is more than twice the size of the Experian data breach of last year, although not on the scale of the Yahoo data breach that contained around 3 billion records. However, the types of information exposed potentially make the breach far more serious than Yahoo’s.
A database containing such detailed information on consumers should not have been left exposed. Safeguards should have been in place to alert the company that security protections had either been turned off or had not been implemented.
This security breach certainly stands out in terms of scale, but it is sadly only one of many that have been identified in recent months involving databases left freely accessible over the Internet.
by titanadmin | Jun 26, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam News, Spam Software
The FBI has published its 2017 Internet Crime Report, which details the main types of online crime reported to its Internet Crime Complaint Center (IC3).
In 2017, businesses and consumers reported 301,580 incidents to IC3 and more than $1.4 billion was lost to cybercriminals. Of course, these are only reported losses. Many Internet crimes go unreported, so the true losses are likely to be substantially higher.
2017 saw more complaints of Internet crime than any other year since 2013 when the reports first started to be published.
Identity theft and corporate data breaches often make the headlines, although by far the biggest area of criminal activity are business email compromise (BEC) scams – or email account compromise (EAC) when the scams target individuals.
Business Email Compromise Scams – The Main Cause of Losses in 2017
More than three times as much money was lost to BEC and EAC scams than the next highest cause of losses: confidence fraud/romance scams. In 2017, the reported losses from BEC/EAC scams was $676,151,185.
Business email compromise and email account compromise scams involve the use of a compromised email account to convince individuals to make transfers of funds to accounts controlled by criminals or to send sensitive data via email.
BEC scams usually start with compromising the email account of the CEO, CFO or another board member – which is why this type of scam is also known as CEO fraud. Access to the executive’s email account is gained via brute force guessing of passwords or, most commonly, social engineering techniques and phishing scams.
Once access to the email account is gained, an email conversation is initiated with another member of the workforce, typically an individual responsible for making wire transfers. That individual is instructed to make a transfer to a new bank account – that of the attacker. Alternatively, the data of employees is requested – W2 Forms – or other sensitive company information. These scams often involve large transfers of funds. In 2017 there were 15,690 such scams reported to IC3, making the average loss $43,094.
Phishing Extensively Used in Internet Crime
Phishing, vishing, smishing and pharming were grouped together. They ‘only’ resulted in losses of $29,703,421, although the losses from these crimes are difficult to calculate accurately. The losses associated with phishing are grouped in many other categories. BEC scams often start with a phishing attack and research from Cofense suggests 91% of corporate data breaches start with a phishing email.
The 2017 Internet Crime Report reveals the extent to which phishing is used in cyberattacks. There were 25,344 phishing incidents reported to IC3 in 2017 – the third highest category of Internet crime behind non-payment/non-delivery and personal data breaches. Many personal data breaches start with a phishing email.
Ransomware Attack Mitigation Proves Expensive
In addition to the threat of BEC attacks, the FBI’s 2017 Internet Crime Report warns of the threat from ransomware. Ransomware only resulted in reported losses of $2.3 million and attracted 1,783 complaints, although it is worthy of a mention due to the considerable disruption that attacks can cause. The reported losses – in terms of the ransoms paid – may be low, but actual losses are substantially higher. The ransomware attack on the City of Atlanta in April 2018 saw a ransom demand of $52,000 issued, although the actual cost of mitigating the attack was reported to be at least $2.7 million in April. However, in June 2018, city Information Management head Daphney Rackley indicated a further $9.5 million may be required over the coming year to cover the cost of mitigating the attack.
Tech Support Fraud Losses Increased by 90%
Another hot topic detailed in the 2017 Internet Crime Report is tech support fraud – This is a widespread scam where individuals are fooled into thinking they have a computer problem such as a virus or malware installed, when they do not. Calls are made warning of detected malware, and users are directed to malicious websites via phishing emails where pop-up warnings are displayed, or screen lockers are used.
These scams usually require the victim to pay the scammer to remove a fictitious infection and provide them with remote access to a computer. In addition to the scammers charge for removing the infection, sensitive data such as usernames, passwords, Social Security numbers, and bank account information are often stolen. 2017 saw a 90% increase in losses from tech support scams.
Protecting Against Internet Crime
One of the most important defenses for businesses to implement to protect against the leading cause of financial losses is an advanced spam filtering solution. Business email compromise scams often start with a phishing email and effective spam filtering will reduce the potential for email accounts to be compromised. Ransomware and malware are also primarily distributed via email. An advanced spam filter such as SpamTitan will block 100% of all known malware and prevent malicious messages from being delivered to inboxes.
Security awareness training is also essential. Malicious messages will make it past spam filtering solutions on occasion, so it is important for all end users to be prepared for malicious messages and taught security best practices. Training should be provided to every individual in the company with a corporate email account or access to an Internet facing computer, including board members.
A web filtering solution is also an important consideration. A web filter is an additional anti-malware control that can be used to prevent employees from visiting malicious websites – either via links in emails, redirects, or through general web browsing. A web filter, such as WebTitan, will block ransomware and malware downloads and prevent end users from accessing the types of phishing websites used to initiate BEC attacks.
These three cybersecurity measures should be part of all organizations’ cybersecurity defenses. They will help to prevent businesses from being included in next year’s FBI Internet Crime Report.
by titanadmin | Jun 25, 2018 | Email Scams, Phishing & Email Spam, Spam News, Spam Software
UK users are being targeted with a fake WannaCry ransomware alert threatening file encryption if a ransom demand is not paid.
Fraudsters Claim WannaCry is Back!
In May last year, WannaCry ransomware attacks brought many companies to a standstill, with the UK’s National Health Service (NHS) a notable victim. Now, a little more than a year later, a new WannaCry ransomware campaign is being run, or so the sender of a batch of phishing emails claims.
Email recipients are told “WannaCry is back!” and are warned that their devices have been hacked and ransomware has been installed.
Email recipients are warned that the threat actors have perfected their ransomware and this time around antivirus software and firewalls will not prevent file encryption. Further, recovery will not be possible if the ransom is not paid.
Failure to pay, or any attempt to try to remove the ransomware without paying the ransom demand will result in permanent file deletion. Further, the ransomware can propagate and infect the local network, cloud data, and remote devices, regardless of operating system.
Email recipients are told that the ransomware has already been deployed and payment of a ransom of 0.1 Bitcoin – Around $650 – must be made to stop the attack. Email recipients are given just 24 hours to pay the ransom before data are permanently deleted.
The email is signed by WannaCry-Hack-Team, and so far, more than 300 copies of the message have been reported to the UK government’s National Fraud and Cyber Crime Reporting Centre, Action Fraud.
A Phishing Scam that Preys on WannaCry Fears
There are some signs that the email is not a genuine threat, and instead is just preying on fears about another WannaCry style attack.
Ransomware attackers encrypt data then ask for a ransom to unlock files. They do not send a warning saying they will encrypt data if a ransom is not paid. That tactic may be used by some DDoS attackers, but not by ransomware threat actors.
Email recipients are told that this version of WannaCry will work on “any version of Windows, iOS, Android, and Linux.” The original version of WannaCry took advantage of a vulnerability in Windows Server Message Block. WannaCry only affected vulnerable Windows devices that had not been patched. The ransomware was not a threat on other operating systems.
Phishing campaigns often include spelling mistakes in the subject line and message body and this email is no different. The subject line is – “Attantion WannaCry”.
This is simply a phishing campaign that attempts to extort money from the recipient. No ransomware has been installed and the attackers cannot encrypt any files.
If you receive such a message threatening file encryption unless you pay a ransom, report the message to Action Fraud (UK), US-CERT (phishing-report@us-cert.gov) in the United States, or the government Fraud and Cyber Crime agency in your country of residence and delete the email and do not pay any Bitcoin ransom.
Of course, not all ransomware threats are as benign as this and many attackers will be able to encrypt your data. To protect against real ransomware threats ensure you create multiple backups of your files, deploy a spam filtering solution, ensure your operating system and all software are kept up to date, and keep your anti-virus protection up to date.
by titanadmin | Jun 14, 2018 | Email Scams, Phishing & Email Spam, Spam News
A new type of ransomware attack could be on the horizon. The attack method, termed ransomcloud, was developed by a white hat hacker to demonstrate just how easy it is to launch an attack that results in cloud-based emails being encrypted.
A successful attack will see the attacker gain full control of a cloud-based email account, allowing them to deploy a ransomware payload that encrypts all emails in the account. This method could also be used to gain full control of the account to use for spamming and other malicious purposes.
The attack works on all cloud-based email accounts that allow third party applications account access via OAuth, which includes Gmail and Office 365 accounts.
The ransomcloud attack starts with a phishing email. In this example, the message appears to have been sent by Microsoft offering the user the opportunity to sign up and use a new email spam filtering service called AntiSpamPro. The email includes the Microsoft logo and appears to be a new Microsoft service that provides the user with better spam protection.
In order to take advantage of this service, the user is required to click a hyperlink in the email to give authorization for the new service to be installed. Clicking the link will result in a popup window appearing that requires the user to authorize the app to access their email account.
Such a request is perfectly reasonable, as an app that offers protection against spam would naturally require access to the email account. Emails would need to be read in order for the app to determine whether the messages are genuine or spam. Clicking on ‘accept’ would give the attacker full control of the email account via an OAuth token. If access is granted, the user loses control of their email account.
In this example, ransomware is installed which encrypts the body text of all emails in the account. An email then appears in the inbox containing the ransom note. The user is required to pay a ransom to regain access to their emails.
Additionally, the attacker could claim the email account as their own and lock the user out, send phishing emails to all the user’s contacts, access sensitive information in emails, use email information to learn about the individual to use in future attacks such as spear phishing campaigns to gain access to their computer.
The ransomcloud attack method is astonishingly simple to pull off and could be adopted by cybercriminals as a new way of extorting money and gaining access to sensitive information.
by titanadmin | Jun 14, 2018 | Internet Security, Network Security, Website Filtering
TitanHQ, the award-winning provider of email and web security solutions to SMBs, has partnered with the networking giant Datto. The partnership has seen TitanHQ integrate its cutting-edge cloud-based web filtering solutions – WebTitan Cloud and WebTitan Cloud for Wi-Fi – into the Datto networking range.
Datto was formed in 2007 and fast became the leading provider of MSP-delivered IT solutions to SMBs. The company selects the best products and tools for its MSP partners to allow them to meet the needs of their clients and improve their bottom lines.
The company’s solutions include data backup and disaster recovery solutions, cloud-to-cloud data protection services, managed networking services, professional services automation, remote monitoring and management tools, and a wide range of security solutions.
Now that TitanHQ’s DNS-based web filtering solutions have been included, MSPs can offer their clients even greater protection from malware and phishing threats.
WebTitan Cloud and WebTitan Cloud for WiFi use a combination of AI-based services and human-supervised machine learning to block Internet-based threats. The solutions provide real-time protection against malicious URLs and phishing sites by preventing end users from visiting malicious webpages. The solutions also allow companies to carefully control the Internet content that can be accessed through their wired and wireless networks.
The MSP-friendly solutions can be rapidly deployed by MSPs, without the need for site visits, software installations or additional hardware purchases. The multi-tenant solutions allow all client deployments to be managed through a single, intuitive administration console and can be configured in minutes.
MSPs are also offered multiple hosting solutions, including hosting WebTitan in their own environment, and the solutions can be provided in full white-label format.
“We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers,” said TitanHQ CEO, Ronan Kavanagh.
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
TitanHQ is a sponsor of the upcoming DattoCon 2018 conference – The largest MSP event in the United States. The full TitanHQ team will be in attendance and Datto’s MSP partners can come and meet the team and see WebTitan in action.
In addition to showcasing WebTitan Cloud, MSPs will also be able to find out more about SpamTitan – TitanHQ’s 100% cloud-based spam filtering solution, and ArcTitan – Its MSP-friendly email archiving solution.
DattoCon 2018 runs from June 18-20 in Austin, Texas at the Fairmont Austin Hotel. The TitanHQ team will be at booth #66 in the exhibition hall for all three days of the conference.
by titanadmin | Jun 11, 2018 | Internet Security, Network Security
A recent study of commonly used passwords by Dashlane/Virginia Tech has revealed some of the worst passwords of 2018.
For the study, Virginia Tech researchers provided Dashlane with an anonymized copy of 61.5 million passwords. The password list was created from 107 individual lists of passwords available on forums and in data archives, many of which have come from past data breaches.
The analysis of the list revealed many common themes. These include the names of favorite sports teams: In the UK, common password choices were liverpool, chelsea and arsenal – the leading soccer teams in the premier league.
Popular brand names were also chosen, such as cocacola, snickers, mercedes, skittles, mustang, and playboy. MySpace and LinkedIn were also common choices, alarmingly, to secure accounts on those sites.
Bands and movie references were often used, with Spiderman, superman, starwars, and pokemon all common choices as were expressions of frustration – a**hole, bull****, and f***you were often chosen.
The Dashlane report shows that despite warnings about the risk of using easy-to-remember passwords, end users are still choosing weak passwords. One particularly worrying trend is the use of seemingly secure passwords, which are anything but secure.
1q2w3e4r5t6y and 1qaz2wsx3edc may appear to be relatively secure passwords; however, how they are created makes them easy to guess. They are certainly better than “password” or letmein” but not by much.
The passwords are created by a process that Dashlane calls password walking – the use of letters, numbers, and symbols next to each other on a keyboard. Simpler variations on this theme are qwerty and asdfghjk. To get around password rules, the same technique is used with the incorporation of capital letters and symbols.
The study shows that even though many companies require end users to set strong passwords, employees ignore password advice or choose passwords that pass security checks but are really not that secure.
What Makes a Good Password?
A good password will not be in the dictionary, will not use sequential numbers or be created by walking fingers along a keyboard. Brand names and locations should also be avoided. Passwords should be a minimum of 8 characters and should be unique – never used before by the user, and never reused on a different platform.
Passwords should include at least one capital letter, lowercase letter, symbol and number. If all lowercase letters are used, each letter in the password could be one of 26 letters. Add in capitals and the possible options double to 52. There are 10 digits, increasing the options to 62, and let’s say 32 special characters, bringing the total up to 94 options. With so many options and possible combinations, randomly generated passwords are particularly difficult to guess. However, randomly generated passwords are also particularly difficult to remember.
Recently, that problem has been recognized by the National Institute of Standards and Technology (NIST), which has revised its advice on passwords (See special publication 800-63B).
While the use of random strings of characters and symbols makes passwords particularly difficult to guess and more resilient to hackers’ brute force password guessing tactics, end users have trouble remembering their passwords and that leads to particularly risky behaviors such as writing the password down or storing it in a browser.
NIST now suggests the use of longer passphrases rather than passwords – Iboughtacarwithmyfirstpaypacket or ifihadahorseIwouldcallitDave– for example. Passphrases are more user-friendly and easier to remember, but are still secure – provided a sufficient number of characters are used. If passphrases are encouraged rather than difficult to remember passwords, end users will be less likely to set passwords that meet strong password guidelines but are not particularly secure – LetMeIn! for example.
The minimum number of characters can be set by each organization, but rather than restricting the characters at 16, companies should consider expanding this to at least 64. They should also accept all printable ASCII characters, including spaces, and UNICODE characters.
Since some end users will attempt to set weak passwords, it is important to incorporate controls that prevent commonly used passwords from being chosen. Each password choice should be checked against a blacklist before it can be set.
Version française de cet article.
by titanadmin | Jun 8, 2018 | Email Scams, Network Security, Spam Advice, Spam News
A new spam campaign has been identified that uses Excel Web Query files to deliver malware. In this case, the .iqy files are used to launch PowerShell scripts that give the attackers root access to a device. .iqy files are not usually blocked by spam filters, making the technique effective at silently delivering malware.
The spam emails are being delivered via the Necurs botnet. Three spam campaigns have been detected by Barkly that use these attachments, although further campaigns are almost certain to be launched.
Excel Web Query files obtain data from an external source and load it to Excel. In this case, the external data is a formula which is executed in Excel. The formula is used to run PowerShell scripts which, in at least one campaign, downloads a Remote Access Trojan (RAT) called FlawedAmmyy Admin – a tweaked legitimate remote administration tool that gives the attacker full control of a computer, allowing any number of malicious programs to be installed.
The emails masquerade as purchase orders, unpaid invoices, and scanned documents – Common themes used in spam emails to deliver malware. These spam email campaigns often use Word documents with malicious macros. Macros are usually disabled by default. Through security awareness training, end users have been conditioned not to enable macros on documents from unknown senders, thus preventing malware downloads.
Since most end users will not be used to receiving .iqy files, these attachments should arouse suspicion. Microsoft has also built in warnings to prevent these files from being run by end users. If an end user attempts to open one of these files it will trigger a warning alerting the user that the file may not be safe as it enables an external connection. The end user would be required to click enable before the connection is made and data is pulled into Excel. A second warning would then be displayed, again requiring authorization. Only if both warnings are ignored will the script be allowed to run that downloads the malicious payload.
There are two steps you can take to protect your endpoints and networks from these types of attacks. The first is to configure your email spam filter to quarantine any emails containing .iqy attachments. SpamTitan allows certain attachment types to be blocked such as executable files and iqy files. You can set the policy to quarantine, reject, or delete the emails. Since these types of files are not usually sent via email, rejecting the messages or deleting them is the safest option.
You should also cover the use of these files in your security awareness training sessions and should consider sending an email alert to end users warning them about the threat.
Further information on steps you can take to prevent malware infections spread via email can be found in our anti-spam tips page. You can find out more about the capabilities of SpamTitan by calling the sales team:
- USA: +1 5859735070
- UK/EU: +44 (0)2476993640
- Ireland: +353 91 545555
- Mid East: +971 4 3886998
by titanadmin | May 30, 2018 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News, Spam Software
World Cup 2018 phishing scams can be expected over the coming weeks. There has already been a spike in World Cup related phishing emails and many malicious World Cup-themed domains have been registered.
World Cup 2018 Phishing Scams Detected!
The World Cup may be two weeks away, but interest in the soccer extravaganza is already reaching fever pitch. The World Cup is watched by billions of people around the world, and there are expected to be around 5 million soccer fans expected to travel to Russia to see the matches live between June 14 to July 15. With such interest in the sporting event it should be no surprise that cybercriminals are poised to take advantage.
Kaspersky Lab has already detected several World Cup 2018 phishing scams, with many of the early scams using emails to direct soccer fans to malicious websites offering the opportunity to buy tickets for the games.
Fake Tickets and Fake Touts
With tickets for the big matches scarce and demand outstripping supply, many fans are turning to touts to secure tickets to the big matches. Steps have been taken by FIFA to make it harder for ticket touts to operate, such as only allowing one ticket for a game to be purchased by any football fan. That individual is also named on the ticket. However, it is still possible for individuals to purchase tickets for guests and touts are taking advantage. The price for guest tickets is extortionate – up to ten times face value – and that price will likely rise as the event draws closer.
Such high prices mean the opportunity of snapping up a cheaper ticket may seem too good to miss. However, there are plenty of scammers who have registered websites and are posing as touts and third parties that have spare tickets.
Purchasing a ticket through any site other than the official FIFA is a tremendous risk. The only guarantee is that the price paid will be substantially higher, but there are no guarantees that a ticket will be sent after payment is made. Even if a ticket is purchased from an unofficial seller, it may turn out to be a fake. Worse, paying with a credit or debit card could see bank accounts emptied.
Kaspersky Lab detected large numbers of malicious domains set up and loaded with phishing pages to take advantage of the rush to buy tickets ahead of the tournament. The websites are often clones of the official site.To add credibility, domains have been purchased that include the words worldcup2018 and variations along that theme. Cheap SSL certifications have also been purchased, so the fact that a website starts with HTTPS is no guarantee that a site is legitimate. Tickets should only be purchased through the official FIFA website.
Competition Scams
Why pay a high price for a ticket when there is a chance of obtaining one for free? Many competition-themed World Cup 2018 phishing emails have been detected. These emails are sent out in the millions offering soccer fans the change to win a free ticket to a match. To be in with a chance, the email recipient is required to register their contact details. Those details are subsequently used for further phishing and spamming campaigns. Stage two of the scam, where the ‘lucky’ registrant is told they have one tickets, involves opening an email attachment, which installs malware.
Notifications from FIFA and Prizes from FIFA World Cup 2018 Partners
Be wary of any communications from FIFA or any company claiming to be an official World Cup Partner. Kaspersky Lab has detected several emails that appear, at face value, to have been sent by FIFA or its World Cup 2018 partners. These emails usually request the recipient to update their account for security reasons.
Visa is one brand in particular that is being spoofed in World Cup 2018 phishing emails for obvious reasons. Fake security alerts from Visa require credit card credentials to be entered on spoofed websites. If any security alert is received, visit the official website by typing in the official domain into the browser. Do not click the links contained in the emails.
Cheap Travel Accommodation Scams
Airline tickets to cities staging World Cup matches may be difficult to find, and with more than 5 million fans expected in Russia for the World Cup, accommodation will be scarce. Scammers take advantage of the scarcity of flights and accommodation and the high prices being charged and offer cheap deals, usually via spam email. A host of malicious websites have been set up mimicking official travel companies and accommodation providers to fool the unwary into disclosing their credit card details. Retail brands are also being spoofed, with offers sent via email for cut price replica shirts and various other World Cup apparel.
These World Cup 2018 phishing scams can usually be identified from the domain name, which needs to be checked carefully. These websites are often clones and are otherwise indistinguishable from the official websites.
Team and Match News and World Cup Gossip
As the World Cup gets underway, there are likely to be waves of spam emails sent with news about matches, team information, betting odds, and juicy gossip about teams and players. Every major sporting event sees a variety of lures sent via spam email to get users to click links and visit malicious websites. Hyperlinks often direct users to webpages containing fake login pages – Facebook and Google etc. – where credentials need to be entered before content is displayed.
How to Avoid Becoming a Victim of a World Cup 2018 Phishing Scam
These are just a few of the World Cup 2018 phishing scams that have been detected so far and a great deal more can be expected by the time the World Cup winner lifts the trophy on July 15.
Standard security best practices will help soccer fans avoid World Cup 2018 phishing scams. Make sure you:
- Only buy tickets from the official FIFA website
- Only book travel and accommodation from trusted vendors and review the vendors online before making a purchase
- Never buy products or services advertised in spam email
- Never opening attachments in World Cup-themed emails from unknown senders
- Do not click hyperlinks in emails from unknown senders
- Never click a hyperlink until you have checked the true domain and avoid clicking on shortened URLs
- Ensure all software, including browsers and plugins, is patched and kept fully up to date
- Ensure anti-virus software is installed and is kept up to date
- Consider implementing a third-party spam filtering solution to prevent spam and malicious messages from being delivered – Something especially important for businesses to stop employees from being duped into installing malware on work computers.
- Stay alert – If an offer seems to good to be true, it most likely is
by titanadmin | May 28, 2018 | Email Scams, Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Software
The UK Government’s Department for Digital, Culture, Media, & Sport has published its Cybersecurity Breaches Survey for 2018. The survey, conducted by Ipsos MORI, was a quantitative and qualitative survey conducted in the winter of 2017 on 1,519 UK businesses and 569 UK registered charities.
The purpose of the cybersecurity breaches survey was to identify the nature and significance of cyberthreats, determine how prevalent cyberattacks are, and what is being done to prevent such attacks.
The cybersecurity breaches survey revealed UK businesses and charities are being targeted by cybercriminals intent on gaining access to sensitive information, email accounts, corporate networks, and bank accounts and attacks are on the rise.
43% of businesses and 19% of charities experienced a cybersecurity breach or cyberattack in the past 12 months with large businesses and charities more likely to be attacked. 72% of large businesses – those with more than 250 employees – and 73% of large charities – with incomes over £5 million – experienced a cyberattack in the past year.
While not all security breaches result in material losses such as theft of data or personal information, when there is a material outcome the costs can be significant. The average costs of breaches with a material outcome is £3,100 for businesses and £1,030 for charities, although the larger the business, the greater the cost. Medium sized businesses have average costs of £16,100 and large businesses have an average breach cost of £22,300.
The high probability of a breach occurring and the high cost of remediating breaches has seen cybersecurity become a priority for senior managers. The percentage of businesses (74%) and charities (53%) that say cybersecurity is a high priority has risen year on year and the percentage of businesses (30%) and charities (24%) that say cybersecurity is a low priority has fallen once again. Cybersecurity is also now a high priority for many small businesses (42%) having risen from 33% last year when the survey was conducted. Cybersecurity may be a high priority, but just 3 out of 10 businesses and under a quarter of charities have board members with a responsibility for cybersecurity.
The most common type of breaches and cyberattacks involve fraudulent emails directing employees to malicious websites. 75% of UK businesses and 74% of UK charities that experienced a breach in the past year experienced these types of attacks. Email impersonation attacks were the second most common breach type with 28% of UK businesses and 27% of UK charities saying they had experienced these types of incidents in the past 12 months.
Not only are these types of attacks common, they also cause the most disruption. 48% of UK businesses and charities said fraudulent emails and being directed to malicious websites caused the most disruption out of all cybersecurity breaches experienced, well ahead of malware infections which were rated as the most disruptive cyberattacks by 13% of UK businesses and 12% of UK charities.
The cybersecurity breaches survey clearly highlights the importance of implementing robust defenses to prevent malicious emails from being delivered to employees’ inboxes and to ensure staff are well trained and taught how to identify malicious emails.
TitanHQ offers two cybersecurity solutions that can help UK businesses block the most common and most disruptive types of cyberattack. SpamTitan is a powerful spam filtering solution that blocks more than 99.97% of spam emails and 100% of known malware from being delivered to end users’ inboxes.
WebTitan is a cloud-based web filtering solution that prevents employees from visiting malicious websites, such as those used in phishing emails to steal credentials and spread malware. Implementing these solutions is far cheaper than having to cover the cost of remediating cyberattacks.
There is also clearly a problem with training in the UK. Only 20% of UK businesses and 15% of UK charities have had staff attend internal or external cybersecurity training in the past year, even though security awareness training has clearly been shown to be effective at reducing susceptibility to email-based attacks.
by titanadmin | May 26, 2018 | Email Scams, Internet Security, Phishing & Email Spam, Spam Advice, Spam News
According to data from the UK’s fraud tracking team, Action Fraud, there has been a massive rise in TSB phishing scams in the past few weeks. Customers of TSB have been duped into handing over their online banking credentials to scammers. Action Fraud is now receiving around 10 complaints a day from TSB customers who have fallen for phishing scams.
A Nightmare Scenario for TSB Customers
The problem that made the scams possible was the separation of the TSB banking system from Lloyds Bank, of which TSB was part until 2015. TSB moved over to a new core banking system provided by Banco Sabadell, the Spanish bank which took over TSB. That transition happened in April. Unfortunately for TSB and its customers, it did not go smoothly.
While migrating customer information to the new core banking system, many customers were locked out of their accounts and were unable to access their money. Some customers were presented with other customers’ bank accounts when they logged in online, and there have been cases of customers having money taken from their accounts without authorization, and transfers have been made to the wrong bank accounts. It is almost June, and the problems have still not been completely resolved.
Customers starting to experience problems over the weekend of 21/22 April and the problems were understandably covered extensively by the media with many customers taking to Social Media sites to vent their spleens over the chaos. For scammers, this was too good an opportunity to miss.
Action Fraud had received more than 320 reports of TSB phishing scams in the first three weeks in May. There were only 30 reports of such scams in the entire month of April. That’s an increase of 969%.
TSB Phishing Scams Soar
The situation was ideal for scammers. Many TSB customers could not access their accounts, so there was little chance of customers realizing they had been defrauded until it was too late.
TSB staff were overworked dealing with the IT problems and its helplines were overwhelmed with calls from customers unable to access their money. When customers realized they had been scammed they were unable to contact the bank quickly. There have been reports of customers seeing money taken from their accounts while they were logged in, yet they could not get through to customer support to stop transfers being made.
The TSB phishing scams used a combination of SMS messages, emails, and telephone calls to obtain customers banking credentials. As is typical in these types of scams, customers were sent links and were asked to use them to login to their accounts. The websites the bank’s customers visited looked exactly how they should. The only sign that the website was not genuine was the URL, otherwise the website was a carbon copy of the genuine TSB website.
Many victims of the scam had received an email or text messages, which was followed up with a voice call to obtain the 2-factor authentication code that would allow the scammers to gain access to the victim’s account. While the requests from the scammers may have seemed unusual or suspicious, this was an unusual situation for TSB customers.After that information was obtained, the scammers went to work and emptied bank accounts.
According to data from cybersecurity firm Wandera, TSB has now jumped to second spot in the list of the financial brands most commonly used in impersonation attacks. Prior to the IT problems, TSB wasn’t even in the top five.
With the bank’s IT issues ongoing, the TSB phishing scams are likely to continue at high levels for some time to come. The advice to TSB customers is to be extremely wary of any email, text message or call received from TSB bank. Scammers can spoof email addresses and phone numbers and can make text messages appear as if they have been sent by someone else.
by titanadmin | May 25, 2018 | Industry News, Internet Security, Network Security
Data breach costs have risen considerably in the past year, according to a recent study of corporate IT security risks by Kaspersky Lab. Compared to 2016, the cost of a data breach for enterprises increased by 24% in 2017, and by even more for SMBs, who saw data breach costs rise by 36% in 2017.
The average cost of data breach recovery for an average-sized enterprise is now $1.23 million per data breach, while the cost for SMBs is now $120,000 per incident.
For the study, Kaspersky Lab surveyed 6,614 business decision makers. Respondents were asked about the main threats they have to deal with, cybersecurity incidents they have experienced in the past year, how much they spent resolving those incidents, and how that money was spent.
When a data breach is experienced, the costs can quickly mount. Enterprises and SMBs must contain the attack, scan systems for malware and backdoors, and pay for improvements to security and infrastructure to prevent similar attacks from occurring in the future. Staff need to receive additional training, new staff often need to be brought in, and third-parties hired to assist with recovery and security assessments.
Data breach recovery can take time and considerable effort. Additional wages have to be paid to staff assisting in the recovery process, there can be losses due to system downtime, repairing damage to a brand prove costly, credit monitoring and identity theft recovery services may have to be provided to breach victims, insurance premiums rise, credit ratings drop, and there may also be regulatory fines to cover.
The largest component of data breach costs is making emergency improvements to security and infrastructure to prevent further attacks, which is around $193,000 per breach for enterprises, the second biggest cost for enterprises is repairing reputation damage, which causes major increases in insurance costs and can severely damage credit ratings. On average, this costs enterprises $180,000. Providing after-the-event security awareness training to the workforce was the third biggest cost for enterprises at $137,000.
It is a similar story for SMBs who typically pay around $15,000 for each of the above three cost categories. A lack of inhouse expertise means SMBs often have to call in cybersecurity experts to assist with making improvements to security and for forensic analyses to determine how access to data was gained.
Data breaches affecting third-party hosted infrastructure are the costliest for SMBs, followed by attacks on non-computing connected devices, third party cloud services, and targeted attacks. For enterprises, the costliest data breaches are targeted attacks followed by attacks on third-party infrastructure, attacks on non-computing connected devices, third party cloud services, and leaks from internal systems.
The high cost of recovering from a data breach means a successful cyberattack on an SMB could be catastrophic, forcing the company to permanently shut its doors. It is therefore no surprise that businesses are allocating more of their IT budgets to improving their security defenses. Enterprises are now spending an average of $8.9 million on cybersecurity each year, while SMBs spend an average of $246,000. Even though the cost of additional cybersecurity defenses is high, it is still far lower than the cost of recovering from data breaches.
While data breach prevention is a key driver for greater investment in cybersecurity, that is far from the only reason for devoting a higher percentage of IT budgets to security. The main drivers for increasing security spending are the increasing complexity of IT infrastructure (34%), improving the level of security expertise (34%), and management wanting to improve security defenses (29%).
by titanadmin | May 24, 2018 | Internet Security, Network Security
A suspected nation-state sponsored hacking group has succeeded in infecting at least half a million routers with VPNFilter malware.
VPNFilter is a modular malware capable of various functions, including the monitoring of all communications, launching attacks on other devices, theft of credentials and data, and even destroying the router on which the malware has been installed. While most IoT malware infections – including those used to build large botnets for DDoS attacks – are not capable of surviving a reboot, VPNFilter malware can survive such a reset.
The malware can be installed on the type of routers often used by small businesses and consumers such as those manufactured by Netgear, Linksys, TP-Link and MikroTik, as well as network-attached storage (NAS) devices from QNAP, according to security researchers at Cisco Talos who have been monitoring infections over the past few months.
The ultimate aim of the attackers is unknown, although the infected devices could potentially be used for a wide range of malicious activities, including major cyberattacks on critical infrastructure, such as disrupting power grids – as was the case with BlackEnergy malware.
Since it is possible for the malware to disable Internet access, the threat actors behind the campaign could easily prevent large numbers of individuals in a targeted region from going online.
While the malware has been installed on routers around the world – infections have been detected in 54 countries – the majority of infections are in Ukraine. Infections in Ukraine have increased significantly in the past few weeks.
While the investigation into the campaign is ongoing, the decision was taken to go public due to a massive increase in infected devices over the past three weeks, together with the incorporation of advanced capabilities which have made the malware a much more significant threat.
While the researchers have not pointed the finger at Russia, they have identified parts of the code which are identical to that used in BlackEnergy malware, which was used in several attacks in Ukraine. BlackEnergy has been linked to Russia by some security researchers. BlackEnergy malware has been used by other threat actors not believed to be tied to Russia to the presence of the same code in both forms of malware is not concrete proof of any link to Russia.
The FBI has gone a step further by attributing the malware campaign to the hacking group Fancy Bear (APT28/Pawn Storm) which has links to the Russian military intelligence agency GRU. Regardless of any nation-state backing, the sophisticated nature of the malware means it is the work of a particularly advanced hacking group.
Most of the attacked routers are aging devices that have not received firmware updates to correct known flaws and many of the attacked devices have not had default passwords changed, leaving them vulnerable to attack. It is not entirely clear exactly how devices are being infected although the exploitation of known vulnerabilities is most probable, rather than the use of zero-day exploits; however, the latter has not been ruled out.
Some progress has been made disrupting the VPNFilter malware campaign. The FBI has seized and sinkholed a domain used by the malware to communicate with the threat group behind the campaign. Without that domain, the attackers cannot control the infected routers and neither identify new devices that have been infected.
Ensuring a router is updated and has the latest firmware will offer some degree of protection, as will changing default passwords on vulnerable devices. Unfortunately, it is not easy to tell if a vulnerable router has been infected. Performing a factory reset of a vulnerable router is strongly recommended as a precaution.
Rebooting the device will not eradicate the malware, but it will succeed in removing some of the additional code downloaded to the device. However, those additional malware components could be reinstalled once contact is re-established with the device.
by titanadmin | May 17, 2018 | Email Scams, Phishing & Email Spam, Spam News
Several GDPR phishing scams have been detected in the past few days as scammers capitalize on the last-minute rush by companies to ensure compliance ahead of the May 25, 2018 GDPR deadline. Be wary about any GDPR related email requests – they may be a scam.
GDPR Provides Scammers with a New Opportunity
You will probably already be sick of receiving email requests from companies asking if they can continue sending you emails, but that is one of the requirements of GDPR. GDPR requires consent to be obtained to use – or continue to use – personal information. With previous privacy policies failing to comply with the new EU law, email requests are being sent to all individuals on mailing lists and those who have previously registered on websites to re-obtain consent.
All companies that have dealings with EU residents are required to comply with GDPR, regardless of their location. Emails are therefore being sent from companies far and wide. Consumers are receiving messages from companies that they may have forgotten they had dealings with in the past. If personal data is still on file, email requests are likely to be sent asking for permission to retain that information.
The masses of emails now being sent relating to GDPR has created an opportunity for scammers. GDPR phishing scams have been developed to fool users into revealing sensitive information under the guise of GDPR related requests. There have been many GDPR phishing scams identified in recent weeks. It is ironic that a regulation that aims to improve privacy protections for EU residents is being used to violate privacy.
Apple Spoofed in New Phishing Scam
Phishers often spoof large, familiar brands as there is a greater chance that the recipient of the message will have an account with that company. The most popular global brands – Netflix, PayPal, Apple, and Google are all commonly impersonated.
These impersonation scams can be highly convincing. A request is sent via email that seems perfectly reasonable, the emails appear to have been sent from the company, and the email address of the sender is spoofed to appear genuine. The emails contain branding and images which are familiar, and the messages can be almost indistinguishable from genuine communications.
The aim is to get users to click on an embedded hyperlink and visit the company’s website and login. There is usually an urgent call to action, such as a security alert, threat of account closure, or loss of services.
Apple is one such brand that has recently been impersonated in GDPR phishing scams. The aim of the attackers is to get Apple customers to login to a fake site and disclose their credentials. Once the credentials have been obtained, the scammers have access the user’s account, which includes financial information, credit card details, and other personal information.
Airbnb GDPR Phishing Scams Detected
Redscan has detected Airbnb GDPR phishing scams recently. Users of its home sharing platform are required to update their contact details due to GDPR law in order to continue to use the platform. The request is entirely reasonable given so many companies are sending similar emails.
The emails claim to be from Airbnb customer service, contain the correct images and branding, and direct users to a familiar looking website that differs only in the domain name. Users are asked to re-enter their contact information and payment card details.
Watch Out for GDPR Phishing Scams
These scams are just two of several. More can be expected over the coming days in the run up to the compliance deadline and beyond. To avoid falling for the scams, make sure you treat all GDPR-related requests as potentially suspicious.
The easiest way to avoid the scams is to visit the website of the brand by typing the correct address directly into the browser or using your usual bookmark. It should be clear when you login if you need to update your information because of GDPR.
by titanadmin | May 10, 2018 | Internet Security, Network Security, Website Filtering
Ransomware attacks on businesses appear to be declining. In 2017 and 2018 there has been a marked decrease in the number of attacks. While this is certainly good news, it is currently unclear whether the fall in attacks is just a temporary blip or if the trend will continue.
Ransomware attacks may have declined, but there has been a rise in the use of cryptocurrency mining malware, with cybercriminals taking advantage in the high price of cryptocurrencies to hijack computers and turn them into cryptocurrency-mining slaves. These attacks are not as devastating or costly as ransomware attacks, although they can still take their toll, slowing down endpoints which naturally has an impact on productivity.
While ransomware attacks are now occurring at a fraction of the level of 2016 – SonicWall’s figures suggest there were 184 million attacks in 2017 compared to 638 million in 2016 – the risk of an attack is still significant.
Small players are still taking advantage of ransomware-as-a-service – available through darknet forums and marketplaces – to conduct attacks and organized cybercriminal gangs are conducting targeted attacks. In the case of the latter, victims are being selected based on their ability to pay and the likelihood of a payment being made.
These targeted attacks have primarily been conducted on organizations in the healthcare industry, educational institutions, municipalities and the government. Municipalities are targeted because massive disruption can be caused, and attacks are relatively easy to pull off. Municipalities typically do not have the budgets to devote to cybersecurity.
Attacks in healthcare and education industries are made easier by the continued use of legacy software and operating systems and highly complex networks that are difficult to secure. Add to that the reliance on access to data and not only are attacks relatively easy, there is a higher than average chance of a ransom being paid.
In the past, the aim of ransomware gangs was to infect as many users as possible. Now, targeted attacks are conducted with the aim of infecting as many end points as possible within an organization. The more systems and computers that are taken out of action, the greater the disruption and cost of mitigating the attack without paying the ransom.
Most organizations, government agencies, municipalities, have sound backup policies and can recover all data encrypted by ransomware without paying the ransom. However, the time taken to recover files from backups and restore systems – and the cost of doing so – makes payment of the ransom preferable.
The attack on the City of Atlanta shows just how expensive recovery can be. The cost of restoring systems and mitigating the attack was at least $2.6 million – The ransom demand was in the region of $50,000. It is therefore no surprise that so many victims have chosen to pay up.
Even though the ransom payment is relatively low compared to the cost of recovery, it is still far more expensive than the cost of implementing security solutions to prevent attacks.
There is no single solution that can block ransomware and malware attacks. Multi-layered defenses must be installed to protect the entire attack surface. Most organizations have implemented anti-spam solutions to reduce the risk of email-based attacks, and security awareness training is helping to eliminate risky behaviors and teach security best practices, but vulnerabilities still remain with DNS security often lacking.
Vulnerabilities in DNS are being abused to install ransomware and other malware variants and hide communications with command and control servers and call home addresses. Implementing a DNS-based web filtering solution offers protection against phishing, ransomware and malware by preventing users from visiting malicious websites where malware and ransomware is downloaded and blocking C2 server communications. DNS-based web filters also provide protection against the growing threat from cryptocurrency mining malware.
To mount an effective defense against phishing, malware and ransomware attacks, traditional cybersecurity defenses such as ant-virus software, spam filters, and firewalls should be augmented with web filtering to provide security at the DNS layer. To find out more about how DNS layer security can improve your security posture, contact TitanHQ today and ask about WebTitan.
by titanadmin | May 2, 2018 | Industry News, Internet Security, Network Security, Phishing & Email Spam, Spam Software, Website Filtering
Another school district has fallen victim to a ransomware attack, which has seen files encrypted and systems taken out of action for two weeks. The Leominster school district ransomware attack saw a ransom demand of approximately $10,000 in Bitcoin was issued for the keys to unlock the encrypted files, which includes the school’s entire student database.
School districts attacked with ransomware often face a difficult decision when ransomware is installed. Attempt to restore systems and recover lost data from backups or pay the ransom demand. The first option is time consuming, costly, and can see systems remain out of action for several days. The second option includes no guarantees that the attackers will make good on their promise and will supply valid keys to unlock the encryption. The keys may not be held, it may not be possible to unlock files, or a further ransom demand could be issued. There have been many examples of all three of those scenarios.
The decision not to pay the ransom demand may be the costlier option. The recent ransomware attack on the City of Atlanta saw a ransom demand issued in the region of $50,000. The cost of recovering from the attack was $2.6 million, although that figure does include the cost of improvements to its security systems to prevent further attacks.
School districts are often targeted by cybercriminals and ransomware offers a quick and easy way to make money. The attackers know all too well that data can most likely be recovered from backups and that the ransom does not need to be paid, but the cost of recovery is considerable. Ransom demands are set accordingly – high enough for the attackers to make a worthwhile amount, but low enough to tempt the victims into paying.
In the case of the Leominster ransomware attack, the second option was chosen and the ransom demand of was paid. That decision was taken after carefully weighing up both options. The risk that no keys would be supplied was accepted. In this case, they were supplied, and efforts are well underway to restore files and implement further protections to ensure similar incidents do not occur in the future.
Even though the ransom was paid, the school district was still without access to its database and some of its computer systems two weeks after the attack. Files were encrypted on April 14, but systems were not brought back online until May 1.
Unfortunately for the Leominster School District, ransom payments are not covered by its cyberinsurance policy, so the payment had to come from its general fund.
There is no simple way to defend against ransomware attacks, as no single cybersecurity solution will prove to be 100% effective at blocking the threat. Multiple attack vectors are used, and it is up to school districts to implement defenses to protect the entire attack surface. The solution is to defend in numbers – use multiple security solutions to create layered defenses.
Some of the most important defenses include:
- An advanced firewall to defend the network perimeter
- Antivirus and anti-malware solutions on all endpoints/servers
- Vulnerability scanning and good patch management policies. All software, systems, websites, applications, and operating systems should be kept up to date with patches applied promptly
- An advanced spam filtering solution to prevent malicious emails from being delivered to end users. The solution should block all executable files
- Disable RDP if it is not required
- Provide security awareness training for employees and teach staff and students the skills to enable them to identify malicious emails and stop risky behaviors
- A web filtering solution capable of blocking access to malicious websites
The cost of implementing these solutions is likely to be far lower than the cost of a ransom payment and certainly lower than the cost of mitigating a ransomware attack.
by titanadmin | Apr 27, 2018 | Industry News, Internet Security, Network Security
The cost of the Equifax data breach has risen to more than $242 million, and that figure will continue to rise and could even double.
According to the Equifax financial report for the first quarter of 2018, the total spent on mitigation and preventative measures to avoid a further security breach is now $242.7 million.
The breach, which was made public in September 2017, affected 147.9 million customers, making it one of the largest data breaches ever discovered and certainly one of the most serious considering the types of data involved. Yahoo may have experienced much larger breaches, but the data exposed in those incidents was far less sensitive.
Fortunately for Equifax, it holds a sizable insurance policy against cybersecurity incidents. The policy will cover up to $125 million of the cost, minus a $7.5 million deductible. That insurance policy has already paid out $60 million, with $10 million in payments received in the first quarter of 2018.
The breakdown of cost of the Equifax data breach so far for Q1, 2018 is:
- $45.7 million on IT security
- $28.9 million on legal fees and investigation of the breach
- $4.1 million on product liability
- $10 million has been recovered from an insurance payout.
The net expenses from the breach in the first quarter of 2018 was $68.7 million. That is on top of the $114 million spent in the final quarter of 2017, which is broken down as $64.6 million on product costs and customer support, $99.4 million on professional fees, minus $50 million that was paid by its insurance carrier. The net spend so far for Q4, 2017 and Q1, 2018 is $140.5 million, although Equifax reports that the total costs related to the cybersecurity incident and incremental IT and data security costs has been $242.7 million.
Equifax has also reported that throughout 2018 and 2019 the firm will be investing heavily in IT and is committed to building an industry-leading data security system, although the firm has not disclosed how much it is expecting to spend, as the company does not have visibility into costs past 2018.
Equifax has predicted that there will be at least a further $275 million in expenses related to the cyberattack which must still be covered, although a further $57.5 million should be covered by its insurance policy.
While considerable costs have been incurred so far, the firm has done little to repair the reputational damage suffered as a result of the breach and has yet to hire many of the new staff it plans to bring in to help with the breach recovery, including a new CTO. The firm has said that it is taking a very aggressive approach in attracting the top talent in both IT and data security.
The high cost of the Equifax data breach to date, and the ongoing costs, is likely to make this the most expensive data breach of all time.
by titanadmin | Apr 26, 2018 | Internet Security, Network Security
The Atlanta ransomware attack that took IT systems and computers out of action and brought many municipal operations to a grinding halt has proven particularly costly for the city.
On March 22, 2018, ransomware was deployed on its network forcing a shutdown of PCs and systems used by some 8,000 employees. Those employees were forced to work on pen and paper while attempts were made to recover from the attack. With IT systems offline, many municipal services stopped entirely.
The attackers sent a ransom demand for approximately $50,000. By paying the ransom, the city could potentially have been given the keys to unlock the files encrypted by the SamSam ransomware variant used in the attack. However, there are never any guarantees decryption keys will be supplied. Many victims have received further demands for payment after the initial demand was paid, and there have been many cases where the attackers have not made good on their promise and did not supply any valid keys.
It is unclear whether the ransom payment was made, although that appears unlikely. The payment portal used by the attackers went offline shortly after the attack and the cleanup costs following the Atlanta ransomware attack have been considerable. The high cost suggests the city opted to recover its data and restore systems from backups.
In the immediate aftermath of the Atlanta ransomware attack, the city awarded emergency procurements to eight firms to assist with recovery efforts. The total cost of those services was $2,667,328.
The city spent $60,000 on incident response services, $50,000 on crisis communication services, and $60,000 on support staff augmentation. Secureworks was paid $650,000 for emergency incident response services, Two contracts were awarded to assist with its Microsoft cloud and Windows environments, including migrating certain on-premises systems to the cloud. Those two contracts totaled $1,330,000 and a further $600,000 was paid to Ernst & Young for advisory services for cyber incident response. The $2.6 million cost could rise further still.
Paying the threat actors who conducted the Atlanta ransomware attack could well have seen sizable savings made, although it would certainly not have cost $50,000. Some of the costs associated with recovery from the attack have been spent on improving security to prevent further incidents, and certainly to make recovery less costly. Those costs would still have to be recovered even if the ransom was paid.
What is clear however, is that $2.6 million paid on reactive services following a ransomware attack will not give tremendous value for money. Had that amount been spent on preventative measures prior to the attack, the city would have got substantially more value for every buck spent. Some industry experts have estimated the cost of preventative measures rather than reactive measures would have been just 20% of the price that was paid.
The attack revealed the City of Atlanta was unprepared and had failed to implement appropriate defenses. The city was vulnerable to attack due to the failure to apply security best practices, such as closing open ports on its systems and segmenting its network. The vulnerabilities made an attack far to easy. However, it would be unfair to single out the city as many others are in exactly the same position.
This incident should therefore serve as a stern warning to other cities and organizations that the failure to adequately prepare for an attack, implement appropriate defenses, and apply security best practices will likely lead to an incredibly costly attack.
It may be difficult to find the money to spend on ransomware attack prevention measures, but it will be much harder to find five times the cost to implement defenses and respond after an attack has taken place.
by titanadmin | Apr 25, 2018 | Industry News, Network Security
A warning has been issued to the healthcare industry over an extensive campaign of targeted cyberattacks by the Orangeworm threat group. The Orangeworm threat group has been operating since 2015, but activity has been largely under the radar. It is only recently that the group’s activities have been identified and disclosed.
Attacks have been conducted on a range of industries, although the primary targets appear to be large healthcare organizations. 39% of confirmed attacks by the Orangeworm threat group have been on organizations in the healthcare industry, including large healthcare providers and pharmaceutical firms. IT service providers, manufacturers, and logistics firms have also been attacked, many of which have links to the healthcare industry.
Some of the IT service providers discovered to have been attacked have contracts with healthcare organizations, while logistics firms have been attacked that deliver medical equipment, as have manufacturers of medical devices. The aim appears to be to infect and investigate the infrastructure of the entire supply chain.
The Orangeworm threat group is using a custom backdoor, which is deployed once access to a network is gained. First the backdoor is deployed on one device, giving the Orangeworm threat group full control of that device. The backdoor is then aggressively spread laterally within a network via unprotected network shares to infect as many devices as possible with the Kwampirs backdoor. While some steps have been taken by the group to avoid detection, this lateral worm-like movement is noisy and easily detected. The threat group does not seem to be overly concerned about hiding its activity.
This attack method works best on legacy operating systems such as Windows XP. Windows XP is no longer supported, and even though the continued use of the operating system is risky and in breach of industry regulations, many healthcare organizations still have many devices operating on Windows XP, especially machines connected to imaging equipment such as MRI and X-Ray machines. It is these machines that have been discovered to have been infected with the Kwampirs backdoor.
Once access is gained, the group is spending a considerable amount of time exploring networks and collecting information. While the theft of patient health information is possible, this does not appear to be a financially motivated attack and systems are not sabotaged.
Symantec, which identified a signature which has allowed the identification of the backdoor and raised the alert about the Orangeworm threat group, believes this is a large-scale espionage campaign with the aim of learning as much as possible about the targets’ systems. What the ultimate goal of the threat group is, no one knows.
The method of spreading the backdoor does not have the hallmarks of nation-state sponsored attacks, which tend to use quieter methods of spreading malware to avoid detection. However, the attacks are anything but random. The companies that have been attacked appear to have been targeted and well researched before the attacks have taken place.
That suggests the Orangeworm threat group is a cybercriminal gang or small collective of hackers, but the group is clearly organized, committed to its goals, and is capable of developing quite sophisticated malware. However, even though the group is clearly capable, and has operated under the radar for three years, during that time no updates have been made to their backdoor. That suggests the group has been confident that they would not be detected, or that they simply didn’t see the need to make any updates when their campaign was working so well.
While espionage may be the ultimate aim, the Orangeworm threat group could easily turn to more malicious and damaging attacks. Once the backdoor has been installed on multiple devices, they would be under full control of the hackers. The group has the capability to deploy malware such as wipers and ransomware and cause considerable damage or financial harm.
The ease at which networks can be infiltrated and the backdoor spread should be of major concern for the healthcare industry. The attacks show just how vulnerable the industry is and how poorly protected many organizations are.
The continued use of outdated and unsupported operating systems, a lack of network segmentation to prevent lateral movement once access has been gained, the failure to protect network shares, and poor visibility of the entire network make these attacks far too easy. In fact, simply following security best practices will prevent such attacks.
The attacks by the Orangeworm threat group should serve as a wakeup call to the industry. The next wave of attacks could be far, far worse.
by titanadmin | Apr 24, 2018 | Email Scams, Phishing & Email Spam, Spam Advice, Spam News
Microsoft has released new figures that show there has been a sizeable increase in tech support scams over the past year. The number of victims that have reported these scams to Microsoft increased by 24% in 2017. The true increase could be much higher. Many victims fail to report the incidents.
According to Microsoft, in 2017 there were 153,000 reports submitted from customers in 183 countries who had been fooled by such a scam. While not all of the complainants admitted to losing money as a result, 15% said they paid for technical support. The average cost of support was between $200 and $400, although many individuals were scammed out of much more significant amounts. While victims may not willingly pay much more to fix the fictitious problem on their computers, if bank account details are provided to the scammers, accounts can easily be drained. One victim from the Netherlands claims a scammer emptied a bank account and stole €89,000.
The rise in complaints about tech support scams could, in part, be explained by more scammers pretending to be software engineers from Microsoft, prompting them to report the incidents to Microsoft when they realize they have been scammed.
However, the rise in tech support scams is backed up by figures released by the FBI. Its Internet Crime Complaint Center (IC3) received 86% more complaints in 2017 from victims of tech support scams. Around 11,000 complaints were received by IC3 about tech support scams last year and more than $15 million was lost to the scams.
It is easy to see why these scams are so attractive for would-be cybercriminals. In many cases, little effort is required to pull off the scam. All that is required in many cases is a telephone. Cold calling is still common, although many of the scams are now much more sophisticated and have a much higher success rate.
Email is also used. Some tech support scams involve warnings and use social engineering techniques to convince the recipient to call the helpline. Others involve malware, sent as an attachment or downloaded as a result of visiting a malicious website via a hyperlink supplied in the email.
Once installed, the malware displays fake warning messages that convince the user that they have been infected with malware that requires a call to the technical support department.
The use of popups on websites is common. These popups cannot be closed and remain on screen. Browser lockers are also common which serve the same purpose. To prompt the user to call the support helpline.
While many more experienced users would know how to close the browser – CTRL+ALT+DEL and shut down the browser via Windows Task Manager – less experienced users may panic and call the helpline number, especially when the popup claims to be from a well-known company such as Microsoft or even law enforcement.
The typical process used in these tech support scams is to establish contact by telephone, get the user to download software to remove a fictitious virus or malware that has previously been installed by the attackers. Remote administration tools are used that allows the scammer to access the computer. The user is convinced there is malware installed and told they must pay for support. Payment is made and the fictitious problem is fixed.
These techniques are nothing new, it is just that more cybercriminals have got in on the act and operations have been expanded due to the high success rate. Fortunately, there are simple steps to take that can prevent users from falling for these tech support scams.
To avoid becoming a victim of such a scam:
- Never open any email attachments you receive from unknown senders
- Do not visit hyperlinks in email messages from unknown senders
- If contacted by phone, take a number and say you will call back. Then contact the service provider using verified contact information, not the details supplied over the telephone
- If you are presented with a warning via a popup message or website claiming your device has been infected, stop and think before acting. Genuine warnings do not include telephone numbers and do not have spelling mistakes or questionable grammar
- If you receive a warning about viruses online and want to perform a scan, download free antivirus software from a reputable firm from the official website (Malwarebytes, AVG, Avast for instance)
- Before making any call, verify the phone number. Use a search engine to search for the number and see if it has been associated with scams in the past
- ISPs and service providers rarely make unsolicited telephone calls to customers about viruses and technical issues and offer to fix the device
If you believe you are a victim of a tech support scam, report the incident to the service provider who was spoofed and notify appropriate authorities in your country of residence.
In the USA, that is the Federal Trade Commission or the FBI’s IC3; in the UK it is the National Fraud and Cyber Crime Reporting Center, the European Consumer Center in Ireland, or the equivalent organizations in other countries.
by titanadmin | Apr 20, 2018 | Email Scams, Phishing & Email Spam, Spam News
Two new phishing campaigns have been detected in the past few days that have seen phishers sink to new lows. An active shooter phishing campaign has been detected that uses fear and urgency to steal credentials, while a Syrian refugee phishing campaign takes advantage of compassion to increase the probability of victims paying ransom demands.
Active Shooter Phishing Campaign
Mass shootings at U.S schools are on the rise, with the latest incident in Parkland, Florida placing teachers and other staff on high alert to the threat of campus shootings. A rapid response is essential when an active shooter alert is issued. Law enforcement must be notified quickly to apprehend the suspect and children and staff must be protected.
It is therefore no surprise that fake active shooter threats have been used in a phishing campaign. The emails are designed to get email recipients to click without thinking to receive further information on the threat and have been developed to cause fear and panic.
The active shooter phishing campaign was being used in a targeted attack on a Florida school – an area of the country where teachers are hypersensitive to the threat of shootings, given recent events in the state.
Three active shooter phishing email variants were reported to the anti-phishing and security awareness platform provider KnowBe4, all of which were used to direct recipients to a fake Microsoft login page where they were required to enter in their login credentials to view the alert. Doing so would give those credentials to the attacker.
The email subject lines used – although other variants could also be in use – were:
- IT DESK: Security Alert Reported on Campus
- IT DESK: Campus Emergency Scare
- IT DESK: Security Concern on Campus Earlier
It is likely that similar campaigns will be conducted in the future. Regardless of the level of urgency, the same rules apply. Stop and think about any message before taking any action suggested in the email.
Syrian Refugee Phishing Campaign
Phishing campaigns often use crises, major world events, and news of sports tournaments to get users to click links or open email attachments. Any news that is current and attracting a lot of interest is more likely to result in users taking the desired action.
There have been several Syrian refugee phishing campaigns run in recent months that take advantage of compassion to infect users with malware and steal their credentials. Now researchers at MalwareHunterTeam have identified a ransomware campaign that is using the terrible situation in Syria to convince victims to pay the ransom – By indicating the ransom payments will go to a very good cause: Helping refugees.
Infection with what has been called RansSIRIA ransomware will see the victim presented with a ransom note that claims all ransom payments will be directed to the victims of the war in Syria. A link is also provided to a video showing the seriousness of the situation in Syria and links to a WorldVision document explaining the plight of children affected by the war.
While the document and images are genuine, the claim of the attackers is likely not. There is no indication that any of the ransom payments will be directed to the victims of the war. If infected, the advice is not to pay and to try to recover files by other means. If you want to do your bit to help the victims of the war, make a donation to a registered charity that is assisting in the region.
