Cybercriminals are using SharePoint to send malicious documents to businesses in the United Kingdom. This tactic has seen many messages pass through email security defenses undetected and arrive in inboxes.
The campaign appears to be targeting businesses in the financial services and aims to obtain Office 365 credentials and username/password combos from other email service providers. Those credentials can be used to gain access to sensitive information in email accounts and cloud storage repositories such as OneDrive.
In the latest campaign, the attacker used a compromised email account at a London legal firm to send emails to employees of businesses in the financial services sector. The attacker uses SharePoint to send a request to review a document. In order to view the document, the user is required to click an embedded hyperlink in the email.
If that link is clicked, the user is directed to SharePoint and onto another malicious URL where they are requested to download a OneNote document. In order to download that document, the user is required to enter their login credentials.
Since the initial URL is for the SharePoint domain, many email security solutions fail to identify the link as malicious. Similar tactics have been used in phishing campaigns that link to OneDrive, Citrix ShareFile, Google Drive, and Windows.net. Since the domains are thought to be benign and the email messages do not contain any malware, the messages are delivered to end users.
The URL used in this campaign is likely to arouse suspicion even though it is a SharePoint domain, but not all users carefully check URLs and the full URL may not be visible on mobile devices, which increases the risk of an end user being fooled into disclosing their login credentials. The spoofed OneDrive for Business portal to which the user is directed is also a poor imitation, but it is sufficiently realistic to fool many end users. Other identified phishing campaigns using file sharing websites are far more convincing and are unlikely to be detected as malicious even by security conscious employees.
When credentials are compromised, the email account is often used to send further phishing emails to other individuals in the organization. Since those emails come from an internal account, users are more likely to respond. The attackers can also view past message threats in the compromised account and use those messages to continue a conversation. The messaging style of the account holder can also be mimicked to add further realism to the phishing emails. Typically, businesses discover one email account has been compromised, but the investigation reveals the attack is far more widespread and many email accounts have been compromised. Once recent phishing attack on a U.S. healthcare provider saw an astonishing 72 email accounts compromised!
To block these threats, an advanced email security solution is required. Businesses should look for a solution that incorporates DMARC. DMARC incorporates SPF and DKIM email authentication protocols and verifies that the IP address used to send the email is authorized to send emails from that domain. If that check fails, the email is blocked. This is one of the most important and most effective methods of detecting and blocking email impersonation attacks, including BEC attacks and lateral phishing attempts.
Fortunately, a combination of an advanced spam filtering solution and end user security awareness training will help to ensure that emails do not reach inboxes and, if they do, that employees will be alert to the threat and will avoid clicking the link and disclosing their credentials.
In this post we will explain why businesses using Office 365 should implement a third-party email archiving service rather than use the Office 365 email archiving feature to ensure compliance.
Many businesses have ditched their on-premise Exchange email systems and have migrated their email to the cloud. There are many benefits of such a move. Switching to the cloud means it is not necessary to purchase and maintain on-premises hardware and the space devoted to housing that hardware can be freed up and put to better use. There is also no limit on the number of mailboxes that can be set up and mailbox limits do not need to be set as storage space is never an issue.
Businesses store huge amounts of business-critical information in mailboxes, such as contacts, purchase orders, legal documents, and intellectual property. It is important that this information is always available and cannot be accidentally deleted. A study by IDC suggests that 60% of business-critical information is actually stored in the email system, and much of that data is not stored elsewhere. It is therefore no surprise that when ransomware attacks result in encryption of email data, businesses have little option other than pay the ransom demand.
Most of the time, data in the email system is not required, so it makes sense to archive the messages. When information in the archive needs to be recovered, it can be found with a simple search.
If a customer gets in touch, emails related to past email conversations can be recovered, but if emails need to be recovered for legal reasons, businesses need to demonstrate that the email in the archive is exactly the same as the message that was received or sent. They must be able to prove emails have not been altered in any way.
Users of Office 365 can prove the authenticity of an email by placing it on Legal Hold in Office 365. Messages placed on Legal Hold are stored in their original, unedited form. Legal Hold is activated by the Office 365 administrator through the admin panel. Provided Legal Hold remains switched on, edited and deleted messages can be recovered along with the original message through the Compliance Center.
To ensure compliance, Legal Hold should never be switched off. Without Legal Hold, messages can be forever lost from the email system. There are two legal hold options available – Litigation Hold and In-Place Hold. The former will ensure that all messages are retained, even if they are deleted from mailboxes. They will be retained for as long as Litigation Hold remains active.
With In-Place Hold, the admin can set criteria for a search query and only messages that meet that search query will be preserved. With In-Place Hold, if a user deletes an email that is not covered by the search query, it will be purged within 14 days and will not be recoverable, even by the IT team. With this option, businesses will not be able to prove that a message has not been sent. If a message is not in the archive, it could just mean that the message was not picked up by the search query.
Legal Hold is therefore the best option, but while Legal Hold is set up, the mailbox cannot be deleted, even if that individual leaves the company. If a user account is deleted, and that user has a mailbox, since the account is no longer connected to a user account, it will be marked for deletion. It does not matter if the account is still on Legal Hold.
Most third-party email archiving solutions use an archiving method called journaling. Journaling takes a copy of all incoming and outgoing emails on the mail server – or all messages for selected users – in real time. In addition to the message, all associated meta-data and attachments are included in the journal message. This archiving method is utilized by Microsoft Office 365, but there are limitations. For example:
Searches are limited to under 10,000 mailboxes in any one search
Search results are limited to 250 results in the Compliance Center. For more results in a single search, a .PST file must be used. Since .PST files can be edited, this method does not guarantee message authenticity as edits could potentially be made.
Only a maximum of 2 eDiscovery searches can be made at any one time by the same company
If the email service goes down, emails on Litigation Hold and/or live email cannot be accessed
If Litigation Hold is turned off, it is not possible to prove that emails are originals
Without a permanent Litigation Hold, it is not possible to prove that an email has not been sent
Searches are limited to the Outlook search bar
Searches can be difficult for non-technical users
Searches are slow, especially when searching multiple folders or mailboxes.
If individuals leave the company, emails will only be retained if the mailbox is maintained and that has cost implications.
The latter issue can prove costly for organizations. In order to maintain a mailbox when a user has left the company, the license for that user must be maintained. If that user is replaced, another license will be required for that person’s replacement.
That means that for an organization with 50 employees who stay for an average of 2 years, in four years the company would be paying for 200 licenses a year, even though at any one time only 50 licenses should be required. That adds up to a significant extra and unnecessary cost.
TitanHQ has developed its email archiving solution, ArcTitan, to work seamlessly with Office 365. The solution solves the above compliance and performance issues and augments Microsoft’s Compliance Center with much more powerful search and recovery tools. Messages can be found and retrieved much more quickly and efficiently, and there are considerable savings to be made as customers only pay for the licenses they need, regardless how many individuals leave the company and are replaced.
Key Features of ArcTitan
Scalable, email archiving that grows with your business
Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
Lightning fast searches – Search 30 million emails a second
Rapid archiving at up to 200 emails a second
Automatic backups of the archive
Email archiving with no impact on network performance
Ensure an exact, tamperproof copy of all emails is retained
Easy data retrieval for eDiscovery
Protection for email from cyberattacks
Eliminate PSTs and other security risks
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports, single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
If you are looking for a more powerful email arching solution to work on top of Office 365 that can be quickly and easily implemented in one step and will save you money and ensure compliance, give the TitanHQ team a call.
An innovative phishing campaign has been discovered that uses branded Microsoft Office 365 login pages to trick victims into believing they are logging into their genuine Office 365 account.
The phishing emails warn the user that a message synchronization failure has blocked the delivery of emails to the user’s account. A link is supplied with the anchor text “Read Message” which directs the user to a fake Office 365 login page where they can review the messages and decide what to do with them.
If the user clicks on the link, their email address will be checked and validated, and the user will be directed to the phishing page. What makes this campaign unique is the check allows the attackers to scrape the branded tenant Office 365 login page used by the company via HTTP GET requests. The company’s custom background and logo are added dynamically to the phishing page. If a company does not have a custom login page, the standard Office 365 background is used.
The login pages are clones of the tenant pages, so they are unlikely to be recognized as fake by users. The phishing pages are also hosted on legitimate cloud storage infrastructure. The domains include either the blob.core.windows.net or azurewebsites.net domains, which have valid Microsoft SSL certificates. The result is a highly convincing campaign that is likely to fool many employees into divulging their login credentials.
Microsoft Office 365 Users are Under Attack!
Microsoft Office 365 is the most widely adopted cloud service by user count and has more than 155 million active users. 1 in 5 U.S. employees use at least one Office 365 service and half of businesses that use cloud services use Office 365. With such high numbers it is no surprise that Office 365 users are being targeted.
What is of major concern is the number of phishing emails that are bypassing standard Office 365 phishing defenses. A study by Avanan this year showed 25% of phishing emails bypass Office 365 defenses and arrive in employees’ inboxes.
When access is gained to one email account, it can be used for lateral phishing attacks on other employees in the organization. The goal of the attackers is to compromise as many accounts as possible and, ideally, an administrator account. Compromised accounts can also be used for BEC attacks, credentials can be used to access other Office 365 resources, and email accounts can be plundered for sensitive data.
How to Protect Your Business and Block Office 365 Phishing Attacks
There are three key measures to take to improve your defenses against Office 365 phishing attacks. The most important step is to improve anti-phishing protections with a third-party anti-spam and anti-phishing solution.
SpamTitan can be implemented in minutes and will provide superior protection against phishing attacks on Office 365 accounts. The solution has been independently tested and shown to block more than 99.9% of spam emails and 100% of known malware. A sandboxing feature allows suspicious attachments to be detonated in a safe and secure environment where all actions are analyzed for malicious activity and DMARC authentication of emails provides protection from email impersonation attacks that usually bypass Office 365 filters.
No anti-phishing solution will provide total protection against phishing attacks, so it is important to ensure that employees receive security awareness training. The workforce should be taught about the risks of email attacks and how to identify phishing emails. With training, you can turn your employees into strong last line of defense.
Even the most security-conscious employee could be fooled into disclosing their Office 365 credentials by a sophisticated phishing email. It is therefore important to implement 2-factor authentication.
2-factor authentication requires a second method of authenticating users, other than a password, when they attempt to login from an unfamiliar location or new device. In the event of credentials being compromised, account access can be blocked by -factor authentication. However, 2-factor authentication is not infallible, so businesses should not rely on this measure alone to protect their Office 365 accounts.
A new CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.
When a visitor lands on the phishing page, a check is performed to determine what device is being used. If the user is on an Android device, a malicious APK file is downloaded to their device. Any other platform will receive a zip file containing malware.
A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is housed on a PHP webpage and any clicks on the images are submitted to the PHP page, which triggers the download of the malicious file. This campaign appears to be focused on mobile users.
On an Android device, the malicious APK intercepts PIN codes from two-factor authentication messages, which allow the attackers to gain access to the user’s bank account. With these PIN codes, an email account can also be compromised, which would allow further accounts to be compromised by requesting password resets.
A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.
This method of delivering malware is nothing new and has been around since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign was run in 2016.
A method of attack is adopted for a while then dropped. While it is possible to prepare the workforce for phishing attacks such as this through training, security awareness training alone is not enough as tactics frequently change, and new methods of attack are frequently developed.
As this attack shows, two-factor authentication is far from infallible. In addition to this method of obtaining 2FA codes, the SS7 protocol used to send SMS messages has flaws that can be exploited to intercept messages.
Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.
It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that incorporates Domain-based Message Authentication, Reporting & Conformance (DMARC) will help to ensure that the sender of the message is genuine, by performing checks to make sure that the sender of the message is authorized to send messages from that domain.
Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals are using sophisticated methods to evade detection by AV solutions. Files may include malicious code that is hard to detect. A sandbox is therefore required to execute suspicious attachments in a safe environment where they can be monitored for malicious activity. By testing attachments in the sandbox, malicious files can be identified and more genuine emails and attachments will arrive in inboxes.
SpamTitan incorporates these features and more. Together they help to ensure a catch rate in excess of 99.9%, with a low false positive rate of 0.03%. With SpamTitan in place, you will be well protected against phishing attacks such as the latest CAPTCHA scam.
Equifax phishing scams have been detected which are attempting to take advantage of individuals who were affected by the 143-million record data breach and want to make a claim to recover their out-of-pocket expenses.
Several lawsuits have been filed against Equifax over the breach. One of those lawsuits, filed by the Federal Trade Commission, has recently been settled for $700 million. That figure includes a fund of $425 million to cover claims from victims of the breach.
Anyone who was affected by the breach is entitled to submit a claim, and with so many people affected, scammers have a more than reasonable chance of landing an email in the inbox of an individual who was affected by the breach. More than half the population of the United States had their information exposed.
In order to make a claim, victims of the breach must visit a website set up by Equifax where claims can be processed. The name of the correct domain reflects its purpose – equifaxbreachsettlement.com – which does have a hint of phishiness about it.
Cybercriminals have set up a plethora of fake sites that closely resemble the genuine website, with similarly phishy but realistic names. Those sites similarly allow victims of the breach to submit a claim.
When submitting a claim on the genuine website, the claimant must enter their contact information and make their claim. They can choose to have the payment sent on a pre-paid card or by check in the mail. At no point must a Social Security number, bank account information, or credit card information be entered.
Large-scale spam campaigns are being conducted inviting victims of the breach to submit their claim and receive their share of the settlement amount. Hyperlinks are embedded in the messages which link to fake Equifax claim webpages.
After landing on these phishing webpages, users are guided through making a claim. Contact information is requested along with other sensitive information to confirm identity. Bank account information is also requested to process direct deposit refunds.
After entering in all that information, the claim is submitted, and the user is likely to be unaware that their sensitive information has been stolen.
Any email received in relation to the Equifax data breach settlement should be treated as potentially suspicious. Anyone wanting to make a claim should visit equifaxbreachsettlement.com
Microsoft Office 365 is being adopted by businesses at a staggering rate. Office 365 is now the most widely used cloud service in terms of number of users. One in 5 corporate employees use an Office 365 cloud service and, according to Gartner, 56% of businesses using cloud services use Office 365.
Any platform that attracts such high numbers of business users is a major target for cybercriminals. Hackers are developing innovative ways of attacking businesses and bypassing Office 365 protections to get their phishing emails delivered to inboxes.
Campaigns are tested on genuine Office 365 accounts to ensure Office 365 defenses are bypassed, before targeted campaigns are conducted on business users. Microsoft’s standard Exchange Online Protection (EOP) is not sufficient to block these threats. At a minimum, users need to pay for Advanced Threat Protection (APT) to provide the level of protection required to block the types of sophisticated phishing attacks that are fast becoming the norm.
Four campaigns that have recently been identified use novel tactics to evade detection and fool end users into disclosing their login credentials.
Custom 404 Error Pages Used to Host Office 365 Phishing Forms
Microsoft researchers identified a novel tactic being used in a phishing campaign targeting office 365 users – 404 error pages to host phishing forms. 404 error pages are displayed when a website visitor attempts to visit a page that does not exist. By customizing the 404 page and using it to host a phishing form, the attackers have a virtually unlimited supply of phishing URLs to use. Any random URL would bring up the 404 page and the phishing form. Many email security solutions would not detect the link as malicious.
Voicemail Notifications Used as Lure in Office 365 Phishing Campaign
Avanan researchers recently identified a phishing campaign that uses voicemail notifications as a lure to obtain Office 365 credentials. The emails include Microsoft Office 365 logos and notification of the time of a call, the caller number, and the length of the voicemail message.
The text and logos are combined into three images in the email and an HTML file is attached which the email claims is the voicemail message. If opened, the HTML attachment uses meta refresh to redirect a user from the locally stored HTML page to an Internet-hosted page where they are presented with an Office 365 login box. Credentials are required to listen to the message through the spoofed voicemail management system.
Office 365 Admin Credentials Targeted
Office 365 credentials are valuable, but none more so than administrator credentials. A typical employee may have an email account containing sensitive data and their credentials may allow a limited number of cloud resources to be accessed. A set of administrator credentials would give an attacker the ability to create new accounts, access other users’ accounts, send messages from their email accounts, and access a much greater range of resources.
Office 365 admins are being targeted in a campaign that uses Office admin alerts about time-sensitive issues to lure them into disclosing their credentials. Two common lures are a critical problem with the mail service and the discovery of an unauthorized access incident.
Attacks Use Credentials in Real Time
A phishing campaign has been detected in which the attackers use the data captured from fake Office 365 login forms to access the genuine Office 365 account in real-time. If the login fails, a warning is displayed requesting the user re-enter their credentials. When the correct credentials have been entered, the user is redirected to their real Office 365 inbox, most likely totally unaware that their credentials have been stolen.
These are just four new tactics being used by cybercriminals to gain access to the Office 365 credentials of business users. Without advanced anti-phishing defenses in place, many of these sophisticated phishing emails will be delivered to end users’ inboxes. Security awareness training for employees will go a long way toward strengthening your last line of defense, but unless the majority of email threats are blocked, data breaches will occur.
Businesses using Office 365 need to ensure their email security defenses are up to scratch and can detect and block advanced phishing threats. That means paying for Office 365 ATP or using a third-party anti-spam and anti-phishing solution.
With SpamTitan layered over Office 365, businesses will be protected from the full range of email-based threats. Advanced phishing techniques such as those detailed above are detected and neutralized by SpamTItan.
TitanHQ’s DNS filtering solution, WebTitan, adds another layer of security to protect against phishing attacks. WebTitan blocks all known malicious web pages and scans new websites for malicious content. Threats are detected and webpages are blocked before any content can be downloaded.
For further information on securing Office 365 accounts and improving your anti-phishing defenses, contact the TitanHQ team today.
Hotels in America are being targeted by cybercriminals in a campaign spreading a remote access Trojan (RAT) called NetWiredRC. The RAT is delivered via malicious emails targeting financial staff in hotels in North America.
The campaign uses a typical lure to get recipients to open the attached file. The message claims there are invoices outstanding and the recipient is asked to validate payment. The invoices are included in a zip file attached to the email.
If the file is extracted and the executable is launched, the Trojan will be downloaded by a PowerShell script. The Trojan achieves persistence by loading itself into the startup folder and will run each time the computer boots. The malware gives the attacker full control over an infected computer. Files can be uploaded and downloaded, further malware variants can be installed, keystrokes can be logged, and credentials can be stolen.
The ultimate aim of the threat actors behind this campaign is not known, although most cyberattacks on hotels are conducted to gain access to guest databases and payment systems. If malware can be loaded onto POS systems, card details can be skimmed when guests pay for their rooms. It can be months before hotels discover their systems have been breached, by which time the card details of tens of thousands of guests may have been stolen. Hutton Hotel in Nashville, TN, discovered in 2016 that its POS system had been infected with malware for three years.
There have been several recent cases of cyberattacks on hotels resulting in guest databases being stolen and sold on darknet marketplaces. The data breach at Marriott resulted in the theft of 339 million records and Huazhu Hotels Group in China experienced a breach of 130 million records.
Data breaches can prove incredibly costly. The cost of the data breach at Marriott could well reach $200 million, but even smaller data breaches can prove costly to resolve and can cause serious damage to a hotel’s reputation.
The latest spam campaign shows just how easy it is to gain a foothold in a network that ultimately leads to a 3-year data breach or the theft of more than 300 records: The opening of an attachment by a busy employee.
Hotels can improve their defenses by implementing cybersecurity solutions that block the threats at source. SpamTitan protects businesses by securing the email system and preventing malicious messages from reaching end users’ inboxes. WebTitan is an advanced web filtering solution that allows hotels to block malware downloads and carefully control the websites that can be accessed by staff and guests.
For further information on TitanHQ’s cybersecurity solutions for hotels, contact the sale team today.
TitanHQ has announced it has entered not a new partnership with one of the United Kingdom’s leading Managed Service Providers (MSPs), OneStopIT.
For more than 16 years, OneStopIT has been helping small to medium sized businesses (SMBs) implement enterprise-class technology solutions. The Edinburgh-based MSP is focused on providing process-driven IT solutions to growing organizations at an affordable price.
Through the company’s dealing with UK businesses it has become clear that one of the biggest problem areas is phishing. Phishing attacks on UK businesses are now occurring at record pace and those attacks are costing businesses dearly.
UK businesses need advanced, enterprise-level cybersecurity solutions, but at an affordable SMB-friendly price. To improve protection against phishing and malware attacks, OneStopIT turned to TitanHQ.
TitanHQ has developed powerful cloud-based solutions for the SMB marketplace that incorporate enterprise-grade security features, but at a price that is affordable for even the smallest business. These solutions have been developed to be delivered by MSPs and can be easily incorporated into MSP auto-provisioning, billing, and management systems.
Under the new partnership, OneStopIT will be offering its customers SpamTItan-powered advanced email security and anti-phishing protection, WebTitan-powered DNS-based web filtering, and an ArcTitan-powered email archiving service.
All three solutions have been seamlessly integrated into OneStopIT’s security stack and are now being used to better protect its customers from today’s advanced and sophisticated cyber threats.
“ The proliferation of phishing threats across Office 365 is a real problem for SME’s in the UK and we’re partnering with a key vendor in this space to protect our customers and also give them the OneStopIT premium service they are used to,” said Ally Hollins-Kirk, CEO of OneStopIT.
Cabarrus County in North Carolina is the latest victim of a major Business Email Compromise attack. The scammers impersonated a building contractor that was constructing a new high school in the County and succeeded in redirecting a $2.5 million payment to their account.
One of the contractor’s email accounts was compromised and an email was sent to a contact at the County requesting a change to the usual bank account.
Any request for such a change naturally needed to pass checks, but since the scammers had sent through all the appropriate documentation, the banking information was changed. The scammers then waited until the next regular payment was made. That payment was for $2,504,601.
The missing payment was queried by the contractor, Branch and Associates, and an investigation uncovered the scam. The relevant banks were informed to freeze the accounts to prevent the money from being withdrawn, but despite the quick response, the banks were only able to recover $776,518.40. The scammers had managed to divert $1,728,082.60 to a variety of accounts and had pocketed the funds.
The County was protected by an insurance policy, but it only provided $75,000 of coverage. $1,653,082.60 of the funds had to be covered by the County, in addition to the costs of investigating the attack, implementing additional security measures, and the cost increase of its insurance premiums after making such a large claim.
In this case the transfer was substantially larger than the average fraudulent BEC wire transfer, but transfers of this magnitude are far from unusual. Figures released by the U.S. Financial Crimes Enforcement Network (FinCEN) show there has been a 172% increase in losses to BEC attacks since 2016. Attacks are also increasing in frequency. In 2018, 1,100 BEC attacks were reported by businesses and $310 million per month was lost to BEC attacks.
FinCEN’s report shows businesses in the manufacturing and construction industries are the most commonly targeted and face the greatest risk of attack, although all businesses need to be aware of the threat and should take steps to reduce risk.
Defending against BEC attacks requires a variety of technical and administrative safeguards. There is no single solution that can be implemented which will detect and block all BEC attacks.
BEC scams usually start with a phishing email, so steps should be taken to improve email security. Advanced email security solutions such as SpamTitan can identify and block these BEC threats. SpamTitan also provides protection against the second stage of the attack. In addition to scanning all incoming emails, SpamTitan also scans outbound email for potential threats coming from within the organization.
Not all threats can be blocked, even with highly advanced email security defenses, so it is essential for the workforce to be trained how to identify potential email threats. Policies and procedures should also be developed covering amendments to banking credentials and email requests for bank transfers over a certain size.
Companies that fail to take action to reduce risk could well find their losses included in next year’s FinCEN BEC financial losses report.
If you have not implemented an anti-spam service, if you are unhappy with your current provider, or if you use Office 365 for email, contact the TitanHQ team today to find out more about improving your security posture and increasing your defenses against BEC attacks.
Email archiving solutions have been developed by many cloud service providers, but prices can vary considerably between products, even between products that include a virtually identical set of features. Finding the best value email archiving solution for your business can be a challenge.
While the difference in price may only be a dollar or two per user, when multiplied by the number of employees in the organization the cost difference can be of the order of several thousand dollars a year.
To help you get the best possible price on email archiving, we have created a 2019 email archiving price comparison grid. The grid includes some of the leading names in email archiving and gives a typical price per user per month and per year, along with the total annual cost for a business with 100 mailboxes. The prices were taken from price lists available on 04/05/2018.
As you can see from the grid, TitanHQ’s email archiving solution, ArcTitan, is very competitively priced and is an affordable solution for most businesses. Being cloud-based, an email archive is quick and easy to set up and no hardware or software is required.
2019 Email Archiving Costs
Key Features of ArcTitan
100% cloud-based – No hardware or software is required
No limits on numbers or storage space
Virtually unlimited scalability
Enhances Search and Storage functionality of Office 365
Rapid archiving – Processes 200 emails a second
Lightning fast searches - ArcTitan can search millions of emails a second.
Intuitive design ensures easy use by all employees on desktop and mobile
Full audit trail maintained
Remote access to the archive from authorized users from any location or device
Full protection against data loss and mail server outages with automatic backups
Industry-leading customer support
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports, single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
As with all other TitanHQ solutions, we offer all visitors a free demonstration of ArcTitan in action. This gives businesses an opportunity to see the full product and all the product features. During the demo, businesses have access to an experienced engineer who can answer any questions you have about email archiving solutions.
At the end of the demo, if you are happy with what you have seen, you can purchase a license and start using ArcTitan within minutes. If you are not happy for any reason, there is no obligation to proceed with a purchase and TitanHQ will wish you the best of luck with your search for an alternative solution.
If you have any questions about ArcTitan, or to book a product demonstration, contact TitanHQ today.
FAQs
Why do I need an archive if I backup my email?
Backups and email archives are not the same. Backups protect against catastrophic failure and allow mailboxes to be restored to a certain point in time. You cannot easily search a backup, so recovering emails can be an incredibly labor-intensive and time-consuming process and backups may not be adequate if emails need to be provided for court cases.
Are there any hidden email archiving costs?
One ‘hidden’ cost with many email archiving service providers is the need to continue to pay for archiving for all mailboxes, even if an employee leaves the company. Over time, that cost can build up, especially if you have a high staff turnover. With ArcTitan you only pay for the number of active mailboxes and you also benefit from very competitive email archiving pricing.
Is hosted email archiving pricing more expensive than on-premises?
That will largely depend on the number of mailboxes and email volume. For most businesses, once storage space, IT support and maintenance, and backups are factored in, hosted email archiving is usually the most cost-effective and easiest option. Hosted email archiving can be paid for monthly and there are no start-up costs. With on-premise archiving you need to purchase and implement the hardware and software.
What else should I consider when selecting an email archiving service provider?
Our email archiving service cost comparison includes the major providers of cloud-based email archiving for businesses and MSPs as a guide to show you the cost savings. You also need to consider how easy the solutions are to use and how quickly messages can be found in the archive. We are convinced you will love the performance of ArcTitan, which is why we encourage you to take advantage of the free demo.
Do you provide help with migrating an existing email archive?
All ArcTitan customers benefit from industry-leading customer support. If you need help migrating your email archive from an existing service provider, expert technical support is on hand from our team of highly skilled engineers. Full support is also provided during the free demo to ensure you get the most out of ArcTitan.
New figures have been released by the U.S. Financial Crimes Enforcement Network (FinCEN) on 2018 Business Email Compromise attacks. The latest FinCEN report highlighted the pervasiveness of the threat and potential for the attacks to result in serious financial harm.
Business Email Compromise (BEC) attacks are concerned with gaining access to a business email account and using that account to send messages to other individuals in an organization and business contacts. While compromised email accounts can be used for a variety of purposes, with BEC the primary goal is usually to convince an employee to make a fraudulent wire transfer or send sensitive information such as employee W-2 Forms.
Social engineering techniques are used to obtain the credentials of a high-level executive and convince an employee to make a fraudulent transfer. While at face value these scams are simplistic – they involve sending an email that requests a bank transfer be made – the scams are often highly sophisticated.
More than $300 Million a Month Was Lost to 2018 Business Email Compromise Attacks
The FinCEN report shows why these attacks are worth the effort. The average fraudulent transaction value in 2018 was $125,439 and $310 million per month was lost to BEC scams in 2018.
FinCEN received approximately 1,100 suspicious activity reports in 2018 that were attributed to BEC scams. It should be taken into consideration that many businesses are not obliged to report security breaches such as BEC scams, so the total losses will be considerably higher.
BEC attacks are also being conducted far more frequently and losses to the scams have skyrocketed. The 2016 FinCEN report indicates at least $110 million was lost to BEC scams. Losses to BEC scams have increased by 172% increase in just two years.
There has been a marked change in BEC scam tactics over the last two years, which has helped to increase the dollar amount of each fraudulent transaction.
As previously mentioned, the scams involve compromising an email account, which was commonly the email account of the CEO or CFO. The email accounts were used to send wire transfer requests and the average transaction value was $50,272. The 2018 figures show that there has been a shift from attacks that impersonate the CEO to attacks impersonating contractors and other vendors.
If a vendor’s email account is compromised, fake invoices can be sent to all companies that the vendor works for. Further, the typical amount of a vendor invoice is substantially higher than the transfer amounts typically requested by CEOs.
FinCEN’s figures show the average fake invoice transaction value was $125,439 for fake invoices from contractors, which is $75,167 more than the typical CEO email request.
FinCEN’s 2017 figures indicate 33% of BEC attacks involved impersonation of the CEO, but the percentage had fallen to just 12% in 2018. 39% of all BEC attacks in 2018 involved the impersonation of an outside entity such as a business associate, contractor, or vendor.
How to Improve Defenses Against BEC Attacks
With attacks increasing and losses spiraling, businesses need to take steps to reduce risk by improving email security and providing further training to employees. Employees should be made aware of the risk of BEC attacks, told about the latest threats, and should be taught how to identify a scam email. Policies should also be developed and implemented which require verification of all emailed transfer requests and bank account changes.
Training and policies will help to create a strong last line of defense, but the primary goal should be blocking the scam emails at the email gateway to ensure end users are not tested. That requires a powerful anti-spam service such as SpamTitan. SpamTitan blocks more than 99.97% of all spam and malicious emails to keep business inboxes threat free.
For further information on SpamTitan and other cybersecurity protections to reduce the risk of phishing and BEC attacks, contact TitanHQ today.
There are several common misconceptions about email archiving which are preventing many businesses from creating an email archive. It is often only when email data needs to be recovered that businesses realize just how important an email archive is. Of course, by then it is too late.
In this post we debunk some of the email archiving myths and explain why email archiving is now essential for almost all businesses, regardless of industry or business size.
Misconception #1: An Email Archive is the Same as a Backup
The recent increase in ransomware attacks has highlighted the importance of creating backups of all critical data. An email backup contains all messages in a mailbox. If anything happens to that mailbox – it is encrypted by ransomware for instance – all email data can be recovered.
An email archive could serve the same purpose but differs in some very important ways. An email archive serves as a depository for all emails that are no longer required but need to be retained to meet state and federal data retention requirements.
If an email, group of emails, needs to be recovered, the messages can be located and restored very quickly. That is because the archive includes email metadata and the archive is searchable. A backup is intended for mass email recovery. Finding individual emails in a backup can be incredibly time consuming, costly, and difficult.
You can restore emails from a backup following a ransomware attack, but for eDiscovery and dealing with customer complaints, an email archive is required.
Misconception #2: Email Archives are Only Necessary in Highly Regulated Industries
The Sarbanes-Oxley Act of 2002 (SOX) requires organizations maintain an audit trail for 7 years, which includes email communications. However, it is not only organizations covered by SOX that must retain emails. Several states have enacted laws that require email data to be retained for a set period of time.
Further, no company is immune to litigation. The Federal Rules of Civil Procedure require email communications to be produced as part of eDiscovery. Those communications must be found and provided quickly, which is only possible with an email archive. The failure to produce emails can result in significant financial penalties.
Misconception #3: Email Archives Must be Stored On-Premises
There is no law that states email archives must be housed on-premises, but many companies mistakenly believe that this is necessary. They then purchase expensive hardware and software to create an on-premises email archive. This is often out of security concerns as IT departments feel they can better protect email data in house.
However, cloud service providers offer the same if not greater security, and their solutions require no hardware purchases nor ongoing hardware and software maintenance. Businesses are therefore paying unnecessarily high prices for their email archive.
There is no need to purchase expensive hardware to store sizable email archives and resources do not need to be made available to maintain the hardware and software. On-premises systems also tend to lack flexibility, whereas cloud-based email archives are extremely scalable. When greater capacity is required, additional storage space is always available.
Many businesses only retain emails for a limited period of time, such as 90 days, after which messages are permanently deleted. There is a common view that If an email is deleted, it cannot cause any harm. However, if a complaint is received or emails need to be produced for eDiscovery, the failure to produce those messages could see a company liable for data destruction.
If you want to meet compliance requirements, reduce costs, and be able to recover email data instantly, an email archive is required.
ArcTitan: The Easy Way to Implement a Cloud Email Archive
TitanHQ offers a powerful, fast, and easy to use archiving solution that allows customers to securely store email data in the cloud. ArcTitan is a set and forget solution that serves as a black box flight recorder for email. Whenever an email needs to be found, you are selected for a compliance audit, or receive and eDiscovery request, the archive can be quickly searched and emails can be recovered in seconds or minutes. Emails are sent to the archive at a rate of around 200 messages a second and searches of the archive can be performed at a rate of up to 30 million messages a second.
With ArcTitan emails are sent to the archive in real-time when they arrive at your mail server. An exact copy of the email is sent to the archive, messages are de-duplicated, compressed and sent to Replicated Persistent Storage on Amazon AWS S3 and the archive is automatically backed up to ensure they can always be recovered. With ArcTitan there are no software updates to be performed, as that is handled by TitanHQ. A full audit log is maintained and you can prove that any emails produced have not been altered – Which is essential for compliance and eDiscovery requests.
Some of the key features of ArcTitan are listed below:
Scalable, email archiving that grows with your business
Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
Lightning fast searches – Search 30 million emails a second
Rapid archiving at up to 200 emails a second
Automatic backups of the archive
Email archiving with no impact on network performance
Ensure an exact, tamperproof copy of all emails is retained
Easy data retrieval for eDiscovery
Protection for email from cyberattacks
Eliminate PSTs and other security risks
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports, single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
To find out more about the benefits of email archiving and for further information on ArcTitan. Contact TitanHQ today.
Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.
The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.
A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.
If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.
The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants and a module also been developed for propagation which includes the EternalBlue exploit.
Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.
This is a professional Office 365 phishing campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.
Office 365 Admins Targeted
A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.
Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.
The emails contain a link for the admin to use to login to their Office 365 account to address the problem. The user will be directed to a webpage on the windows.net domain which has a valid certificate from Microsoft. The Microsoft login box is identical to that used on the Microsoft site.
Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.
Admin credentials are highly valuable as they allow an attacker to create new office 365 accounts, access other user’s mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common due to the high value of the accounts and the range of attacks they allow a hacker to perform.
There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.
However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.
WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.
Contact TitanHQ today to find out more about how SpamTitan and WebTitan can block Office 365 phishing attacks, the different deployment options, pricing information, and to book a product demonstration.
New Office 365 Phishing Scams FAQs
Will a spam filter block all spam and phishing emails?
No spam filter will be 100% effective, 100% of the time, which is why it is important to implement layered defenses. Many spam filters block around 99% of spam. SpamTitan is an advanced spam filter that has been independently verified as blocking 99.97% of spam email with a low false positive rate of just 0.03%.
How does email content filtering work?
Once initial checks have been performed to identify malware and emails from known spam sources, message content filtering takes place. Email content is analyzed, and each email is assigned a spam score based on phrases, keywords, images, and hyperlinks. A threshold is set and if that score is reached, the message will be rejected or quarantined.
What is greylisting and why is it important?
Greylisting is an important spam filtering mechanism for detecting new sources of spam. Greylisting initially rejects an email and requests the message is resent. Since email servers being used for spamming are busy sending huge volumes of messages, they do not respond to these requests or there is a significant delay. The delay is a good indicator that the message is spam.
Why should I scan outbound emails?
Outbound scanning is important for several reasons. By scanning outbound emails, email account compromises can be detected quickly to block business email compromise attacks. Attempts to use internal email accounts for sending malware and spam will be blocked, and tags can be applied to certain data types to identify attempted data theft by malicious insiders.
The past few months have seen an increase in reported cyberattacks on ships. The rise in cyberattacks on the commercial shipping network has prompted the U.S. Coast Guard to issue a warning.
This is the second such warning to be issued by the U.S. Coast Guard in the past three months. Together with a recent shipping industry report, they confirm that shipping companies and commercial vessels are being targeted by hackers and many of those attacks are succeeding.
Ships are now largely controlled by computers and mouse clicks and there is increasing reliance on electronic navigation systems. It is now common for operational technology and information technology to be linked together via onboard networks and certain systems are now connected to the internet. When devices are networked and connect to the Internet, hackers are given the opportunity to attack.
The cyberattack that prompted the latest warning occurred in February 2019. A ship bound for the Port of New York started experiencing severe disruption to its shipboard network. Vessel control systems were not affected, although the functionality of the network was severely degraded. The U.S. Coast Guard led a forensic investigation which revealed malware had been installed on the network.
The ship was known to be vulnerable to attack so the crew did not typically use the network for personal matters such as email. The network was only used for business purposes, which involved contact with third parties to maintain charts, manage cargo data, and communicate with shore-side facilities. It is currently unclear how the malware was installed, but what is clear is that cybersecurity defenses were nowhere near sufficient.
The advice from the Coast Guard is to implement network segmentation to limit the harm that can be caused in the event of an attack. Network profiles should be created for each user, and the rule of least privilege should be applied. Anti-virus software should be installed, all software should be kept up to date, and care should be taken connecting any external device to a networked computer due to the risk of malware.
If hackers can gain access to the network, they can steal sensitive data, cause serious disruption to internal networks, and systems could even be rendered inoperable. An extortion attack involving ransomware, for instance, could leave shipping firms with no alternative other than to pay up.
These attacks are the latest in a string of cyberattacks on commercial vessels. In December 2018, 21 shipping associations and industry groups produced a set of guidelines on cybersecurity onboard ships to help commercial vessel operators improve security, secure their networks, and make it difficult for hackers.
The report details recent USB-based attacks, RDP-based attacks, phishing attacks, ransomware attacks, and attacks involving malware, viruses, and worms. The attacks have caused major delays to shipping firms, financial losses, and in some cases have jeopardized safety.
Just as captains must make sure that access to the engine room is restricted, the same should be the case for computer systems. If systems are not secured, cyberattacks are inevitable.
TitanHQ can help shipping firms protect against email and web-based attacks and block the two main vectors that are used to attack commercial vessels.
Contact the team today to ask about SpamTitan and WebTitan: TitanHQ’s award winning antispam and DNS filtering solutions.
A serious outage has affected the spam filtering service, OnlyMyEmail, leaving customers without spam protection for several days.
The spam filtering service, also known as MXDefender, suddenly stopped working on Thursday and customers have been left in the dark about what has happened. Many have taken to online forums and social media to find answers but have only found hundreds of other customers asking the same questions. Customers have not been able to submit support tickets, the website is down, and the phone lines have been jammed.
MSPs know all too well that their clients are vulnerable to attack while their spam filtering service is down. Without the filter in place, spam, phishing, and malware-laced emails can flood into inboxes. All it takes is for one employee to respond to one of those messages for a costly breach to occur.
Several MSPs on forum such as Spiceworks have expressed their frustration about the prolonged outage and have already had to move their clients to alternative service providers to ensure they are protected until the issues are resolved. Two large MSPs have already switched to SpamTitan as a result of the OnlyMyEmail outage.
TitanHQ has received many enquiries about SpamTitan since the OnlyMyEmail service went down, as customers seek an alternative solution to protect their inboxes from email threats and spam. Many have given up waiting for an answer from OnlyMyEmail.
If you are a managed service provider or business that has been affected by the outage, it is important to implement a replacement spam filtering solution as soon as possible. The failure to do so will leave you extremely vulnerable to attack.
TitanHQ has developed an award-winning anti-spam and anti-phishing solution that has been shown to block more than 99.9% of spam in independent tests.
The 2019 G2 Crowd Report on Email Security Gateways named SpamTitan the leader for customer satisfaction. 97% of users awarded the product 4 or 5 stars and 92% of users would recommend the product to others.
TitanHQ ranked top for quality of support with an overall score of 94% – 10% more than the average score for support. SpamTitan clearly outperformed products from likes of Cisco, Barracuda, Mimecast, and SolarWinds.
SpamTitan is available as a cloud-based solution or gateway solution running on a virtual machine on your own hardware. MSPs have a range of hosting options and the solution can be easily integrated into existing MSP systems using TitanHQ’s APIs.
If you want an easy to implement anti-spam solution that provides enterprise-class protection at an affordable SMB price, SpamTitan is the ideal choice.
Sign up for the free trial and you can be protected in minutes.
You may have heard of ransomware-as-a-service – where ransomware is rented for a cut of the profits generated – but now there are a growing number of hackers offering phishing-as-a-service.
Ransomware-as-a-service proved popular as it allowed people without the skill set to create their own ransomware to conduct attacks and take a share of the profits. Conducting phishing attacks is easier. It requires no knowledge of malware or ransomware. All that is required is a hosted web page that mimics a brand you want to target, a phishing kit, and an email account to send phishing emails far and wide.
There is still entry barrier to cross before it is possible to conduct phishing attacks. Phishing requires some knowledge and skill as a spoofed phishing web page must be created and emails crafted that will attract a click. The web page will also need to be hosted somewhere so a compromised domain will therefore be required.
Phishing-as-a-service provides all of that. To get started, you purchase one of several phishing templates based on what you are targeting – Office 365, SharePoint, OneDrive, Google, or DocuSign credentials for example. The phishing pages are sold complete with phishing kits loaded and one month’s hosting.
One group offering phishing-as-a-service guarantees the phishing page will be hosted for one month and includes a three-link backup. If one URL fails or is reported as a phishing website, a further two links can be provided on request followed by a further three after that.
Phishing-as-a-service takes all the time-consuming work out of starting a phishing campaign and allows phishing campaigns to be conducted by individuals with next to no specific skills. Once payment is made for the web page, all that is required is the ability to conduct a spam campaign. The service also comes with the option of purchasing lists of email addresses for the country of choice. All that is required to conduct a phishing campaign is payment ($30+) for phishing-as-a-service and a convincing phishing email.
With the entry barrier being substantially lowered, phishing attacks are likely to become much more frequent. It is therefore essential for businesses of all sizes to take steps to improve protections and reduce susceptibility to phishing attacks.
If you are defending against any attack it pays to know your enemy. It is therefore essential for all employees with an email account to be provided with security awareness training and be taught how to recognize a phishing attack.
It is also important to implement cybersecurity solutions that help to ensure your last line of defense will not be tested. You should have an advanced anti-spam solution in place to block the vast majority of phishing threats. If you use Office 365 for your business email, a third-party anti-spam solution will provide a greater level of protection.
An additional protection against phishing attacks that is often overlooked is a DNS filter or web filter. A web filter gives organizations control over what their employees can do online and which websites they can visit. Any website that has been reported as malicious is automatically blocked using blacklists and webpages are scanned in real-time and blocked if malicious. If a phishing email reaches an inbox and attracts a click, the attempt to access the phishing website can be blocked.
If you want to improve your email and web security posture or you are looking for better value cybersecurity solutions, TitanHQ can help. Contact TitanHQ today to discuss your email and web security requirements and you will be advised on the best solutions to meet your needs.
TitanHQ offers a free trial on all products and is happy to arrange product demonstrations on request.
A new strain of ransomware has been identified which has been used in multiple attacks over the past few weeks.
All of the attack vectors used to distribute the ransomware are not yet known, but samples of the ransomware have been distributed via a spam email campaign.
The spam email campaign uses a tried and test format to deliver the ransomware payload. A Word document called Info_BSV_2019.docm is attached to emails with requests that the recipient open the document. In order for the contents to be displayed, the user is told they must enable macros. Enabling macros will launch code that downloads an executable file, which is renamed LooCipher.exe and is executed.
The ransomware will encrypt a standard range of file types, but instead of deleting the original files, they are retained as zero-byte files. Encrypted files are given the extension .lcphr.
The ransomware creates a file on the Windows Desktop called c2056.ini, which includes the unique ID number of the computer, the time limit for paying the ransom, and the Bitcoin wallet address for payment. The ransom note warns that deletion of the ini file will prevent file recovery.
Users are given 5 days to pay the ransom or the key to unlock files will be permanently deleted. The ransom is €300 ($330) in Bitcoin per device. No option is provided to test to see whether a file can be decrypted.
LooCipher ransomware may not be particularly polished, but it has already claimed several victims. Recovery will depend on an organization’s ability to restore files from backups. It is not clear whether the attackers hold valid keys to decrypt encrypted files.
Ransomware attacks have been increasing following a decline in popularity of ransomware with hackers in 2018. There have been high profile attacks on U.S. cities and ransoms and hundreds of thousands of dollars have been paid in ransoms. Ransomware attacks on healthcare organizations have increased, and several new strains of ransomware have emerged.
Recently the Department of Homeland Security warned of the risk of wiper malware attacks by Iranian threat actors, as tensions between the United States and Iran continue to increase.
These malware threats may be delivered by a variety of different methods, but spam email is the delivery vector of choice. Protecting against these malware threats requires an advanced spam filtering solution capable of precision control over incoming email and the ability to scan messages and analyze attachments for malicious code.
SpamTitan uses twin AV engines to identify known malware and a sandbox to analyze suspicious attachments to identify malicious actions and provides superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
To find out more about how you can improve email security with SpamTitan, contact the TitanHQ team today.
Tension is rising between the United States and Iran following the downing of a U.S. Global Hawk surveillance drone close to the Strait of Hormuz and the recent mine attacks.
Less visual are the attacks on IT systems. The Washington post recently reported that the United States had conducted a successful cyberattack on the Islamic Revolutionary Guard Corps, part of the Iranian military, which is believed to have been involved in the mine attacks.
Iranian-affiliated hacking groups have conducted cyberattacks on U.S. industries and government agencies and those attacks are increasing in frequency. So much so that the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, sent out a warning on Twitter about the increased risk of attack.
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” said Krebs.
Threat actors affiliated with Iran have been using wiper malware in targeted attacks on businesses, government agencies, industries, and infrastructure. Whereas ransomware encrypts files with the aim of receiving a ransom payment, the purpose of wiper malware is to permanently destroy data and wipe systems clean.
Wiper malware has previously been used in major attacks, some targeted, others less so. In 2012, Saudi Aramco, a Saudi Arabian oil firm, was attacked with a wiper malware variant called Shamoon. The malware wiped tens of thousands of computers.
More recently were the NotPetya attacks. While initially thought to be ransomware, it was later discovered there was no mechanism for file recovery and the malware was a wiper. Some companies were hit hard. The shipping firm Maersk suffered losses of around $300 million due to NotPetya. Global losses are estimated to be between $4-8 billion.
Hackers working for the Iranian regime commonly gain access to computers and servers through the use of phishing, spear phishing, credential stuffing, and password spraying.
“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” warned Krebs.
As with ransomware, recovery from a wiper malware attack is reliant on backups, except there is no safety net as a ransom cannot be paid to recover data. It is therefore essential that a working copy of all data is maintained, with one copy stored securely off-site on a non-networked, non-internet exposed device.
Even with a working copy of data, recovery can be time consuming and costly. It is therefore important to ensure that solutions are in place to block the main attack vectors.
A spam filtering solution with advanced anti-malware capabilities is therefore required to block email-based attacks. A web filtering solution can prevent users from visiting malicious websites or inadvertently downloading malware and employees should be provided with security awareness training to help them recognize potential threats.
Standard cybersecurity best practices should be adopted such as ensuring strong password policies are implemented and enforced, multi-factor authentication is implemented, all software is kept up to date and patched are applied promptly. IT departments should also ensure permissions are set to the rule of least privilege.
A phishing campaign targeting university employees has already claimed several victims and has seen many email accounts compromised.
Emails are tailored to the institution and use a range of social engineering tricks to convince employees to click a link in the email and enter their Office 365 login credentials to access online content. The credentials are captured and used to gain access to university email accounts.
Once credentials have been obtained, a treasure trove of sensitive data can be plundered. Emails and email attachments contain personally identifiable information of staff, students, and parents, which can be used to commit identity theft and other fraudulent acts. Proprietary information can be obtained, along with details of contacts. The compromised accounts can also be used to conduct further phishing attacks on the university and externally on business contacts and other educational institutions.
Campaigns convincing users to install malware can give the attackers full control of university computers and a foothold to move laterally throughout the network. Access to university email accounts and backdoors in university computers are sold on the dark web, along with a range of stolen and forged university documents.
The healthcare industry is heavily targeted by cybercriminals due to the high value of health data. Health data is versatile and can be used for a multitude of fraudulent purposes. It also has a long-life span and can be used for much longer than financial information. Cybercriminals are also now realizing the potential rewards from attacks on universities. Student data is similarly versatile, and the wealth of data stored in university email accounts provides plenty of opportunities for profit.
Oregon State University is the latest university to announce it is the victim of a phishing attack. The Office 365 email account of an employee was compromised, through which the attacker had access to the records of 636 students. The account was used to send phishing emails to other entities throughout the United States.
Graceland University in Iowa and Southern Missouri State University recently announced that several email accounts had been compromised in recent phishing attacks, which would have allowed access to be gained to sensitive information.
It is unclear whether this is a single campaign or part of a wave of separate attacks on universities. What is clear is the attacks are increasing, so universities should take steps to improve email and web security.
Employees are being targeted so it is important to ensure that staff members are taught email security best practices and are shown how to identify phishing emails.
Technological defenses can also be improved to prevent malicious messages from arriving in Office 365 inboxes. As an additional protection, a DNS filter can be used to prevent users from accessing phishing websites and other known malicious web pages.
TitanHQ has developed powerful anti-phishing and anti-malware solutions for universities that help them protect against email and web-based attacks.
SpamTitan is a powerful anti-spam service that incorporates DMARC authentication and sandboxing to provide superior protection against impersonation and malware attacks for Office 365 users.
WebTitan is a DNS filtering solution that prevents users from accessing known malicious websites, such as those used for phishing and distributing malware.
To improve Office 365 phishing defenses and better protect your email accounts and networks from malware attacks, contact TitanHQ for further information on these two powerful cybersecurity solutions for educational institutions.
The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.
DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions area easy to implement and maintain and can be integrated into MSP’s existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.
Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.
If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new, Datto Select Avendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the epic problems faced by MSPs today.
Additional Benefits at DattoCon19
New TitanHQ customers benefit from special show pricing.
A daily raffle for a free bottle of vintage Irish whiskey.
Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.
DattoCon Details
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23
The global user review website, G2, is the go-to place to find reviews of business software and services. Unlike many other review websites, G2 gives users of the software and services the opportunity to provide their feedback on how the products perform. Millions of businesses use the website to make smarter buying decisions and select the best products and services to meet their needs.
This year, for the first time, G2 has launched a new Best Software Companies in EMEA list. To produce the list, G2 used the reviews of more than 66,000 users of the products of more than 900 companies. To be selected as one of the best companies is only possible if users of products and services have given their endorsement.
“G2’s ever-expanding breadth and depth of product, review, and traffic coverage provide over 5 million data points to help buyers navigate the complex world of digital transformation”, said G2 CEO Godard Abel. “In our Best Software Companies in EMEA list, we leverage this data to identify the companies our users tell us are best helping them reach their potential”.
TitanHQ has developed a suite of advanced cybersecurity solutions to keep businesses protected from email and web-based threats and help MSPs serving that market effortlessly provide managed cybersecurity services to their clients.
“TitanHQ earned its place on the list thanks to the value our customers place on the uncompromised security and real-time threat detection we provide,” said Ronan Kavanagh, CEO, TitanHQ. “The overwhelmingly positive feedback from on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
The use of ransomware to attack businesses continued to decline throughout 2018 after extensive use of the file-encrypting malware by cybercriminals in 2016 and 2017. In 2018, ransomware fell out of favor with cybercriminals, who turned to other forms of cybercrime to make money.
However, ransomware is seeing something of a resurgence in 2019. The latest Breach Insights Report from Beazley Breach Response Services shows ransomware attacks are increasing once again. In the first quarter of 2019, ransomware attack notifications from its clients increased by 105% from Q1, 2018. Ransom demands are also increasing.
The rise in attacks has continued in Q2. Attacks using MegaCortex ransomware surged in late April. The ransomware variant was first identified in January and was only used in a handful of attacks in the following three months, but in the last week in April, 47 confirmed attacks were reported.
Dharma ransomware attacks have similarly increased. According to Malwarebytes, the past two months have seen a 148% increase in attacks. The threat actors behind Dharma ransomware are now using a variety of methods to distribute their ransomware payload.
The most common method of distribution is phishing emails. Emails contain embedded hyperlinks that direct users to a malicious website where the ransomware payload is downloaded. Email attachments containing malicious scripts are also used to download the ransomware payload.
Attacks are also taking place via remote desktop protocol over TCP port 3389. Brute force attacks are conducted to gain access to a device then ransomware is deployed. Dharma ransomware has also been identified in fake antivirus software programs which are pushed via a variety of websites. Users are tricked into downloading fake AV software after receiving a fake alert about a malware infection that has been detected on the user’s device.
Ransomware has also been used in conjunction with other malware such as Emotet. Emotet was once a banking Trojan but has since morphed into a botnet, capable of stealing login credentials, propagating itself via email on an infected device, and is capable of downloading other malware payloads. Emotet has been used to distribute Ryuk ransomware.
There have been upticks in attacks using other ransomware variants and the popularity of ransomware continues to grow, with some industries targeted more than others. Healthcare organizations are an attractive target as access to patient data is critical for providing medical services. There is a higher probability of ransom demands being paid due to reliance on patient data.
A recent report from Recorded Future has confirmed that attacks on towns, cities, and local government systems are soaring. Its study confirmed that there were 169 attacks on county, city, or state government systems and police and sheriffs’ offices since 2013. There were 38 ransomware attacks in 2017, 53 in 2018, and 22 attacks have already occurred in 2019 and the year is not yet halfway through.
Akron, OH; Albany, NY; Jackson County and Cartersville, GA; and Lynn, MA, have all been attacked this year and the city of Baltimore, MA, has been struggling to recover from its attack for the past two weeks with many city services still disrupted.
The rise in attacks is understandable. The potential rewards from a successful attack are high, many victims have no alternative but to pay, and thanks to ransomware-as-a-service, attacks are easy to pull off and require little in the way of skill.
As long as the attacks continue to be profitable, they will continue. What businesses need to do is to make it much harder for the attacks to succeed and to ensure that if disaster does strike, recovery is possible without having to pay a ransom.
Recovery depends on viable backups of all critical files being available. That means regular backups must be made, those backups need to be tested to make sure files can be restored, and copies need to be stored securely where they cannot also be encrypted.
Remote Desktop Protocol is a weak point that is commonly exploited. If RDP is not required, it should be disabled. If disabling RDP is not an option, strong, complex passwords should be used and access should only be possible using a VPN.
To block web-based attacks, consider implementing a web filtering solution such as WebTitan which prevents users from visiting known malicious websites and downloading executable files types.
One of the primary methods of delivering ransomware is spam and phishing emails. An advanced spam filtering solution should be implemented to block malicious emails and ensure they are not delivered to end users’ inboxes. SpamTitan now incorporates a sandbox, which allows suspicious files to be executed in a secure environment where activities of the files can be safely analyzed for malicious actions. SpamTitan also scans outgoing mail for signs of infection with Emotet.
While these technical controls are important, you should not forget end users. By providing security awareness training and teaching end users how to recognize potential threats, they can be turned into a strong last line of defense.
Fortunately, with layered defenses you can make it much harder for ransomware attacks to succeed and can avoid becoming yet another ransomware statistic.
The French Value Added Distributor (VAD) Exer has partnered with TitanHQ and will start offering its email security, DNS filtering, and email archiving solutions to French VARs.
Exer specializes in network security, mobile security, and managed cybersecurity services and currently works with over 600 French VARs and integrators helping them improve security for their clients.
TitanHQ is a leading provider of email security and DNS filtering services to SMBs, and MSPs and VARs serving the SMB market. The company’s award-winning cybersecurity solutions are now used by more than 7,500 businesses and 1,500 MSPs around the world.
TitanHQ is keen to expand its footprint in France and collaboration with Exer will help the company achieve its aims.
“Our advanced threat protection for email and web security was designed to keep businesses productive and information secure. We are pleased to be offering the Exer partner community choice, enhanced functionality and greater overall value,” explained TitanHQ Executive VP, Rocco Donnino.
“Collaboration with TitanHQ is an opportunity to represent a brand internationally recognized on 3 key technologies: Web Content Filtering, Anti-Spam, and Email Archiving. We are eager to propose these security solutions to ours VARs,” explained Exer CEO, Michel Grunspan. “Our regional presence and our expertise will be our strength for asserting the presence of TitanHQ in the French market”
The collaboration will see Exer offer all three TitanHQ solutions to French VARs: SpamTitan, WebTitan, and ArcTitan.
SpamTitan offers superior protection against all email-based threats and blocked 7 billion spam emails in January 2019. The solution is regularly updated to ensure it continues to protect against the latest email threats. The most recent update saw the incorporation of DMARC and sandboxing to the solution.
WebTitan is a DNS filtering solution that allows businesses to block web-based threats and carefully control the web content that can be accessed by users, both on and off the network. In January, the solution blocked more than 60 million malicious websites to keep businesses protected.
ArcTitan is an email archiving solution that helps businesses meet their compliance requirements. The solution was used to securely archive 10 million emails in January 2019.
French VARs will be able to find out about TitanHQ solutions at Exer’s Tour De France, which commences in Lille on May 23, 2019 at Hameau de la Becque (09:00-13:00).
Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.
Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.
The downloaded files use JavaScript or other scripts to download the Shade ransomware payload. Shade ransomware encrypts a wide range of files and changes the background on the infected computer to alert the user that their files have been encrypted. Ransom notes are also saved to the Desktop with the filename of README1.txt through to README10.txt. Those text files advise the victim to email a code to an email address to receive instructions on how the ransom payment must be made.
An analysis of the latest campaigns was recently conducted by Palo Alto Networks Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions and the threat actors behind the campaigns have been highly active in 2019.
Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.
SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.
The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachments commonly used to deliver malware, such as zip files and executable files such as .exe and .js.
These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.
If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.
A critical Windows vulnerability has been identified which could be exploited in a WannaCry-style malware attack. The vulnerability is pre-authentication and requires no user interaction to exploit, as such it is wormable. A patch was issued by Microsoft on May 14, 2019 to correct the flaw. The patch should be applied immediately to prevent the flaw from being exploited.
A remote attacker could exploit the flaw to deliver malware to a vulnerable device and, by incorporating the exploit into the malware, move laterally and infect all vulnerable devices on the network.
The vulnerability, tracked as CVE-2019-0708, is in Remote Desktop Services (previously called Terminal Services) and requires a relatively low level of skill to exploit. To exploit the flaw, an attacker would need to send a specially crafted request to the Remote Desktop Service on a targeted device via RDP. Once exploited, an attacker could download malware and install other programs, view, change, or delete data, create new user accounts with admin privileges, and take full control of a vulnerable device. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.
Microsoft has incorporated security protections into the latest Windows versions, so Windows 8 and Windows 10 users are unaffected. However, earlier versions of Windows contain the vulnerability.
Patches have been released for all vulnerable Windows versions, including Windows XP and Windows 2003, both of which have reached end of life and are no longer supported, as was the case with the Windows Server Message Block (SMB) vulnerability that was exploited by WannaCry.
Affected Windows versions are:
Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows XP
Windows 2003
Businesses running machines with the above operating systems should test the patch and apply it as soon as possible. In the meantime, a workaround should be implemented to prevent the flaw from being exploited.
The workaround requires TCP port 3389 to be blocked on the firewall and for Network Level Authentication (NLA) to be enabled on all systems running vulnerable Windows versions. If NLA is enabled, before the flaw can be exploited, an attacker would first need to authenticate to remote Desktop Services using a valid account. While the workaround will reduce the risk of exploitation of the vulnerability, it is not a replacement for the patch, which should still be applied as soon as possible. Businesses should also disable Remote Desktop Services if they are not essential and RDP should not be exposed to the internet.
Microsoft has warned that the failure to mitigate the vulnerability, either by applying the patch or using the workaround, could result in another global attack on the scale of WannaCry. Such an attack is extremely likely. When patches are released to address critical flaws, it doesn’t take long for them to be reverse engineered and for exploits to be crafted. Such a high severity flaw is likely to be exploited quickly. It may only take a few days before the first attacks are conducted.
TitanHQ, the leading provider of spam filtering, web filtering, and email archiving solutions to SMBs and managed service providers (MSPs) has announced a new partner program has been launched: TitanShield.
The aim of the TitanShield Partner Program is to provide MSPs, cloud distributors, OEM partners, Wi-Fi providers, and Technology Alliance partners with all the tools and support they need to start offering TitanHQ solutions to their clients and to provide continued support.
The launch of the new program coincides with TitanHQ’s 20-year anniversary. For the past two decades, TitanHQ has been developing innovative cybersecurity solutions for SMBs and MSPs that serve the SMB market. The company started by developing anti-spam technologies for businesses in Ireland and has since grown into an award-winning global provider of cybersecurity solutions.
Over the course of the past year, TitanHQ has been working closely with partners to make it as easy as possible for them to sell, onboard, deliver, and managed advanced network security solutions directly to their client base. In fact, in the past 9 months, as a result of those efforts, TitanHQ has increased its partner base by 40%.
In addition to providing cutting edge cybersecurity solutions to protect against email and web-based attacks and meet compliance requirements, TitanHQ offers partners flexible pricing models, competitive margins, and a wealth of sales and technical resources to drive revenue growth.
Under the new partner program, all qualified partners will be assigned a dedicated account manager, a support team, and engineers. Partners also benefit from a full range of APIs that will enable them to incorporate TitanHQ products into their backend provisioning and management systems and will be provided with extensive sales enablement and marketing support, including lead generation resources.
“Our new TitanShield partner program allows us to separate partners into their specific areas so that we can make sure they are receiving best practices, simple pricing models and focused information for the markets and customers they serve,” explained TitanHQ Executive VP of Strategic Alliances, Rocco Donnino “Our program takes a unique and strategic approach for our partners and can be customized to fit all business models.”
MSPs and cloud providers who have not yet started offering TitanHQ solutions to their clients can find out more about the TitanShield program by emailing the team at partners@titanhq.com
Malware and ransomware attacks are causing major problems for businesses, but the biggest threat in terms of losses are business email compromise scams.
The 2018 Internet Crime Report from the FBI clearly shows how serious the threat of BEC attacks has become. In 2017, reported losses from BEC attacks reached $675 million. In 2018, losses to BEC scams doubled to reach a staggering $1.2 billion.
It is no surprised that so many cybercriminal gangs are conducting BEC attacks. In contrast to many other forms of cybercrime, BEC scams can be extremely profitable and they require little in the way of technical skill to perform. As with phishing attacks, they often involve an attacker sending an email to trick an individual into making a wire transfer.
The scams often start with a spear phishing email targeting an executive in a company. The aim of the initial phase of the attack is to gain access to that individual’s email account. Once the email account is compromised, emails are then sent to finance department employees or payroll staff requesting a wire transfer be made.
Highly convincing emails are sent, and since they come from a genuine internal email account, the recipient is less likely to question the request.
Large enterprises often make large wire transfers, so a sizable transfer request for tens or hundreds of thousands of dollars may be authorized without question. There have even been cases where much more substantial wire transfers have been made. A town in New Jersey discovered that, as a result of a BEC attack, a transfer of $1 million had been made to a criminal’s account. In that case, the FBI was able to freeze the funds in time, but with many scams, funds are withdrawn before the scam is identified.
In many cases, the first step in the attack is skipped and emails are simply spoofed to make them appear to have been sent from within the organization, from a contractor, or another individual with a relationship with the targeted entity.
The tactics and techniques being used are constantly changing. In addition to requests for wire transfers, cybercriminals often request tax (W2) forms of employees. This year has also seen an increase in gift card related BEC attacks. Instead of requesting wire transfers, requests are made to send gift cards for iTunes and online retailers. Cybercriminals then exchange the gift cards for Bitcoin online.
Confidence fraud and romance scams were the second main cause of losses. $362 million was lost to those scams and investment-related scams resulted in losses of over $252 million.
The real estate sector was extensively targeted in 2018. Criminals have attempted to get deposits and payments for house purchases diverted, often posing as the buyer, seller, real estate agents, or lawyers.
Phishing attacks are also on the rise. In 2018, the FBI’s Internet Crimes Complaint Center (IC3) received 26,379 complaints about phishing, smishing, and vishing, More than $48 million was lost to those scams in 2018.
Many of these scams are either conducted over email or start with a phishing email. It is therefore important for businesses to implement solutions that protect the email gateway and block these attacks at source to prevent malicious messages from reaching end users. It is also essential to provide training to staff to ensure they if they do encounter a phishing email or other scam, they have the skills to identify it as such.
Cybercriminals are constantly coming up with new scams to convince people to part with their login credentials or install botnets, viruses, malware, or ransomware.
Email is one of the easiest ways to get these scams out to the masses, accompanied with a good hook to get the user to open the message. Various tactics are used to achieve the latter, one of the most common being fear. Scaring people into taking action is very effective. A recently identified campaign is a good example. It uses fear of a flu pandemic to get users to take action.
According to the U.S. Centers for Disease Control and Prevention, flu killed about 80,000 in the 2017 to 2018 season, which was a record year for flu deaths. The previous record in the past three decades was beaten by 24,000.
For any phishing email to stand a good chance of fooling large numbers of people, the emails must be credible. This campaign provides that credibility by spoofing the CDC. The subject lines used in the campaign warn of a flu pandemic, and the email addresses used and the logos in the message body make the messages appear to have genuinely been sent by the CDC.
The message included an attachment – named Flu Pandemic Warning – provides important information that users need to know to prevent infection and stop the disease from spreading. The fear of contracting flu combined with the realistic looking emails make it likely that this campaign will fool many individuals.
That document contains malicious code that downloads and runs GandCrab ransomware v5.2, for which there is currently no free decryptor. Once downloaded, GandCrab ransomware will encrypt files on the infected computer preventing them from being accessed. The average ransom demand is $800 per infected computer.
In order for the malicious code to download the ransomware, the content must be enabled. In the message body, recipients are told that in order to view all the information in the document they must enable content. This prior instruction is intended to get the user to click ‘enable content’ quickly when the document is opened, rather than to stop and think.
All users should be alert to these kind of email scams. Caution should be exercised before opening any email attachment, no matter how urgent the message appears to be. Any unsolicited email should be carefully checked as there will usually be signs that indicates all is not what it seems.
Businesses are particularly at risk and can suffer major losses as a result of ransomware attacks, especially when several employees are fooled by these email scams.
Signature-based email defenses were once effective at blocking malware, but malware developers are constantly releasing new versions that have never before been seen. Signature-based AV software struggles to maintain pace and is not effective against zero-day malware variants and malicious code that downloads the malware.
End user training certainly goes a long way and can help to prevent mass infections, but what is really needed is an advanced anti-phishing solution that blocks phishing emails and email scams at source before they are delivered to inboxes. That is an area where TitanHQ can help.
To protect against email-based attacks, TitanHQ developed SpamTitan – A highly effective anti-phishing and anti-spam solution with advanced features that provide superior protection against phishing and malware attacks.
In addition to dual anti-virus engines, SpamTitan incorporates a wide range of checks to distinguish malicious emails from genuine messages. Recently, Spamtitan has had two new features incorporated: DMARC email authentication and sandboxing. DMARC helps to ensure that spoofed email messages, such as those that appear to have been sent by the CDC, are identified as scams and are blocked. Sandboxing is important for protecting against zero-day malware threats and malicious downloaders.
Potentially malicious attachments are executed and analyzed in a Bitdefender-powered sandbox, where the actions performed by malware and malicious code can be assessed without causing harm. When malicious code is detected it is blocked across all users’ inboxes.
With SpamTitan in place, businesses will be well protected against campaigns such as this. For further information on TitanHQ’s award-winning anti-spam solution, for a product demonstration, or to register for a free trial, contact the TitanHQ team today and take the first step toward making your email channel much more secure.
SpamTitan, TitanHQ’s business email security solution, has been named leader in the Spring G2 Crowd Grid Report for Email Security Gateways.
G2 Crowd is a peer-to-peer review platform for business solutions. G2 Crowd aggregates user reviews of business software and the company’s quarterly G2 Crowd Grid Reports provide a definitive ranking of business software solutions.
The amalgamated reviews are read by more than 1.5 million site visitors each month, who use the reviews to inform software purchases. To ensure that only genuine reviews are included, each individual review is subjected to manual review.
The latest G2 Crowd Grid Report covers email security gateway solutions. Gateway solutions are comprehensive email security platforms that protect against email-based attacks such as phishing and malware. The email gateway is a weak point for many businesses and it is one that is often exploited by cybercriminals to gain access to business networks. A powerful and effective email gateway solution will prevent the vast majority of threats from reaching end users and will keep businesses protected.
To qualify for inclusion in the report, email gateway solutions needed to scan incoming mail to identify spam, malware, and viruses, securely encrypt communications, identify and block potentially malicious content, offer compliant storage through archiving capabilities, and allow whitelisting and blacklisting to control suspicious accounts.
For the report, 10 popular email security gateway solutions were assessed from Cisco, Barracuda, Barracuda Essentials, Proofpoint, Mimecast, Symantec, McAfee, Solarwinds MSP, MobileIron, and TitanHQ. Customers of all solutions were required to give the product a rating in four areas: Quality of support, ease of use, meets requirements and ease of administration.
TitanHQ the leader in business email security, today announced it has been recognized as a leader in the G2 Crowd Grid? Spring 2019 Report for Email Security.
TitanHQ’s SpamTitan was named leader based on consistently high scores for customer satisfaction and market presence. 97% of users of SpamTitan awarded the solution 4 or 5 stars out of 5 and 92% said they would recommend SpamTitan to others.
SpamTitan scored 94% for quality of support and meeting requirements. The industry average in these two areas was 84% and 88% respectively. The solution scored 92% for ease of use against an industry average of 82%, and 90% for ease of admin against an average value of 83%.
“TitanHQ are honored that our flagship email security solution SpamTitan has been named a leader in the email security gateway category,” said Ronan Kavanagh, CEO, TitanHQ. “Our customers value the uncompromised security and real-time threat detection. The overwhelmingly positive feedback from SpamTitan users on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
If you want to improve email security without breaking the bank and want a solution that your IT staff will like using, SpamTitan is the ideal choice.
SpamTitan is available on a 100% free trial to allow you to try before committing to a purchase; however, if you have any questions about the solution, contact the TitanHQ team who will be happy to help and can schedule a product demonstration.
Emotet malware was first identified in 2014 and its original purpose was to obtain banking credentials and other sensitive information; however, the malware is regularly updated and new functionality is added. Emotet malware is now one of the most prevalent and dangerous malware threats faced by businesses.
The malware can detect whether it is running in a virtual environment and will generate false indicators in such cases. The malware is polymorphic, which means it changes every time it is downloaded. That makes it difficult to detect using the signature-based detection methods employed by standard anti-virus software.
The malware also has worm-like features which allows it to rapidly spread to other networked computers. Emotet is also capable of spamming and forwarding itself to email contacts. As if infection with Emotet is not bad enough, it can also download other malware variants onto infected devices.
Emotet malware is one of the most destructive malware variants currently in use and cleaning up Emotet attacks can be incredibly costly. The Department of Homeland Security has reported that some attacks on state, local, tribal, and territorial governments have cost more than $1 million to resolve.
Emotet malware is primarily distributed via spam email, either through malicious attachments or hyperlinks to websites where the malware is silently downloaded. The lures used in the messages are highly varied and include most of the commonly used phishing lures such as shipping notifications, fake invoices, payment requests, PayPal receipts.
Now the threat actors behind the malware have adopted a new tactic to increase infection rates. Once installed on a device, the malware accesses email conversation threads and forwards the message to individuals named in the thread.
The original email conversation is unaltered, but a hyperlink is added to the top of the message. The link directs the recipient to a webpage where a file download is triggered. Opening the document and enabling macros will see Emotet downloaded. Email attachments may also be added to previous conversation threads in place of hyperlinks.
Since the messages come from a known individual with whom an email conversation has taken place in the past, the probability of the document being opened is greater than if messages come out of the blue or are sent from an unknown individual.
Several cybersecurity firms have identified a campaign using this tactic, including phishing intelligence provider Cofense and security researcher Marcus Hutchins (MalwareTech).
The current campaign uses revived conversations from before November 2018, although more recent conversations may be revived in further campaigns. Any revived old email conversation that contains a link or an attachment could indicate a user has been targeted and that at least one member of the email exchange has been infected with Emotet.
The current campaign is not only extensive, it is also proving to be extremely successful. Spamhaus reports that there have been 47,000 new infections in the past two months alone, while Cofense reports that it has identified more than 700,000 infections in the past 12 months.
Protecting against this dangerous malware requires a powerful anti-spam solution and good security awareness training for staff. SpamTitan’s new features can help to detect malicious emails spreading Emotet malware to better protect businesses from attack.
To find out more about SpamTitan and how the solution can protect your business, give TitanHQ a call today.
Monday April 15 is Tax Day in the United States – the deadline for submitting 2018 tax returns. Each year in the run up to Tax Day, cybercriminals step up their efforts to obtain users’ tax credentials. In the past few weeks, many tax-related phishing scams have been detected which attempt to install information stealing malware.
One of the main aims of these campaigns is to obtain tax credentials. These are subsequently used to file fraudulent tax returns with the IRS. Tax is refunded to accounts controlled by the attackers, checks are redirected, and a range of other methods are used to obtain the payments.
Attacks on tax professionals are commonplace. If access can be gained to a tax professional’s computer, the tax credentials of clients can be stolen, and fraudulent tax returns can be filed in their names. A single successful attack on a tax professional can see the attacker obtain many thousands of dollars in tax rebates.
There has been the usual high level of tax-related phishing scams during the 2019 tax season and businesses of all types have been targeted. It is not only tax credentials that cybercriminals are after. Many tax-themed phishing scams have been conducted which attempt to install malware and ransomware such as the TrickBot banking Trojan.
The TrickBot banking Trojan is a powerful malware variant which, once installed, can give an attacker full control of an infected computer. The malware is primarily an information stealer. A successful installation on one business computer can allow the attackers to move laterally and spread the malware across the whole network.
The primary purpose of the TrickBot trojan is to steal banking credentials which can be used to make fraudulent wire transfers: however, TrickBot is regularly updated with new features. In addition to stealing banking credentials, the malware can steal VNC. RDP, and PuTTY credentials.
The threat actors behind TrickBot are highly organized and well resourced. More than 2,400 command and control servers are used by the cybercriminal gang and that number continues to grow.
The three new TrickBot malware campaigns were detected since late January by IBM X-Force researchers. Spam email messages are carefully crafted to appear legitimate and look innocuous to business users and appear to have been sent by well-known accounting and payroll firms such as ADP and Paychex.
Spoofed email addresses are commonly used, although in these campaigns, the attackers have used domain squatting. They have registered domains that are very similar to those used by the accounting firms. The domains have transposed letters and slight misspellings to make the email appear to have been sent from a legitimate source. The domains can be highly convincing and, in some cases, are extremely difficult to identify as fake.
The emails are well written and claim to include tax billing records, which are included as attached spreadsheets. The spreadsheets contain malicious macros which, if allowed to run, will download the TrickBot Trojan.
To prevent attacks, several steps should be taken. Macros should be disabled by default on all devices. Prompt patching is required to keep all software and operating systems up to date to prevent vulnerabilities from being exploited.
End users should receive security awareness training and should be taught cybersecurity best practices and how to identify phishing emails. An advanced spam and anti-phishing solution should also be implemented to ensure phishing emails are identified and prevented from reaching end users inboxes. Further, all IoCs and IPs known to be associated with the threat actors should be blocked through spam filtering solutions, firewalls, and web gateways.
The latter is made easy with SpamTitan and WebTitan – TitanHQ’s anti-phishing and web filtering solutions for SMBs.
Current users of the SpamTitan email security solution and SMBs and MSPs that are considering implementing SpamTitan or offering it to their clients are invited to join a webinar in which TitanHQ will explains the exciting new features that have recently been incorporated into the anti-phishing and anti-spam solution.
SpamTitan has recently received a major update that has seen the incorporation of DMARC email authentication to better protect users from email impersonation attacks and the addition of a new Bitdefender-powered sandbox. The sandbox allows users to safely assess email attachments for malicious actions, to better protect them against zero-day malware and other malicious software delivered via email.
The webinar will explain these and other features of SpamTitan in detail and the benefits they offer to customers, including how they better protect SMBs and SMEs from phishing, spear phishing, spoofing, ransomware, malware, and zero-day attacks.
The webinar will also explain why SpamTitan is the leading email security solution for managed service providers serving the SMB and SME market and how the solution can help to enhance security for their clients and can easily be slotted into their service stacks.
The webinar will be taking place on Thursday April 4, 2019 at 12pm, EST and will last approximately 30 minutes.
The past few weeks have seen two major disasters in which hundreds of people lost their lives. 157 people lost their lives in the Ethiopian Airlines Boeing 737 Max crash and the Christchurch mosque massacre saw 50 people killed.
Both events were terrible tragedies that shocked people the world over. Victims and their families have been receiving messages of support on social media and many people have shown their support by making financial donations. More than US$5 million has so far been raised to help the victims of the New Zealand attack.
Unfortunately, cybercriminals are taking advantage. In the past few days, phishing campaigns have been detected that are using the tragedies to infect computers with malware and steal charitable donations.
According to New Zealand’s cybersecurity agency, CERT NZ, multiple campaigns have been detected that are using the Christchurch attack as a lure. Malware has been embedded in video footage of the tragedy which is currently being shared online, including on social media websites.
Phishing attacks are also being conducted which contain links to faked online banking forms that attempt to obtain users banking credentials. One campaign spoofed the Westpac New Zealand bank and emails appeared to have been sent from its domain. Other email campaigns contain pleas for financial assistance and supply bank account details for donations, but the details are for criminal-controlled accounts.
Another campaign has been detected that is using the Ethiopian Airlines Boeing 737 Max crash to spread a remote access Trojan and information stealer. The emails claim to offer information to air travelers about airlines that are likely to also suffer crashes. The emails offer information that has been found on the darkweb by a security analyst. The emails include a JAR file which, it is claimed, has important information for all air travelers on airlines to avoid due to the risk of plane crashes.
Whenever there is a tragedy that is extensively covered in the media cybercriminals try to take advantage. By adopting cybersecurity best practices such as never opening email attachments from unknown senders nor clicking links in emails, these scams can be avoided.
Unfortunately, email spoofing makes it difficult to detect phishing threats. Scam emails often appear genuine and seem to have been sent from a trusted source. To combat the threat to businesses, TitanHQ has recently updated its spam filtering solution, SpamTitan, to provide greater protection from these threats.
SpamTitan now incorporates DMARC to authenticate senders of emails and protect against email impersonation attacks. To provide even greater protection from malware, in addition to dual anti-virus engines, SpamTitan now incorporates a Bitdefender-powered sandbox, where suspicious files can be safely analyzed to determine whether they are malicious.
These additional controls will help to protect businesses and end users from new malware threats and advanced phishing and email impersonation scams.
This week, TitanHQ has rolled out two new features for its award-winning email security solution SpamTitan: Sandboxing and DMARC email authentication.
TitanHQ developed the technology behind its email security solution more than 20 years ago and over the past two decades SpamTitan has received many updates to improve features for end users and increase detection rates.
SpamTitan already blocks more than 99.9% of spam and malicious emails to prevent threats from reaching end users’ inboxes. The level of protection SpamTitan provides against email attacks has made it the gold standard in email security for the SMB market and managed service providers serving SMBs.
In order to provide even greater protection against increasingly sophisticated email threats, TitanHQ added a new sandboxing feature. The next-generation sandboxing feature, powered by Bitdefender, provides SpamTitan customers with a safe environment to run in-depth analyses of suspicious programs and files that have been delivered via email.
New SpamTitan Sandboxing Service
The sandbox is a powerful virtual environment totally separate from other systems. When programs are run in the sandbox, they behave as they would on an ordinary endpoint and can be assessed for suspicious behavior and malicious actions without causing harm.
Prior to being sent to the sandbox, files are first analyzed using SpamTitan’s anti-malware technologies. Only files that require further analysis make it to the sandbox where they are safely detonated. Tactics used by malware to evade detection and avoid analysis are logged and flagged. Purpose-built, advanced machine learning algorithms they assess the files and check their actions against an extensive array of known threats from a range on online repositories in a matter of minutes.
If the file is confirmed as benign, it can be released. If the file is determined to be malicious, the sandboxing service automatically sends a report to the Bitdefender’s Global Protective Network and all further instances of the threat will then be blocked globally to ensure the file does not need to be analysed again.
Email sandboxing provides advanced protection against zero-day exploits, polymorphic threats, APTs, malicious URLs, new malware samples that have yet to be identified as malicious, and new threats that have been developed for undetectable targeted attacks.
Incorporation of this feature into SpamTitan gives customers advanced emulation-based malware analysis capabilities without having to purchase a separate sandboxing solution and ensures customers are protected against rapidly evolving advanced threats.
DMARC Email Authentication Added to SpamTitan
Email spoofing is the term given to the use of a forged sender address. Email spoofing is used to increase the likelihood of an email being delivered and opened by an end user. The email address of a known contact, well known company, or government organization is usually spoofed to abuse trust in that individual, brand, or organization.
DMARC authentication is now essential for all businesses and is a powerful control to prevent spoofing attacks. DMARC is used to check email headers to provide further information about the true sender of an email. Through DMARC, the message is authenticated as having been sent from the organization that owns the domain. If authentication fails, the message is rejected.
While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan now incorporates DMARC authentication to provide even greater protection against email spoofing attacks.
Both of these new features have been added in the latest update to SpamTitan and are available to users at no extra cost.
“We have listened to requests from customers to have new features added to SpamTitan, and by far the most requested improvements are anti-spoofing technology and sandboxing,” said Ronan Kavanagh, CEO, TitanHQ. “I’m delighted to say that both of these new features have now been added to provide enhanced security for customers at no extra cost.”
During tax season, tax phishing scams are rife. If cybercriminals can steal personal information such as the information contained on W2 forms, they can use the information to file fraudulent tax returns. Each set of credentials can net cybercriminals thousands of dollars. Attacks on businesses can be even more profitable. If an attack results in the theft of the tax credentials of a company’s entire workforce, hundreds of fraudulent tax returns can be filed.
The IRS works hard to combat fraud, but even so, many of these attacks are successful and fraudulent tax refunds are issued. This week, as part of its efforts to combat tax fraud, the IRS has launched its 2019 Dirty Dozen campaign. The campaign raises awareness of the threat of tax fraud and encourages taxpayers, businesses, and tax professionals to be vigilant.
The campaign features 12 common tax scams that attempt to obtain personal information or access to systems that contain such information. The campaign will see a different scam highlighted for 12 consecutive days. The campaign was launched on March 4 with the biggest threat in tax season: Tax phishing scams.
Common Tax Phishing Scams
Tax phishing scams are constantly evolving and each year several new tax phishing scams are identified. The most common scams and attacks are:
Business Email Compromise (BEC) attacks
Business Email Spoofing (BES) attacks
Email impersonation attacks
Malware
BEC attacks involve the use of a genuine business email account to send messages to employees requesting the W2 form information of employees, changes to business account information, requests to reroute direct deposits and make fraudulent wire transfers. The attackers often gain access to a high-level executive’s email account through a spear phishing campaign. BEC is one of the most common business tax phishing scams.
BES attacks are similar, except that no email account has been compromised. The email address of an executive or other employee is spoofed so that emails appears to have been sent from within an organization.
Email impersonation attacks are common during tax season. Scammers impersonate the IRS and use a variety of lures to obtain personal information. Common lures are threats of legal action or fines for outstanding taxes and offers of tax refunds. They often direct users to a website where they are required to enter their personal information. These phishing webpages are also linked to on social media websites. The clients of tax professionals may also be impersonated. Emails often request changes be made to direct deposit accounts or contain requests for sensitive information.
Malware is often used to gain access to the computers of tax professionals, and employees in the payroll and HR departments. Keyloggers are commonly used as they allow the attackers to steal login credentials. Malware can also transfer files containing sensitive information to the attackers’ servers. Malware is often installed via scripts in email attachments – malicious macros for instance – or via drive-by downloads from malicious websites.
New Phishing Scam Targeting Tax Professionals
One of the new tax phishing scams to emerge this year targets tax professionals. First the attackers gain access to tax professionals’ computers, either through spear phishing campaigns or by installing malware. Client tax information is then stolen and fraudulent tax returns are files in the clients’ names. When the IRS processes the refunds, payments are sent to taxpayers’ bank accounts. Those taxpayers then receive a call or an email demanding the return of the funds which have been paid in error. The attackers claim to be from a debt collection agency used by the IRS or the IRS itself.
Don’t Become a Victim of a Tax Phishing Scam
Many taxpayers and businesses fall victim to tax phishing scams each year, especially during tax season when attacks increase; however, by taking some simple steps and being vigilant it is possible to identify scams and keep financial and personal data secure.
Any email, text, or telephone call that requests personal/tax information should be treated as a potential scam. If an email or text message is received that claims to be from the IRS demanding payment of outstanding taxes, an offer of a tax refund, or a threat of legal action, bear in mind that the IRS does not initiate contact via email or text message asking for personal information. If such a message is received, forward the email to phishing@irs.gov and contact the IRS or check your online tax account to find out if there is a genuine problem. Never use the contact information or links in an email and do not open an email attachment in an email that appears to have been sent by the IRS.
Businesses can include information about tax phishing scams in their security awareness training sessions, but departments that are likely to be targeted by cybercriminals – payroll, human resources, finance and accounting Etc.) should receive specific training ahead off the start of tax season. Sending monthly reminders about phishing attacks and other tax scams each month via email is also a good best practice.
Since most attacks start with a phishing email, businesses should ensure that they have an advanced spam filtering solution in place to block phishing and other emails at the gateway before they can be delivered to end users. SpamTitan is an ideal anti-spam solution for businesses and tax professionals to protect against tax phishing scams. The solution blocks more than 99.9% of spam and phishing emails and includes outbound email scanning to ensure that compromised email accounts cannot be used for spamming.
To protect against internet phishing scams, a web filtering solution is ideal. WebTitan prevents end users from visiting phishing websites, including blocking visits to malicious websites via hyperlinks in scam emails. The solution also blocks drive-by malware downloads and other web-based threats.
If you are a tax professional or you run a business and are unhappy with your current anti-spam or web filtering solution provider, or you have yet to implement either of these solutions, give the TitanHQ team a call today for further information on how these solutions can protect your business, details of pricing, and to book a product demonstration.
Spoofed email phishing scams can be hard for end users to identify. The scams involve sending a phishing email to a user and making the email appear as if it has been sent by a known individual. This could be a known contact such as a supplier, a work colleague, a friend or family member, or a well-known company.
These phishing campaigns abuse trust in the sender and they are highly effective. Many end users are warned never to click on links in emails or open email attachments in messages from unknown senders, but when the sender is known, many users feel that the email is safe.
One of the most effective spoofed email phishing scams involves impersonation of the CEO or a high-level executive such as the CFO. This type of scam is often referred to as a business email compromise scam or BEC attack. A message is sent to an employee in the accounts department requesting an urgent wire transfer be made along with the account details. The attacker may first start an email conversation with the target before the request is made. No employee wants to refuse a direct request from the CEO, so the requested action is often taken.
Over the past few months, sextortion scams have grown in popularity with cybercriminals. Sextortion scams are those which threaten to oust the victim unless a payment is made. This could be disclosing the user’s internet browsing habits (dating sites, adult sites) to a spouse, work colleagues, and family members. There were many of these scams launched following the hacking of the Ashley Madison website when details of users of the site were dumped online.
Several sextortion scams have been detected in the past few months which claim that the sender (a hacker) has gained access to the user’s computer and installed malware that provided access to the webcam, microphone, and internet browsing history. The email message informs the recipient that they have been recorded while viewing adult websites and a video of them has been spliced with the content they were viewing at the time. The attacker threatens to send the video to every one of the user’s contacts on email and social media accounts.
Two recent sextortion campaigns have been detected that spoof the users own email address, so the email appears to have been sent from their own email account. This tactic backs up the claim that the attacker has full control of the user’s device and access to their email contacts. The reality is the email header has just been spoofed. Additionally, the user’s password is included in the message, which has been obtained from a past data breach. The password may not be current, but it may be recognized.
A check of the bitcoin wallet address included in the emails for the blackmail payment shows these scam emails have been highly effective and several victims have paid up to avoid being outed. One campaign netted the attacker $100,000 in one week, another saw payments made totaling $250,000.
These spoofed email phishing scams are not difficult to block, yet many businesses are vulnerable to these types of attacks. Security awareness training for employees is a must. If employees are not taught how to check for spoofed email phishing scams, they are unlikely to recognize threats for what they are. Even so, it is difficult for an average employee to identify every possible phishing attempt, as phishing email simulations show.
What is needed is an advanced spam filtering solution that can detect spoofed email phishing attacks and block the malicious emails at source to prevent messages from being delivered to inboxes. SpamTitan Cloud, for instance, blocks more than 99.9% of spam and phishing emails to keep businesses protected.
If you want to keep your business protected and prevent these all to common spoofed email phishing attacks, give the TitanHQ team a call. A member of the team will be happy to talk about the product, the best set up for your organization, and can arrange to give you a full product demonstration and set you up for a free trial.
It doesn’t take long after the release of a patch for hackers to take advantage, especially when the vulnerability potentially impacts 500 million users. It is therefore not surprising that at least one hacker is taking advantage of a recently disclosed WinRAR vulnerability.
Oftentimes, vulnerabilities are found in certain versions of software, but this vulnerability affects all WinRAR users and dates back 19 years. The WinRAR vulnerability was identified by researchers at Check Point. WinRAR was alerted and confirmed the vulnerability existed, and promptly issued an updated version of the file compression tool with the vulnerability removed. Details of the vulnerability were disclosed in a Check Point blog post on February 20, 2019.
The WinRAR vulnerability in question was present in a third-party DLL file which was included in WinRAR to allow ACE archive files to be uncompressed. The researchers found that by renaming a .rar archive to make it appear that the compressed file was an ACE archive, it was possible to extract a malicious file into the startup folder unbeknown to the user. That file would then run on boot, potentially giving an attacker full control of the device. The malicious file would continue to load on startup until discovered and removed.
All an attacker would need to do to exploit the WinRAR vulnerability is to convince a user to open a specially crafted .rar archive file attached to an email. Compressed files are often used in malspam campaigns to hide malicious executable files. Since .rar and .zip files are commonly used by businesses to send large files via email, they are likely to be recognized and may be opened by end users.
In this case, if the archive contents are extracted, the user would likely be unaware that anything untoward had happened, as the executable is loaded into the startup folder without giving any indication the file has been extracted. Due to the location of extraction, no further actions are required by the user.
In this case, the executable installs a backdoor, although only if the user has User Account Control (UAC) disabled. That said, this is unlikely to be the only campaign exploiting the WinRAR vulnerability. Other threat actors may develop a way to exploit the vulnerability for all users that have yet to update to the latest WinRAR version.
Many users will have WinRAR installed on their computer but will rarely use the program, so may not be aware that there is an update available. It is possible that a large percentage of users with the program installed have yet to update to the latest version and are vulnerable to attack.
This campaign illustrates just how important it is to patch promptly. As soon as a patch is released for a popular software program it is only a matter of time before that vulnerability is exploited, even just a few days.
Patching all devices in use in an organization can take time. It is therefore important to make sure that all employees receive security awareness training and are taught email security best practices and how to identify potentially malicious emails.
Unfortunately, social engineering techniques can be highly convincing, and many users may be fooled into opening email attachments, especially when the attacker spoofs the sender’s email address and the email appears to come from a known individual. It is therefore essential to have an advanced spam filtering solution in place that is capable of detecting malicious attachments at source, including malicious files hidden inside compressed files, and stop the messages from being delivered to inboxes.
A year-old vulnerability in the Connectwise plugin for Kaseya VSA has been exploited in a series of MSP ransomware attacks over the past two weeks. The latest campaign is one of several cyberattacks targeting MSPs in recent months that abuse trusted relationships between MSPs and their clients. The aim of the attacks is to gain access to MSP systems in order to attack their clients.
MSPs are trusted by SMBs to improve security, identify and correct vulnerabilities, and prevent costly cyberattacks. However, if MSPs do not follow cybersecurity best practices such as ensuring patches and software updates are applied on their own systems, they place their clients at risk.
MSP ransomware attacks such as these have potential to cause considerable damage to an MSP’s reputation, could easily result in loss of clients, and also possible legal action.
On MSP Reddit poster explained that cybercriminals recently exploited a vulnerability to gain access to clients’ systems and had installed ransomware on approximately 80% of client machines. Other attacks have also succeeded in encrypting files on client networks.
It is not always possible to update plugins, apply patches, and perform software updates instantly, but in this case the vulnerability was identified in November 2017. A proof of concept exploit was published, and an updated plugin was rapidly released by Connectwise to correct the flaw. Despite this, 126 MSPs are still using the out of date and vulnerable plugin according to a recent Kaseya security warning.
The Connectwise plugin for Kaseya VSA contained a flaw – CVE-2017-18362 – that allowed commands to be run on a Kaseya VSA server without the need for authentication due to an error within the Connectwise API. By exploiting the vulnerability, an attacker would be able to gain access to the Kaseya VSA server and conduct attacks on MSP clients. In this case, GandCrab ransomware was installed.
The group behind this campaign may not be the only criminal gang to attempt to exploit the vulnerability. It is possible that some MSPs who failed to update the plugin may have also had their server compromised and less conspicuous malware may have been installed.
All MSPs that use Connectwise and have the plugin installed on their on-premise server should ensure the latest version of the plugin is installed. Connectwise has made a tool available to users that will conduct a scan to determine if the vulnerable plugin is in use. It is also recommended to disconnect the VSA server from the internet and to perform an audit to determine if the server has been compromised.
Thanks to advanced cybersecurity defenses, many of which are provided by MSPs to their clients, it is becoming harder for cybercriminals to use standard tactics such as mass spam emails to gain access to business networks. As the past few months have shown, cybercriminals are now targeting MSPs to gain access to their clients’ systems. It is therefore essentials that MSPs ensure they scan for vulnerabilities on their own systems to identify potential weaknesses before they are exploited by hackers.
TitanHQ is on the road again and has kick started a busy 2019 schedule of conferences with events on both sides of the Atlantic.
On February 14, 2019, TitanHQ Alliance Manager Patrick Regan attended the TitanHQ-sponsored Datto Roadshow in Tampa, Florida, and has been meeting with MSP partners from the region to help them with their existing and new email security, DNS filtering, and email archiving projects. TitanHQ has been working very closely with Datto MSP partners to ensure they get the most out of TitanHQ products to better support their clients.
On the other side to the pond, TitanHQ Alliance Manager Eddie Monaghan kicked off a week at the IT Nation Q1 EMEA Meeting in London and has been meeting MSP clients and finding what is going in in their world.
TitanHQ Alliance Manager, Eddie Monaghan
At both locations and in the upcoming roadshow events the TitanHQ team is available to meet with prospective MSP partners to explain about TitanHQ’s award-winning email security (SpamTitan), web security (WebTitan) and email archiving (ArcTitan) solutions and how they can easily be slotted into MSPs security stacks to better help and protect their clients. Current MSP partners will be given tips to help them get the very most out of the products.
Partner with TitanHQ
TitanHQ is the leading provider of email and web security products for MSPs serving the SMB market and now provides its products to more than 1,500 MSP partners serving clients in more than 200 countries. The combination of SpamTitan and WebTitan allows MSPs to provide their clients with superior protection against malware, ransomware, phishing and other cyber threats.
All TitanHQ products have been developed to specifically meet the needs of MSPs and save them support and engineering time by blocking cyber threats at source.
TitanHQ has developed it’s TitanShield Program to help partners in a wide range of industry sectors take advantage of TitanHQ’s suite of products. The TitanShield Program consists of four elements which meet the needs of MSP, ISP, and technology partners:
The MSP Program: Allows MSPs and resellers adopt the TitanHQ platform and security solutions to provide TitanHQ products direct to their clients.
The OEM program: TitanHQ’s entire suite of products is supplied in white-label form ready to take your company’s branding.
The Technology Alliance Program: Allows tech companies to partner with TitanHQ to offer spam filtering, web filtering, and email archiving solutions to clients alongside their own products.
The Wi-Fi Program: A program for Wi-Fi providers allowing the incorporation of TitanHQ’s cloud-based WiFi content filtering solution partners’ WiFi services.
Over the coming few months, TitanHQ will be visiting Dublin, heading across the channel to the Netherlands, and will be travelling through the UK and United States. If you are a current MSP partner or are interested in finding out how TitanHQ products could benefit your clients and be slotted into your technology stack, be sure to come and meet the team at one the following events.
We look forward to seeing you at one of the roadshow events in 2019.
The 2019 Cybersecurity Survey conducted by the Healthcare Information and Management Systems Society (HIMSS) has highlighted healthcare email security weaknesses and the seriousness of the threat of phishing attacks.
HIMSS conducts the survey each year to identify attack trends, security weaknesses, and areas where healthcare organizations need to improve their cybersecurity defenses. This year’s survey confirmed that phishing remains the number one threat faced by healthcare organizations and the extent that email is involved in healthcare data breaches.
This year’s study was conducted on 166 healthcare IT leaders between November and December 2018. Respondents were asked questions about data breaches and security incidents they had experienced in the past 12 months, the causes of those breaches, and other cybersecurity matters.
Phishing attacks are pervasive in healthcare and a universal problem for healthcare providers and health plans of all sizes. 69% of significant security incidents at hospitals in the past 12 months used email as the initial point of compromise. Overall, across all healthcare organizations, email was involved in 59% of significant security incidents.
The email incidents include phishing attacks, spear phishing, whaling, business email compromise, and other email impersonation attacks. Those attacks resulted in network breaches, data theft, email account compromises, malware infections, and fraudulent wire transfers.
When asked about the categories of threat actors behind the attacks, 28% named ‘online scam artists’ and 20% negligence by insiders. Online scam artists include phishers who send hyperlinks to malicious websites via email. It was a similar story the previous year when the survey was last conducted.
Given the number of email-related breaches it is clear that anti-phishing defenses in healthcare need to be improved. HIPAA requires all healthcare employees to receive security awareness training, part of which should include training on how to identify phishing attacks. While this is a requirement for compliance, a significant percentage (18%) of healthcare organizations do not take this further and are not conducting phishing simulations, even though they have been shown to improve resilience against phishing attacks by reinforcing training and identifying weaknesses in training programs.
The continued use of out of date and unsupported software was also a major concern. Software such as Windows Server and Windows XP are still extensively used in healthcare, despite the number of vulnerabilities they contain. 69% of respondents admitted still using legacy software on at least some machines. When end users visit websites containing exploit kits, vulnerabilities on those devices can easily be exploited to download malware.
It may take some time to phase out those legacy systems, but improving healthcare email security is a quick and easy win. HIMSS recommends improving training for all employees on the threat from phishing with the aim of decreasing click rates on phishing emails. That is best achieved through training, phishing simulations, and better monitoring of responses to phishing emails to identify repeat offenders.
At TitanHQ, we can offer two further solutions to improve healthcare email security. The first is an advanced spam filtering solution that blocks phishing emails and prevents them from being delivered to inboxes. The second is a solution that prevents employees from visiting phishing and other malicious websites such as online scams.
SpamTitan is an advanced anti-phishing solution that scans all incoming emails using a wide range of methods to identify malicious messages. The solution has a catch rate in excess of 99.9% with a false positive rate of just 0.03%. The solution also scans outbound messages for spam signatures to help identify compromised email accounts.
WebTitan Cloud is a cloud-based web filtering solution that blocks attempts by employees to visit malicious websites, either through web surfing or responses to phishing emails. Should an employee click on a link to a known malicious site, the action will be blocked before any harm is caused. WebTitan also scans websites for malicious content to identify and block previously known phishing websites and other online scams. Alongside robust security awareness training programs, these two solutions can help to significantly improve healthcare email security.
For further information on TitanHQ’s healthcare email security and anti-phishing solutions, contact TitanHQ today.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions area easy to implement and maintain and can be integrated into MSP’s existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
This year, for the first time, G2 has launched a new Best Software Companies in EMEA list. To produce the list, G2 used the reviews of more than 66,000 users of the products of more than 900 companies. To be selected as one of the best companies is only possible if users of products and services have given their endorsement.
The French Value Added Distributor (VAD) Exer has partnered with TitanHQ and will start offering its email security, DNS filtering, and email archiving solutions to French VARs.
