A new Office 365 phishing scam has been detected that attempts to get users to part with their Office 365 credentials with a request for collaboration via SharePoint. These collaboration requests spoofing SharePoint are becoming more common.
The SharePoint spoofing campaign was first detected in the summer of 2018 by researchers at cybersecurity firm Avanan. The Office 365 phishing scam is ongoing and has proven to be highly effective. According to Kaspersky Lab, the phishing campaign has been used in targeted attacks on at least 10% of companies that use Office 365.
This Office 365 phishing scam abuses trust in SharePoint services that are often used by employees. An email is sent to an Office 365 user that contains a link to a document stored in OneDrive for Business. In contrast to many phishing campaigns that spoof links and fool users into visiting a website other than the one indicated by the link text, this link actually does direct the user to an access request document on OneDrive.
A link in the document then directs users to a third-party website where they are presented with a Microsoft Office 365 login page that is a perfect copy of the official Office 365 login page. If login credentials are entered, they are given to the scammers. Once obtained, it is possible for the scammers to gain access to the Office 365 account of the user, including email and cloud storage.
The email accounts can be used for further phishing campaigns on the user’s contacts. Since those messages come from within the organization, they are more likely to be trusted. Email accounts can also contain a wealth of sensitive information which is of great value to competitors. In healthcare, email accounts can contain patient information, including data that can be used to steal identities. The attackers can also use the compromised credentials to spread malware. Employees may know not to open attachments from unknown individuals, but when they are sent from a colleague, they are more likely to be opened.
Businesses that use Microsoft’s Advanced Threat Protection (APT) service may mistakenly believe they are protected from phishing attacks such as this. However, since the links in the email are genuine OneDrive links, they are not identified as malicious. It is only the link in those documents that is malicious, but once the document is opened, Microsoft’s APT protection has already been bypassed.
Finding Office 365 users is not difficult. According to a 2017 Spiceworks survey, 83% of enterprises use Office 365 and figures from 2018 suggest 56% of organizations globally have adopted Office 365. However, a basic check can easily identify Office 365 users as it is broadcast on public DNS MX records. If one user can be found in an organization, it is highly likely that every other user will be using Office 365.
Businesses can take steps to avoid Office 365 phishing scams such as this.
Ensure that all employees are made aware of the threat from phishing, and specifically this Office 365 phishing scam. They should be told to exercise caution with offers to collaborate that have not been preceded by a conversation.
Conduct phishing email simulations to test defenses against phishing and identify individuals that require further security awareness training.
Activate multifactor authentication to prevent stolen credentials from being used to access Office 365 accounts from unknown locations/devices.
Change from APT anti-phishing controls to a third-party spam filter such as SpamTitan. This will not only improve catch rates, it will also not broadcast that the organization uses Office 365.
Use an endpoint protection solution that is capable of detecting phishing attacks.
Implement a web filter to prevent users from visiting known phishing websites and other malicious web pages.
Office 365 Phishing Scam Uses SharePoint Lure FAQ
How does a spam filter block social engineering attacks?
Spam filters use real-time block lists to block known sources of spam, greylisting to identify new spam sources, and SPF and DMARC to identify email impersonation attacks. Message content is checked for common signatures of phishing and social engineering attacks. Each message is assigned a score. If a threshold is reached, the message is quarantined or blocked.
What are the main anti-phishing solutions?
A spam filter is the most important anti-phishing solution to prevent phishing and other malicious messages from reaching inboxes. A web filter is important for preventing end users from visiting malicious websites, and end user training and phishing simulations to condition the workforce to recognize threats. Multi-factor authentication is also important to prevent compromised credentials from being used to access accounts.
Why do I need a third-party spam filter for Office 365?
The default Office 365 spam filter is effective at blocking spam email and known malware, but is far less effective at blocking phishing, spear phishing, and zero-day attacks. A more advanced spam filter is required to block these dangerous email threats. SpamTitan uses dual antivirus engines and sandboxing for malware protection, URLs are checked against blacklists of known spam and phishing sources, greylisting for detecting new spam sources, and SPF and DMARC for identifying email impersonation attacks.
Can antivirus software stop phishing attacks?
Antivirus software is concerned with preventing viruses, malware, and ransomware from being downloaded or executed on a device. Phishing attacks are usually concerned with obtaining sensitive information such as login credentials, and antivirus software will not block these attacks. A spam filter protects against phishing by analyzing message headers, content, and embedded hyperlinks to identify phishing and spear phishing emails and prevent them from being delivered.
Is spam filtering software expensive?
Spam filtering software offers exceptional value for money as it blocks email threats that could easily result in a costly data breach or malware infection. The cost of spam filtering software is typically a few dollars per user per year. To find out how much an advanced spam filter is likely to cost, use our cost calculator or contact the sales team for a no obligation quote.
The French engineering firm Altran Technologies has been grappling with a malware infection that hit the firm on January 24, 2019.
Immediately following the malware attack, Altran shut down its network and applications to prevent the spread of the infection and to protect its clients. Technical and computer forensics experts are now assisting with the investigation. The Altran cyberattack has affected operations in some European countries and the firm is currently working through its recovery plan.
A public announcement has been made about the attack although the malware involved has not been officially confirmed. Some cybersecurity experts believe the attack involved a new ransomware variant named LockerGoga which emerged in the past few days.
LockerGoga ransomware was first identified on January 24 in Romania and subsequently in the Netherlands. It was named by MalwareHunterTeam, based on the path used for compiling the source code into an executable.
LockerGoga ransomware does not appear to be a particularly sophisticated malware variant. Security researcher Valthek, who analyzed the malware, claimed the code was ‘sloppy’, the encryption process was slow, and little effort appears to have been made to evade detection. The ransomware appends encrypted files with the .locked file extension.
The ransomware note suggests that companies are being targeted although it is currently unclear how the ransomware is being distributed.
LockerGoga ransomware encrypts a wide range of file types and, depending on the command line argument, may target all files. Since the encryption process is slow, fast detection and remediation will limit the damage caused. Failure to detect the ransomware and take prompt action to mitigate the attack could prove costly. The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption.
The ransomware had a valid certificate that was issued to a UK firm by Comodo Certificate Authority. The certificate has since been revoked.
LockerGoga ransomware is currently being detected as malicious by 46/69 AV engines on VirusTotal, including Bitdefender, the primary AV engine used by SpamTitan.
The massive Allscripts EHR breach in January 2018 resulted in massive disruption for the company and its clients. Clients were locked out of their electronic health records for several days while the company battled to recover from the attack. Around 1,500 of the company’s clients were affected.
The cost of mitigating the ransomware attack was considerable, and in addition to those costs, the Allscripts EHR breach prompted many clients to take legal action. The costs continue to mount.
The Allscripts EHR breach involved SamSam ransomware, which has plagued the healthcare industry over the past couple of years. The threat actors behind the attacks typically gain access to healthcare networks through RDP vulnerabilities and deploy the ransomware manually after scouting the network. This way, maximum damage can be inflicted, which increases the probability of the ransom being paid.
The Allscripts EHR breach certain stands out as one of the most damaging ransomware attacks of 2018, although it was just one of many healthcare ransomware attacks in 2018 involving many ransomware variants.
According to Beazley Breach Response Services, ransomware attacks more than doubled in September. Many cybercriminals have switched to cryptocurrency mining malware, but the ransomware attacks on healthcare organizations are continuing and show no sign of slowing.
In recent months, there has been a growing trend of combining malware variants to maximize the profitability of attacks. Ransomware is a quick and easy way for cybercriminals to earn money but combining ransomware with other malware variants is much more profitable. Further, if files are recovered from backups and no ransom is paid, cybercriminals can still profit from the attacks.
Several campaigns have been detected recently that combine Trojans such as AZORult, Emotet and Trickbot with ransomware. Attacks with these Trojans have increased by 132% since 2017 according to Malwarebytes. The Trojans steal sensitive information through keylogging, are capable lateral movement within a network, and also serve as downloaders for other malware such as Ryuk and GandCrab ransomware. Once information has been stolen, the ransomware payload is deployed.
The Allscripts EHR breach was somewhat atypical. It is far more common for ransomware to be delivered via email than brute force attacks on RDP. The campaigns combining Emotet, Trickbot, and AZORult with ransomware are primarily delivered by email.
In addition to ransomware attacks, phishing attacks are rife in healthcare. Email was the most common location of exposed protected health information in 2018. Email security is a weak point in healthcare defenses.
The number of successful ransomware and phishing attacks in healthcare make it clear that email security needs to improve. An advanced spam filter to block malicious emails, improved end user training is required to teach employees how to recognize email threats, intrusion detection systems need to be deployed, along with powerful anti-virus solutions. Only by implementing layered defenses to block email attacks and other attack vectors will healthcare organizations be able to reduce the risk of ransomware attacks.
A new Ursnif Trojan campaign has been detected that uses a new variant of the malware which uses fileless techniques to avoid detection. In addition to the banking Trojan, GandCrab ransomware is also downloaded.
Increase in Banking Trojan and Ransomware Combination Attacks
Ransomware attacks can cause considerable disruption to businesses, although a good backup strategy can allow businesses to recover quickly in the event of a successful attack without having to pay the ransom demand.
However, there has been a significant increase in phishing attacks that deliver not one but two malware variants – ransomware to extort money from companies but also an information stealer to obtain sensitive information such as login and banking credentials. Malware variants used in these attacks also have the capability to download other malware variants and gather system data and process information for use in further attacks.
These phishing campaigns allow hackers to maximize the profitability of attacks and make the attack profitable even if the business does not pay the ransom.
There have been several examples of these attacks in recent months. Earlier in January, warnings were issued about the combination of Ryuk ransomware with the Trickbot and Emotet Trojans – Two malware variants that are used in wire fraud attacks. Ryuk ransomware has been extensively used in attacks on U.S. healthcare providers. The combination with the banking Trojans makes the attacks far more damaging.
Now another campaign has been detected using different malware variants – The Ursnif Trojan and the latest version of GandCrab ransomware.
What Does the Ursnif Trojan Do?
The Ursnif Trojan is one of the most active banking Trojans currently in use. The main functions of the malware is to steal system information and bank account credentials from browsers. The latest variants of the Ursnif Trojan have also been used to deploy other malware variants such as GandCrab ransomware.
According to security researchers at Carbon Black, who identified the latest campaign, the Ursnif Trojan now uses fileless execution mechanisms to make detection more difficult. Instead of downloading and writing files to the hard drive – which can be detected – a PowerShell script downloads a payload and executes it in the memory. That payload then downloads a further file and injects it into the PowerShell process, ultimately resulting in the downloading of the ransomware.
When code is loaded in the memory, it often does not survive a reboot, although the latest variant of Ursnif has persistence. This is achieved by storing an encoded PowerShell command inside a registry key and subsequently launching the command via the Windows Management Instrumentation Command-line (WMIC).
Once information has been collected from an infected system, it is packaged inside a CAB file and sent back to the attackers C2 via encrypted HTTPS. This makes data exfiltration difficult to detect.
The Ursnif Trojan campaign uses email as the attack vector with infection occurring via a Word document attachment that contains a VBA macro. If the attachment is opened and macros are enabled (automatically or manually), the infection process will be triggered.
How Businesses can Protect Against Attacks
Due to the difficulty detecting the malware attack once it has started, the best way to protect against this attack is by improving anti-phishing defenses. It is important to prevent the malicious emails from being delivered to inboxes and to ensure that employees are trained how to identify the messages if they make it past email defenses. The former can be achieved with a powerful spam filtering solution such as SpamTitan.
Along with security awareness training for employees to condition them not to open emails from unknown senders or open attachments and enable macros, businesses can mount an effective defense against the attack.
SMB cybersecurity protections do not need to be advanced as those of large enterprises, but improvements need to be made to ensure smaller businesses are protected. The risk of a cyberattack is not theoretical. While large businesses are having their defenses regularly tested, small to medium sized businesses are also being attacked. And alarmingly often.
Large businesses may store much higher volumes of valuable data, but they also tend to invest heavily in the latest cybersecurity technologies and have dedicated teams to oversee security. Cyberattacks are therefore much harder to pull off. SMBs are much easier targets. Cyberattacks may be less profitable, but they are easier and require less effort.
SMB Cyberattacks are Increasing
A 2017 SCORE study confirmed the extent to which hackers are attacking SMBs. Its study of macro-based malware showed there had been at least 113,000 attacks on SMBs in 2017 and 43% of those attacks were on SMBs. SMBs suffered at least 54,000 ransomware attacks in 2017 and online banking attacks were highly prevalent in the SMB sector.
The 2018 State of Cybersecurity in Small and Medium Size Businesses study, conducted by the Ponemon Institute, painted an even bleaker picture for SMBs. The study suggests SMBs face the same cybersecurity risks as larger businesses and are being attacked almost as often. In its study, 67% of SMB respondents reported having experienced a cyberattack in the past 12 months and 58 had suffered a data breach. Alarmingly, almost half of respondents (47%) said they had little or no understanding about how SMB cyberattacks could be prevented.
The study revealed 60% of successful cyberattacks were the result of employee negligence, hackers were behind 37% of breaches, and for 32% of cyberattacks the cause could not be established.
The high number of successful cyberattacks makes it clear that SMB cybersecurity needs to be improved. Unfortunately, many SMBs simply don’t have the budget to pay for expensive cybersecurity solutions and a lack of skilled staff is also an issue. So, given these restraints, where should SMBs start?
Where to Start with SMB Cybersecurity
Improving SMB cybersecurity does not necessarily mean hiring skilled cybersecurity staff and spending heavily on state-of-the-art cybersecurity solutions. The best place to start is by ensuring basic cybersecurity best practices are adopted. Highly sophisticated cyberattacks are becoming more common, but many successful attacks are the result of basic cybersecurity failures.
These include the failure to implement password policies that enforce the use of strong passwords, not changing all default passwords, or not using a unique password for each account. Implementing 2-factor authentication is a quick way to improve security, as is the setting of rate limiting to lock accounts after a set number of failed login attempts.
Many successful cyberattacks start with a phishing email. An advanced spam filtering solution is therefore essential. This will ensure virtually all malicious messages are blocked and are not delivered to end users. A web filter also offers protection against phishing by preventing employees from visiting phishing websites. It will also block web-based attacks and malware downloads. Both of these SMB cybersecurity solutions can be implemented at a low cost. It costs just a few dollars per year, per employee, to implement SpamTitan and WebTitan.
A little training goes a long way. Employees should be provided with cybersecurity training and should be taught how to identify email and web-based threats. There are plenty of free and low-cost resources for SMBs to help them train their employees. US-CERT is a good place to start.
Good backup policies are an essential part of SMB cybersecurity. In the event of a cyberattack or ransomware attack, this will prevent catastrophic data loss. A good strategy to adopt is the 3-2-1 approach. Three copies of backups, on two different types of media, with one copy stored securely off-site. Also make sure backups are tested to ensure file recovery is possible.
Once the basics have been covered, it is important to conduct a security audit to discover just how secure your network and systems are. Many managed service providers can assist with security audits and assessments if you do not have sufficiently skilled staff to perform an audit inhouse.
Improvements to SMB cybersecurity will carry a cost but bear in mind that an ounce of security is worth a pound of protection and investment in cybersecurity will prove to be much less expensive than having to deal with a successful cyberattack.
Barely a day goes by without an announcement being made about an email account compromise, especially in the healthcare industry, but how does business email get hacked? What are the main ways that email account access is gained by unauthorized individuals?
Four Ways Business Email Gets Hacked
There four main ways that business email gets hacked, although fortunately there are simple steps that can be taken to improve email security and reduce the risk of an email account compromise at your business.
Phishing Attacks
The easiest way for a hacker to access business email accounts is to ask the account holder for their password. This method is incredibly simple, costs next to nothing, and is very effective. Phishing, like fishing, uses a lure to achieve its aim. An attacker only needs to craft an email with a plausible reason for divulging a password.
The attack could be as simple as spoofing an email from the IT department that requests the user change his or her password for security reasons. A link is supplied in the email that directs the user to a site where they have to enter their password and a replacement. Office 365 phishing scams are now common. A user is directed to a spoofed website where they are presented with a standard Office 365 login box, which they need to enter to open a shared file for example.
The lures are diverse, although there is usually a valid reason for providing login credentials, urgency, and often a threat – The failure to take action will result in harm or loss.
Brute Force Attacks
An alternative method of hacking business email accounts is for the attacker to attempt to guess a user’s password. This is a much more long-winded approach that can require thousands of attempts before the password is guessed. This technique is automated and made easier by poor password choices and the failure to change default passwords. Passwords obtained in previous breaches can be used, which will catch out people who use the same passwords for multiple platforms. Information about a person can also be found on social media – A partner’s name, child’s name, pet name, or dates of birth – Information that is commonly used to create passwords.
Man-In-The-Middle Attacks
A man-in-the-middle attack involves an attacker intercepting information such as a password when it is sent between two parties. Information can be intercepted in unencrypted emails or when a user logs into a web-based platform via their browser. Man-in-the-middle attacks are common on unsecured public Wi-Fi networks and evil twin Wi-Fi hotspots – Hotspots that mimic a genuine hotspot provider, such as a coffee shop or hotel. Any information transmitted via that hotspot can be easily intercepted.
Writing Down Passwords
Many businesses have implemented password polices that require the use of strong and difficult to remember passwords. As a result, some employees write their passwords down on post-it notes, tape a password to their computer, or keep a note under their keyboard where any visitor to an office could discover it.
How to Stop Business Email Getting Hacked
These methods of hacking business email accounts are easy and inexpensive to block through low-cost cybersecurity solutions, policies and procedures, and staff training.
For businesses, the most important control to implement to protect against phishing is an advanced spam filter. A spam filter inspects all incoming emails for common spam signatures and malicious links and blocks messages before they are delivered to end users. Some spam filters also inspect outgoing email, which helps to prevent a breached email account from being used for further phishing attacks on contacts.
Even the best spam filters will not block every single phishing email so security awareness training for staff is essential. Regular training sessions should be provided – at least twice annually – and these should be augmented with more regular reminders about security and newsletters about the latest threats. Phishing simulations are useful for testing the effectiveness of training and to condition employees how to respond to email threats.
Brute force attacks are best prevented with good password policies that prevent weak passwords from being set. To prevent employees from writing passwords down, consider paying for a password manager or allowing the use of long passphrases, which are easy to remember but difficult to guess. Ensure two-factor authentication is enabled and rate limiting is applied to block login attempts after a set number of failed password guesses.
Man-in-the-middle attacks can be prevented in a number of ways. Remote workers should be provided with a VPN to access work networks and email. Some web filters, WebTitan for instance, can be used to protect remote workers online and prevent man-in-the-middle attacks and can also to prevent users from visiting malicious websites, such as those used for phishing.
If you want to improve email security, TitanHQ can help. Contact the team today for information on spam filters to block phishing attacks and to find out more about the benefits of web filtering.
How Does Business Email Get Hacked FAQ
Will a spam filter block ransomware attacks?
A spam filter is effective at identifying and blocking malicious files sent by email. SpamTitan uses dual antivirus engines that detect all known malware and ransomware and sandboxing to subject email attachments to in-depth analysis to identify new malware and ransomware variants. However, ransomware can be deployed in many different ways, not just via email, so other cybersecurity measures will also be required.
How can I justify the cost of an additional spam filter for Office 365?
Consider the cost of mitigating a successful malware or phishing attack, data theft/loss, notifying customers, and the harm caused to your company’s reputation. The cost of an additional spam filter is several orders of magnitude lower. Take advantage of a free trial of a new solution to find out what additional threats are blocked to help determine if the cost is justified.
Can I block 100% of all spam and phishing emails?
It is possible to block 100% of spam and phishing emails but doing so may see an unacceptable number of genuine emails blocked. The best spam filters block in excess of 99.9% of spam emails and allow spam tolerance thresholds to be set lower for higher risk departments such as finance to almost reach 100% without blocking genuine emails.
Why is sandboxing important in a spam filter?
Spam filters scan for malicious email attachments using one or more antivirus engines. This ensures 100% of known malware is blocked. However, new malware variants are constantly being released and signature-based mechanisms do not identify these new threats. Sandboxing sees email attachments that pass initial checks sent for deep analysis to identify the malicious actions of unknown malware.
Why do I need a web filter if I have a spam filter?
Phishing emails usually have an email and web component. A spam filter will block the majority of phishing emails but should be combined with a web filter for greater protection. A web filter provides time-of-click protection to prevent users from visiting known malicious websites. A web filter protects also protects against phishing and malware downloads through general web browsing.
A new email campaign is being conducted in the run up to Valentine’s Day which attempts to get users to open email attachments by fooling them into thinking they are love letters. The love letter email scam includes enticing subject lines such as ‘Love Letter’, ‘I Love You’, ‘This is my love letter to you’, ‘Always thinking about you’, and other love and love letter themes.
These types of scams are common in the run up to Valentine’s Day, and as the day draws closer, the likelihood of the scams succeeding grows.
The emails contain a zip file containing a JavaScript file with a variety of names, all of which start with Love_You. Extracting and running the file will result in the download of ransomware and other malware variants.
If the JavaScript file is run, it launches a PowerShell command that downloads and runs a malware variant named krablin.exe. Krablin.exe is also copied to USB thumb drives that are plugged into the computer.
A further four malware variants are subsequently downloaded to the victim’s device: The Phorpiex spambot, a Monero cryptocurrency miner (XMRig), a further malware downloader, and the latest version of GandCrab ransomware: A particularly nasty combination of malware.
The malspam campaign was detected by SANS ISC researcher Brad Duncan who determined the campaign has been running since at least November 2018. Several different subject lines and attachments have been identified and multiple spoofed sending addresses are used in this campaign.
Word documents and Excel spreadsheets containing malicious macros are more commonly used to spread malware, although JavaScript based malspam is nothing new. Most individuals are not familiar with .js files so may choose not to open them, although the theme of this love letter email scam may tempt people into making an exception. JavaScript malware may also be executed by Windows, without the user having to open the file. Simply saving a JavaScript file may be all that is required to trigger the infection process.
To prevent email scams such as this from succeeding, businesses should ensure that their employees receive ongoing security awareness training. Regular email security alerts should be sent to the workforce to keep them abreast of the latest techniques that are being used by scammers to install malware and phish for sensitive information.
It is also essential for an advanced spam filter to be implemented. This will ensure the majority of malicious messages are blocked and not delivered to end users. SpamTitan scans all incoming and outgoing messages and uses a variety of techniques to identify spam and malicious messages. Those controls ensure a block rate in excess of 99.9%, while dual antivirus engines provide total protection against all known malware variants.
SpamTitan is available on a free trial with options to suit all businesses and managed service providers. For further information, to register for the no-obligation free trial, or to book a product demonstration, contact TitanHQ today.
A new phishing scam has been detected that uses a novel method to evade detection – The use of custom fonts to implement a substitution cipher that makes the source code of the phishing page appear as plaintext.
Many phishing web pages obfuscate their source code to make it harder for automated security solutions to uncover malicious actions and make the phishing pages appear harmless. As such, the phishing sites are not blocked and users may be fooled into supplying their credentials as requested. The phishing web pages used in this scam will display what appears to be a genuine website when the page is rendered in the browser. Users will be presented with a spoofed web page that closely resembles the standard login page of their bank. To the user, apart from the domain name, there is nothing to indicate that the site is not genuine. If credentials are entered, they will be harvested by the scammer and used to gain access to the users’ bank account.
In this case, a substitution cipher is used to obfuscate the source code. To security solutions, the text is encoded, which makes it difficult to determine what that code does. This tactic has been used in previous phishing campaigns, with the substitution cipher applied using JavaScript. While users may be fooled, automated security solutions can detect the JavaScript fairly easily and can block access to the web page.
The latest campaign uses custom fonts – termed woff files – which are present on the page and hidden through base64 encoding. These custom fonts are used to implement the cipher and make the source code appear as plaintext, while the actual source code is encrypted and remains hidden. The substitution is performed using CSS on the landing page, rather than JavaScript. This technique has not been seen before and is much harder to detect.
The substitution cipher results in the user being displayed the correct text when the page is rendered in the browser, although that text will not exist on the page. Solutions that search for certain keywords to identify whether a site is malicious will therefore not find those keywords and will not block access to the page. This technique substitutes individual letters such as abcd with alternate letters jehr for example using woff and woff2 fonts. While the page is rendered correctly for the user, when a program reads the source code it is presented with jumbled, gibberish letters.
As an additional measure to avoid detection, the logos that have been stolen from the targeted bank are also obfuscated. It is common for bank logos to be stolen and included on phishing pages to convince visitors they are on a genuine site, but the use of the logos can be detected. By rendering the graphics using scalable vector graphics (SVG) files, the logos and their source do not appear in the source code of the page and are hard to detect.
These new techniques show just how important it is to block phishing emails at source before they are delivered to end users’ inboxes and the need for comprehensive cybersecurity training to be provided to employees to help them identify potentially malicious emails. A web filtering solution is also important to prevent users from visiting phishing pages, either through general browsing, redirects via malvertising, or blocking users when they click embedded hyperlinks in phishing emails.
To find out more about cybersecurity solutions that can protect against phishing attacks, contact the TitanHQ team today.
2-factor authentication is an important safeguard to prevent unauthorized account access, but does 2-factor authentication stop phishing attacks?
What is 2-Factor Authentication?
2-Factor authentication is commonly used as an additional protection measure to prevent accounts from being accessed by unauthorized individuals in the event that a password is compromised.
If a password is disclosed in a phishing attack or has otherwise been obtained or guessed, a second authentication method is required before the account can be accessed.
Two-factor authentication uses a combination of two different methods of authentication, commonly something a person owns (device/bank card), something a person knows knows (a password or PIN), and/or something a person has (fingerprint, iris scan, voice pattern, or a token).
The second factor control is triggered if an individual, authorized or otherwise, attempts to login from an unfamiliar location or from a device that has not previously been used to access the account.
For instance, a person uses their laptop to connect from a known network and enters their password. No second factor is required. The same person uses the same device and password from an unfamiliar location and a second factor must be supplied. If the login credentials are used from an unfamiliar device, by a hacker for instance that has obtained a username and password in a phishing attack, the second factor is also required.
A token or code is often used to verify identity, which is sent to a mobile phone. In such cases, in addition to a password, an attacker would also need to have the user’s phone.
Does 2-Factor Authentication Stop Phishing Attacks?
So, does 2-factor authentication stop phishing attacks from succeeding? In many cases, it does, but 2-factor authentication is not infallible. While it was once thought to be highly effective at stopping unauthorized account access, opinion is now changing. It is certainly an important additional, low-cost layer of security that is worthwhile implementing, but 2-factor authentication alone will not prevent all phishing attacks from succeeding.
There are various methods that can be used to bypass 2-factor authentication, for instance, if a user is directed to a phishing page and enters their credentials, the hacker can then use those details in real-time to login to the legitimate site. A 2FA code is sent to the user’s device, the user then enters that code into the phishing page. The attacker then uses the code on the legitimate site.
This 2-factor authentication bypass is somewhat cumbersome, but this week a phishing tool has been released that automates this process. The penetration testing tool was created by a Polish researcher named Piotr Duszynski, and it allows 2FA to be bypassed with ease.
The tool, named Modlishka, is a reverse proxy that has been modified for handling login page traffic. The tool sits between the user and the target website on a phishing domain. When the user connects to the phishing page hosting this tool, the tool serves content from the legitimate site – Gmail for instance – but all traffic passes through the tool and is recorded, including the 2FA code.
The user supplies their credentials, a 2-factor code is sent to their phone, and that code is entered, giving the attacker account access.
It is an automated version of the above bypass that only requires a hacker to have a domain to use, a valid TLS certificate for the domain, and a copy of the tool. No website phishing templates need to be created as they are served from the genuine site. Since the tool has been made available on Github, the 2FA bypass could easily be used by hackers.
Additional Controls to Stop Phishing Attacks
To protect against phishing, a variety of methods must be used. First, an advanced spam filter is required to prevent phishing emails from reaching inboxes. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails.
Fewer than 0.1% of emails may make it past the spam filter, but any one could result in an account compromise. Security awareness training should therefore be provided to employees to help them identify suspicious emails.
Unfortunately, people do make mistakes and phishing emails can be highly realistic, so it is wise to also implement a web filter.
A web filter will block attempts to connect to known phishing sites and can assess sites in real time to help determine their authenticity. If the checks fail, the user will be prevented from accessing the site.
These anti-phishing controls are now essential cybersecurity measures for businesses to protect against phishing attacks, and are all the more important since 2FA cannot be relied upon to protect against unauthorized access once a password has been compromised.
You can find out more about SpamTitan and WebTitan by contacting TitanHQ.
The last weekend of 2018 has seen a major newspaper cyberattack in the United States that has disrupted production of several newspapers produced by Tribune Publishing.
The attacks were malware-related and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major problems throughout Friday.
All of the affected newspapers shared the same production platform, which was disrupted by the malware infection. While the type of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.
Ransomware is a form of malware that encrypts critical files preventing them from being accessed. The primary goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also common for ransomware to be deployed after network access has been gained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be conducted to cause disruption. It is suspected that this newspaper cyberattack was conducted primarily to disable infrastructure.
The type of ransomware used in an attack is usually easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are changed to .ryk.
The Los Angeles Times has attributed it to threat actors based outside the United States, although it is unclear which group was behind the cyberattacks. If the attack was conducted to disable infrastructure it is probable that this was a nation-state sponsored attack.
The first Ryuk ransomware cyberattacks occurred in August. Three U.S. companies were attacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware revealed it shared code with Hermes malware, which had previously been linked to the Lazarus Group – An APT group with links to North Korea.
While many ransomware campaigns used mass spamming tactics to distribute the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved considerable reconnaissance and extensive network mapping before the ransomware is finally deployed. As is the case with SamSam ransomware attacks, the campaign is conducted manually.
Several methods are used to gain access to networks, although earlier this year a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services claiming email to be one of the main attack vectors, highlighting the importance of email security and end user training to help employees recognize email-based threats.
There are many costs associated with cyberattacks and data breaches, but one of the hardest to quantify is damage to a brand. Brand damage following a data breach is one of the most serious issues, and one that money cannot easily resolve.
Businesses can invest in cybersecurity solutions to prevent further security breaches, but when customers lose trust in a brand, they will simply take their business elsewhere. Winning customers back can be a long process. In many cases, once trust in a brand is lost, customers will leave and never return.
Consumers Expect Businesses to Protect Their Personal Data
If a company asks consumers to provide them with personal data, it is essential that steps are taken to ensure that information remains private and confidential. Consumers believe that any company that collects personal data has an obligation to protect it. A Ponemon Institute study in 2017 confirmed that to be the case. 71% of consumers believed companies that collect personal data have a responsibility to protect it. When a cyberattack occurs that results in the exposure or theft of personal data, consumers are naturally angry at a company for failing to take sufficient precautions to keep their data private.
The same survey revealed that following a data breach, two thirds of consumers lost trust in the breached company and almost a third of consumers said they had terminated their relationship with a brand following a data breach. Companies that were surveyed reported customer churn rates increased up to 7% following a breach. Another study suggests customer loss is more severe and up to 20% of customers have switched brands after their personal information was stolen from a company they did business with. A 2017 study by Gemalto suggests those figures are very conservative. The Gemalto study suggested 70% of customers would switch brands following a data breach.
Loss of Trust in a Brand can have Catastrophic Consequences
Large businesses may be able to weather the storm and regain customer trust over time, but smaller businesses can really struggle. On top of the considerable costs of mitigating a data breach, a loss of anywhere between 20% and 70% of customers would likely be the final nail in the coffin. Loss of customer trust is part of the reason why 60% of SMBs fold within 6 months of a data breach (National Cyber Security Alliance).
Blocking cyberattacks and preventing data breaches requires investment in cybersecurity solutions. Naturally, an advanced firewall is required, and solutions should be introduced to block the most common attack vectors – email for instance – but one area of cybersecurity that is often overlooked is WiFi filtering. WiFi filtering and protecting your brand go hand in hand.
WiFi Filtering and Protecting your Brand
The importance of WiFi Filtering for protecting your brand should not be underestimated. Implementing a web filtering solution shows your customers that you care about security and want to ensure they are protected when they access the Internet through your WiFi network. By implementing a WiFi filter you can prevent customers from downloading malware and ransomware and stop them from connecting to phishing websites.
A WiFi filter can also prevent users from accessing illegal content on your WiFi network. There have been cases of businesses having Internet access terminated by their ISPs over illegal online activity by users – the accessing of banned web content or copyright infringing downloads for instance.
One of the most important uses of a WiFi filter is to prevent users from accessing unacceptable content such as pornography. There is growing pressure on businesses to prevent adult content from being accessed on WiFi networks that are used by customers. McDonalds decided to implement a WiFi filter in 2016 following campaigns by consumers to make its access points family-friendly and in 2018 Starbucks was pressured into doing the same. The coffee shop chain will finally start filtering the internet on its WiFi networks in 2019.
A WiFi filter will also prevent employees from visiting malicious websites and downloading malware that gives criminals access to your internal networks and customer data, thus preventing costly, reputation damaging data breaches.
Businesses that fail to block web-based attacks are taking a major risk, and an unnecessary one considering the low cost of WiFi filtering.
Benefits of WebTitan Cloud for WiFi
Benefits of WebTitan Cloud for WiFi for include:
Create a family-friendly, safe and secure web browsing environment
Manage access points through a single web-based administration panel
Protect any number of Wi-Fi access points
Filter by website, website category, keyword term, or keyword score
Reduce the risk of phishing attacks
Block malware and ransomware downloads
Inspect encrypted websites with SSL certificates
Schedule and run reports on demand
Gain a real-time view of internet activity
Gain insights into bandwidth use and restrict activities to conserve bandwidth
Integrate the solution into existing billing, auto provisioning and monitoring system through a suite of APIs
Apply time-based filtering controls
Multiple hosting options, including within your own data center
Can be supplied as a white label for MSPs and resellers
World class customer service
Highly competitive pricing and a fully transparent pricing policy
For further information on WiFi Filtering and protecting your brand, contact the TitanHQ team today. Our cybersecurity experts will explain how WebTitan can protect your business and will be happy to schedule a product demonstration and help you set up a free trial of WebTitan to evaluate the solution in your own environment.
A new Netflix phishing scam has been detected that attempts to fool Netflix subscribers into disclosing their login credentials and other sensitive information such as Social Security numbers and bank account numbers.
This Netflix phishing scam is similar to others that have been intercepted over the past few months. A major campaign was detected in October and another in November. The latest Netflix phishing scam confirms that the threat actors are now launching large-scale phishing attacks on a monthly basis.
The number of recent Netflix scams and the scale of the campaigns has prompted the U.S. Federal Trade Commission (FTC) to issue a warning to raise awareness of the threat.
The latest campaign was detected by an officer in the Ohio Police Department. As with past campaigns, the attackers use a tried and tested method to get users to click on the link in the email – The threat of account closure due to issues with the user’s billing information.
In order to prevent closure of the user’s Netflix account a link in the email must be clicked. That will direct the user to the Netflix site where login credentials and banking information must be entered. While the web page looks genuine, it is hosted on a domain controlled by the attackers. Any information entered on that web page will be obtained by the threat actors behind the scam.
The emails appear genuine and contain the correct logos and color schemes and are almost identical to the official emails sent to users by Netflix. Netflix also includes links in its emails, so unwary users may click without first checking the authenticity of the email.
Image Source: FTC via Ohio Police Department
There are signs that the email is not what it seems. The email is incorrectly addressed “Hi Dear”; British English is used, even though the email is sent to U.S. citizens; the email is sent from a domain that is not used by Netflix; and the domain to which the email directs users is similarly suspect. However, the scam is sure to fool many users who fail to carefully check emails before taking any action.
Consumers need to exercise caution with email and should carefully check messages before responding, no matter how urgent the call for action is. It is a good best practice to always visit a website directly by entering in the domain into the address bar of a web browser, rather than clicking a link in an email.
If the email is determined to be a scam, it should be reported to the appropriate authorities in the country in which you reside and also to the company the scammers are impersonating. In the case of Netflix phishing scams, emails should be sent to phishing@netflix.com.
While this Netflix phishing scam targets consumers, businesses are also at risk. Many similar scams attempt to get users to part with business login credentials and bank account information. Businesses can reduce the risk of data and financial losses to phishing scams by ensuring all members of the company, from the CEO down, are given regular security awareness training and are taught cybersecurity best practices and are made aware of the latest threats.
An advanced spam filtering solution is also strongly recommended to ensure the vast majority of these scam emails are blocked and do not reach inboxes. SpamTitan for instance, blocks more than 99.9% of spam and phishing emails and 100% of known malware.
For further information on anti-phishing solutions for businesses, contact the TitanHQ team today.
A major San Diego School District phishing attack has been discovered. The phishing attack stands out from the many similar phishing attacks on schools due to the extent of accounts that were compromised, the amount of data that was potentially obtained, and the length of time it took for the data breach to be detected.
According to a recent breach announcement, the login credentials of around 50 district employees were obtained by the attacker. It is not unusual for multiple accounts to be breached in school phishing attacks. Once access is gained to one account, it can be used to send internal phishing emails to other staff members. Since those emails come from within, they are more likely to be trusted and less likely to be detected. Investigations into similar phishing attacks often reveal many more email accounts have been compromised than was initially thought, although 50 sets of compromised credentials is particularly high.
Those accounts were compromised over a period of 11 months. The San Diego School District phishing attack was first detected in October 2018 after staff alerted the district’s IT department to phishing emails that had been received. Multiple reports tipped off the IT department that an ongoing cyberattack was occurring and there may have been a data breach.
The investigation revealed the credentials obtained by the attacker provided access to the district’s network services, which included access to the district’s database of staff and student records. The school district is the second largest in California and serves over 121,000 students each year. The database contained records going back to the 2008/2009 school year. In total, the records of more than 500,000 individuals were potentially obtained by the hacker. Given the length of time that the hacker had access to the network, data theft is highly probable.
The data potentially obtained was considerable. Student information compromised included names, addresses, dates of birth, telephone numbers, email addresses, enrollment and attendance information, discipline incident information, health data, legal notices on file, state student ID numbers, emergency contact information, and Social Security numbers. Compromised staff information also included salary information, health benefits data, paychecks and pay advices, tax data, and details of bank accounts used for direct deposits.
Data could be accessed from January 2018 to November 2018. While it is typical for unauthorized access to be immediately blocked upon discovery of a breach, in this case the investigation into the breach was conducted prior to shutting down access. This allowed the identity of the suspected hacker to be determined without tipping off the hacker that the breach had been detected. The investigation into the breach is ongoing, although access has now been blocked and affected individuals have been notified. Additional cybersecurity controls have now been implemented to block future attacks.
School district phishing attacks are commonplace. School districts often lack the resources of large businesses to devote to cybersecurity. Consequently, cyberattacks on school districts are much easier to pull off. Schools also store large volumes of sensitive data of staff and students, which can be used for a wide range of malicious purposes. The relative ease of attacks and a potential big payday for hackers and phishers make schools an attractive target.
The San Diego School District phishing attack is just one of many such attacks that have been reported this year. During tax season at the start of 2018, many school districts were targeted by phishers seeking the W-2 forms of employees. It is a similar story every year, although the threat actors behind these W-2 phishing attacks have been more active in the past two years.
In December this year, Cape Cod Community College suffered a different type of phishing attack. The aim of that attack was to convince staff to make fraudulent wire transfers. At least $800,000 was transferred to the attackers’ accounts in that attack.
These attacks clearly demonstrate the seriousness of the threat of phishing attacks on school districts and highlights the importance of implementing robust cybersecurity protections to protect against phishing.
If you want to improve your defenses against phishing, contact the TitanHQ team today for further information on anti-phishing solutions for schools.
G2 Crowd, the trusted business software review platform, has recognized SpamTitan as a High Performer for email security. The anti-spam solution has been praised for speed of implementation, ease of use, quality of support, and its spam filtering capabilities.
Finding the right software solution can take a lot of time and effort. Even when software is carefully and painstakingly reviewed, making a purchase can be risky. G2 Crowd helps businesses find the most suitable software and services and make informed buying decisions, taking the guesswork out of software selection.
The G2 Crowd platform contains more than half a million independent, authenticated reviews from users of software solutions that give honest feedback on software solutions after having put them through their paces. The platform is trusted by businesses and its user reviews are read by more than 2 million buyers every month.
This December, G2 Crowd released its Winter Secure Email Gateway Grid℠, which ranked SpamTitan as the highest performer in the mid-market segment. According to G2 Crowd, “High Performers provide products that are highly rated by their users,” and have achieved consistently positive reviews from the people that matter – customers.
The high position is due to consistent 5-star reviews from users. 93% of user-reviewers on the site have awarded SpamTitan 5 stars out of 5, with the remaining 7% giving the solution 4 stars out of 5. SpamTitan has attracted praise across the board, notably for how easy it is to set up, use, maintain, its reporting tools, the quality of customer support, and price.
SpamTitan has also been rated as a 5-star email security solution by users of Spiceworks and has won more than 37 consecutive Virus Bulletin Spam awards.
Not only is SpamTitan an ideal solution for SMBs to block spam email, malware, and phishing threats, it has been developed to also meet the needs of managed services providers to allow them to easily add spam filtering and phishing protection to their service stacks.
SpamTitan is available with three deployment choices: SpamTitan Gateway, SpamTitan Cloud, and SpamTitan Private Cloud, to meet the needs of all businesses.
Check out the SpamTitan reviews on G2 Crowd and contact TitanHQ to schedule a product demonstration. SpamTitan is also available on a free 14-day trial to allow you to test the solution for yourself in your own environment.
campaign is to obtain users’ Office 365 passwords.
The phishing campaign was detected by ISC Handler Xavier Mertens and the campaign appears to still be active.
The phishing emails closely resemble legitimate Office 365 non-delivery notifications and include Office 365 branding. As is the case with official non-delivery notifications, the user is alerted that messages have not been delivered and told that action is required.
The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attributes the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.
If users click the Send Again button, they will be directed to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.
If the password is entered, a JavaScript function sends both the email address and password to the scammer. The user will then be redirected to the genuine outlook.office365.com website where they will be presented with a real Office 365 login box.
While the Office 365 phishing emails and the website look legitimate, there are signs that all is not what it seems. The emails are well written and the sender’s email – postmaster@us.ibm.com – looks official but there is irregular capitalization of the warning message: Something that would not occur on an official Microsoft notification.
The clearest sign that this is a phishing scam is the domain to which users are directed if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).
While the error in the email may be overlooked, users should notice the domain, although some users may proceed and enter passwords as the login box is identical to the login on the official Microsoft site.
The campaign shows just how important it is to carefully check every message before taking any action and to always check the domain before disclosing any sensitive information.
Scammers use Office 365 phishing emails because so many businesses have signed up to use Office 365. Mass email spam campaigns therefore have a high probability of reaching an Outlook inbox. That said, it is easy to target office 365 users. A business that is using Office 365 broadcasts it through their public DNS MX records.
Businesses can improve their resilience to phishing attacks through mandatory security awareness training for all employees. Employees should be told to always check messages carefully and should be taught how to identify phishing emails.
Businesses should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (APT) offering, businesses should consider using a third-party spam filtering solution with Office 365.
SpamTitan provides superior protection against phishing and zero-day attacks, an area where APT struggles.
According to a recent Irish phishing study, as many as 185,000 office workers in the country have fallen victim to phishing scams.
Phishing is a method used by cybercriminals to obtain sensitive information such as login credentials, financial information, and other sensitive data. While phishing can take place over the phone, via messaging platforms or by text message, email is most commonly used.
Messages are sent in bulk in the hope that some individuals will respond, or campaigns can be much more targeted. The latter is referred to as spear phishing. With spear phishing attacks, cybercriminals often research their victims and tailor messages to maximize the probability of them eliciting a response.
A successful phishing attack on employees can see them disclose their email credentials which allows their accounts to be accessed. Then the attackers can search emails accounts for sensitive information or use the accounts to conduct further phishing attacks on other employees. When financial information is disclosed, business bank accounts can be emptied.
Businesses can suffer major financial losses as a result of employees responding to phishing emails, the reputation of the business can be damaged, customers can be lost, and there is also a risk of major regulatory fines.
Irish Phishing Study Findings
The Irish phishing study was conducted on 500 Irish office workers by the survey consultancy firm Censuswide. Respondents to the Irish phishing study were asked questions about phishing, whether they had fallen for a phishing scam in the past, and how they rated their ability to identify phishing attacks.
In line with findings from surveys conducted in other countries, 14% of respondents said they had been a victim of a phishing attack. There were also marked differences between different age groups. Censuswide analyzed three age groups: Millennials, Gen X, and baby boomers. The latter two age groups were fairly resistant to phishing attempts. Gen X were the most phishing-savvy, with just 6% of respondents in the age group admitting to having been fooled by phishing emails in the past, closely followed by the baby boomer generation on 7%. However, 17% of millennials admitted having fallen for a phishing scam – The generation that should, in theory, be the most tech-savvy.
Interestingly, millennials were also the most confident in their ability to recognize phishing attempts. 14% of millennials said they would not be certain that they could detect fraud, compared to 17% of Gen X, and 26% of baby boomers.
It is easy to be confident about one’s ability to spot standard phishing attempts, but phishing attacks are becoming much more sophisticated and very realistic. Complacency can be very dangerous.
Phishing Protection for Businesses
The results of the Irish phishing study make it clear that businesses need to do more to protect themselves from phishing attacks. Naturally, an advanced spam filtering solution is required to ensure that employees do not have their phishing email identification skills put to the test constantly. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails, thus reducing reliance on employees’ ability to identify scam emails.
The Irish phishing study also highlights the importance of providing security awareness training to employees. The study revealed 44% of the over 54 age group had opened an attachment or clicked on a link in an email from an unknown sender, as had 34% of millennials and 26% of the Gen X age group. Alarmingly, one in five respondents said that their employer had not provided any security awareness training whatsoever.
Employees need to learn how to identify scams, so security awareness training must be provided. Since cybercriminals’ tactics are constantly evolving, training needs to be continuous. Annual or biannual training sessions should be provided, along with shorter refresher training sessions. Businesses should also consider conducting phishing email simulations to test resilience to phishing attacks and highlight weak links.
To be effective, anti-phishing training needs to be provided to all employees and requires buy-in from all departments. Unless that happens, it will be difficult to develop a culture of security awareness.
In this post we offer four simple steps to take to improve Office 365 security and make it harder for hackers and phishers to gain access to users’ accounts.
Hackers are Targeting Office 365 Accounts
It should come as no surprise to hear that hackers are targeting Office 365 accounts. Any software package that has 155 million global users is going to be a target for hackers, and with the number of users growing by an astonishing 3 million a month, Office 365 accounts are likely to be attacked even more frequently.
One study this year has confirmed that to be the case. There has been a 13% increase in attempts to hack into Office 365 email accounts this year, and many of those attacks succeed. You should therefore take steps to improve Office 365 security.
Hackers themselves are paying for Office 365 and are probing its security protections to find vulnerabilities that can be exploited. They also test their phishing emails on real office 365 accounts to find out which ones bypass Microsoft’s anti-phishing protections.
When emails have been developed that bypass Microsoft’s anti-phishing protections, mass email campaigns are launched on Office 365 users. Businesses using Office 365 can easily be found and targeted because it is made clear that they use Office 365 through public DNS MX records.
So how can you improve office 365 security and make it harder for hackers? If you take the four steps below, you will be able to greatly improve Office 365 security and thwart more attacks.
Enforce the Use of Strong Passwords
Hackers often conduct brute force attacks on Office 365 email accounts so you need to develop a strong password policy and prevent users from setting passwords that are easy to brute force. You should not allow dictionary words or any commonly used weak passwords, that otherwise meet your password policy requirements – Password1! for instance.
The minimum length for a password should be 8 characters but consider increasing that minimum. A password of between 12 and 15 characters is recommended. Make sure you do not set a too restrictive maximum number of characters to encourage the use of longer passphrases. Passphrases are harder to crack than 8-digit passwords and easier for users to remember. To make it even easier for your users, consider using a password manager.
Implement Multi-Factor Authentication
Even with strong passwords, some users’ passwords may be guessed, or users may respond to phishing emails and disclose their password to a scammer. An additional login control is therefore required to prevent compromised passwords from being used to access Office 365 accounts.
Multi-factor authentication is not infallible, but it will help you improve Office 365 security. With MFA, in addition to a password, another method of authentication is required such as a token or a code sent to a mobile phone. If a password is obtained by a hacker, and an attempt is made to login from a new location or device, further authentication will be required to access the account.
Enable Mailbox Auditing in Office 365
Mailbox auditing in Office 365 is not turned on by default so it needs to be enabled. You can set various parameters for logging activity including successful login attempts and various mailbox activities. This can help you identify whether a mailbox has been compromised. You can also logs failed login attempts to help you identify when you are being attacked.
Improve Office 365 Security with a Third-Party Spam Filter
As previously mentioned, hackers can test their phishing emails to find out if they bypass Office 365 anti-phishing controls and your organization can be identified as using Office 365. To improve Office 365 security and reduce the number of phishing emails that are delivered to end users’ inboxes, consider implementing a third-party spam filter rather than relying on Microsoft’s anti-phishing controls. Dedicated email security vendors, such as TitanHQ, offer more effective and more flexible anti-spam and anti-phishing solutions than Microsoft Advanced Threat Protection at a lower cost.
A U.S. school system had Office 365 spam filtering controls in place and other cybersecurity solutions installed, but still experienced a costly 6-week malware infection. In this post we explore what went wrong and how you can improve security in your organization.
Multi-Layered Defenses Breached
If you want to mount a solid defense and prevent hackers from gaining access to your networks and data, multi-layered cybersecurity defenses are required, but for one Georgia school district that was not enough. On paper, their defenses looked sound. Office 365 spam filtering controls had been applied to protect the email system, the school district had a firewall appliance protecting the network, and a web filter had been installed to control what users could do online. Endpoint security had also been installed.
The school district was also updating its desktops to Windows 10 and its servers to Windows Server 2012 or later. Everything looked nice and secure.
However, the transportation department delayed the upgrades. The department was still sharing files on a local Windows 2003 server and some of the desktops were still running Windows XP, even though support for the OS had long since ended. The outdated software and lack of patching was exploited by the attackers.
How Was the Malware Installed?
The investigation has not yet determined exactly how the attack was initiated, but it is believed that it all started with an email. As a result of the actions of an end user, a chain of events was triggered that resulted in a 6-week struggle to mitigate the attack, the cost of which – in terms of time and resources – was considerable.
The attack is believed to have started on a Windows XP machine with SMBv1 enabled. That device had drives mapped to the Windows 2003 server. The malware that was installed was the Emotet Trojan, which used the EternalBlue exploit to spread across the network to other vulnerable devices. The attackers were able to gain control of those devices and installed cryptocurrency mining malware.
The cryptocurrency mining slowed the devices to such an extent that they were virtually unusable, causing many to continually crash and reboot. The network also slowed to a snail’s pace due to the streams of malicious traffic. While the upgraded Windows 10 machines were not affected initially, the attackers subsequently downloaded keyloggers onto the compromised devices and obtained the credentials of an IT support technician who had domain administration rights. The attackers then used those privileges to disable Windows Defender updates on desktops, servers, and domain controllers.
Over the course of a week, further Trojan modules were downloaded by creating scheduled tasks using the credentials of the IT support worker. A spam module was used to send malicious messages throughout the school district and several email accounts were compromised as a result and had malware downloaded. Other devices were infected through network shares. The TrickBot banking Trojan was downloaded and was used to attack the systems used by the finance department, although that Trojan was detected and blocked.
Remediation Took 6 Weeks
Remediating the attack was complicated. First the IT department disabled SMBv1 on all devices as it was not known what devices were vulnerable. Via a Windows Group Policy, the IT team then blocked the creation of scheduled tasks. Every device on the network had Windows Defender updates downloaded manually, and via autoruns for Windows, all processes and files run by the Trojan were deleted. The whole process of identifying, containing, and disabling the malware took 6 weeks.
The attack was made possible through an attack on a single user, although it was the continued use of unsupported operating systems and software that made the malware attack so severe.
The attack shows why it is crucial to ensure that IT best practices are followed and why patching is so important. For that to happen, the IT department needs to have a complete inventory of all devices and needs to make sure that each one is updated.
While Microsoft released a patch to correct the flaw in SMBv1 that was exploited through EternalBlue, the vulnerable Windows XP devices were not updated, even though Microsoft had released an update for the unsupported operating system in the spring of 2017.
Additional Protection is Required for Office 365 Inboxes
The attack also shows how the actions of a single user can have grave repercussions. By blocking malicious emails at source, attacks such as this will be much harder to pull off. While Office 365 spam filtering controls block many email-based threats, even with Microsoft’s Advanced Threat Protection many emails slip through and are delivered to inboxes.
Hackers can also see whether Office 365 is being used as it is broadcast through DNS MX records, which allows them to target Office 365 users and launch attacks.
Due to the additional cost of APT, the lack of flexibility, and the volume of malicious emails that are still delivered to inboxes, many businesses have chosen to implement a more powerful spam filtering solution on top of Office 365.
One such solution that has been developed to work seamlessly with Office 365 to improve protection against email threats is SpamTitan.
Sextortion scams have proven popular with cybercriminals this year. A well written email and an email list are all that is required. The latter can easily be purchased for next to nothing via darknet marketplaces and hacking forums. Next to no technical skill is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are effective.
Many sextortion scams use the tried and tested technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made. Some of the recent sextortion scams have added credibility by claiming to have users’ passwords. However, new sextortion scams have been detected in the past few days that are using a different tactic to get users to pay up.
The email template used in this scam is similar to other recent sextortion scams. The scammers claim to have a video of the victim viewing adult content. The footage was recorded through the victim’s webcam and has been spliced with screenshots of the content that was being viewed at the time.
In the new campaign the email contains the user’s email account in the body of the email, a password (Most likely an old password compromised in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see exactly what will soon be distributed via email and social media networks.
Clicking the link in the video will trigger the downloading of a zip file. The compressed file contains a document including the text of the email along with the supposed video file. That video file is actually an information stealer – The Azorult Trojan.
This form of the scam is even more likely to work than past campaigns. Many individuals who receive a sextortion scam email will see it for what it really is: A mass email containing an empty threat. However, the inclusion of a link to download a video is likely to see many individuals download the file to find out if the threat is real.
If the zip file is opened and the Azorult Trojan executed, it will silently collect information from the user’s computer – Similar information to what the attacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank credentials.
However, it doesn’t end there. The Azorult Trojan will also download a secondary payload: GandCrab ransomware. Once information has been collected, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up and not also encrypted by the ransomware. Aside from permanent file loss, the only other alternative will be to pay a sizeable ransom for the key to decrypt the files.
If the email was sent to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. Since a record of the original email will have been extracted on the device, the reason why the malware was installed will be made clear to the IT department.
The key to not being scammed is to ignore any threats sent via email and never click links in the emails nor open email attachments.
Businesses can counter the threat by using cybersecurity solutions such as spam filters and web filters. The former prevents the emails from being delivered while the latter blocks access to sites that host malware.
The search for Christmas gifts can be a difficult process. All too often that search proves to be unfruitful and consumers opt to buy gift cards instead. At least with a gift card you can be sure that your friends and family members will be able to buy a gift that they want; however, beware of holiday season gift card scams. Many threat actors are using gift cards as the lure to fool end users into installing malware or parting with sensitive information.
Holiday Season Sees Marked Increase Gift Card Phishing Scams
Holiday season gift card scams are commonplace, and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.
Everyone loves a bargain and the offer of something for nothing may be too hard to resist. Many people fall for these scams which is why threat actors switch to gift card scams around this time of year.
Consumers can be convinced to part with credit card details, but businesses too are at risk. Many of these campaigns are conducted to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will likely pay the price.
This year has seen many businesses targeted with gift card scams. Figures from Proofpoint suggest that out of the organizations that have been targeted with email fraud attacks, almost 16% had experienced a gif card-themed attack: Up from 11% in Q2, 2018.
This year has also seen an increase in business email compromise (BEC) style tactics, with emails appearing to have been sent from within a company. The emails claim to have been sent from the CEO (or another executive) requesting accounts and administration staff purchase gift cards for clients or ask for gift cards be purchased to be used for charitable donations.
To reduce the risk from gift card scams and other holiday-themed phishing emails, businesses need to ensure they have powerful spam filtering technology in place to block the emails at source and prevent them from being delivered to inboxes.
Advanced Anti-Phishing protection for Office 365
Many businesses use Office 365, but even Microsoft’s anti-phishing protections see many phishing emails slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing controls, emails still make it past Microsoft’s filters.
To block these malicious messages, an advanced third-party spam filter is required. SpamTitan has been developed to work seamlessly with Office 365 to improved protection against malware, phishing emails, and more sophisticated phishing attacks.
SpamTitan blocks more than 99.9% of spam email, while dual anti-virus engines block 100% of known malware. What really sets SpamTitan in a different class is the level of protection it offers against new threats. A combination of Bayesian analysis, greylisting, machine learning, and heuristics help to identify zero-day attacks, which often slip past Office 365 defenses.
If you want to improve protection from email-based attacks and reduce the volume of spam and malicious messages that are being delivered to Office 365 inboxes, give TitanHQ a call today and book a product demonstration to see SpamTitan in action. You can sign up for a free trial of SpamTitan to test the solution in your own environment and see for yourself the difference it makes.
There has been an increase in phishing attacks on retailers, supermarket chains, and restaurants in recent weeks. The aim of the phishing attacks is to deliver remote access Trojans and remote manipulator software to gain persistent access to computers and, ultimately, obtain banking credentials and sensitive customer data on POS systems.
Several new campaigns have been detected in recent weeks targeting retail and food sector companies, both of which are well into the busiest time of the year. With employees working hard, it is likely that less care will be taken opening emails which gives cybercriminals an opportunity.
PUB Files Used in Phishing Attacks on Retailers
Over the past few weeks, security researchers have noted an uptick in phishing attacks on retailers, with one threat group switching to using.pub files to install malware. Many phishing attacks use Word documents containing malicious macros. The use of macros with .pub files is relatively uncommon. The change to this new attachment type may fool employees, as they will be less likely to associate these files with cyberattacks.
Social engineering techniques are used to fool end users into opening the files, with the .pub files masquerading as invoices. Many emails have been intercepted that appear to have been sent from within a company, which helps to make the files appear genuine.
If opened, the .pub files, via malicious macros, run Microsoft Installer (MSI) files that deliver a remote access Trojan. Since these installers will most likely be familiar to end users, they may not realize the installers are malicious. Further, the MSI files are time delayed so they do not run immediately when the .pub files are opened, increasing the probability that the RAT downloads will go unnoticed.
The TA505 threat group is using this tactic to install the FlawedAmmy remote access Trojan and other malicious payloads such as Remote Manipulator System (RMS) clients.
The phishing emails used to deliver these malicious files are targeted and tailored to a specific business to increase the likelihood of success. These targeted spear phishing attacks are now becoming the norm, as threat actors move away from the spray and pray tactics of old.
Cape Cod Community College Phishing Attack Results in Theft of More Than $800,000
Phishing attacks on retailers have increased, but other industries are also at risk. Educational institutions are also prime targets, as has been highlighted by a recent phishing attack on Cape Cod Community College.
The Cape Cod Community College phishing attack involved sophisticated messages that delivered malware capable of evading the college’s anti-virus software. The malware was used to obtain the banking credentials of the college, and once those credentials had been obtained, the hackers proceeded to make fraudulent transfers and empty bank accounts. Transfers totaling $807,130 were made, and so far, the college and its bank have only been able to recover $278,887.
All too often, fraudulent transfers are not detected quickly enough to recover any funds. Once the transfers have cleared the attacker-controlled bank accounts are emptied, after which the probability of recovering funds falls to near zero.
Defense in Depth the Key to Phishing Protection
Email is the primary vector used to phish for sensitive information and deliver malware to businesses. Regardless of whether businesses use local email systems or cloud-based email services such as Office 365, advanced spam filtering controls are required to block threats. For instance, SpamTitan blocks more than 99.9% of spam email and 100% of known malware. SpamTitan also uses heuristics, machine learning, and Bayesian analysis to identify previously unseen threats – One of the areas of weakness of Office 365’s anti-phishing defenses.
Network segmentation is also essential. Critical services must be separated to ensure that the installation of malware or ransomware on one device will not allow the attackers to gain access to the entire network. This is especially important for retailers and other businesses with POS systems. Network segmentation will help to keep POS systems and the financial data of customers secure.
Advanced endpoint protection solutions offer far greater protection than standard antivirus solutions and are less reliant on malware signatures. Standard AV solutions will only block known malware. With standard AV solutions, new malware variants can easily slip through the net.
End user security awareness training should be mandatory for all employees and training needs to be a continuous process. A once a year training session is no longer sufficient. Regular training throughout the year is required to ensure employees are made aware of the latest threats and tactics being used to gain access to login credentials and install malware.
For further information on improving email security to improve protection against phishing attacks, contact the TitanHQ team today.
Adobe has issued an unscheduled update to correct flaws in Adobe Flash Player, including a zero-day vulnerability that is currently being exploited in the wild by an APT threat group on targets in Russia. One target was a Russian healthcare facility that provides medical and cosmetic surgery services to high level civil servants of the Russian Federation.
The zero-day flaw is a use-after-free vulnerability – CVE-2018-15982 – which allows arbitrary code execution and privilege execution in Flash Player. A malicious Flash object runs malicious code on a victim’s computer which gives command line access to the system.
The vulnerability was discovered by security researchers at Gigamon ATR who reported the flaw to Adobe on November 29. Researchers at Qihoo 360 identified a spear phishing campaign that is being used to deliver a malicious document and associated files that exploit the flaw. The document used in the campaign was a forged employee questionnaire.
The emails included a .rar compressed file attachment which contained a Word document, the vulnerability, and the payload. If the .rar file is unpacked and the document opened, the user is presented with a warning that the document may be harmful to the computer. If the content is enabled, a malicious command is executed which extracts and runs the payload – A Windows executable file named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe serves as a backdoor into a system. The malicious payload collects system information which is sent back to the attackers via HTTP POST. The payload also downloads and executes shell code on the infected device.
Qihoo 360 researchers have named the campaign Operation Poison Needles due to the identified target being a healthcare clinic. While the attack appears to be politically motivated and highly targeted, now that details of the vulnerability have been released it is likely that other threat groups will use exploits for the vulnerability in more widespread attacks.
It is therefore important for businesses that have Flash Player installed on some of their devices to update to the latest version of the software as soon as possible. That said, uninstalling Flash Player, if it is not required, is a better option given the number of vulnerabilities that are discovered in the software each month.
The vulnerability is present in Flash Player 31.0.0.153 and all earlier versions. Adobe has corrected the flaw together with a DLL hijacking vulnerability in version 32.0.0.101.
A new module has been added to TrickBot malware that adds point-of-sale (POS) data collection capabilities.
TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: Businesses that process large volumes of card payments.
The new module was identified by security researchers at Trend Micro who note that, at present, the module is not being used to record POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only collecting data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The researchers have not yet determined how the POS information will be used, but it is highly likely that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.
The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’
The timing of the update, so close to the holiday period, suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much information as possible before the module is used to harvest POS data.
The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) which is targeting businesses in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.
Protecting against TrickBot and other information stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to prevent malicious messages from being delivered to end users’ inboxes. End user training is also essential to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.
Antivirus solutions and endpoint security controls should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.
There is a more cost-effective alternative to Cisco OpenDNS that provides total protection against web-based threats at a fraction of the price of OpenDNS. If you are currently running OpenDNS or have yet to implement a web filtering solution, you can find out about this powerful web filtering solution in a December 5, 2018 webinar.
Cybersecurity defenses can be implemented to secure the network perimeter, but employees often take risks online that can lead to costly data breaches. The online activities of employees can easily result in malware, ransomware, and viruses being downloaded. Employees may also respond to malicious adverts (malvertising) or visit phishing websites where they are relieved of their login credentials.
Mitigating malware infections, dealing with ransomware attacks, and resolving phishing-related breaches have a negative impact on the business and the resultant data breaches can be incredibly costly. Consequently, the threat from web-based attacks cannot be ignored.
Fortunately, there is an easy solution that offers protection against web-based threats by carefully controlling the web content that their employees can access: A DNS-based web filter.
DNS-based web filtering requires no hardware purchases and no software downloads. Within around 5 minutes, a business will be able to control employee internet access and block web-based threats. Some DNS-based web filters such as OpenDNS can be costly, but there is a more cost-effective alternative to Cisco OpenDNS.
TitanHQ and Celestix Networks will be running a joint webinar to introduce an alternative to Cisco OpenDNS – The WebTitan-powered solution, Celestix WebFilter Cloud.
Celestix will be joined by Rocco Donnino, TitanHQ EVP of Strategic Alliances, and Senior Sales Engineer, Derek Higgins who will explain how the DNS-based filtering technology offers total protection from web-based threats at a fraction of the cost of OpenDNS.
The webinar will be taking place on Wednesday December 5, 2018 at 10:00 AM US Pacific Time
An email archiving solution is now a requirement in business to ensure that emails are not lost, storage space is kept to a minimum, and emails can be retrieved on demand. While native Microsoft Exchange Email Archiving is available, many businesses will find the archiving options come up short. The alternative is to use a third-party email archiving solution. Not only will this provide all the features required by businesses, it will improve efficiency and will save on cost. To meet the requirements of businesses and improve efficiency, TitanHQ offers SMBs and MSPs a solution named ArcTitan: A secure, fast, cloud-based email archiving solution.
What is Email Archiving and Why is it Important?
Federal, state, and industry regulations require businesses to retain emails for many years. Storing emails can take up a considerable amount of storage space, especially considering the volume of emails that are typically sent and received on a daily basis by employees. While businesses can get away with storing emails in backups to meet legal requirements, backups are not searchable. If emails need to be recovered, they need to be recovered quickly. That is simply not possible with backups as they are not searchable. The solution is an email archive. In contrast to backups, email archives are searchable, and messages can be retrieved on-demand quickly and with minimal effort.
Email Archiving is Essential for eDiscovery and GDPR Compliance
The importance of an email archiving solutions for eDiscovery cannot be underestimated. There have been many cases where businesses have received heavy fines for the failure to produce emails as part of the eDiscovery process. For instance, in the Zubulake v. USB Warburg case, the plaintiff was awarded $29 million as a result of the failure to produce emails. In Coleman Holdings v. Morgan Stanley, eDiscovery failures resulted in a fine of $15 million.
Email archives are now essential for GDPR compliance. Sine the EU’s General Data Protection Regulation came into effect on May 25, 2018, companies have been required to produce – and delete – on request every element of an individual’s personal data, including personal data contained in emails. Without an email archive, this can be incredibly time consuming and may result in data being unlawfully retained since backups are not searchable. The fines for GDPR compliance failures can be as high as €20 million or 4% of global annual revenue, whichever is greater.
Native Microsoft Exchange Email Archiving
Native Microsoft exchange email archiving provides businesses with journaling and personal archive functions, but each has its drawbacks. The functions meet some business requirements, such as freeing up space in mailboxes, but they lack the full functions of a dedicated archive and do not meet all eDiscovery requirements.
With native Microsoft Exchange email archiving, end users have far too much control over the information that is loaded into an archive and they can delete emails unless a legal hold is activated. Many businesses rely on Office 365, but Office 365 creates uncertainty over archived email data. There is potential for emails in the archive to have data added or deleted.
Audit logging in is not active by default on Office 365 so administrators have to manually enable this function. Then there are potential issues with log retention, which is dependent on the subscription option. The E1 plan currently does not have any audit log retention, the E3 plan only retains logs for 90 days, and only a year with E5.
Native Microsoft Exchange email archiving functions fail to meet the needs of many businesses, especially those in highly regulated industries. While the native Microsoft Exchange email archiving functions have improved over the years, there are limitations with most product versions and archiving can be complex with certain email architectures. For admins, the control panel is difficult to use and retrieving emails can be complicated and time consuming.
When searches need to be performed, there are severe limitations. Office 365 limits searches to two at a time and then only returns 250 results per search. Large organizations may find that the limit on searches to 10,000 mailboxes to be insufficient. When data needs to be exported, only one export can be run at a time. Since most eDiscovery requests will require more than one search and export, it can take a long time to obtain all the relevant data.
Any business that uses multiple email systems alongside Microsoft Exchange will require a third-party email archiving solution. Microsoft Exchange does not support the archiving of email from other platforms.
Email archiving has improved with Office 365. SMBs that use Office 365 have email archiving functionality included in their plans, but it is only free of charge with E3-E5 plans. Other plans charge around $3 per user, which is more expensive than custom-built archiving solutions such as ArcTitan.
Native Microsoft Exchange email archiving is an option for businesses, but Microsoft Exchange was not developed for email archiving. A third-party solution for email archiving on Microsoft Exchange is still a requirement, despite the improvements that have been made by Microsoft.
A third-party email archiving solution will save your IT department a considerable amount of time trying to locate old messages, especially for the typical requests that are received which are light on detail. The advanced search options in ArcTitan make search and retrieval of messages much faster and easier.
Feature-Rich, Lightning Fast Email Archiving with ArcTitan
ArcTitan has been developed specifically for email archiving and email archiving alone. ArcTitan has been designed to meet all archiving needs of businesses and allow managed service providers to offer email archiving to their clients.
The benefits of ArcTitan include lighting fast email archiving and message retrieval, secure encrypted storage, and compliance with industry regulations such as HIPAA, SOX, SEC, FINRA, and GDPR. ArcTitan ensures businesses meet eDiscovery requirements without having to pay for additional eDiscovery services from Microsoft.
With ArcTitan, an accurate audit trail is maintained, and businesses have near instant access to all company emails. ArcTitan serves as a black box recorder for all email to meet all eDiscovery requirements and ensures compliance with federal, state, and industry regulations.
The ArcTitan Email Archiving Solution
ArcTitan requires no hardware or software, is quick and easy to install, and easily slots in to the email architecture of businesses. The solution is highly scalable (there are no limits on storage space for users), it is lightning fast, easy to use, and stores all emails safely and securely in the cloud.
Businesses that have yet to implement a Microsoft Exchange email archiving solution typically save up to 75% storage space and costs are kept to a minimum with a flexible pay as you go pricing policy, with subscriptions paid per live user.
Key Features of ArcTitan
Scalable, email archiving that grows with your business
Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
Lightning fast searches – Search 30 million emails a second
Rapid archiving at up to 200 emails a second
Automatic backups of the archive
Email archiving with no impact on network performance
Ensure an exact, tamper-proof copy of all emails is retained with full audit logs
Easy data retrieval for eDiscovery
Protection for email from cyberattacks
Eliminate PSTs and other security risks
Facilitates policy-based access rights and role-based access
Only pay for active users
Slashes the time and cost of eDiscovery other formal searches
Migration tools to ensure the integrity of data during transfer
Seamless integration with Outlook
Supports, single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
If you have yet to implement an email archiving solution, if you are unhappy with the native Microsoft Exchange email archiving features, or find your current archiving solution expensive or difficult to use, get in touch with TitanHQ today to find out more about the benefits of ArcTitan and the improvements it can make to your business.
There has been a steady increase in HTTPS phishing websites over the past couple of years, mirroring the transition from HTTP to HTTPS on commercial websites. HTTPS sites are those that have SSL/TLS certificates and display a green padlock next to the URL. The green padlock is an indicator of site security. It confirms to website visitors that the connection between their browser and the website is encrypted. This provides protection against man-in-the-middle attacks by ensuring data sent from the browser to the website cannot be intercepted and viewed by third parties.
HTTPS websites are now used by a large number of businesses, especially e-commerce website owners. This has become increasingly important since search engines such as Google Chrome provide clear indications to Internet users that sites may not be secure if the connection is not encrypted.
This is all good of course, but there is one caveat. Users have been told to look for the green padlock to make sure a site is secure, but the green padlock is viewed by many Internet users as a sign that the site is secure and legitimate. While the former is true, the latter is not. The green padlock does not mean that the site is genuine and just because it is displayed next to the URL it does not mean the site is safe.
If the website is controlled by a cybercriminal, all the green padlock means is that other cybercriminals will not be able to intercept data. Any information entered on the website will be divulged to the criminal operating that site.
It stands to reason for HTTPS phishing websites to be used. If Internet users are aware that HTTPS means insecure, they will be less likely to enter sensitive information if the green padlock is not present. Unfortunately, free SSL certificates can easily be obtained to turn HTTP sites into HTTPS phishing websites.
According to PhishLabs, back in Q1, 2016, fewer than 5% of phishing websites used HTTPS. By Q3, 2016, the percentage started to rise sharply. By Q1, 2017, the percentage had almost reached 10%, and by Q3, 2017, a quarter of phishing websites were using HTTPS. The 30% milestone was passed around Q1, 2018, and at the end of Q3, 2018, 49% of all phishing sites were using HTTPS.
A PhishLabs survey conducted late last year clearly highlighted the lack of understanding of the meaning of the green padlock. 63% of consumers surveyed viewed the green padlock as meaning the website was legitimate, and 72% saw the website as being safe. Only 18% of respondents correctly identified the green padlock as only meaning communications with the website were encrypted.
It is important for all Internet users to understand that HTTPS phishing websites not only exist, but before long the majority of phishing websites will be on HTTPS and displaying the green padlock. A conversation about the true meaning of HTTPS is long overdue and it is certainly something that should be covered in security awareness training sessions.
It is also now important for businesses to deploy a web filtering solution that is capable of SSL inspection – The decryption, scanning, and re-encryption of HTTPS traffic to ensure that access to these malicious websites is blocked. In addition to reading content and assessing websites to determine whether they are malicious, SSL inspection ensures site content can be categorized correctly. This ensures that sites that violate a company’s acceptable usage policies are blocked.
There is a downside to using SSL inspection, and that is the strain placed on CPUs and a reduction in Internet speeds. SSL inspection is therefore optional with many advanced web filters. To ensure that the strain is reduced, IT teams should use whitelisting to prevent commonly used websites from being subjected to SSL filtering.
WebTitan Includes SSL Filtering to Block HTTPS Phishing Websites
WebTitan is a powerful web filtering solution for SMBs and managed service providers (MSPs) that provides protection against web-based threats. There are three products in the WebTitan family – WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for Wi-Fi; all of which include SSL filtering as standard. If SSL filtering is activated, users will be protected against HTTPS phishing websites and other malicious sites that have SSL certificates.
All WebTitan products can be installed in minutes, require no technical knowledge, and have been designed to be easy to use. An intuitive user interface places all information, settings, and reports at users’ fingertips which makes for easy enforcement of acceptable Internet usage polices and fast reporting to identify potential issues – employees browsing habits and users that are attempting to bypass filtering controls for instance.
Whether you are an MSP that wants to start offering web filtering to your clients or a SMB owner that wants greater protection against web-based threats, the WebTitan suite of products will provide all the features you need and will allow you to improve security and employee productivity, reduce legal liability, and create a safe browsing environment for all users of your wired and wireless networks.
For further information on WebTitan, details of pricing, web filtering advice, to book a product demonstration, or to register for a free trial of the product, contact TitanHQ today.
A California wildfire scam is circulating that requests donations to help the victims of the recent wildfires. The emails appear to come from the CEO of a company and are directed at its employees in the accounts and finance department.
It should come as no surprise that cybercriminals are taking advantage of yet another natural disaster and are attempting to con people into giving donations. Scammers often take advantage of natural disasters to pull on the heart strings and defraud businesses. Similar scams were conducted in the wake of the recent hurricanes that hit the United States and caused widespread damage.
The California wildfire scam, identified by Agari, is a form of business email compromise (BEC) attack. The emails appear to have been sent by the CEO of a company, with his/her email address used to send messages to company employees. This is often achieved by spoofing the email address although in some cases the CEO’s email account has been compromised and is used to send the messages.
The California wildfire scam contains one major red flag. Instead of asking for a monetary donation, the scammers request money in the form of Google play gift cards. The messages request the redemption codes be sent back to the CEO by return.
The emails are sent to employees in the accounts and finance departments and the emails request that the money be sent in 4 x $500 denomination gift cards. If these are sent back to the CEO, he/she will then forward them on to company clients that have been affected by the California wildfires.
The reason Google play gift cards are requested is because they can easily be exchanged on darknet forums for other currencies. The gift cards are virtually impossible to trace back to the scammer.
The messages are full of grammatical errors and spelling mistakes. Even so, it is another sign that the messages are not genuine. However, scams such as this are sent because they work. Many people have been fooled by similar scams in the past.
Protecting against scams such as this requires a combination of technical controls, end user training, and company policies. An advanced spam filtering solution should be used – SpamTitan for instance – to prevent messages such as these from reaching inboxes. SpamTitan checks all incoming emails for spam signatures and uses advanced techniques such as heuristics, machine learning, and Bayesian analysis to identify advanced and never-before-seen phishing attacks.
End user training is essential for all employees, especially those with access to corporate bank accounts. Those individuals are often targeted by scammers. Policies should be introduced that require all requests for changes to bank accounts, atypical payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are authorized.
A combination of these measures will help to protect businesses from BEC attacks and other email scams.
A previously unseen malware variant, dubbed the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. The new malware threat has been strongly linked to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednet, Strontium – that has links to the Russian government.
The Cannon Trojan is being used to gather information on potential targets, collecting system information and taking screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of installing further malware variants onto a compromised system.
The new malware threat is stealthy and uses a variety of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates via email over SMTPs and POP3S.
Once installed, an email is sent over SMTPS through port 465 and a further two email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively rare. One advantage offered by this method of communication is it is more difficult to identify and block that HTTP/HTTPS.
The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being distributed via spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.
The Lion Air spear phishing campaign appears to provide information on the victims of the crash, which the email claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to view the contents of the document. It is claimed that the document was created in an earlier version of Word and content must be enabled for the file to be displayed. Opening the email and enabling content would trigger the macro to run, which would then silently download the Cannon Trojan.
Rather than the macro running and downloading the payload straightaway, as an anti-analysis mechanism, the attackers use the Windows AutoClose tool to delay completion of the macro routine until the document is closed. Only then is the Trojan downloaded. Any sandbox that analyzes the document and exits before closing the document would be unlikely to identify it as malicious. Further, the macro will only run if a connection with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.
The techniques used by the attackers to obfuscate the macro and hide communications make this threat difficult to detect. The key to preventing infection is blocking the threat at source and preventing it from reaching inboxes. The provision of end user training to help employees identify threats such as emails with attachments from unknown senders is also important.
Enhance Protection Against Zero-Day Malware and Spear Phishing
TitanHQ has developed a powerful anti-phishing and anti-spam solution that is effective at blocking advanced persistent threats and zero-day malware, which does not rely on signature-based detection methods. While dual anti-virus engines offer protection against 100% of known malware, unlike many other spam filtering solutions, SpamTitan uses a variant of predictive techniques to identify previously unseen threats and spear phishing attacks.
Greylisting is used to identify domains used for spamming that have yet to be blacklisted. All incoming emails are subjected to Bayesian analysis, and heuristics are used to identify new threats.
To further protect against phishing attacks, URIBL and SURBL protocols are used to scan embedded hyperlinks. SpamTitan also scans outbound mail to prevent abuse and identify attempted data theft.
For further information on SpamTitan, to book a product demonstration, or to sign up for a free trial of the full product, contact the TitanHQ team today.
There has been an increase in malspam campaigns spreading Emotet malware in recent weeks, with several new campaigns launched that spoof financial institutions – the modus operandi of the threat group behind the campaigns.
The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is downloaded. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website where the Word document is downloaded.
Various social engineering tricks have been used in these campaigns. One new tactic that was identified by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email appear benign.
According to Cofense, the campaign delivers Emotet malware, although Emotet in turn downloads a secondary payload. In past campaigns, Emotet has been delivered along with ransomware. First, Emotet steals credentials, then the ransomware is used to extort money from victims. In the latest campaign, the secondary malware is the banking Trojan named IcedID.
A further campaign has been detected that uses Thanksgiving themed spam emails. The messages appear to be Thanksgiving greetings for employees, and similarly contain a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to aid the deception and include the user’s name. In this campaign, while the document downloaded appears to be a Word file, it is actually an XML file.
Emotet malware has been updated recently. In addition to stealing credentials, a new module has been added that harvests emails from an infected user. The previous 6 months’ emails – which include subjects, senders, and message content – are stolen. This new module is believed to have been added to improve the effectiveness of future phishing campaigns, for corporate espionage, and data theft.
The recent increase in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind these campaigns, highlight the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide protection against email attacks.
Phishing campaigns target a weak link in security defenses: Employees. It is therefore important to ensure that all employees with corporate email accounts are taught how to recognize phishing threats. Training needs to be ongoing and should cover the latest tactics used by cybercriminals to spread malware and steal credentials. Employees are the last line of defense. Through security awareness training, the defensive line can be significantly strengthened.
As a frontline defense, all businesses and organizations should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is required to provide protection against more sophisticated email attacks.
SpamTitan is an advanced email filtering solution that uses predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.
In addition to scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to identify emerging threats. Greylisting is used to identify and block large scale spam campaigns, such as those typically conducted by the threat actors spreading banking Trojans and Emotet malware.
How SpamTitan Protects Businesses from Email Threats
A web filter – such as WebTitan – adds an additional layer of protection against web-based attacks by preventing end users from visiting malicious websites where malware is downloaded. A web filter assesses all attempts to access web content, checks sites against blacklists, assesses the domain, scans web content, and blocks access to sites that violate its policies.
For further information on how you can improve your defenses against web-based and email-based attacks and block malware, ransomware, botnets, viruses, phishing, and spear phishing attacks, contact TitanHQ today.
Office 365 has many benefits, so it is no surprise that it is proving so popular with businesses, but one common complaint is the number of spam and malicious emails that sneak past Microsoft’s defenses. If you have a problem with spam and phishing emails still being delivered to your end users, there is an easy solution to improve the Office 365 spam filter and block more threats.
Office 365 Email Protection
More than 155 million commercial users are now on Office 365 and that figure is growing at a rate of around 3 million users per month. Unfortunately, the popularity of Office 365 has made it a target for hackers, who are testing their campaigns in their own Office 365 environments to make sure their malspam messages are delivered. Businesses using Office 365 are being sought out and attacked.
Microsoft has been proactively taking steps to improve the Office 365 spam filter to make it more effective at blocking spam and phishing attempts. Office 365 phishing protections have been improved and more malicious emails are now being blocked; however, even with the recent anti-phish enhancements, many businesses still have to deal with an unacceptable volume of spam, phishing emails are still reaching inboxes, and malware is sneaking past Office 365 protections.
Office 365 Spam Protection
Office 365 provides a reasonable level of protection from spam. You can expect Microsoft to block around 99% of all spam emails. While that figure is good, the 1% that are not blocked can amount to a sizeable number of emails. Around 4.5 billion email messages are sent each day and around 46% of those messages are spam. Each inbox may only receive a handful of spam messages but each message that has to be opened, checked, and dealt with by employees is a drain on productivity.
Office 365 Phishing Protection
Spam is a nuisance, but it does not typically pose a threat to businesses. Malspam on the other hand certainly does. Malspam is the name given to spam email that is used for malicious purposes, such as scam and phishing emails and when spam messages are used to distribute malware. This is an area where default Microsoft Office email protection falls short of requirements for many businesses.
Businesses using Office 365 as a hosted email solution are likely to have their email filtered using Exchange Online Protection (EOP). EOP is included in an Office 365 subscription and it does a reasonable job of blocking spam, phishing emails, and malware. Given the number of email-based attacks that are now being conducted by cybercriminals, and the high costs of dealing with those attacks, being ‘reasonably’ well protected from malspam is simply not good enough.
Many businesses have found that EOP blocks basic phishing attacks but comes up short at blocking more advanced email threats such as spear phishing and advanced persistent threats. EOP is best at blocking large scale phishing campaigns where attackers use huge email lists and ‘spray and pray’ tactics. These tried and tested techniques are becoming less effective thanks to improvements in spam filtering.
The relatively poor return on these scams has seen many threat actors invest more time in their campaigns and develop new methods of attack. There is a growing trend for more targeted attacks using more sophisticated phishing methods. EOP is not very effective at blocking these types of phishing attacks. One study conducted by Avanan showed 25% of phishing emails were delivered to inboxes and were not blocked by EOP. These targeted attacks are also being conducted on SMBs, not just on large enterprises.
To improve the Office 365 spam filter, you can upgrade to Advanced Threat Protection (APT), the second level of protection for Office 365 offered by Microsoft. The level of protection is much better with this paid service, although APT is still not effective at blocking zero-day threats and falls short of the level of protection provided by most third-party anti-spam and anti-phishing solutions for Office 365. A SE Labs study conducted in the summer of 2017 found that even with the additional level of protection, which is only available in the Office 365 E5 license tier, protection only ranked in the low-middle of the market.
Office 365 Malware Protection
An Osterman Research study showed EOP eliminates 100% of known malware threats but is not nearly as effective at identifying zero-day threats. New malware variants are now being released at a rate of around 350,000 a day, according to AV-TEST.
These new malware threats are a serious risk. If they are not detected as malicious and are delivered to inboxes, malicious attachments can be opened by employees. You can train your workforce to be more security aware, but it is unreasonable to expect every employee to be able to identify every malicious message and act appropriately. Mistakes are inevitable. Those mistakes can be extremely costly. According to the 2019 Ponemon Institute/IBM Security Cost of a Data Breach Study, the global average cost of a data breach is $4.88 million and $8.19 million in the United States!
The number of cases of hackers exploiting vulnerabilities in Office 365 and the volume of direct attacks on Office 365 users have seen an increasing number of businesses turning to third-party email protection solutions for Office 365. These solutions are layered on top of EOP and greatly improve Office 365 spam filter capabilities.
There is another reason why it is wise to choose a third-party solution to improve Office 365 email protection rather than opting for Microsoft’s APT. It is important to have layered defenses to protect against cyberattacks, and while layers can be added through the same company, it pays not to put all your eggs in one basket. When businesses have their email on-premises, they typically have many layers to their defenses, and they do not all come from the same solution provider. If a threat is not detected by one solution provider, there is more chance of it being detected by another solution provider than another solution from the same company. The same thinking should be applied to your cloud-hosted Office 365 environment.
An Easy Way to Improve the Office 365 Spam Filter
Businesses that want to further improve the Office 365 spam filter (and those looking for an Office 365 Advanced Threat Protection alternative) need to consider implementing a third-party anti-spam solution.
Fortunately, there is a solution that will not only improve Office 365 spam filtering, it is quick and easy to implement, requires no software downloads, and no hardware purchases are necessary. In fact, it can be implemented, configured, and be up and running in a few minutes.
SpamTitan is a powerful cloud-based email security solution that has been developed to provide superior protection against spam, phishing, malware, zero-day attacks, and data loss via email.
In contrast to the Office 365 spam filter, SpamTitan uses predictive techniques such as Bayesian analysis, machine learning, and heuristics to block zero-day attacks, advanced persistent threats, new malware variants, and new spear phishing methods.
SpamTitan searches email headers, analyzes domains, and scans email content to identify phishing threats. Embedded hyperlinks, including shortened URLs, are scanned in real time and subjected to multiple URL reputation checks, while dual antivirus engines scan and block 100% of known malware. SpamTitan also includes sandboxing, where potentially malicious files and programs can be subjected to in-depth analysis in safety. In the sandbox, files are analyzed for malicious actions and C2 server callbacks.
SpamTitan also incorporates data loss prevention tools for emails and attachments, which are not available with EOP. Users can create tags for keywords and data elements such as Social Security numbers to protect against theft by insiders. SpamTitan also serves as a backup for your mail server to ensure business continuity.
With SpamTitan you get a greater level of protection against spam and malicious emails, a higher spam catch rate (over 99.9%), greater granularity, improved control over outbound email, and better business continuity protections.
If you have transitioned to Office 365 yet are still having problems with spam, phishing, and other malicious emails, or if you are an MSP that wants to offer your clients enhanced Office 365 email security, contact the TitanHQ team today.
The TitanHQ team will be happy to schedule a personalized product demonstration and help you put SpamTitan through the paces in your own environment in a no-obligation free trial.
FAQs on Improving the Office 365 Spam Filter
How does SpamTitan differ from the Office 365 spam filter?
SpamTitan has many advanced features not included in Office 365 and provides a defense in depth approach against malware, phishing and other email threats. SpamTitan include predictive techniques such as Bayesian analysis, heuristics, and machine learning to block new threats, dual AV engines and sandboxing to block malware threats, data leak prevention measures, dedicated RBLs as standard, and allows customized policies to be created for users, domains, domain groups, and the overall system, along with many more features to improve protection for Office 365 environments.
How does sandboxing work?
SpamTitan incorporates a powerful, next-generation sandbox solution. Suspicious messages that pass initial checks are sent to the sandbox for in-depth analysis to identify any malicious actions such as C2 callbacks. If these checks are passed, the message is delivered, if malicious activity is detected, the message will be quarantined or deleted, depending on the policy set by the administrator. Sandboxing is essential for blocking zero-day malware threats.
Why is it necessary to scan outbound emails?
If spam or malicious emails are sent from your mailboxes, you are likely to have your IP added to a spam blacklist and your emails may not be delivered. Outbound scanning can quickly detect a compromised inbox or rogue employee and block outbound emails before any harm is caused. Rules can be set to prevent certain attachments from being sent and data elements can be tagged to protect against data leaks.
How does SpamTitan protect against email spoofing attacks?
SpamTitan supports DKIM signing and incorporates the DMARC (Domain-based Message Authentication, Reporting and Conformance) email-validation system, which has been designed to detect and block email spoofing attacks. A DNS TXT record is used to create an overall policy governing SPF and DKIM, allowing you to accept messages, quarantine them, or reject them if they fail the DMARC check.
How much does SpamTitan Cost and are there any discounts?
The cost of SpamTitan varies depending on the number of mailboxes you want to protect and the length of the contract, with sizable discounts offered to organizations that commit to a 2- or 3-year term. The easiest way to find out how much SpamTitan is likely to cost is to use our cost calculator.
Email archiving for MSPs is an often-overlooked service that can add value and improve profits. Email archiving is easy to implement and manage, has a high margin, generates regular additional income, and should be an easy sell to clients.
In this post we explore the benefits for clients and MSPs and explain why email archiving for MSPs and their clients is a win-win.
Benefits of Email Archiving for SMBs
Email archiving is now important for organizations of all sizes, from SMBs to the largest enterprises. Huge volumes of emails are sent and received on a daily basis and copies of those emails need to be stored, saved, and often retrieved. Storage of emails in mailboxes poses problems. The storage space required for emails and attachments can be considerable, which means hardware must be purchased and maintained. In terms of security, storing large volumes of emails in mailboxes is never a good idea.
Storing emails in backups is an option, although it is far from ideal. Space is still required and recovering emails when they are needed is a major headache as backup files are not indexed and searching for messages can be extremely time consuming.
An email archive on the other hand is indexed and searchable and emails can be quickly and easily retrieved on demand. If there is a legal dispute or when an organization needs to demonstrate compliance – with GDPR or HIPAA for example – businesses need to be able to recover emails quickly and easily. An email archive also provides a clear chain of custody, which is also required for compliance with many regulations.
Cloud-based archives offer secure storage for emails with no restrictions on storage space. Cloud storage is highly scalable and emails can be easily retrieved from any location. In short, email archiving can improve efficiency, enhance security, lower costs, and is an invaluable compliance tool.
Benefits of Email Archiving for MSPs
Given the benefits of email archiving it should be an easy sell for MSPs, either as Office 365 archiving-as-a-service as an add-on or incorporated into existing email packages to offer greater value and make your packages stand out from those of your competitors.
As an add-on service, Office 365 archiving-as-a-service will generate regular income for very little effort and will improve the meager returns from simply offering Office 365 to your clients. As part of a package it can help you to attract more business.
ArcTitan –Email Archiving for MSPs Made Simple
TitanHQ is a leading provider of cloud-based security solutions for MSPs. All TitanHQ products – SpamTitan, WebTitan and ArcTitan SaaS email archiving – have been developed to specifically meet the needs of MSPs.
ArcTitan is an easy to implement email archiving solution that can be easily integrated into MSPs service stacks, allowing them to provide greater value to clients and make email services a much more lucrative offering. On that front, TitanHQ is able to offer generous margins on ArcTitan for MSPs.
ArcTitan Benefits for MSPs
Easy to implement
No hardware required
No software downloads necessary
Highly scalable email archiving
Secure, cloud-based storage with an easy to use centralized management system
Improves profitability of Office 365
Easy for clients to use
Great margins for MSPs
Supplied with a full suite of APIs for easy integration
Usage-based pricing and monthly billing – You only pay for active mailboxes
Fully rebrandable – ArcTitan can be supplied in white-label form ready for your own branding
World class customer service and support
Slashes the time and cost of eDiscovery other formal searches
Protection for email from cyberattacks
Eliminate PSTs and other security risks
Facilitates policy-based access rights and role-based access
Seamless integration with Outlook
Supports, single sign-on
Save and combine searches
Perform multiple searches simultaneously
Limits IT department involvement in finding lost email – users can access their own archived email
Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
If you have yet to start offering email archiving to your clients or if you are unhappy with your current provider, contact the TitanHQ MSP team today for full ArcTitan product information, details of pricing, and further information on our TitanShield MSP program.
A new Dharma ransomware variant has been developed that is currently evading detection by the majority of antivirus engines. According to Heimdal Security, the latest Dharma ransomware variant captured by its researchers was only detected as malware by one of the 53 AV engines on VirusTotal.
Dharma ransomware (also known as CrySiS) first appeared in 2006 and is still being developed. This year, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been detected.
The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.
While free decryptors for Dharma ransomware have been developed, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete. Infection with the latest variants of the ransomware threat only give victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.
The latter is not an option given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can delete shadow copies. Payment of a ransom is not advised as there is no guarantee that files can or will be decrypted.
Protecting against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly conducted via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and via email malspam campaigns.
The latest Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections occur via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is obtained, the malicious payload is deployed.
While it is not exactly clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.
To protect against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block login attempts after a set number of failures.
Naturally, good backup policies are essential. They will ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy stored securely off site.
To protect against email-based attacks, an advanced spam filter is required. Spam filters that rely on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are essential.
SpamTitan can improve protection for businesses through combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been uploaded to AV engines.
For further information on SpamTitan and protecting your email gateway from ransomware attacks and other threats, speak to TitanHQ’s security experts today.
Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such as serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments and click on hyperlinks and visit phishing websites.
Phishing is the Biggest Security Threat Faced by Businesses
Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.
Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.
Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.
Top Phishing Lures of 2018
Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.
Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.
In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.
Top Phishing Lures on the Cofense Platform
Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.
Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned invoice in the subject line. The other three were also finance related: Payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.
The list of the top phishing lures from phishing simulations were also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.
Rank
Phishing Subject/Theme
Number of Reported Emails
1
Attached Invoice
4,796
2
Payment Notification
2,267
3
New Message in Mailbox
2,088
4
Online Order (Attachment)
679
5
Fax Message
629
6
Secure Message (MS Office Macro)
408
7
Online Order (Hyperlink)
399
8
Confidential Scanned document (Attachment)
330
9
Conversational Wire transfer (BEC Scam)
278
10
Bill Copy
251
Top Phishing Lures on the KnowBe4 Platform
KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing attempted on businesses that were reported to IT security departments.
The most common real-world phishing attacks in Q3 were:
Rank
Subject
1
You have a new encrypted message
2
IT: Syncing Error – Returned incoming messages
3
HR: Contact information
4
FedEx: Sorry we missed you.
5
Microsoft: Multiple log in attempts
6
IT: IMPORTANT – NEW SERVER BACKUP
7
Wells Fargo: Irregular Activities Detected on Your Credit Card
8
LinkedIn: Your account is at risk!
9
Microsoft/Office 365: [Reminder]: your secured message
10
Coinbase: Your cryptocurrency wallet: Two-factor settings changed
The most commonly clicked phishing lures in Q3 were:
Rank
Subject
% of Emails Clicked
1
Password Check Required Immediately
34%
2
You Have a New Voicemail
13%
3
Your order is on the way
11%
4
Change of Password Required Immediately
9%
5
De-activation of [[email]] in Process
8%
6
UPS Label Delivery 1ZBE312TNY00015011
6%
7
Revised Vacation & Sick Time Policy
6%
8
You’ve received a Document for Signature
5%
9
Spam Notification: 1 New Messages
4%
10
[ACTION REQUIRED] – Potential Acceptable Use Violation
4%
The Importance of Blocking Phishing Attacks at their Source
If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.
Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.
SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.
SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to end spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.
Improve Office 365 Email Security with SpamTitan
There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.
Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.
To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.
A new Office 365 threat has been detected that stealthily installs malware by hiding communications and downloads by abusing legitimate Windows components.
New Office 365 Threat Uses Legitimate Windows Files to Hide Malicious Activity
The attack starts with malspam containing a malicious link embedded in an email. Various themes could be used to entice users into clicking the link, although one recent campaign masquerades as emails from the national postal service in Brazil.
The emails claim the postal service attempted to deliver a package, but the delivery failed as there was no one in. The tracking code for the package is included in the email and the user is requested to click the link in the email to receive the tracking information.
In this case, clicking the link will trigger a popup asking the user to confirm the download of a zip file, which it is alleged contains the tracking information. If the zip file is extracted, the user is required to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes a Windows Management Instrumentation (WMI) file: wmic.exe. This legitimate Windows file will be used to communicate with the attacker’s C2 server and will create a copy of another Windows file – certutil.exe in the %temp% folder with the name certis.exe. A script then runs which instructs the certis.exe file to connect to a different C2 server to download malicious files.
The aim of this attack is to use legitimate Windows files to download the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload undetected.
These Windows files have the capability to download other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users as other threat actors have also adopted this tactic to install malware.
Due to the difficultly distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an office 365 threat such as this is easiest at the initial point of attack: Preventing the malicious email from being delivered to an inbox and providing security awareness training to employees to help them identify this Office 365 threat. The latter is essential for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will prevent the last line of defense from being tested.
How to Block this Office 365 Threat with SpamTitan and Improve Email Security
Microsoft uses several techniques to identify malspam and prevent malicious messages from reaching users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still delivered.
To improve Office 365 security, a third-party spam filtering solution should be used. SpamTitan has been developed to allow easy integration into Office 365 and provides superior protection against a wide range of email threats.
SpamTitan uses a variety of methods to prevent malspam from being delivered to end users’ inboxes, including predictive techniques to identify threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and prevent malicious emails from reaching inboxes.
How SpamTitan Protects Businesses from Email Threats
Security Solutions for MSPs to Block Office 365 Threats
Many MSPs resell Office 365 licenses to their customers. Office 365 allows MSPs to capture new business, but the margins are small. By offering additional services to enhance Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while improving the profitability of Office 365.
TitanHQ has been developing innovative email and web security solutions for more than 25 years. Those solutions have been developed from the ground up with MSPs for MSPs. Three solutions are ideal for use with Office 365 for compliance ad to improve security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.
By incorporating these solutions into Office 365 packages, MSPs can provide clients with much greater value as well as significantly boosting the profitability of offering Office 365.
To find out more about each of these solutions, speak to TitanHQ. The MSP team will be happy to explain how the products work, how they can be implemented, and how they can boost margins on Office 365.
Financial institutions, healthcare organizations and universities have seen an increase in cyberattack in recent months, but there has also been an increase in phishing attacks on publishers and literary scouting agencies.
Any business that stores sensitive information that can be monetized is at risk of cyberattacks, and publishers and literary scouting agencies are no exception. Like any employer, scouting agencies and publishers store sensitive information such as bank account numbers, credit card details, Social Security numbers, contract information, and W-2 Tax forms, all of which carry a high value on the black market. The companies also regularly make wire transfers and are therefore targets for BEC scammers.
However, in a somewhat new development, there have been several reports of phishing attacks on publishers and literary scouting agencies that attempt to gain access to unpublished manuscripts and typescripts. These are naturally extremely valuable. If an advance copy of an eagerly awaited book can be obtained before it is published, there will be no shortage of fans willing to pay top dollar for a copy. Theft of manuscripts can result in extortion attempts with ransoms demanded to prevent their publication online.
2018 has seen a significant increase in phishing attacks on publishers and literary scouting agencies. Currently, campaigns are being conducted by scammers that appear to have a good understanding of the industry. Highly realistic and plausible emails are being to publishing houses and agencies which use the correct industry terminology, which suggests they are the work of an industry insider.
One current campaign is spoofing the email account of Catherine Eccles, owner of the international literary scouting agency Eccles Fisher. Emails are being sent using Catherine Eccles’ name, and include her signature and contact information. The messages come from what appears to be her genuine email account, although the email address has been spoofed and replies are directed to an alternative account controlled by the scammer. The messages attempt to get other literary agencies to send manuscripts via email or disclose their website passwords.
An increase in phishing attacks on publishers on both sides of the Atlantic have been reported, with the threat already having prompted Penguin Random House North America to send out warnings to employees to alert them to the threat. According to a recent report in The Bookseller, several publishers have been targeted with similar phishing schemes, including Penguin Random House UK and Pan Macmillan.
Protecting against phishing attacks requires a combination of technical solutions, policies and procedures, and employee training.
Publishers and scouting agencies should deploy software solutions that can block phishing attacks and prevent malicious emails from being delivered to their employees’ inboxes.
SpamTitan is a powerful anti-phishing tool that blocks 99.97% of spam emails and 100% of known malware. DMARC email-validation is incorporated to detect email spoofing and prevent malicious emails from reaching employees’ inboxes.
End user training is also essential to raise awareness of the risks of phishing. All staff should be trained how to recognize phishing emails and other email threats to ensure they do not fall for these email scams.
If you run a publishing house or literary scouting agency and are interested in improving your cyber defenses, contact the TitanHQ team today for further information on cybersecurity solutions that can improve your security posture against phishing and other email and web-based threats.
Hackers have been going back to school and entering higher education. Quite literally in fact, although not through conventional channels. Entry is gained through cyberattacks on universities, which have increased over the course of the past 12 months, according to figures recently released by Kaspersky Lab.
Cyberattacks on Universities on the Rise
Credit cards information can be sold for a few bucks, but universities have much more valuable information. As research organizations they have valuable proprietary data. The results of research studies are particularly valuable. It may not be possible to sell data as quickly as credit cards and Social Security numbers, but there are certainly buyers willing to pay top dollar for valuable research. Nation state sponsored hacking groups are targeting universities and independent hacking groups are getting in on the act and conducting cyberattacks on universities.
There are many potential attack vectors that can be used to gain access to university systems. Software vulnerabilities that have yet to be patched can be exploited, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be conducted to guess passwords. However, phishing attacks on universities are commonplace.
Phishing is often associated with scams to obtain credit card information or login credentials to Office 365 accounts, with businesses and healthcare organizations often targeted. Universities are also in the firing line and are being attacked.
The reason phishing is so popular is because it is often the easiest way to gain access to networks, or at least gain a foothold for further attacks. Universities are naturally careful about guarding their research and security controls are usually deployed accordingly. Phishing allows those controls to be bypassed relatively easily.
A successful phishing attack on a student may not prove to be particularly profitable, at least initially. However, once access to their email account is gained, it can be used for further phishing attacks on lecturers for example.
Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to valuable research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide range of secondary attacks.
Email-based attacks can involve malicious attachments that deliver information stealing malware such as keyloggers, although many of the recent attacks have used links to fake university login pages. The login pages are exact copies of the genuine login pages used by universities, the only difference being the URL on which the page is located.
More than 1,000 Phishing Attacks on Universities Detected in a Year
According to Kaspersky Lab, more than 1,000 phishing attacks on universities have been detected in the past 12 months and 131 universities have been targeted. Those universities are spread across 16 countries, although 83/131 universities were in the United States.
Preventing phishing attacks on universities, staff, and students requires a multi layered approach. Technical controls must be implemented to reduce risk, such as an advanced spam filter to block the vast majority of phishing emails and stop them being delivered to end users. A web filtering solution is important for blocking access to phishing websites and web pages hosting malware. Multi-factor authentication is also essential to ensure that if account information is compromised or passwords are guessed, an additional form of authentication is required to access accounts.
As a last line of defense, staff and students should be made aware of the risk from phishing. Training should be made available to all students and cybersecurity awareness training for researchers, lecturers, and other staff should be mandatory.
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently formed a strategic partnership with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.
The partnership has seen TitanHQ’s advanced web filtering technology incorporated into the Datto Networking Appliance to ensure all users benefit from reliable and secure internet access.
TitanHQ’s web filtering technology provides enhanced protection from web-based threats while allowing acceptable internet usage policies to be easily enforced for all users at the organization, department, user group, or user level.
On October 18, 2018, Datto and TitanHQ will be hosting a webinar to explain the enhanced functionality of the Datto Networking Appliance to MSPs, including a deep dive into the new web filtering technology.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
Speakers: John Tippett, VP, Datto Networking; Andy Katz, Network Solutions Engineer; Rocco Donnino, EVP of Strategic Alliances, TitanHQ
In 2015, Anthem Inc., experienced a colossal data breach. 78.8 million health plan records were stolen. This year, the health insurer settled a class action data breach for $115 million and OCR has now agreed a $16 million Anthem data breach settlement.
It Started with a Spear Phishing Email…
The Anthem data breach came as a huge shock back in February 2015, due to the sheer scale of the breach. Healthcare data breaches were common, but the Anthem data breach in a different league.
Prior to the announcement, the unenviable record was held by Science Applications International Corporation, a vendor used by healthcare organizations, that experienced a 4.9 million record breach in 2011. The Anthem data breach was on an entirely different scale.
The hacking group behind the Anthem data breach was clearly skilled. Mandiant, the cybersecurity firm that assisted with the investigation, suspected the attack was a nation-state sponsored cyberattack. The hackers managed to gain access to Anthem’s data warehouse and exfiltrated a huge volume of data undetected. The time of the initial attack to discovery was almost a year.
While the attack was sophisticated, a foothold in the network was not gained through an elaborate hack or zero-day exploit but through phishing emails.
At least one employee responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the attackers the entry point they needed to launch a further attack and gain access to Anthem’s health plan member database.
The Anthem Data Breach Settlement is the Largest Ever Penalty for a Healthcare Data Breach
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates healthcare data breaches that result in the exposure or theft of 500 or more records. An in-depth investigation of the Anthem breach was therefore a certainty given its scale. A penalty for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare organizations to safeguard health data. The scale of the breach also made it likely that it would result in the largest ever penalty for a healthcare data breach.
Before the Anthem data breach settlement, the largest penalty for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that amount, which reflected the seriousness of the breach, the number of people impacted, and the extent to which HIPAA Rules were alleged to have been violated.
OCR alleged that Anthem Inc., had violated five provisions of HIPAA Rules, and by doing so failed to prevent the breach and limit its severity. The Anthem data breach settlement was however agreed with no admission of liability.
The regulatory fine represents a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple lawsuits in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.
The class action settlement document indicated Anthem had already paid $2.5 to consultants in the wake of the breach, $31 million was spent mailing notification letters, $115 million went on improvements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan members.
With the $115 million class action settlement and the $16 million OCR settlement, that brings the total cost of the Anthem data breach to $391.5 million.
At $391.5 million, that makes this the most expensive healthcare phishing attack by some distance and the cost clearly highlights just how important it is to adopt a defense-in-depth strategy to protect against phishing attacks.
Police in Iceland have said a highly sophisticated phishing attack is the largest ever cyberattack the country has ever experienced. The campaign saw thousands of messages sent that attempted to get Icelanders to install a remote access tool that would give the attackers full access to their computers.
The software used in this campaign is a legitimate remote access tool called Remcos. Remcos is used to allow remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptop computers. However, while it was developed for legitimate use, because it gives the administrator full control over the computer once installed, it has significant potential to be used for malicious purposes. Unsurprisingly, Remcos has been used by cybercriminals in several malware campaigns in the past, often conducted via spear phishing campaigns. One notable attack involved the spoofing of the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT installed to provide access to victim’s computers.
The use of Remcos for malicious purposes violates the terms and conditions of use. If discovered, the developer can block the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive information, installation of malicious software, and file encryption with ransomware to name but a few.
As was the case in Turkey, the phishing campaign in Iceland attempted to fool end users into installing the program through deception. In this case, the emails claimed to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and download the remote access tool.
The emails informed the recipients that they were required to visit the police for questioning. Urgency was added by informing the recipient of the message that an arrest warrant would be issued if they failed to respond. Clicking the link in the email directed the user to what appeared to be the correct website of the Icelandic police. The website was a carbon copy of the legitimate website and required the visitor to enter their Social Security number along with an authentication code sent in the email to find out more information about the police case.
In Iceland, Social Security numbers are often required on websites to access official services, so the request would not appear unusual. On official websites, Social Security numbers are checked against a database and are rejected if they are not genuine. In this case, the attacker was also able to check the validity of the SSN, which means access to a database had been gained, most likely an old database that had been previously leaked or the attacker may have had legitimate access and misused the database.
After entering the information, a password protected archive was downloaded which allegedly contained documents with details of the case. The webpage provided the password to unlock the password protected archive, which contained a .scr file disguised as a Word document.
In this case, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password stealing capabilities and was used to steal banking credentials. After gaining access to banking credentials, the information was sent back to command and control servers in Germany and the Netherlands.
While the campaign looked entirely legitimate, a common trick was used to fool recipients of the email, which number in the thousands. The domain used in the attack closely resembled the official police website, logreglan.is but contained a lower case i instead of the second l – logregian.is. A casual glance at the sender of the email or the domain name in the address bar would unlikely reveal the domain was not genuine. Further, the link in the email replaced the lower case i with a capital I, which is almost impossible to distinguish from a lower-case L.
The Icelandic police responded quickly to the attack and the malicious domain was taken down the following day. It is unknown how may people fell for the scam.
A new sextortion scam has been detected that attempts to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of a hacker. This email scam is highly convincing, contains a worrying threat, and demands payment to prevent the release of potentially damaging information.
In the message body, the user is told that their computer has been hacked. The hacker installed a virus on the computer when the user visited an adult website. The virus allowed the hacker to gain access to sensitive information on the computer, including all of the user’s passwords, gave the attacker full control of the webcam and access to websites that were visited in real time.
While the user was visiting pornographic websites, the webcam was recording and sending the video footage to the hacker. The hacker was also taking screenshots of the content that was being viewed at the time. The hacker claims to have synced the website content with the webcam footage and has produced an very embarrassing video, stating “Your tastes are so weird.”
The hacker threatens to send that video to all of the user’s contacts, friends, family, and their partner via email. The video will also be posted on social media websites. To avoid that potentially disastrous scenario, the hacker demands payment must be made in Bitcoin. If payment is made, the hacker says the video will be permanently deleted. This scam will no doubt be familiar to viewers of Black Mirror, a recent episode of which covered a very similar sextortion scam.
Individuals receiving the email that have not visited pornographic websites or do not have a webcam will naturally be able to identify the message as a scam. However, for many individuals, the threat may seem real. Individuals that have visited questionable sites or have a lot to lose if such information is released are likely to be extremely worried about the threat.
However, this is a sextortion scam where the attacker has no leverage. There is no virus, no webcam footage, and it is an empty threat. However, it is clear that at least some recipients were not willing to take a chance. According to security researcher SecGuru, who received a version of the email in Dutch, the Bitcoin account used by the scammer had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the campaign. Now, 7 days after the first payment was made, the account shows that 1.1203 Bitcoin – $6,418 – has been paid by 15 individuals.
A similar sextortion scam was conducted in the summer which also had an interesting twist. It used an old password for the account that had been obtained from a data dump. In that case, the password was real, at least at some point in the past, which made the scam seem genuine.
In this scam, a new technique is used in addition to the inclusion of a password. The sender address has been spoofed to make it appear that the hacker has gained access to the user’s email account. The sender and recipient names in the emails are identical and show that the message has been sent from the user’s account.
A quick and easy check that can be performed to determine whether the sender name displayed in an email is the actual account that has been used, is to click forward. When this is done, the display name is shown, but so too is the actual email address that the message has been sent from. In this case, this simple check does not work, which suggests that the email has actually been sent from the user’s account.
There have been several similar scams conducted recently with a similar theme. Another similar scam includes an email attachment that the hacker claims contains the video that has been created. The file is an executable which will download malware onto the user’s device.
If you receive any such email, you should delete the message and take no further action. As a precaution, conduct a full malware scan of your computer and change your email and social media passwords.
Businesses can protect their networks against malware infections from scams such as these by implementing two cybersecurity solutions: An advanced spam filter to prevent scam emails from being delivered to end users and a web filtering solution to block malware downloads and prevent users from visiting adult websites in the workplace.
For further information of the benefits of these cybersecurity solutions, details of pricing, and to request a demo to see the solutions in action, contact the TitanHQ team today.
