Email Scams

Reports of Internet users who have been caught out by email scams continue to increase. Whether it is drivers being told to pay speeding fines via a link in an email, or Facebook users being advised that they have violated the terms of their account, innocent victims continue to be ripped off by cybercriminals using email scams.

Business email compromise scams are also reported to have increased. These email scams involve the cybercriminal gaining access to a corporate email account – such as that of the CEO. An email is then sent, apparently from the CEO, to a member of the finance department requesting a bank transfer to the cybercriminal's account. All too often the transfer is made without question.

Many email scams attempt to extract log-in credentials by asking the recipient of the email to log into an account to resolve an issue. The email contains a link to a bogus website, where the recipient keys in their username and password. In the case of the Facebook email scam, this gives the cybercriminal access to the recipient's genuine account and all their social media contacts.

Many individuals use similar username and password combinations for multiple accounts, so a cybercriminal could obtain the individual's log-in credentials to all their online accounts (personal and work accounts) from just one scam email. Alternatively, they could use the log-in credentials to infect the user's accounts with malware.

To protect against email scams, security experts advise that if you are contacted by email and asked to click a link, pay a fine, or open an attachment, you should assume it is a scam. Try to contact the individual sender or company supposed to have sent the email to confirm its authenticity. Do not use the contact information supplied in the email. Perform an Internet search to independently obtain the sender's genuine contact details.

Other measures that can be taken to protect yourself from email scams include:

  • Carefully check the sender’s email. Does it look like it is genuine?
  • Never open email attachments from someone you do not know
  • If you receive an email offering you a prize or refund, stay safe and delete the email
  • Ensure anti-virus software is installed on your computer and is up to date.
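The "check the sender's email" advice above can be turned into a mechanical triage step. The script below is an added example, not TitanHQ code or part of any product: it parses a message and reports three common scam tells, a display name that claims a brand while the address is on another domain, a Reply-To that routes replies elsewhere, and anchor text that shows one host while the link targets another. The sample messages, the brand allowlist in `KNOWN_DOMAINS` and the heuristics themselves are constructed for illustration.

```python
"""Added example (not TitanHQ's code): flag three common email-scam tells
from the headers and body of a message.  Sample messages, the brand
allowlist and the heuristics are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains a brand legitimately sends mail from.
KNOWN_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address (display name ignored)."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def host_of(url):
    """Host name of an absolute URL, or '' if the text is not a URL."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw):
    """Return a list of findings; an empty list means no tell was found."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Display name names a brand but the address is not on that brand's domain.
    for brand, domains in KNOWN_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append(f"display name claims {brand} but From domain is {from_domain}")

    # 2. Replies would go to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. Anchor text shows one host while the link target is another.
    for href, text in HREF_RE.findall(body_text(msg)):
        shown, target = host_of(text), host_of(href)
        if shown and target and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings


# Constructed sample modelled on the Facebook lure described on this page.
SCAM_MESSAGE = """\
From: Facebook Support <alerts@officesupportonline.com>
Reply-To: appeals@mail-desk.example
To: user@example.org
Subject: Your account has violated our terms
Content-Type: text/html

<p>Respond within 48 hours: <a href="http://login.mail-desk.example/fb">https://www.facebook.com/login</a></p>
"""

# Constructed sample of a message that trips none of the checks.
CLEAN_MESSAGE = """\
From: Facebook <notification@facebookmail.com>
To: user@example.org
Subject: New login to your account
Content-Type: text/plain

Review recent logins at https://www.facebook.com/settings
"""

if __name__ == "__main__":
    for finding in check_message(SCAM_MESSAGE):
        print("SCAM:", finding)
    print("clean message findings:", check_message(CLEAN_MESSAGE))
```

None of these checks is conclusive on its own (legitimate mailing platforms set a different Reply-To all the time), which is why the output is a list of findings to weigh rather than a verdict; in practice the allowlist would be fed from the organisation's own vendor list.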

Two Dozen Healthcare Email Accounts Compromised in Targeted Phishing Campaign

Many phishing campaigns involve indiscriminate emails that are sent in high volume in the hope that some recipients will respond. These campaigns tend to involve lures that are likely to be opened by as many users as possible such as missed deliveries, security warnings about unauthorized account access, and payments that will soon be applied to accounts. This spray-and-pray tactic is not nearly as effective as more tailored campaigns targeting specific types of users, and to make up for this, the campaigns involve huge volumes of messages. These campaigns are relatively easy for email security solutions to detect.

Phishing campaigns that target employees in a single organization can be much harder to identify. The threat actor tailors the message to the organization being targeted, and even to specific employees in the organization. These campaigns often use compromised vendor email accounts, with the emails being sent from trusted domains. There is a much greater chance of these emails landing in inboxes and the emails being opened by employees. Campaigns such as this can be highly effective and often result in many email accounts in the organization being compromised.

A recent example of this type of attack and the impact it can have comes from California. ​The Los Angeles County Department of Health Services, an integrated health system that operates public hospitals and clinics in L.A. County, was targeted in a phishing campaign between February 19, 2024, and February 20, 2024. The emails appeared to have been sent by a trusted sender, landed in inboxes, and were opened by many employees. The emails contained a hyperlink that directed users to a website where they were told they needed to enter their login credentials. 23 employees fell for the scam and entered their credentials.

The credentials were captured, and the threat actor was able to access the employees’ email accounts, which contained sensitive patient data such as names, dates of birth, contact information, medical record numbers, dates of service, medical information, and health plan information. While the information exposed in the attack could not be used for identity theft – Social Security numbers were not compromised – the attacker gained access to information that could be used for medical identity theft. The patients affected could also be targeted in very convincing phishing campaigns to obtain further information such as Social Security numbers. Similar attacks have been reported by other healthcare organizations where the email accounts contained vast amounts of data, including tens of thousands of Social Security numbers and sensitive financial information.

After attacks such as this, additional security awareness training is provided to the workforce to raise awareness of the threat from phishing; however, the provision of comprehensive training regularly throughout the year will go a long way toward ensuring that attacks such as this do not succeed and that if they do, the resultant data breach is far less severe.

TitanHQ’s SafeTitan security awareness training platform allows organizations to conduct comprehensive training continuously, and since each training module is a maximum of 10 minutes, it is easy to fit the training into busy workflows. The training platform has a huge range of content, covering a broad range of threats, and when programs are run continuously and employees complete a few training modules a month, susceptibility to phishing drops considerably, especially when the SafeTitan phishing simulator is also used. The simulator includes templates taken from recent real-world phishing campaigns. If a user responds to one of these simulations, they are immediately told where they went wrong and are required to complete a training module relevant to that threat.

End-user security awareness training is an important part of your cybersecurity arsenal, but it is also vital to block as many phishing emails as possible. TitanHQ’s SpamTitan email security is an advanced, AI and machine learning-driven anti-spam solution that blocks more than 99.9% of spam email and phishing threats. The solution includes twin antivirus engines for blocking known malware, and sandboxing for blocking zero-day threats, and is a highly effective spam filter for Office 365. With SafeTitan security awareness training and an advanced Microsoft 365 spam filter from TitanHQ, businesses will be well protected from phishing threats.

All TitanHQ solutions are intuitive, easy to use, and can be set up in just a few minutes and are available on a free trial to allow you to test them out for yourself before making a purchase decision. Independent reviews from genuine users of TitanHQ solutions show SpamTitan is much loved by users. On G2 reviews, SpamTitan is consistently given 5-star reviews by end users, who rate it the best spam filter for Outlook due to its effectiveness, low cost, ease of use, and the excellent customer service from the TitanHQ team.

SafeTitan and SpamTitan are available on a free trial to allow you to test them out for yourself before making a purchase decision. Give the TitanHQ team a call today to take the first step toward improving your phishing defenses.

Financial Institutions Targeted in Phishing Campaign That Delivers the JSOutProx RAT

A phishing campaign has been running since late March that tricks people into installing a new version of the remote access trojan, JSOutProx. JSOutProx was first identified in 2019 and is a backdoor that utilizes JavaScript and .NET that allows users to run shell commands, execute files, take screenshots, control peripheral devices, and download additional malware payloads. The malware is known to be used by a threat actor tracked as Solar Spider, which mostly targets financial institutions in Central Europe, South Asia, Southeast Asia, and Africa, with the latest version of the malware also being used to target organizations in the Middle East.

The malware has mostly been used against banks and other financial institutions. Once a device is infected, the malware collects information about its environment, and based on that information the attackers download any of around 14 different plug-ins from either GitHub or GitLab. The malware can be used to control proxy settings, access Microsoft Outlook account details, capture clipboard content, and steal one-time passwords from Symantec VIP.

Like many other remote access trojans, JSOutProx is primarily delivered via phishing emails. A variety of lures have been used in the phishing emails but the latest campaign uses fake notifications about SWIFT payments in targeted attacks on financial institutions and MoneyGram payment notifications in attacks on individuals, which aim to trick the recipients into installing the malware.

The latest campaign uses JavaScript attachments that masquerade as PDF files of financial documents contained in .zip files. If the user attempts to open the fake PDF file, the JavaScript is executed deploying the malware payload. The main aim of the campaign is to steal user account credentials, gather sensitive financial documents, and obtain payment account data, which can either be used to make fraudulent transactions or be sold to other threat actors on the dark web. Email accounts are often compromised which can be leveraged in Business Email Compromise (BEC) attacks to steal funds from clients. According to VISA, “The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware.”
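The lure described above depends on a script file being taken for a document inside an archive. The following added example (not TitanHQ code) inspects the member names of a .zip attachment and reports script extensions, document extensions used as a disguise (`invoice.pdf.js`), and, going slightly beyond the page, the right-to-left override character that is sometimes used to make an extension read backwards. The archives are built in memory from constructed, harmless content; nothing is extracted or executed.

```python
"""Added example (not TitanHQ's code): triage the member names of a .zip
attachment for script payloads disguised as documents.  The archives are
constructed in memory and contain no malware."""
import io
import zipfile

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".bat", ".cmd", ".ps1", ".lnk", ".scr"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
RLO = "\u202e"   # Unicode right-to-left override


def suffixes(name):
    """All dotted suffixes of a file name, lower-cased:
    'SWIFT Payment.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_member(name):
    """Return reasons a member name is suspicious (empty list if none)."""
    reasons = []
    ext = suffixes(name)
    if ext and ext[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"{name}: executable script extension {ext[-1]}")
        if len(ext) > 1 and ext[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"{name}: document extension {ext[-2]} used to disguise a script")
    if RLO in name:
        reasons.append(f"{name!r}: right-to-left override character in file name")
    return reasons


def triage_zip(data):
    """Triage every file entry in a zip given as bytes."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons.extend(triage_member(info.filename))
    return reasons


def build_sample(members):
    """Construct an in-memory zip from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins: the names mimic the lure, the contents are inert.
LURE_ZIP = build_sample({"SWIFT_Payment_Advice.pdf.js": b"// constructed placeholder\n"})
BENIGN_ZIP = build_sample({"invoice.pdf": b"%PDF-1.4 constructed placeholder\n"})

if __name__ == "__main__":
    for reason in triage_zip(LURE_ZIP):
        print("LURE:", reason)
    print("benign archive:", triage_zip(BENIGN_ZIP))
```

Name-based triage is cheap and catches the exact trick the campaign relies on, but it is only a first gate; an archive whose members pass this check still goes on to content inspection and sandboxing.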

Since phishing is the main method of malware delivery, the best defense against attacks is advanced anti-spam software and end-user security awareness training. JSOutProx malware is able to bypass many traditional anti-spam solutions and anti-virus software due to the high level of obfuscation. The best defense is an anti-spam solution with AI and machine learning capabilities that can identify the signs of malicious emails by analyzing message headers and message content to determine how they deviate from the emails typically received by the business and also search for the signs of phishing and malware delivery based on the latest threat intelligence.

To identify the malicious attachments, an anti-spam solution requires sandboxing. Any messages that pass standard antivirus checks are sent to the sandbox where behavior is analyzed to identify malicious actions, rather than relying on malware signatures for detection. SpamTitan can extract and analyze files in compressed archives such as .zip and .rar files and in recent independent tests, SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, with a false positive rate of 0.00%. SpamTitan from TitanHQ is delivered as either a hosted anti-spam service or an anti-spam gateway that is installed on-premises on existing hardware. SpamTitan has been developed to be easy to implement and use and meet the needs of businesses of all sizes and managed service providers.

Phishing emails target employees so it is important to teach them how to identify phishing emails. Due to the fast-changing threat landscape, security awareness training should be provided continuously to the workforce, and phishing simulations should be conducted to give employees practice at identifying threats. SafeTitan from TitanHQ can be used to easily create effective training programs that run continuously throughout the year and keep employees up to date on the latest threats and tactics, techniques, and procedures used by malicious actors. SafeTitan also delivers relevant training in real-time in response to security mistakes and phishing simulation failures. Check out these anti-spam tips for further information on improving your defenses against phishing and get in touch with TitanHQ for more information on SpamTitan email security and the SafeTitan security awareness training platform.

Sophisticated Phishing Campaign Delivers RATs via SVG File Attachments

A sophisticated phishing campaign has been detected that is being used to deliver a variety of Remote Access Trojan (RAT) malware, including Venom RAT, Remcos RAT, and NanoCore RAT, as well as a stealer that targets cryptocurrency wallets. The campaign uses email as the initial access vector with the messages purporting to be an invoice for a shipment that has recently been delivered. The emails include a Scalable Vector Graphics (SVG) file attachment – an increasingly common XML-based vector image format.

If the file is executed, it will drop a compressed (zip) file on the user’s device. The zip file contains a batch file that has been created with an obfuscation tool (most likely BatCloak) to allow it to evade anti-virus software. If not detected as malicious, a ScrubCrypt batch file is unpacked – another tool used to bypass antivirus protections – which delivers two executable files that are used to deliver and execute the RAT and establish persistence. This method of delivery allows the malware to evade AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) antivirus protections.
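An SVG that merely draws an image has no need for script elements, event-handler attributes or `javascript:` links, so their presence is a useful triage signal before any sandboxing. The check below is an added example (not TitanHQ code) that parses an SVG attachment as XML and reports those constructs; the sample SVGs are constructed and harmless, and the code only reports, it never renders or runs the file.

```python
"""Added example (not TitanHQ's code): triage an SVG attachment for
active content that a plain vector image does not need.  The sample
documents are constructed and inert."""
import re
import xml.etree.ElementTree as ET   # for untrusted input in production, prefer defusedxml

EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.I)          # onload, onclick, ...
SCRIPT_SCHEME_RE = re.compile(r"^\s*(javascript|vbscript):", re.I)
ACTIVE_ELEMENTS = {"script", "foreignobject"}           # can host script / HTML


def local_name(qualified):
    """Strip an ElementTree '{namespace}' prefix and lower-case the name."""
    return qualified.rsplit("}", 1)[-1].lower()


def triage_svg(svg_bytes):
    """Return findings for an SVG document; an empty list means nothing stood out."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element present")
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)          # handles xlink:href etc.
            if EVENT_ATTR_RE.match(attr_name):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            if attr_name == "href" and SCRIPT_SCHEME_RE.match(value):
                findings.append(f"script-scheme href on <{name}>")
    return findings


# Constructed: a plain drawing that should pass.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

# Constructed: carries the active constructs the check looks for, but does nothing.
SUSPECT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script>/* constructed placeholder, no behaviour */</script>
  <a href="javascript:void(0)"><text x="1" y="10">Invoice</text></a>
</svg>"""

if __name__ == "__main__":
    print("benign:", triage_svg(BENIGN_SVG))
    for finding in triage_svg(SUSPECT_SVG):
        print("SUSPECT:", finding)
```

A policy that quarantines any SVG with findings will occasionally stop an interactive chart someone actually wanted, which is a far cheaper mistake than letting a dropper through; the findings list makes the reason visible to whoever reviews the quarantine.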

One of the primary payloads is Venom RAT, which establishes a connection with its command and control (C2) server, transmits sensitive information gathered from the compromised device, and runs commands from its C2 server. Venom RAT can download additional modules and malware payloads, including a stealer malware that targets folders associated with cryptocurrency wallets and applications including Atomic Wallet, Electrum, Exodus, Foxmail, and Telegram.

The sophisticated nature of this campaign and the obfuscation used to hide the malicious payloads from traditional antivirus software demonstrates the need for advanced email defenses and end-user training. Email security solutions that rely on malware signatures are easily bypassed, which is why it is important to use an anti-spam solution that incorporates sandboxing for blocking malware and AI and machine learning capabilities to identify malicious emails.

SpamTitan uses AI and machine learning algorithms to detect phishing emails that other solutions miss – including Microsoft’s basic and advanced anti-phishing mechanisms for Microsoft 365. SpamTitan includes Sender Policy Framework (SPF), SURBLs, RBLs, Bayesian analysis, and more, and the machine learning algorithms can detect email messages that deviate from the typical messages received by a business and can identify header anomalies, address spoofing, and suspect email body content. All inbound messages are subjected to standard and advanced malware checks, including scans using twin anti-virus engines and email sandboxing. If all anti-malware checks are passed, including unpacking and analyzing compressed files, messages are sent to the sandbox for behavioral analysis.

In the cloud-based sandbox, malicious actions are identified such as attempts to deliver additional files as is commonly seen in multi-stage attacks and C2 calls. In recent independent tests (Virus Bulletin), SpamTitan achieved a phishing catch rate of 99.914%, a malware catch rate of 99.511%, and a false positive rate of 0.00%. With phishing attacks becoming more sophisticated you need to have sophisticated defenses. With email security protection provided by SpamTitan and security awareness training delivered using TitanHQ’s award-winning SafeTitan security awareness training and phishing simulation platform you will be well protected from email-based attacks.

Give the TitanHQ team a call today to find out more about how you can improve your defenses against email-based attacks with sandboxing technology and how to add more layers to your defenses to block the full range of cyberattacks.

Businesses Targeted with Phishing Emails Sent Via SendGrid

Small- and medium-sized businesses are being targeted in a phishing campaign that leverages the email service provider (ESP) SendGrid. SendGrid is a legitimate and well-known company that provides a customer communication platform for transactional and marketing email. SendGrid customer accounts are targeted to gain access to company mailing lists which can be used for a variety of email campaigns, such as phishing, spamming, and scams. In this campaign, the phishers compromise companies’ SendGrid accounts and use the ESP itself to send phishing emails. Emails sent through the SendGrid platform are likely to be trusted by email security solutions, especially as the compromised accounts will have been used to send communications in the past. SendGrid may even be whitelisted to ensure that the emails are always delivered to inboxes. SendGrid emails are also likely to be trusted by end users.

In this campaign, the emails use a security-themed lure and inform the recipients that they need to set up 2-factor authentication – a perfectly reasonable request since 2FA will better protect accounts against unauthorized access. The users are provided with a link that directs them to a malicious website that spoofs the SendGrid login, and if credentials are entered, they are harvested by the scammer. The emails were routinely delivered to inboxes and evaded email security solutions because SendGrid was trusted.

SendGrid performs stringent checks on new accounts so it is difficult for malicious actors to use SendGrid directly, instead they compromise business SendGrid accounts, often through phishing attacks. Twilio SendGrid detected the malicious activity linked to customer accounts that were being used for phishing, and its fraud, compliance, and cyber security teams immediately shut down accounts. To better protect SendGrid accounts, users are advised to log in to their account and set up 2-factor authentication to prevent compromised credentials from granting access to user accounts.

The campaign demonstrates that even emails from reliable sources may not be what they seem. Many companies provide security awareness training to their employees that teaches cybersecurity best practices and trains employees on how to recognize and avoid phishing. It is important to include these types of emails in training material, as ESPs are being increasingly targeted by cybercriminals due to the effectiveness of campaigns run through an ESP.

With SafeTitan, keeping employees up to date on the latest tactics used by phishers and other cybercriminals is easy. The training content is regularly updated with new phishing templates based on real-world attacks and the latest phishing trends, and phishing simulations can be conducted on employees to test how they respond to phishing attempts outside of the training environment. SafeTitan is the only security awareness training platform that delivers targeted training automatically in response to bad security practices by employees, ensuring training is provided at the moment when it is most likely to be taken on board.

New Backdoor Malware Variants Deployed on Barracuda ESG Appliances

A zero-day vulnerability in Barracuda email security gateway (ESG) appliances was exploited to deliver three malware variants onto the devices. These previously unknown malware variants have been dubbed SeaSide, Saltwater, and Seaspy, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently reporting that an additional malware backdoor dubbed Submarine was also deployed in the attacks.

Initially, Saltwater malware – a trojanized Barracuda SMTP daemon – was used and allowed the threat actor to perform several actions such as stealing files, running shell commands remotely, and proxying traffic to evade intrusion detection systems. SeaSpy malware was deployed to provide persistence and monitor SMTP traffic, and SeaSide malware was used to establish reverse shells and connect with the attacker’s command-and-control server, which allowed remote code execution via SMTP HELO/EHLO messages and provided the attacker with complete control of the appliances, allowing additional malware payloads to be delivered.

According to CISA, “SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”

The zero-day vulnerability in the Barracuda ESG is tracked as CVE-2023-2868 and is a remote command injection vulnerability, a patch for which has now been released. The vulnerability could be exploited remotely by a threat actor with a malicious email message – an email with a specially crafted .tar file attachment that masqueraded as a harmless .jpeg or .dat file. The attachment was used to exploit the vulnerability and gain access to ESG appliances.
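The lure relied on a .tar archive being accepted under a .jpeg or .dat name, so a mail gateway that compares the declared extension with the content's own signature has a chance of flagging it before any parser touches the file. The script below is an added example (not Barracuda's or TitanHQ's code) of that comparison: it recognises a handful of well-known magic numbers plus the `ustar` marker at offset 257 that identifies POSIX tar archives. The sample tar is built in memory from harmless content and carries no exploit.

```python
"""Added example (not Barracuda's or TitanHQ's code): compare an
attachment's declared extension with its content signature.  The tar
archive below is constructed in memory and is harmless."""
import io
import tarfile

# Leading byte signatures for common formats (well-known magic numbers).
SIGNATURES = {
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".pdf":  [b"%PDF-"],
    ".zip":  [b"PK\x03\x04"],
}
EQUIVALENT = {".jpg": ".jpeg"}   # spellings that name the same format


def looks_like_tar(data):
    """POSIX ustar, pax and GNU tar headers all carry 'ustar' at offset 257."""
    return len(data) > 262 and data[257:262] == b"ustar"


def detect_format(data):
    """Return the extension implied by the content, or None if unrecognised."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    if looks_like_tar(data):
        return ".tar"
    return None


def extension_mismatch(filename, data):
    """Describe a contradiction between name and content, or None."""
    declared = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    declared = EQUIVALENT.get(declared, declared)
    actual = detect_format(data)
    if actual is None or declared == actual:
        return None   # unrecognised content, or name and content agree
    return f"{filename}: extension {declared or '(none)'} but content is {actual}"


def build_tar(members):
    """Construct an uncompressed tar archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a real tar wearing an image name, and a genuine JPEG header.
DISGUISED_TAR = build_tar({"note.txt": b"constructed, harmless text"})
REAL_JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    print(extension_mismatch("holiday.jpeg", DISGUISED_TAR))
    print(extension_mismatch("holiday.jpeg", REAL_JPEG_HEADER))
```

The check deliberately stays silent on content it does not recognise rather than guessing, so its value comes from the formats you choose to enumerate; a gateway would normally back it with a fuller signature library and treat any archive format arriving under an image name as a quarantine event.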

The exploits of the vulnerability have been linked with a pro-China hacking group tracked as UNC4841, which was discovered to have conducted a series of attacks in May, although CISA reports that the threat actor may have been exploiting the vulnerability undetected since as early as October 2022 to gain access to ESG appliances and steal data.

With access to ESG appliances, the threat actor was free to remotely execute code for months. The ESG appliances are used across the public and private sectors, including government organizations, so the compromising of the appliances since October 2022 is of particular concern, as the threat actor may have been able to steal sensitive data for several months undetected. Many large companies also use Barracuda’s ESG appliances including Delta Airlines, Kraft Heinz, Samsung, and Mitsubishi, all of which were affected.

While the vulnerability has been patched, UNC4841 has proven to be very persistent, switching its persistence mechanisms when the attacks were detected. Indicators of Compromise and MD5 hashes were issued by Barracuda to help clients determine if their ESG devices had been compromised and Barracuda even offered its customers a new appliance, regardless of their patch status.

These attacks involved the discovery and exploitation of a previously unknown vulnerability in the ESG appliances and were the work of highly skilled hackers, although, like many attacks, the vulnerability was exploited via a malicious email. An extra layer of protection can be provided by SpamTitan Plus, which specifically combats phishing emails and incorporates signature-based and AI-based behavioral detection mechanisms to improve protection against zero-day threats, including novel malware variants. Using SpamTitan Plus in addition to other security solutions will greatly improve the probability of detecting and blocking malicious emails and zero-day threats. These attacks demonstrate why it is important to have multiple layers of security, and not to rely on a single cybersecurity solution.

RPMSG Attachments Used in Sophisticated Phishing Attacks to Steal M365 Credentials

A new phishing technique has been identified by security researchers that uses compromised Microsoft 365 accounts to send phishing emails that contain .RPMSG attachments, which are used in a sophisticated attack to gain access to Microsoft 365 accounts.

RPMSG files are used to deliver e-mails with the Rights-Managed Email Object Protocol enabled. In contrast to regular emails that are sent in plain text and can be read by anyone or any security solution, these files are encrypted and are stored as an encrypted file attachment. The files can also be used to limit the ability of users to forward or copy emails. The intended recipient can read the encrypted messages after they have been authenticated, either by using their Microsoft 365 credentials or a one-time passcode.

Phishing attacks using these files give the impression that the messages are protected and secured, as access is restricted to authorized users. If a user is unfamiliar with RPMSG files and they perform a Google search, they will quickly discover that these files are used for secure emails, giving the impression that the emails are genuine.

The use of RPMSG files in phishing attacks was discovered by researchers at Trustwave. In this scam, an email is sent from a compromised account, and since these accounts are at legitimate businesses, the emails appear genuine. For example, one of the scams used a compromised account at the payment processing company Talus Pay.

The emails are sent to targeted individuals, such as employees in the billing department of a company. The emails are encrypted, and credentials need to be entered before the content of the email can be viewed. In this campaign, the emails tell the recipient that Talus Pay has sent them a protected message, and the email body includes a “Read the message” button that users are prompted to click. The emails also contain a link that the user can click to learn about messages protected by Microsoft Purview Message Encryption.

If the recipient clicks the link to read the message, they are directed to a legitimate Office 365 email webpage where they are required to authenticate with their Microsoft 365 credentials. After authentication, the user is redirected to a fake SharePoint document, which is hosted on the Adobe InDesign service. If they try to open the file, they are directed to the final destination URL that shows a “Loading… Wait” message, and while on that URL, a malicious script runs and collects system information. When that process is completed, a cloned Microsoft 365 login form is displayed, which sends the username and password to the attacker’s command and control server if entered. The script collects information such as visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.

The problem with phishing attempts involving encrypted content is email security solutions are unable to decrypt the content. In this scam, the only URL in the email directs the user to a legitimate Microsoft service which is not malicious, making these phishing attempts difficult to block without also blocking legitimate Microsoft encrypted emails. The key to preventing this type of sophisticated phishing attack is education. Through security awareness training, employees should be warned never to open unsolicited encrypted messages, even if the messages appear to have been sent by a legitimate user. They should also be conditioned to report any such messages to their IT security team for further investigation.

The SafeTitan security awareness training program can be used by businesses to create training courses for employees, tailored to each individual’s role and the threats they are likely to encounter. The training content is engaging to improve knowledge retention and can be easily updated to include information on the latest threats, such as phishing attacks involving RPMSG files. The platform also includes a phishing simulator that can be used to automate phishing simulations on the workforce, and RPMSG phishing emails can easily be incorporated into the simulator to check whether employees are fooled by these sophisticated attacks. If a user fails a phishing simulation, they are automatically provided with training content in real-time relevant to the simulation they failed. This on-the-spot training is the most effective way of re-educating the workforce and ensures training is provided at the point when it is most likely to be effective.

For more information on SafeTitan Security awareness training and phishing protection, call the TitanHQ team today.

Cybercriminals Use Facebook Posts to Bypass Phishing Defenses

Cybercriminals are constantly coming up with new tactics for stealing credentials and other sensitive information. Phishing is one of the main ways that this is achieved, but most businesses have spam filters that block these malicious messages. If a phishing email is developed that can bypass email security measures and land in the inboxes of a business, there is a good chance that the emails will be clicked and at least some accounts can be compromised.

Spam filters such as SpamTitan incorporate a range of advanced measures for detecting phishing emails, including reputation checks of IP addresses, analyses of the message headers and bodies, and machine learning algorithms that determine the probability that an email is malicious. Dual anti-virus engines are used for detecting known malware, the next-gen email sandbox is used to detect zero-day malware threats by analyzing how files behave when opened, and hyperlinks in emails are scanned and followed to determine if they are malicious.

To bypass email security solutions, threat actors may link a legitimate website in an email, such as providing a URL for SharePoint, Google Drive, Dropbox, or another legitimate platform. These URLs are more difficult to identify as malicious as these websites pass reputation checks. Malicious URLs on these platforms are often reported and are then blocked by email security solutions, but the URLs often change and are never used for long.

A campaign has recently been detected that uses this tactic and attempts to direct users to the genuine Facebook.com site, with the phishing emails containing a link to a Facebook post. The phishing email comes from a legitimate-looking domain – officesupportonline.com – and warns the user that some of the features of their Facebook account have been deactivated due to copyright-infringing material. Like many phishing emails, the user is told they must take urgent action to prevent the deletion of their account. In this case, they are threatened with the deletion of their account if there is no response within 48 hours.

A link is supplied to a post on Facebook.com that the user is required to click to appeal the decision. The post masquerades as a Facebook.com support page from Facebook Page Support, which provides a link to an external webpage that the user is required to click to “Appeal a Page Copyright Violation”. The URL includes the name of Facebook’s parent company, Meta, although the domain is actually meta.forbusinessuser.xyz – a domain that is not owned by Meta or Facebook. URL shortening services are used in these campaigns to hide the true URL.

If the user clicks the link they will be directed to a page that closely resembles the genuine Facebook copyright appeal page. In order to appeal the decision, the user must complete a form that asks for their full name, email address, phone number, and Facebook username. If that information is submitted through the form, geolocation information is also collected along with the user’s IP address, and the information is sent to the scammer’s Telegram account.

The next stage of the scam sees the user redirected to another page where they are asked to provide a 6-digit one-time password, which they are told is required when a user attempts to sign into their account from a new device or browser. This is a fake 2-factor authentication box, and if the user enters any 6-digit code it will produce an error, but the code entered will be captured by the attacker. The user will be directed to the genuine Facebook site if they click the “need another way to authenticate?” option on the page.
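The meta.forbusinessuser.xyz link works because the brand name sits in the subdomain while the registrable domain belongs to someone else. The added example below (not TitanHQ code) makes that distinction mechanically: it reduces a host to its registrable domain, checks whether a brand name appears anywhere in the host or path without the registrable domain being one the brand owns, and separately calls out shortened links, whose real destination is unknown until resolved. The suffix list, brand allowlist and shortener list are constructed stand-ins; a real deployment would use the Public Suffix List and a maintained brand inventory.

```python
"""Added example (not TitanHQ's code): spot links that borrow a brand name
without belonging to the brand's registrable domain.  The suffix list,
brand allowlist and shortener list are constructed for the demo."""
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co.uk"}

# Constructed allowlist: registrable domains each brand really owns.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "meta": {"meta.com", "facebook.com"},
}

# Well-known shortening services; the true target is hidden until resolved.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def registrable_domain(host):
    """Return the registrable part of a host (eTLD+1) using PUBLIC_SUFFIXES.
    'meta.forbusinessuser.xyz' -> 'forbusinessuser.xyz'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()   # no known suffix: treat the whole host as registrable


def assess_url(url):
    """Return findings about a link; an empty list means nothing stood out."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    if reg in SHORTENERS:
        findings.append(f"{host}: shortened link, true destination unknown until resolved")
        return findings
    haystack = host + parts.path.lower()
    for brand, owned in BRAND_DOMAINS.items():
        if brand in haystack and reg not in owned:
            findings.append(f"'{brand}' appears in {host}{parts.path} but registrable domain is {reg}")
    return findings


if __name__ == "__main__":
    for url in ("https://meta.forbusinessuser.xyz/appeal",
                "https://www.facebook.com/help/copyright",
                "https://bit.ly/3abc"):
        print(url, "->", assess_url(url))
```

Substring matching is intentionally loose: "meta" inside an unrelated host such as a metadata service will be reported as well, which is the right trade-off for a triage list that a person or a second filter reviews, and the owned-domain allowlist keeps the brand's own links quiet.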

Campaigns such as this highlight the importance of layered defenses. Spam filters are effective at blocking the majority of spam and phishing emails, but some messages will bypass spam filters and will be delivered to inboxes. One of the best ways to augment your phishing defenses is to provide security awareness training to your workforce, and this is key to combating new phishing tactics such as this Facebook phishing scam.

Employees should be taught how to identify phishing attempts and what to do if a potentially malicious email is received. In addition to providing training, phishing simulations should be conducted on the workforce to give employees practice at identifying phishing threats while they are completing their usual work duties. If a simulation fails, the employee can be told what went wrong and how they could identify similar threats in the future.

TitanHQ offers businesses a comprehensive security awareness training and phishing simulation platform called SafeTitan. The platform includes an extensive range of training content on all aspects of security, and a phishing simulation platform with hundreds of phishing templates taken from real-world phishing attacks. SafeTitan automates the provision of training and is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to security mistakes by employees, ensuring training is provided at the time when it is likely to be most effective at changing employee behavior.

DHL is the Most Spoofed Brand in Phishing Attacks

Phishing attempts are often very convincing as the emails mimic trusted brands, include their logos and color schemes, and the message format is often copied from genuine company messages. The most commonly spoofed brands are well-known companies that have millions of customers, which increases the chances of the message landing in the inbox of a person who has, at least at some point in the past, used that company’s products or services.

Every quarter, Check Point releases its Brand Phishing Report, which highlights the latest phishing trends and the brands being impersonated most often. LinkedIn, Microsoft, Google, and Netflix are regulars in the top 10 list, with LinkedIn being the most commonly spoofed brand in phishing attacks in the first half of the year; however, the top spot has now gone to the German logistics and package delivery firm, DHL.

DHL accounted for 22% of all worldwide phishing attempts in Q3 2022. DHL itself issued a warning to customers in July after the company became aware that it was being spoofed in a massive phishing campaign that was being conducted globally. It is probable that DHL will remain in the top spot in Q4 due to the increase in online purchases in the run-up to Christmas.

While there is some variation in the phishing emails impersonating DHL, one of the most common appears to have been sent by DHL Express and alerts the recipient about an undelivered package. The message warns that it will not be possible to attempt redelivery of the package unless delivery information is confirmed. The phishing emails include a link to a website to allow that information to be provided; however, the link directs the user to a website where they are required to log in and provide their name, username, password, and other sensitive information, such as payment details.

While email phishing is the most common form, DHL has been spoofed in SMS messages that achieve the same purpose. Of course, SMS messages are not subject to spam filtering controls and mobile devices are less likely to be protected by web filters, which can detect and block attempts to visit malicious websites. SMS phishing – termed smishing – has been growing in popularity in recent years.

Unsurprisingly, given the number of users, Microsoft achieved second place, accounting for 16% of phishing emails in the quarter. The phishing emails spoofing Microsoft are more varied due to the extensive product range, although OneDrive phishing emails were common. These emails claim to be collaboration requests and target businesses and ask the recipient to click on a button to view a shared document. Like many phishing emails, the messages warn the recipient that urgent action is required, as the document will be deleted in 48 hours. The user is directed to a malicious website where they are asked to enter credentials for their Microsoft account.

It is unclear why LinkedIn has fallen out of favor slightly, although it still achieved 3rd spot and accounted for 11% of phishing attempts in the quarter. The rest of the top ten consists of Google (6%), Netflix (5%), We Transfer (5%), Walmart (5%), WhatsApp (4%), HSBC (4%), and Instagram (3%).

Phishing is one of the main ways that cybercriminals gain access to business networks. The attacks are easy to conduct, low cost, and do not require extensive technical knowledge. Businesses can block the majority of these malicious messages by implementing an advanced spam filter such as SpamTitan Cloud. They should also consider adding an extra layer to their defenses, a web filter such as WebTitan Cloud.

Technical defenses such as these are vital for protecting against phishing attempts, but it is also important for businesses to ensure that they provide regular security awareness training to their employees to make them aware of the threat of phishing and to teach them how to identify phishing emails. In addition to training, phishing simulations should be conducted on the workforce. These have been proven to reduce susceptibility to phishing attempts, as they give employees practice at identifying phishing and any failures are turned into a training opportunity.

With the SafeTitan security awareness training and phishing simulation platform, training is automatically triggered in real-time in response to phishing simulation failures and other security errors, when the training is likely to have the greatest effect.

If you run a business and want to improve your defenses against phishing, give TitanHQ a call. TitanHQ products are available on a free trial to allow you to put them to the test before making a decision about a purchase. MSPs that have yet to add spam filtering, web filtering, and security awareness training to their service stacks should give the TitanHQ channel team a call to find out more about these opportunities to improve their clients’ defenses against phishing and other cyberattacks.

New Reverse Proxy Phishing-as-a-Service Helps Low-Skilled Hackers Bypass MFA

When multifactor authentication is set up on accounts, attempts to access those accounts using stolen credentials will be prevented, as in addition to a correct username and password, another factor must be provided to authenticate users. Phishing attacks may allow credentials to be stolen, but that does not guarantee accounts can be accessed. More companies are implementing multifactor authentication, which means phishing attacks need to be more sophisticated to bypass the protection it provides.

One of the ways that multifactor authentication can be bypassed is by using a reverse proxy. In a phishing attack, an email is sent to a target and a link is provided to a malicious website hosting a phishing form that spoofs the service whose credentials are being targeted – Microsoft 365, for example. Instead of just collecting the login credentials and using them to try to remotely access the user’s account, a reverse proxy is used.

The reverse proxy sits between the phishing site and the genuine service that the attacker is attempting to access and displays that service’s own login form. When the credentials are entered, they are relayed in real time to the legitimate service, and responses from that service, such as MFA prompts, are returned to the victim. When the login process is successfully completed, a session cookie is returned which allows the threat actor to access the genuine service as the victim. The session cookie can also contain the authentication token. In these attacks, once the session cookie has been obtained, the victim is usually presented with a notification telling them the login attempt has failed, or they are directed to another site, and will likely be unaware that their credentials have been stolen and their account is being accessed.

These attacks allow the victim’s account to be accessed for as long as the session cookie remains valid. If it expires or is revoked, the attacker will lose access to the account. To get around this and gain persistent access, account details may be changed or other authentication methods will be set up.

These types of phishing attacks are much more sophisticated than standard phishing attacks, but the extra effort is worth the investment of time, money, and resources. Many advanced persistent threat actors use reverse proxies in their phishing campaigns and have developed their own custom reverse proxies and tools. There are, however, publicly available kits that can be used in phishing campaigns such as Modlishka, Necrobrowser, and Evilginx2. These kits can be used at a cost and allow MFA to be bypassed, although they can be complicated to set up and use.

Now a new Phishing-as-a-Service (PaaS) platform has been identified – EvilProxy – that is being pushed on hacking forums. EvilProxy allows authentication tokens to be stolen from a range of vendors including Microsoft, Apple, Twitter, Facebook, Google, and more, according to Resecurity, which recently reported on the phishing kit.

EvilProxy lowers the bar considerably and makes conducting reverse proxy phishing attacks far simpler. The service includes instructional videos, provides a user-friendly graphical interface, and even supplies templates of cloned phishing pages for stealing credentials and auth tokens. Through the graphical interface, threat actors can set up and manage their phishing campaigns with ease. EvilProxy comes at a cost, starting at $150 for 10 days up to $400 for a month. While the service is not cheap, the potential rewards can be considerable. EvilProxy allows low-skill threat actors to gain access to valuable accounts, which could be used or sold on to other threat actors such as ransomware gangs.

Multifactor authentication is strongly recommended as it will block the majority of attacks on accounts; however, it can be bypassed by using reverse proxies. Protecting against reverse proxy phishing attacks requires a defense-in-depth approach. An email security solution – SpamTitan for example – should be implemented to block the initial phishing email. A web filter – WebTitan – should be used to block attempts to visit the malicious websites used in these man-in-the-middle attacks. Security awareness training is important for training employees on how to recognize and avoid phishing threats, and employers should conduct phishing simulation tests as part of the training process. TitanHQ’s SafeTitan platform allows businesses to conduct regular training and phishing simulations with ease.
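The difference between a factor a reverse proxy can relay and one it cannot comes down to origin binding. A one-time code is a bearer value with no notion of where it was typed, whereas a security-key (WebAuthn) assertion is scoped to the site’s rpId and carries the origin the browser was actually on. The following is an added example that models both sides of that check; it is not code from the page or from any of the kits named above, all domains are constructed, and the signature verification step of the real ceremony is left out so the origin-binding logic stands alone.

```python
"""Why a reverse proxy can relay a one-time code but not a security-key login.

Added example, not code from the page or any phishing kit: a minimal model of a
security key (authenticator) and a relying party (RP). All domains are constructed.
"""
import base64
import hashlib
import json
import os

RP_ID = "login.example-rp.test"                    # constructed: the genuine service
GENUINE_ORIGIN = "https://" + RP_ID
PROXY_DOMAIN = "login.example-proxy.invalid"       # constructed: the attacker's reverse proxy
PROXY_ORIGIN = "https://" + PROXY_DOMAIN


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_otp(submitted: str, expected: str) -> bool:
    """A bearer factor: the code carries no notion of where it was typed, so a
    proxy that forwards it is indistinguishable from the user on the real site."""
    return submitted == expected


class Authenticator:
    """Minimal model of a security key: credentials are scoped to an rpId."""

    def __init__(self, registered_rp_ids):
        self.credentials = set(registered_rp_ids)

    def get_assertion(self, rp_id: str, origin: str, challenge: bytes):
        # A key only answers for an rpId it registered; a lookalike domain has none.
        if rp_id not in self.credentials:
            return None
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": b64url_encode(challenge),
            "origin": origin,        # filled in by the browser from the page origin
            "crossOrigin": False,
        }).encode()
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + bytes([0x01])                           # flags: user present
                     + (0).to_bytes(4, "big"))                 # signCount
        return client_data, auth_data


def rp_verify(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """Binding checks from the WebAuthn assertion ceremony. The signature check
    over authData || sha256(clientDataJSON) would follow these and is omitted here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one issued"
    if cd.get("origin") != GENUINE_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "assertion bound to the genuine origin"


def login_attempt(origin: str, rp_id_seen_by_browser: str, key: Authenticator):
    """One login ceremony; origin and rpId come from the page the victim is on."""
    challenge = os.urandom(32)   # issued by the genuine RP; a proxy relays it unchanged
    assertion = key.get_assertion(rp_id_seen_by_browser, origin, challenge)
    if assertion is None:
        return False, "authenticator has no credential for " + rp_id_seen_by_browser
    return rp_verify(assertion[0], assertion[1], challenge)


def demo():
    key = Authenticator([RP_ID])
    direct = login_attempt(GENUINE_ORIGIN, RP_ID, key)
    # Via the proxy the browser is on the attacker's domain, so the key has nothing to sign...
    proxied = login_attempt(PROXY_ORIGIN, PROXY_DOMAIN, key)
    # ...and even an assertion produced with the proxy's origin fails the RP's origin check.
    challenge = os.urandom(32)
    forged = rp_verify(*key.get_assertion(RP_ID, PROXY_ORIGIN, challenge), challenge)
    return direct, proxied, forged


if __name__ == "__main__":
    for label, result in zip(("direct", "proxied", "forged"), demo()):
        print(f"{label:8s} ok={result[0]} {result[1]}")
```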

Microsoft’s Automatic Blocking of Macros Has Been Temporarily Rolled Back

Microsoft previously announced a new security feature that would see VBA macros automatically blocked by default, but there has been a rollback in response to negative feedback from users.

Phishing emails are commonly used for malware delivery, either through links to websites where the malware is hosted or through malicious email attachments. Word, Excel, Access, PowerPoint, and Visio files that include VBA macros are commonly attached to emails. While there are legitimate uses for VBA macros, they are often used for malware delivery. When the documents are opened, the macros run and deliver a malware loader or sometimes the malware payload directly.

Office macros have been used to deliver some of the most dangerous malware variants, including Emotet, TrickBot, Qakbot, and Dridex. To improve security, in February 2022, Microsoft announced that it would be blocking VBA macros by default. If macros are blocked automatically, it is much harder for this method of malware delivery to succeed.

With autoblocking of macros, users are presented with a security alert if a file is opened that includes a VBA macro. When opening a file with a VBA macro, the following message is displayed in red:

“SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted.”

The user would not be able to click the warning to override the blocking; instead, they would be directed to a resource that provides further information on the risk of enabling macros. They would have the option of ignoring the warning but would be strongly advised not to. Previously, a security warning was displayed in a yellow warning box that said, “Security Warning: Macros have been disabled.” The user would be presented with a prompt to Enable Content, and could thus ignore the warning.

Microsoft had rolled out this new security feature, but recently Windows users started to notice that the new security warning was no longer being displayed; instead, Microsoft appeared to have rolled back to its previous system without announcing it was doing so.

Microsoft did confirm that it is rolling back this security feature and that an update announcing that has been planned; however, it had not been announced before the rollback started. The process has been heavily criticized, not for the rollback itself (although there has been criticism of that), but for starting the rollback without first making an announcement.

Microsoft said the rollback was due to negative feedback it had received, but it is not known at this stage which users had complained. It is suspected that the change posed a problem for individuals who commonly use VBA macros, and the automatic blocking made the process of running macros cumbersome. Most SMB users, however, do not deal with macros frequently, so the rollback means a reduction in security.

It took several days for Microsoft to confirm that the rollback is temporary and that it was necessary to make changes to improve usability. Microsoft said it is still committed to blocking macros by default for users. So, while this is a U-turn, it is just a temporary one.

While automatically blocking macros is important to improve security, it is still strongly recommended to implement a robust email security solution, as macros are not the only way that malware is delivered via email. Also, blocking macros will do nothing to stop phishing emails from being delivered.

With SpamTitan Email Security, phishing and malware threats can be easily blocked. For more information, give the TitanHQ team a call.

BEC Scammers Use Virtual Meeting Platforms to Trick Employees into Making Fraudulent Wire Transfers

Business Email Compromise (BEC) is the leading cause of financial losses to cybercrime. The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 19,369 complaints about BEC scams in 2020, resulting in adjusted losses of $1.87 billion. While BEC crime ranked number 10 based on victim count, it topped the list in terms of the losses sustained by victims, with three times as much lost to the scams as the second-biggest loss to cybercrime, confidence/romance fraud.

Business Email Compromise scams usually start with a phishing attack to gain access to email credentials. The attackers seek the credentials of the CEO, CFO, or another executive, and either target those individuals directly with spear phishing emails or compromise the email accounts of lower-level employees and use their email accounts to send phishing emails to the targeted individuals. Once the right credentials have been obtained, the executive’s email account is used to send messages to individuals responsible for wire transfers to trick them into making substantial wire transfers to attacker-controlled bank accounts. While these scams require planning and research, the time spent setting up the scams is well spent, as BEC attacks are often successful.

While BEC scams are usually conducted via email, BEC scammers are increasingly using virtual meeting platforms such as Microsoft Teams and Zoom in their scams. The scammers have taken advantage of the increase in remote working due to the pandemic and the popularity of virtual meeting platforms for communication and collaboration.

Once the scammers have access to the CEO’s email account, they identify their next target and send a request for a virtual meeting. When the target connects to the meeting, the scammer explains that they are having problems with their audio and video, so the meeting proceeds with the scammer on text chat. Oftentimes they will insert a picture of the CEO for added realism. The scammer then provides a reason for the out-of-band request, then asks the employee to make a wire transfer, either in the meeting or after the meeting via email.

The FBI has recently issued a warning to businesses about the increase in the use of virtual meetings for BEC scams, having observed an increase in the use of these platforms for BEC scams between 2019 and 2021. Scammers are also compromising employee email accounts and are inserting themselves into work meetings to gather information about the day-to-day processes at businesses. Since the scammers use genuine email accounts to connect, and audio/visual problems are relatively common, they are able to gather information and steal funds without being detected. The scammers also use compromised CEO email accounts to send emails to employees claiming they are stuck in a virtual meeting and unable to arrange an important wire transfer and ask an employee to initiate the transfer on their behalf.

There are several steps that businesses can take to improve their defenses against BEC attacks. Defending against these attacks should start with an advanced email security solution to block the phishing attacks that allow scammers to gain access to email accounts. SpamTitan has industry-leading detection of phishing URLs in emails and can prevent employees from visiting the web pages where credentials are harvested.

Security awareness training is important as some malicious emails bypass all spam filters. Employees need to be trained on how to identify scam emails. Security awareness training is concerned with creating a ‘human firewall’ to augment technical defenses and should make employees aware of BEC scams and how to identify scam emails from internal email accounts. TitanHQ has recently launched a new security awareness platform called SafeTitan to help businesses with training. SafeTitan is the only behavior-driven security awareness platform that provides real-time training to deal with threats targeting employees.

It is also recommended to implement policies and procedures that require secondary channels or two-factor authentication to verify requests for any changes to account information or atypical requests for bank transfers.

Study Sheds Light on the Employees Most Likely to Fall for Phishing Scams

Phishing is the attack vector of choice for many cybercriminals. Attacks are easy to perform, they are often successful, and they provide the foothold in business networks that is required for more extensive compromises. The best defense against phishing is to implement a technological solution – a spam filter – to prevent phishing emails from reaching inboxes. If phishing emails are blocked at the email gateway, they will not arrive in inboxes where they can fool employees.

End-user training is also important, as no spam filter will block all malicious emails. A recent large-scale study has been conducted to determine whether end-user training and phishing warnings are effective, how vulnerability to phishing attacks evolves over time, which employees are most likely to fall for a phishing scam, and whether employees can actually play an important role in phishing email detection. The results of the study are interesting and provide insights into susceptibility to phishing attacks that can be used by businesses to develop effective employee training programs.

The study was conducted by researchers at ETH Zurich on 14,733 participants over a period of 15 months and involved a second company sending phishing email simulations to see who opened the messages and who clicked on links in the emails. The employees that were tested had no knowledge that simulations were being conducted, so that the simulations closely mirrored real-world phishing attacks.

There were notable differences in susceptibility to phishing attacks with different age groups, with younger employees more likely to respond to the phishing emails than all other age groups. 18- and 19-year-olds were by far the most likely age group to fall for phishing emails, with the over 60s the least likely. From ages 20 to 59, the percentage of dangerous actions taken in response to phishing emails increased for each age group, with 20- to 29-year-olds the least likely to take dangerous actions.

Individuals who are not required to use computers for their day-to-day jobs might be considered to be most at risk of falling for a phishing scam, but that was not the case. Infrequent computer users were the least likely to fall for the scams followed by frequent users, with individuals who use specialized software for repetitive tasks the most susceptible to phishing emails.

In this study, men and women were found to be equally susceptible to phishing emails across the entire study. This contrasts with several other studies that suggest there is a gender bias, with women less likely to fall for phishing scams than men. However, there were differences between the genders when combined with the frequency of computer use data. Men who use specialist software to automate tasks were the most likely to fall for phishing emails, followed by women who used specialist software, then women who are frequent users of computers, and men who are infrequent users. Female infrequent users were the least likely to fall for phishing scams.

The study confirmed the findings of several others in that some individuals are prone to respond to phishing emails. After responding to one simulated phishing email they would go on to respond to more. 30.62% of individuals who clicked on one phishing email were repeated clickers, and 23.91% of individuals who took dangerous actions such as enabling macros in email attachments did it on more than one occasion. These findings show the importance of conducting phishing email simulations to identify weak links who can receive additional training.

Phishing simulations are often conducted by businesses to test the effectiveness of their training programs, but one notable finding was that voluntary training when a simulated phishing email attracted a response was not effective. In fact, not only was this not effective, it appeared to make employees even more susceptible to phishing emails.

Another interesting finding related to adding warnings to emails. When warnings about potential phishing emails, such as a note that an email came from an external address, were included in emails, employees were less likely to be duped. However, the lengthier the warning, the less effective it was: detailed warnings were less likely to be read and acted upon.

When a phishing email reporting option was added to the mail client, employees often reported phishing emails. This feature involved a phishing email button that sent a warning to the IT team. There did not appear to be any waning of reporting over time, with employees not appearing to suffer from reporting fatigue. A few reports would be submitted within 5 minutes of an email arriving, around 30% of reports were within 30 minutes, and over 50% came within 4 hours. The reports could give IT security teams time to take action to remove all instances of phishing emails from the mail system or send warnings to employees.

What the study clearly demonstrated is that even employees who are adept at identifying phishing emails are likely to fall for one eventually, so while security awareness training is important, having an effective spam filtering solution is vital. Even individuals who were regularly exposed to phishing emails were eventually duped into clicking a phishing link or taking a dangerous action. Across the entire study, 32.1% of employees clicked on at least one dangerous link or opened a potentially dangerous email attachment.

Warning Issued About Brand Phishing Attacks and the Widespread Availability of Scampage Tools

The Federal Bureau of Investigation (FBI) has issued a warning about an increase in spear phishing campaigns impersonating big name brands. Brand phishing is incredibly common and is an effective way of getting individuals to disclose sensitive information such as login credentials or install malware.

Brand phishing abuses trust in a brand. When individuals receive an email from a brand they know and trust, they are more likely to take the action requested in the email. Brand phishing emails usually include the logo of the targeted brand, and the emails use the same message formats as genuine communications from those brands. Links are usually included to malicious web pages that are often hidden in buttons to hide the true destination URL.

If a user clicks the link, they are directed to an attacker-controlled domain that similarly uses branding to fool the victim and make them think they are on the genuine website of the spoofed brand. These webpages include forms that harvest sensitive data. Alternatively, malicious files may be downloaded, with social engineering techniques used to trick victims into opening the files and installing malware.

Cyber threat actors are offering scampage tools on underground marketplaces to help other cybercriminals conduct more effective phishing campaigns. These scampage tools are offered under the product-as-a-service model and allow individuals to conduct convincing phishing campaigns, including people who do not possess the skills to build such campaigns themselves. With phishing opened up to would-be cybercriminals, the threat to individuals and businesses increases.

The FBI says the scampage tools now being offered can recognize when individuals use their email address as their login ID for a website. Websites require a unique username to be provided when creating an account, and many use an individual’s email address as their username by default.

The scampage tools can identify when a user has set their email address as their username, and when that is detected, the user is directed to a scampage for the same email domain. The user is required to enter their password to log in, which allows the threat actor to obtain the password and access the victim’s email. With access to the email account, attackers can intercept 2-factor authentication codes, thus bypassing this important control mechanism. With 2FA codes, the attacker will be able to gain access to accounts and make changes, including updating passwords to lock users out of their accounts or changing security rules before the owner of the account can be notified.

“Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers,” said the FBI in its public service announcement. “Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.”

To counter the threat, businesses should implement an advanced spam filtering solution to block phishing emails and prevent them from being delivered to employee inboxes. Password policies should be created that require strong passwords to be set, and checks performed to ensure commonly used or weak passwords cannot be set on accounts. Employees should be told to never reuse passwords on multiple accounts and to ensure that all business accounts have unique passwords. Security awareness training should be provided to the workforce to teach email security best practices and train employees on how to identify phishing emails and other scams.

Given the increase in the use of scampage tools, if there is the option, users should set a unique username for an account that is not associated with their primary email address. 2-factor authentication should be configured, and where possible, a software-based authenticator program should be used or a USB security key as the second factor. Alternatively, provide a mobile number for a 2FA code and avoid using a primary email address to receive 2FA codes. If an email address is required, it is best to use an alternative email account.

Saint Bot Malware: A New Malware Dropper Being Distributed via Phishing Emails

A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.

Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.

The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.

The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.

The malware has not been linked with any specific threat group and may be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.

Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.
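Two of the delivery methods described on this page lend themselves to a content check at the mail gateway: Office documents that carry a VBA project (the macro-blocking section above) and ZIP archives that carry a Windows shortcut whose arguments invoke PowerShell (the Saint Bot lure). The following added example performs that triage on constructed sample files; it is not TitanHQ or Malwarebytes code, and the sample shortcut is only a header plus a string, not a working link file.

```python
"""Gateway-side triage of email attachments for the two delivery methods
described on this page: Office documents carrying a VBA project and ZIP
archives carrying a Windows shortcut (.lnk) that launches PowerShell.

Added example with constructed sample files; not TitanHQ or Malwarebytes code.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls container
# Shell link header: size 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PS_MARKERS = (b"powershell", "powershell".encode("utf-16-le"))  # .lnk strings are usually UTF-16LE
MAX_MEMBER = 25 * 1024 * 1024      # refuse to inflate archive members beyond this (zip-bomb guard)
MAX_DEPTH = 2                      # how many nested archives to open


def mentions_powershell(data: bytes) -> bool:
    low = data.lower()             # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    return any(marker in low for marker in PS_MARKERS)


def triage(name: str, data: bytes, depth: int = 0) -> list:
    """Return a list of (severity, reason) findings for one attachment."""
    findings = []
    if data.startswith(LNK_HEADER):
        why = f"{name}: Windows shortcut file"
        if mentions_powershell(data):
            why += " whose target invokes PowerShell"
        findings.append(("high", why))
    elif data.startswith(OLE_MAGIC):
        findings.append(("medium", f"{name}: legacy binary Office file; "
                                   "a VBA project cannot be ruled out without OLE parsing"))
    elif data.startswith(b"PK\x03\x04"):
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
            members = archive.infolist()
        except zipfile.BadZipFile:
            return [("medium", f"{name}: corrupt ZIP container")]
        names = [m.filename for m in members]
        if "[Content_Types].xml" in names:            # OOXML document (docx/xlsx/pptx/vsdx ...)
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append(("high", f"{name}: Office document contains a VBA project"))
        elif depth < MAX_DEPTH:                        # plain archive: look at each member
            for m in members:
                if m.file_size > MAX_MEMBER:
                    findings.append(("medium", f"{name}/{m.filename}: member too large to inspect"))
                    continue
                findings.extend(triage(f"{name}/{m.filename}", archive.read(m), depth + 1))
    return findings


# --- constructed samples (not real malware) -----------------------------------
def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_macro_doc() -> bytes:
    """Skeleton .docm: OOXML package with a (dummy) VBA project part."""
    return _zip_bytes({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"\x00" * 64})


def sample_clean_doc() -> bytes:
    return _zip_bytes({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>"})


def sample_wallet_zip() -> bytes:
    """Mimics the lure's layout: a text file plus a .lnk whose arguments name PowerShell.
    The shortcut is only a header plus a UTF-16LE string, not a working link file."""
    lnk = LNK_HEADER + b"\x00" * 56 + "powershell.exe <constructed arguments>".encode("utf-16-le")
    return _zip_bytes({"wallet/README.txt": b"open the wallet file",
                       "wallet/bitcoin-wallet.lnk": lnk})


if __name__ == "__main__":
    for fname, blob in (("invoice.docm", sample_macro_doc()),
                        ("notes.docx", sample_clean_doc()),
                        ("wallet.zip", sample_wallet_zip())):
        print(fname, triage(fname, blob) or "clean")
```

A gateway would quarantine or strip anything rated high and hold the legacy OLE case for deeper parsing; the check is independent of the Mark of the Web decision Office makes on the endpoint.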

In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and to condition them on how to respond when a potential threat is detected.

How SpamTitan Can Protect Against Phishing and Malware Attacks

SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.

SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, email sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.

SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.

SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.

If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.

An Easy Way to Block Email Impersonation Attacks on Businesses

Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. In 2020, ransomware attacks ran amok. Security experts estimate the final cost to global businesses from ransomware in 2020 will be $20 billion. They also predict that the ransomware trend will continue to be the number one threat in the coming years. Why? Because ransomware makes money for cybercriminals.

Ransomware criminals know no boundaries in their rush to make money. Every social engineering trick in the book has been played out over the years, from sextortion to phishing. Feeding the loop of social manipulation that ends in a ransom demand is the proliferation of stolen data, including login credentials: credential stuffing attacks, for example, are often linked to ransomware attacks, since a login to a privileged account allows malware to be installed. Cybersecurity defenses are being tested like never before.

Find out more about securing email accounts and blocking email impersonation attacks. Sign up for a free SpamTitan demo today.

Personal Data is Targeted

Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.

Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be far more lucrative, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.

One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.

The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or complying with another fraudulent request is 27%. That means roughly one in four employees will click a link in a phishing email or obey a fraudulent request.

Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.

SpamTitan is an award winning spam filter – Read over 300+ reviews on Capterra.

One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF is a DNS-based control that helps to identify spoofed messages. The domain owner publishes the IP addresses authorized to send mail for the domain in an SPF record on its DNS servers. Recipient servers look up the SPF record to make sure that the sender IP matches one of the authorized senders listed in the organization’s DNS records. If there is a match, the message is delivered. If the check fails, the message is rejected or quarantined.

DKIM involves the use of a cryptographic signature to verify the sender’s identity. That signature is created by the sending mail server with the organization’s private key and is verified by the recipient using the public key published in the organization’s DNS records. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check that genuine emails have not been flagged incorrectly.

Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.

DMARC seems complex, but with the right setup, it’s an invaluable security tool that defends against phishing and malicious email content. With phishing one of the most common ways attackers steal data, it’s important for organizations to implement the right solutions and rules that stop these messages before they can reach a user’s inbox.

While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan email security incorporates DMARC authentication to provide even greater protection against email spoofing attacks. DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.



Organizations Must Adapt to Cyber-Threats

Phishing, Impersonation attacks, ransomware – all must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat.

Endpoint protection is clearly not enough. A powerful anti-spam solution like SpamTitan can detect threats in real-time before they become an infection. Unlike traditional endpoint anti-malware, smart monitoring platforms perform real-time updates and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve; businesses can fight back, but to do so they must take real-time action.

TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to stop email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered email sandbox.

For further information on securing email accounts and blocking email impersonation attacks, contact TitanHQ today.

FAQs

Can you explain how to stop email impersonation with DMARC?

You need to create a DMARC record with your DNS hosting provider. You create a new TXT record, add a _DMARC host value, and add value information by setting v=DMARC1 and the p tag as p=none, p=quarantine or p=reject. Then perform a DMARC check to verify that the values and syntax are correct. Start with p=none to verify, then change to p=quarantine or p=reject once you have checked the validity of the record. The p tag tells the receiving mail server what to do with a message that doesn’t pass DMARC checks.

How to stop email impersonation using DMARC on SpamTitan

Configuring DMARC settings in SpamTitan is quick and easy. You can do this by navigating to System Setup > Mail Authentication > DMARC. We have produced a step-by-step guide on how to enable and configure DMARC in SpamTitan, which can be found in the SpamTitan Gateway Admin Guide.

How does DMARC prevent an email impersonation attack?

DMARC is a protocol that works in conjunction with SPF and DKIM to ensure a message was sent by the sender indicated in the From header. DMARC takes the SPF and DKIM authentication results and checks them against the same domain that is visible in the From header field. In short, DMARC checks whether the message really was sent from the email address that is visible to the recipient.
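The three passages above (the SPF/DKIM/DMARC overview, the FAQ on creating a record, and the alignment check just described) are easier to follow with the logic written out. The following Python is an added example, not SpamTitan's or any vendor's code: it parses a DMARC TXT record the way the FAQ describes creating one, validates v= and p= (the "DMARC check" step), and then evaluates a message's SPF and DKIM results against the From domain to arrive at a pass/fail and a disposition. The record, domains and authentication results are constructed, and the organizational-domain helper is a deliberate simplification (a real evaluator uses the Public Suffix List).

```python
"""Added example (not SpamTitan's or any vendor's code): parse a DMARC TXT
record and evaluate a message's SPF/DKIM results against it, showing how
DMARC ties both checks to the domain in the From header.
All records, domains and results below are constructed for illustration."""

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample record, as it would be published at _dmarc.example.com.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; "
                 "rua=mailto:dmarc@example.com")


def parse_dmarc_record(txt):
    """Return the record's tags as a dict; raise ValueError if the syntax is wrong.

    This is the 'DMARC check' step: confirm v= and p= are valid before
    tightening p= from none to quarantine or reject.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p tag must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            raise ValueError(f"{tag} must be r (relaxed) or s (strict)")
    return tags


def is_valid_dmarc_record(txt):
    """Boolean wrapper around parse_dmarc_record for quick syntax checks."""
    try:
        parse_dmarc_record(txt)
        return True
    except ValueError:
        return False


def organizational_domain(domain):
    """Last two labels of a domain.

    Simplification (assumption): real DMARC evaluators consult the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the domain an SPF or DKIM pass vouches for align with the From domain?"""
    if not auth_domain:
        return False
    if mode == "s":                      # strict alignment: exact match
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain
    is the d= tag of a signature that verified. One aligned pass is enough.
    On failure the disposition is p=, or sp= when the From domain is a
    subdomain of the domain the record was published for.
    (The pct= sampling tag is ignored here for brevity.)
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    # A message whose From header claims example.com but whose envelope
    # domain is unrelated: SPF may pass for that envelope domain, yet it
    # does not align with the From domain, so DMARC fails.
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "example.com",
                         "pass", "other.test", "fail", None))
```

The point the last call makes is the one the FAQ answer above states: an SPF pass on its own is not enough. The domain SPF vouched for must be the domain the recipient sees in From, otherwise the message is handed the p= (or sp=) disposition.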

I need to know how to prevent impersonation attacks on our clients

SpamTitan helps to stop impersonation and manipulation attacks on clients by scanning outbound emails. In the event of a mailbox being compromised, outbound scanning will alert your SpamTitan administrator about any email impersonation attack being attempted from that mailbox, as well as identifying mailboxes that are being used for spamming or malware delivery.

Do employees need to be taught how to prevent impersonation attacks?

With SpamTitan, email impersonation attacks can be blocked; however, it is still recommended to provide training to the workforce on how to identify phishing emails and other malicious messages. Training should include telling employees the signs of an email impersonation attack and should be tailored to user groups based on the level of risk. Training should be reinforced throughout the year.


New PayPal Phishing Scam Seeks Extensive Amount of Personal Information

A new PayPal phishing scam has been identified that attempts to obtain an extensive amount of personal information from victims under the guise of a PayPal security alert.

Fake PayPal Email Notifications

The emails appear to have been sent from PayPal’s Notifications Center and warn users that their account has been temporarily blocked due to an attempt to log into their account from a previously unknown browser or device.

The emails include a hyperlink that users are asked to click to log in to PayPal to verify their identity. A button is included in the email which users are requested to click to “Secure and update my account now !”. The hyperlink is a shortened bit.ly address that directs the victim, via a redirect, to a spoofed PayPal page on an attacker-controlled domain.

If the link is clicked, the user is presented with a spoofed PayPal login. After entering PayPal account credentials, the victim is told to enter a range of sensitive information to verify their identity as part of a PayPal Security check. The information must be entered to unlock the account, with the list of steps detailed on the page along with the progress that has been made toward unlocking the account.

First of all, the attackers request the user’s full name, billing address, and phone number. Then they are required to confirm their credit/debit card details in full. The next page requests the user’s date of birth, social security number, ATM or Debit Card PIN number, and finally the user is required to upload a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo ID.

Request for Excessive Information

This PayPal phishing scam seeks an extensive amount of information, which should serve as a warning that all is not what it seems, especially the request to enter highly sensitive information such as a Social Security number and PIN.

There are also warning signs in the email that the request is not what it seems. The email is not sent from a domain associated with PayPal, the message starts with “Good Morning Customer” rather than the account holder’s name, and the notice at the bottom of the email telling the user to whitelist the sender if the email was delivered to the spam folder is poorly written. However, the email has been written to encourage the recipient to act quickly to avoid financial loss. As with other PayPal phishing scams, many users are likely to be fooled into disclosing at least some of their personal information.

Consumers need to always exercise caution and should never respond immediately to any email that warns of a security breach. Instead, they should stop and think before acting, carefully check the sender of the email, and read the email very carefully. To check whether there is a genuine issue with the account, visit the PayPal website by typing the correct URL into the address bar of the browser. URLs in emails should never be used.
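The warning signs listed above (a sender domain that does not belong to the brand, a generic greeting, urgency pressure, and a shortened link that hides its destination) can be checked mechanically. The following Python is an added example, not SpamTitan's or PayPal's code: it parses a raw message with the standard library and returns a list of the signs it finds. The brand domain list, the shortener list and both sample messages are assumptions constructed for the example.

```python
"""Added example (constructed, not SpamTitan's or PayPal's code): flag the
warning signs described above in a raw email. The brand domain list, the
shortener list and the sample messages are assumptions made for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains a brand legitimately sends from (a real deployment maintains this list).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}
# Assumption: a few well-known URL shorteners; a link through one hides its real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
GENERIC_GREETING = re.compile(
    r"^\s*(?:good (?:morning|afternoon|evening)|dear|hello|hi)\s+(?:customer|user|member|client)\b",
    re.I | re.M)
URGENCY = re.compile(r"temporarily (?:blocked|limited|suspended)|within \d+ hours|immediately", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

# Constructed phishing-style sample reflecting the notice described in the post.
SAMPLE_PHISH = """\
From: PayPal Notifications Center <alerts@notify-center.example>
To: victim@example.net
Subject: Your account has been temporarily blocked

Good Morning Customer,

We could not verify a login from an unknown device.
Secure and update my account now ! http://bit.ly/placeholder
"""

# Constructed legitimate-looking sample for comparison.
SAMPLE_CLEAN = """\
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Your receipt

Dear JOHN SMITH,

Thanks for your payment. View details at https://www.paypal.com/activity
"""


def in_domain(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in domains)


def check_email(raw):
    """Return a list of human-readable warnings; an empty list means no sign was triggered."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = from_addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload()            # sample messages are single-part text
    warnings = []

    # Which brand does the message claim to come from? (display name or subject)
    claimed = next((b for b in BRAND_DOMAINS
                    if b in (from_name + " " + subject).lower()), None)
    if claimed and not in_domain(sender_domain, BRAND_DOMAINS[claimed]):
        warnings.append(f"sender domain {sender_domain} is not a {claimed} domain")
    if GENERIC_GREETING.search(body):
        warnings.append("generic greeting instead of the account holder's name")
    if URGENCY.search(subject + "\n" + body):
        warnings.append("urgency pressure in subject or body")
    for host in URL_HOST.findall(body):
        if in_domain(host, SHORTENERS):
            warnings.append(f"shortened link via {host} hides the real destination")
        elif claimed and not in_domain(host, BRAND_DOMAINS[claimed]):
            warnings.append(f"link host {host} does not belong to {claimed}")
    return warnings


if __name__ == "__main__":
    for w in check_email(SAMPLE_PHISH):
        print("WARNING:", w)
    print("clean sample:", check_email(SAMPLE_CLEAN))
```

Each check is deliberately simple and none of them is conclusive on its own; a message that triggers several at once is what a filter or a trained reader should treat as suspect. The brand and shortener lists are the part that needs maintaining in practice.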

To find out more about current phishing scams and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.

Do you use the same password across online accounts?

  • Make your password hard to guess - use a combination of upper and lower case letters, numbers, and special characters.
  • Change your password frequently.
  • Never use the same password with more than one account. If you do and your password is stolen, you are exposed and hackers could potentially gain access to every single account that the email address is associated with.

If you receive one of these PayPal texts, delete it immediately. Always read your messages before you click, or even better, don’t click on the link and contact PayPal directly.

Phishing Sources

Phishing messages can come from a range of sources, including:

  • Email
  • Phone calls
  • Fraudulent software
  • Social Media messages
  • Advertisements
  • Text messages

SpamTitan provides phishing protection to prevent whaling and spear phishing by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content. SpamTitan also performs reputation analysis on all links (including shortened URLs) contained in emails and blocks malicious emails before they are delivered to the end user. How SpamTitan protects from phishing attempts:

  • URL reputation analysis during scanning against multiple reputations.
  • Detect and block malicious spear-phishing emails with either existing or new malware.
  • Heuristic rules to detect phishing based on message headers. These are updated frequently to address new threats.
  • Easy synchronization with Active Directory and LDAP.
  • Spam Confidence Levels can be applied by user, user-group and domain.
  • Whitelisting or blacklisting senders/IP addresses.
  • Infinitely scalable and universally compatible.

SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. Protect your users from email links to malicious sites with SpamTitan. SpamTitan's sandboxing feature protects against breaches and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files.

Our free trial gives you the opportunity to evaluate our industry-leading email security solution in your own environment, and your clients the opportunity to provide feedback on how effective SpamTitan is at preventing all types of malware, ransomware and phishing attacks from entering your network.

SpamTitan is a multi-award-winning email protection, anti-phishing, and email filtering solution. Start your free trial for SpamTitan today to discover how we can prevent malware attacks.

Phishing attacks are extremely complex and increasing. The best way to protect against phishing scams is with a modern, robust email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.

To protect against advanced threats you need advanced protection. Take a closer look at SpamTitan – sign up for a free demo at a time that suits you.

Find out about some of the key protections you can put in place to improve your resilience against attacks. Book a free SpamTitan demo today.

New PayPal Phishing Scam Uses Unusual Activity Alerts to Obtain Credentials

A PayPal phishing scam was first detected in 2019. The scam used unusual activity alerts as a lure to get users to log in to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign was different, as the attackers were after much more than just account credentials. This PayPal phishing campaign stole credentials, credit card details, email addresses and passwords, and security questions and answers.

This PayPal phishing scam has mutated over the years and has proved to be one of the most dangerous to date in terms of the financial harm caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can then be used for further phishing scams on the victim’s family members, friends, and contacts.

How these Phishing Attacks Work

The PayPal phishing scams usually start with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.

The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.

If the link is clicked, the user will be directed to a fake PayPal website where they are required to log in to restore their account. In this first stage, PayPal account credentials are obtained. The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.

The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.

The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.

All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.

Security experts are still finding fake websites that impersonate PayPal. Using advanced social engineering techniques, they try to trick users into handing over sensitive data, including login credentials.

Discover how SpamTitan blocks phishing threats with a free demo.

Read more on current phishing scams and how to prevent attacks.

https://www.spamtitan.com/blog/protect-against-spoofed-email-phishing-scams/

https://www.spamtitan.com/blog/category/email-scams/

Rising Number of COVID-19 Phishing Attacks

IT professionals are seeing an enormous number of COVID-19 themed email phishing attacks. SpamTitan is blocking increasing levels of these phishing emails. What started out as dozens of COVID-19 phishing websites has grown to tens of thousands, and more are being identified and blocked daily. With a large percentage of the workforce working from home, cybercriminals are trying to capitalize on the heightened anxieties of the public during the current crisis.

COVID-19 phishing scams are the most sophisticated versions of phishing emails the industry has seen. Are your employees and customers aware and are they protected?

COVID-19 vaccine scams

Cybercriminals are now shifting their focus to phishing emails about COVID-19 vaccines. These vaccine-themed phishing emails use subject lines referencing vaccine registration, locations to receive the vaccine, how to reserve a vaccine, and vaccine requirements.

For employees looking for vaccination information on company devices, the consequences are obvious. If the user falls for the scam email they may divulge sensitive or financial information, or open malicious links or attachments, exposing the organization to attack. These phishing campaigns are sophisticated and may impersonate trusted entities, such as health or government agencies playing a central role in the COVID vaccination rollout.

Preventing Phishing Attacks

Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. These warnings may not always be genuine, so you should always exercise caution.

The golden rule? Never click links in emails.

Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials.

Discover how SpamTitan provides phishing protection with a free demo.

Phishing Protection

Without the right security tools in place, organizations are vulnerable to phishing attacks.  SpamTitan provides phishing protection by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content and performs reputation analysis on all email links, ultimately blocking malicious emails before they reach the end-user.

SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. SpamTitan's sandboxing feature protects against sophisticated email attacks by providing a powerful environment to run in-depth analysis of unknown or suspicious programs.

Phishing attacks are increasingly complex and growing in number. One of the most effective ways to protect against phishing scams is with a powerful email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.

To protect against advanced phishing threats you need advanced protection.

Take a closer look at SpamTitan today – sign up for a free demo at a time that suits you.

PayPal Phishing FAQs

How can I tell if an email from PayPal is genuine?

Generally speaking, emails originating from PayPal will always address you by your full name in capital letters – e.g., JOHN SMITH rather than John Smith. Also, PayPal will never ask for your bank account number, debit, or credit card number. It will also never ask for your full name, your account password, or the answers to your PayPal security questions in an email. If you have any concerns about an email from PayPal, forward the email to spoof@paypal.com where PayPal´s security experts will have a look at it and let you know whether or not it is genuine.

How does SpamTitan mitigate the threat of PayPal phishing scams?

There are several ways in which SpamTitan mitigates the threat of phishing scams. The most effective is DMARC authentication – an authentication process jointly developed by PayPal which leverages existing authentication processes (i.e., Sender Policy Framework and DomainKeys Identified Mail) to give domain owners control over emails sent from their domain names. DMARC authentication quickly identifies “spoof” emails claiming to be from PayPal and either rejects them or marks them as spam, depending on how the authentication process is configured.

Other than DMARC authentication, how else does SpamTitan protect customers from PayPal phishing scams?

SpamTitan provides the option to “greylist” all inbound emails – which involves returning emails from unknown sources to the originating mail server with a request to resend the email. SMTP-compliant mail servers resend greylisted emails automatically. However, spammers´ servers are rarely SMTP-compliant, so the phishing email is never returned. In the event a phishing email is resent, SpamTitan´s anti-spam engine will run a series of tests to determine a spam score for the email. Whether the email is rejected, marked as spam, or delivered, will depend on the spam score threshold applied by the system administrator.

Doesn´t the greylisting process delay the delivery of genuine emails?

When you configure SpamTitan to greylist inbound emails, you can specify a number of successful deliveries after which the greylisting process is suspended for each sender. Therefore, if you set the “auto-allow” field to “2”, the first two emails from a sender will be greylisted; and – provided the first two emails are successfully returned – no further emails from that sender will be greylisted. You can also exempt senders by name or IP address, and exempt emails sent to specific recipients (although recipient email exemptions are not recommended).
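The greylisting behaviour described in the two answers above (temporary rejection of an unknown sender, acceptance on a proper retry, an auto-allow count after which a sender is no longer greylisted, and exemptions by sender or IP) is shown below as an added Python example. It is a constructed illustration, not SpamTitan's implementation; the option names, addresses and IP addresses are assumptions made for the example.

```python
"""Added example (constructed, not SpamTitan's implementation): a minimal
greylisting decision function with the auto-allow behaviour the FAQ
describes. Option names, addresses and IPs are assumptions for illustration."""
from dataclasses import dataclass, field

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylister:
    retry_delay: int = 300                 # seconds before a retry of the same triplet is accepted
    auto_allow: int = 2                    # accepted deliveries after which a sender skips greylisting
    exempt_senders: set = field(default_factory=set)   # sender addresses never greylisted
    exempt_ips: set = field(default_factory=set)       # sending IPs never greylisted
    first_seen: dict = field(default_factory=dict)     # (ip, sender, recipient) -> first attempt time
    successes: dict = field(default_factory=dict)      # sender -> accepted deliveries so far

    def decide(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        sender = mail_from.lower()
        if sender in self.exempt_senders or ip in self.exempt_ips:
            return ACCEPT
        if self.successes.get(sender, 0) >= self.auto_allow:
            return ACCEPT                  # sender has earned auto-allow
        triplet = (ip, sender, rcpt_to.lower())
        seen = self.first_seen.get(triplet)
        if seen is None:
            self.first_seen[triplet] = now
            return TEMP_FAIL               # unknown triplet: ask the server to come back later
        if now - seen < self.retry_delay:
            return TEMP_FAIL               # retried too soon: keep waiting
        self.successes[sender] = self.successes.get(sender, 0) + 1
        return ACCEPT


def run_demo():
    """Replay a constructed sequence: a compliant server retries, a bulk sender does not."""
    g = Greylister(exempt_ips={"192.0.2.10"})
    legit = ("198.51.100.7", "news@example.org")
    return [
        g.decide(*legit, "alice@example.net", 0),      # first contact: deferred
        g.decide(*legit, "alice@example.net", 60),     # too soon: still deferred
        g.decide(*legit, "alice@example.net", 400),    # proper retry: accepted (1)
        g.decide(*legit, "bob@example.net", 500),      # new recipient, new triplet: deferred
        g.decide(*legit, "bob@example.net", 900),      # accepted (2): auto-allow reached
        g.decide(*legit, "carol@example.net", 1000),   # no greylisting for this sender any more
        g.decide("203.0.113.9", "promo@bulk.test", "alice@example.net", 0),  # deferred, never retries
        g.decide("192.0.2.10", "partner@example.com", "alice@example.net", 0),  # exempt IP
    ]


if __name__ == "__main__":
    for reply in run_demo():
        print(reply)
```

The delay cost the FAQ asks about is visible in the first three calls: a legitimate sender's very first message to each new recipient waits one retry interval, and after `auto_allow` accepted deliveries the sender is no longer delayed at all. A sender that never retries simply never gets through.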

What is the difference between a PayPal phishing scam and a COVID-19 vaccine scam?

Although both scams have the objective of obtaining sensitive information, COVID-19 vaccine scams tend to request Medicare and Medicaid numbers in return for illegitimate COVID-19 tests, vaccines, and treatments. Healthcare information such as this can be used to commit medical identity theft which enables the scammer to receive medical treatment under your name. If Medicare or Medicaid subsequently denies the claim for fraudulently-provided healthcare treatment, the victim of the COVID-19 vaccine scam could be liable for the cost.


Fake Google ReCAPTCHA and Other Tactics in Ongoing Phishing Campaigns

A round up of some of the phishing campaigns and phishing tactics identified over the past few days in campaigns targeting businesses in the banking and IT sectors, and individuals seeking unemployment benefits.

Fake Google ReCAPTCHA Used in Ongoing Phishing Campaigns

The use of CAPTCHA, an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”, is now common in phishing campaigns. CAPTCHA involves an image test, such as identifying all images in a group that contain cars, a test to identify characters in a slightly obfuscated image, or simply confirming that “I am not a robot.”

The Google reCAPTCHA is used on websites to distinguish human traffic from machines to protect against abusive activities by malicious code and software. ReCAPTCHA is a sign of security and the use of this system on a website helps to inspire trust. That trust is being abused by cybercriminals who have added fake Google ReCAPTCHAs to phishing sites. This tactic is becoming much more common.

One recently identified campaign uses emails about a voicemail message that impersonate company communication tools. The attachment directs the user to a phishing website where they are presented with a CAPTCHA challenge. In this campaign, the user must complete the standard ‘I am not a robot’ challenge and will then be presented with a Microsoft 365 login prompt. In addition to using Microsoft logos, the corporate logo of the company being targeted is also included. When credentials are entered, the user is told they have successfully validated and will proceed to a generic voicemail message. The lures used in these campaigns change frequently, with requests to review documents also common.

This campaign targets business executives in the banking and IT sectors, although the same tactic has been used throughout 2020 on targets in other industry sectors.

NFA Impersonated in Phishing Campaign Targeting Member Firms

A phishing campaign has been detected targeting the financial industry which impersonates the National Futures Association (NFA). The tactics used in this campaign are common in phishing scams: impersonating a trusted entity and abusing that trust to get individuals to install malware.

The emails in this campaign have been sent from an email address on a domain that closely resembles the legitimate NFA domain. The official NFA domain is nfa.futures.org, whereas the phishing emails have been sent from the domain nfa-futures[.]org.

The emails appear to have been sent by legitimate NFA staff members, with the signature including their name, job title, and the correct address of the office, with fake phone numbers. The signature of the email lists two websites: The official domain and also the fake domain.

As with many phishing campaigns, the recipient is told urgent action must be taken. The message says the NFA has made many attempts to contact the recipient about a matter that requires an urgent response. These emails are being used to direct individuals to malicious websites or convince them to open malicious attachments with the aim of delivering malware.
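The nfa-futures[.]org versus nfa.futures.org pair above is a typical lookalike domain: the same letters with one separator swapped. The following Python is an added example, not SpamTitan's code, of how a filter can score a sender or link domain against a list of protected domains: it normalizes separators and common homoglyphs, then falls back to an edit-distance check. The protected-domain list and the homoglyph table are assumptions constructed for the example.

```python
"""Added example (constructed, not SpamTitan's code): detect lookalike domains
such as the nfa-futures[.]org / nfa.futures.org pair described above. The
protected-domain list and the homoglyph table are assumptions for illustration."""
import re

# Assumption: domains the organisation wants to protect against impersonation.
PROTECTED = ["nfa.futures.org", "paypal.com"]

# Assumption: a small table of characters commonly swapped for lookalike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def refang(domain):
    """Turn a defanged indicator like nfa-futures[.]org back into a plain domain."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".").strip(".")


def skeleton(domain):
    """Collapse separators and homoglyphs so visually similar names compare equal."""
    d = refang(domain).translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-.]", "", d)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate, protected=PROTECTED):
    """Return (protected_domain, reason) if candidate impersonates one, else None."""
    c = refang(candidate)
    if any(c == p or c.endswith("." + p) for p in protected):
        return None                        # the real domain or a subdomain of it
    labels = re.split(r"[-.]", c)
    for p in protected:
        if skeleton(c) == skeleton(p):
            return p, "separator or homoglyph variant"
        if p.split(".")[0] in labels:
            return p, "brand label embedded in another domain"
        if levenshtein(skeleton(c), skeleton(p)) <= 1:
            return p, "one edit away"
    return None


if __name__ == "__main__":
    for d in ["nfa-futures[.]org", "www.nfa.futures.org", "paypa1.com", "example.org"]:
        print(d, "->", lookalike_of(d))
```

The order of the checks matters: the skeleton comparison catches the separator swap in the NFA case before the looser edit-distance test runs, and the legitimate-domain test comes first so that the organisation's own subdomains are never flagged. Thresholds like "one edit away" trade false positives for coverage and should be tuned against real mail flow.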

Phishing Campaign Impersonates State Workforce Agencies Offering Unemployment Benefits

Cybercriminals are creating fake websites that mimic genuine state workforce agencies (SWAs) in the United States in order to steal sensitive personal information that can be used for identity theft and fraud. The tactics are similar to the above campaign, although the aim is to obtain sensitive information rather than install malware on a business network.

The state workforce agency websites that the malicious sites impersonate are used by individuals to apply for unemployment benefits. In order to receive those benefits, individuals must provide personally identifiable information. Campaigns are being conducted to impersonate these sites and trick people into believing they are on the genuine website. After landing on the malicious page, a series of questions must be answered as part of a fake application for unemployment insurance benefits.

Traffic to the fake unemployment benefit websites is generated through phishing emails and text messages that impersonate an SWA, encouraging recipients to apply for benefits. These messages have been created to closely resemble official communications, using the official logos and color schemes of each SWA, with the domain linked in the email closely resembling the official SWA website.

Solutions to Improve Defenses Against Phishing Attacks

Phishing attacks are often sophisticated and highly targeted, and tactics, techniques, and procedures continually change to bypass technical and human defenses. To stay one step ahead of the scammers, businesses need to adopt a defense in depth approach to cybersecurity and implement multiple overlapping layers of security to block threats. If phishers and hackers manage to bypass one layer of security defenses, others will be in place to provide protection.

Human defenses, such as training the workforce how to identify phishing emails, are important. When a threat is encountered, employees will know how to react. It is also possible to condition employees not to take risks, such as opening email attachments in unsolicited messages from unknown senders. However, the sophistication of campaigns, spoofing of email addresses, lookalike domains, and email impersonation tactics make it difficult for some phishing emails to be distinguished from genuine email communications.

Technical defenses will ensure most threats are blocked and do not reach inboxes. An email security gateway solution is a must and should also be used on Office 365 environments. The standard Office 365 spam filter is simply not good enough at blocking threats. Spam filters with machine learning capabilities and greylisting will help to ensure more threats are blocked, and multiple malware detection methods should be used, including email sandboxing to detect new malware threats. A web filter should also be considered for blocking the web-based component of phishing attacks. A web filter will provide time-of-click protection and prevent individuals from visiting malicious sites and downloading potentially malicious files.

For more information on improving your phishing defenses and to register for a free trial of two award-winning anti-phishing solutions, contact the TitanHQ team today.

Don’t Be Fooled by this Adidas Phishing Scam!

A new Adidas phishing scam has been detected that offers free shoes and money. The messages claim that Adidas is celebrating its 93rd anniversary and is giving 3000 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription. The anniversary itself is a tell: Adidas was founded in 1949.

“Adidas is giving away 3000 Free Pair of Shoes to celebrate its 93rd anniversary. Get your free shoes at <link>”

The very same scam was run in 2019, on that occasion claiming to celebrate the brand's 69th anniversary and giving 2,500 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription. The scammers saw success previously and have clearly decided it is worth trying again.

The Scam Adidas Email

There is also an email version of the scam. The fake Adidas email claims the recipient has won a large sum of money and all they need to do to claim the cash is send their personal details via email.

Scam emails are now a very effective form of cyberattack. Most successful hacking attacks today begin with a phishing email. Scam emails that deliver ransomware or are used for business email compromise (BEC) are a challenge for corporate security.

A successful breach can cost an organization millions, but defending against this kind of attack requires powerful anti-spam and malware technology. To defend against this kind of phishing attack you need a cutting edge email security solution to stop scam emails, a security aware workforce able to identify a scam email and spot a spoofed email, and powerful web protection that blocks users from accessing dangerous websites.

WhatsApp phishing scam

The WhatsApp phishing scam is targeting users on mobile devices in specific locations. If the user clicks the link in the message and is determined not to be using a mobile device, they will be directed to a webpage that displays a 404 error. The scam will also only run if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.

Provided the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The responses to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.

In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user does this, they will be directed to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.

There is another catch. In order to claim their free sneakers, the user must pay $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any point.

On the payment screen the user is told that the payment will be processed by organizejobs.net. Proceeding with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.

The campaign is being run on WhatsApp, although similar scams have been conducted via email and SMS messages. Several variations along the same theme have also been identified spoofing different shoe manufacturers.

The link supplied in the WhatsApp phishing message appears to be genuine, using what looks like the official domain for the country in which the user is located. The domain only looks correct: this is a homoglyph attack. Instead of adidas.de, the letter i is replaced with a look-alike non-ASCII character that renders as a dotless vertical stroke, so the domain is a different name altogether even though it reads as adidas.de.

These types of scams are commonplace. Homoglyph scams take advantage of internationalized domain names (IDN), which allow non-ASCII characters in domain labels. The name actually registered is the Punycode form (a label beginning xn--), but browsers and messaging apps may display the Unicode form, which can look identical to the genuine brand name. Similar scams use a technique called typosquatting, where domains closely matching real brand names are registered: misspellings such as "Addidas" instead of Adidas, or an i replaced with a 1 or an l.
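The two tricks described above can be checked for mechanically. The Python below is an added example, not code from the original post or from Adidas or TitanHQ: it reduces a domain label to the ASCII "skeleton" a human would read, shows the Punycode (xn--) form that is really being resolved, and measures the edit distance from a known brand so both homoglyph and typosquat look-alikes are flagged. The confusables table is a constructed, deliberately small sample (a real tool would load the Unicode confusables.txt data), the dotless-i example domain is assumed for illustration, and the code assumes single-label public suffixes rather than consulting the Public Suffix List.

```python
import unicodedata

# Constructed look-alike table (assumption: a real deployment would load the full
# Unicode confusables.txt data). Each key renders like its ASCII value.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "1": "l",       # digit one read as lowercase L
    "0": "o",       # digit zero read as o
}


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII string a human would read it as:
    lowercase, strip accents, then fold look-alike characters."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so 'adidsa' is one edit from 'adidas' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, brands=("adidas",)) -> list:
    """Return the reasons a domain looks like an impersonation of one of `brands`;
    an empty list means no look-alike pattern was found (not proof of legitimacy).
    Assumption: single-label public suffixes only (adidas.de, not adidas.co.uk);
    a real tool would consult the Public Suffix List."""
    labels = [l for l in domain.lower().rstrip(".").split(".") if l]
    if len(labels) < 2:
        return ["not a fully qualified domain"]
    name = labels[-2]  # the registrable label under the assumption above
    reasons = []
    if any(ord(ch) > 127 for ch in name):
        # What the resolver actually sees: the Punycode (xn--) form of the IDN label
        ascii_form = domain.encode("idna").decode("ascii")
        reasons.append(f"non-ASCII label; the name actually registered is {ascii_form}")
    sk = skeleton(name)
    for brand in brands:
        if name == brand:
            continue  # the genuine registrable name, e.g. adidas.de
        if sk == brand:
            reasons.append(f"look-alike of {brand} (skeleton matches)")
        elif osa_distance(sk, brand) <= 1:
            reasons.append(f"one edit away from {brand} (typosquat)")
        elif brand in sk:
            reasons.append(f"{brand} embedded in label {name!r}")
        if any(brand in skeleton(l) for l in labels[:-2]):
            reasons.append(f"{brand} appears only as a subdomain of {'.'.join(labels[-2:])}")
    return reasons


if __name__ == "__main__":
    for d in ("adidas.de", "ad\u0131das.de", "addidas.com", "ad1das.com", "adidas.de.evil.com"):
        print(d, "->", classify(d) or "no look-alike pattern")
```

The last case matters in practice: adidas.de.evil.com contains the genuine brand name as a subdomain, which is why the check looks at which label is actually registrable rather than whether the brand string appears anywhere in the URL.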

In this case, the attackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the information used to run up huge bills or drain bank accounts.

There are various warning signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will reveal it is incorrect. Being required to share the message with contacts is atypical, as is being notified of a charge after being told the shoes are free. The user is never asked to choose a pair of shoes or even select a size, and payment is processed through an odd, unrelated domain. Even with these tell-tale signs that the offer is not genuine, this Adidas phishing scam is likely to fool many people.

Be warned. If you receive any unsolicited WhatsApp message offering you free goods, it is best to assume it is a phishing scam.

To find out more about some of the key protections you can put in place to improve your resilience against email scams and phishing attacks, contact the SpamTitan team today.

Phishing Campaign Abuses Windows Finger Utility to Download MineBridge Backdoor

A new phishing campaign has been identified that abuses the Windows Finger command to download a malware variant called MineBridge.

The Finger command in Windows can be used by a local user to obtain a list of users logged on to a remote machine or, alternatively, to obtain information about a specific remote user. The utility queries a remote finger server over TCP port 79. Finger originated on Unix systems in the 1970s and was later carried over to Linux and Windows, but it is now rarely used.

There are also security concerns with the finger utility, and it has been abused in the past to find out basic information about users that can be targeted in social engineering attacks. Vulnerabilities in the finger protocol have also been exploited in the past by some malware variants.

Recently, security researchers discovered Finger can be used as a LOLBin (a legitimate, Microsoft-supplied binary abused for malicious ends) to download malware from a remote server or to exfiltrate data, often without triggering alerts from security solutions that trust built-in Windows tools. Finger is now being used in at least one phishing campaign to download malware.

MineBridge malware is a Windows backdoor written in C++ that has previously been used in attacks on South Korean companies. The malware was first documented by researchers at FireEye in January 2020, when several campaigns were identified distributing the malware via phishing emails with malicious Word attachments.

The latest campaign sees the attackers impersonate a recruitment company. The email recommends a candidate for consideration for a position at the targeted firm. The sender suggests that even if there are no current openings, the CV should be checked and the candidate considered. The email is well written and believable.

As is common in phishing campaigns, if the document is opened a message is displayed telling the user the document was created in an older version of Microsoft Word and that to view the content they need to 'enable editing' and then 'enable content'. Doing so runs the macro, which uses the Finger command to fetch a Base64-encoded "certificate" from the attacker's server. The certificate is in fact an encoded executable: once decoded it acts as a malware downloader that uses DLL hijacking to sideload the MineBridge backdoor. Once installed, MineBridge gives the attacker control over the infected device and allows a range of malicious actions to be performed.

It is easiest to block attacks like this by installing an advanced spam filtering solution to block the malicious emails and prevent them from reaching inboxes. As an additional protection against this and other campaigns that abuse the Finger.exe utility in Windows, admins should consider disabling finger.exe if it is never used, and blocking outbound TCP port 79 at the perimeter, which stops finger traffic even if the binary remains available.
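Where finger.exe cannot simply be disabled, the behaviour described above is easy to hunt for in process-creation telemetry: finger is almost never launched by an Office application, and a query to a raw IP address rather than a corporate host is a strong signal. The Python below is an added example, not code from the original post or from TitanHQ or FireEye. It runs three such rules over constructed process-creation events written in a simplified key="value" form loosely modelled on Sysmon Event ID 1 fields; the events, hostnames and IP addresses are made up for illustration, and the rules are assumptions about what is anomalous in a typical Windows estate rather than observed indicators from the campaign.

```python
import ipaddress
import re

# Constructed process-creation events in a simplified key="value" form,
# modelled loosely on Sysmon Event ID 1 fields. These are not real telemetry.
SAMPLE_EVENTS = [
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c finger user@203.0.113.10 > C:\Users\Public\cert.b64"',
    r'ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\finger.exe" CommandLine="finger jdoe@unixhost.corp.example"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\Users\jdoe\notes.txt"',
    r'ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Image="C:\Windows\System32\finger.exe" CommandLine="finger.exe 198.51.100.7"',
]

# Office processes that have no legitimate reason to run finger (assumption)
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Matches "finger [user@]host" whether finger is the image or buried in a cmd.exe line
FINGER_RE = re.compile(r"\bfinger(?:\.exe)?\s+(?:[\w.\-]+@)?([\w.\-]+)", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn key="value" pairs into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def finger_target(cmdline: str):
    """Return the host queried by finger, or None if the command line is not a finger call."""
    m = FINGER_RE.search(cmdline)
    return m.group(1) if m else None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(lines) -> list:
    """Return (severity, reason, command line) for every event that involves finger."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "")
        target = finger_target(cmdline)
        if image != "finger.exe" and target is None:
            continue  # nothing to do with finger
        if parent in OFFICE_PROCESSES:
            # The pattern from the MineBridge campaign: a macro driving finger
            alerts.append(("high", f"finger spawned under {parent}: macro-driven download", cmdline))
        elif target and is_ip_literal(target):
            alerts.append(("high", f"finger query to raw IP {target}", cmdline))
        else:
            alerts.append(("medium", "finger.exe executed; rarely legitimate", cmdline))
    return alerts


if __name__ == "__main__":
    for severity, reason, cmdline in analyse(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {cmdline}")
```

The "medium" tier exists because the legitimate administrator in the second event still deserves a look if the organization has no business use for finger; if it does, that rule is the one to tune down, not the Office-parent rule.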

Beware of COVID-19 Vaccine Phishing Scams!

Cybercriminals are leveraging interest in COVID-19 vaccination programs and are conducting a range of COVID-19 vaccine phishing scams with the goal of obtaining sensitive data such as login credentials or to distribute malware. Several government agencies in the United States have recently issued warnings to businesses and consumers about the scams including the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services, and law enforcement agencies such as the FBI.

COVID-19 vaccine scams can take many forms. Campaigns have already been detected that offer early access to COVID-19 vaccines. These scams require a payment to be made as a deposit or a fee to get to the top of the waiting list. Other scams offer the recipients a place on the waiting list if they apply and provide personal information.

COVID-19 vaccine phishing scams are being conducted via email; however, it is likely that fraudsters will advertise on websites, social media channels, or conduct scams over the telephone or via SMS messages and instant messaging platforms. While many of these scams target consumers, there is potential for businesses to be affected if employees access their personal emails at work or if the scam emails are sent to work email addresses.

Scam emails often include links to websites where information is harvested. These links may be placed inside email attachments to conceal them from email security solutions. Office documents are also commonly used for delivering malware via malicious macros.

The emails typically impersonate trusted entities or individuals. COVID-19 vaccine scam emails are likely to impersonate healthcare providers, health insurance companies, vaccine centers, and federal, state, or local public health authorities. During the pandemic, there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in Covid-19-related phishing scams.

The U.S. Department of Justice recently announced that two domains have been seized that impersonated vaccine developers. The domains were virtual carbon copies of the legitimate websites of two biotechnology companies involved in vaccine development. The malicious content has been removed, but there are likely to be many more domains registered and used in COVID-19 vaccine phishing scams over the coming weeks.

Warnings have also been issued about the risk of ransomware attacks that take advantage of interest in COVID-19 vaccines and provide the attackers with the foothold in networks they need to conduct their attacks.

There are four important steps that businesses can take to reduce the risk of falling victim to these scams. Since email is extensively used, it is essential to have an effective spam filtering solution in place. Spam filters use blacklists of malicious email and IP addresses to block malicious emails, but since new IP addresses are constantly being used in these scams, it is important to choose a solution that incorporates machine learning. Machine learning helps to identify phishing threats from IP addresses that have not previously been used for malicious purposes and to identify and block zero-day phishing threats. Sandboxing for email is also important for identifying and blocking zero-day malware threats that have yet to have their signatures incorporated into the virus definition lists of antivirus engines.

While spam filters can identify and block emails that contain malicious links, a web filtering solution is also recommended. Web filters are used to control the websites that employees can access and prevent visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated via threat intelligence feeds to provide protection against recently discovered malicious URLs.

Businesses should not neglect end user training and should regularly provide refresher training to employees to help them identify phishing threats and malicious emails. Phishing simulation exercises are also beneficial for evaluating the effectiveness of security awareness training.

Multi-factor authentication should also be applied as a last line of defense. In the event of credentials being compromised, multi-factor authentication will help to ensure that stolen credentials cannot be used to remotely access accounts.

With these measures implemented, businesses will be well protected from malware, COVID-19 vaccine phishing scams, and other phishing threats.

For further information on spam filtering, web filtering, and protecting your business from malware and phishing attacks, give the TitanHQ team a call today.

COVID-19 Has Created the Perfect Environment for Black Friday Scams

Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.

Surge in Phishing Attacks in the Run Up to Black Friday

The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.

Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.

Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more business to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.

Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns use CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.

With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.

How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats

This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.

The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.

SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to detonate suspicious attachments in an isolated environment before they reach the user, and SPF, DKIM, and DMARC checks to detect and block email impersonation attacks.

WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.

If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.

Warning for Small Businesses About SBA Loan Phishing Scams

Several SBA loan phishing scams have been identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.

Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.

Hundreds of millions of dollars have been made available by the U.S. government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.

Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.

Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.

Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double-clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.

The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.

In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan and uses the subject line "SBA Application – Review and Proceed." The emails link to a cleverly spoofed SBA web page that attempts to steal credentials and is indistinguishable from the genuine login page apart from the URL. The scam prompted the DHS' Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.

These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.

First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for signs of spam, phishing, and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.

Dual antivirus engines detect known malware, and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.

Prior to opening any downloaded document or file it should be scanned using antivirus software that has up-to-date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.

Care should be taken when opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests for bank account and other highly sensitive information.

Emails and websites may look legitimate and carry SBA logos, but that does not guarantee they are genuine. Always carefully check the actual sender address, not just the display name. Genuine SBA accounts use the sba.gov domain: the part after the @ must be exactly sba.gov or a subdomain of it. A domain that merely ends in the characters "sba.gov", such as notsba.gov, is not the SBA, and neither is sba.gov.example.com. The display name can easily be spoofed, and the Reply-To address may differ from the From address, so inspect the full headers rather than relying on what the mail client shows. Care should also be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is a legitimate domain.
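The header checks just described are simple to automate, and the subtlety about "ends with sba.gov" is worth seeing in code. The Python below is an added example, not code from the original post or from SpamTitan or the SBA: it parses the From, Reply-To and Authentication-Results headers of a message and reports a From domain that is not sba.gov or a subdomain of it, a display name that claims to be the SBA while the address is not, a Reply-To that points somewhere else, and a missing or failing DMARC verdict. The three messages are constructed samples; the addresses, hostnames and the relay name mx.example.net are made up, and the Authentication-Results parsing assumes the receiving server records a dmarc= result in that header.

```python
import email
import re
from email.utils import parseaddr

TRUSTED = "sba.gov"
BRAND_WORDS = ("sba", "small business administration")


def in_domain(addr_domain: str, trusted: str) -> bool:
    """True only for `trusted` itself or a subdomain of it. Note that a bare
    endswith() check would also accept notsba.gov."""
    d = addr_domain.lower().rstrip(".")
    return d == trusted or d.endswith("." + trusted)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def check_sender(raw_message: str, trusted: str = TRUSTED) -> list:
    """Return findings about the From/Reply-To/DMARC headers; [] means consistent
    (which is still not proof the message is genuine)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []
    if not in_domain(from_domain, trusted):
        findings.append(f"From domain {from_domain!r} is not {trusted} or a subdomain of it")
        if any(word in display_name.lower() for word in BRAND_WORDS):
            findings.append(f"display name {display_name!r} impersonates {trusted}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)!r}, not {from_domain!r}")
    # The receiving server's own verdict, if it recorded one
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if verdict is None:
        findings.append("no DMARC verdict recorded by the receiving server")
    elif verdict.group(1).lower() != "pass":
        findings.append(f"DMARC result is {verdict.group(1)}")
    return findings


# Constructed sample messages (headers only matter here)
GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sba.gov; dkim=pass header.d=sba.gov; dmarc=pass header.from=sba.gov
From: "SBA Disaster Assistance" <noreply@sba.gov>
Subject: Your application status

Body text.
"""

SPOOF = """\
From: "U.S. Small Business Administration" <loans@notsba.gov>
Reply-To: <claims@sba-loan-review.example>
Subject: SBA Application - Review and Proceed

Body text.
"""

LOOKALIKE = """\
Authentication-Results: mx.example.net; dmarc=fail header.from=sba.gov.example
From: SBA Disaster Loans <assistance@sba.gov.example>
Subject: Supporting documents required

Body text.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoof", SPOOF), ("lookalike", LOOKALIKE)):
        print(label, "->", check_sender(raw) or "headers consistent")
```

Note that the display-name rule only fires when the address domain has already failed, so a genuine message from an sba.gov address with "SBA" in its display name is not penalised.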

CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real time, send automatic alerts, block downloads of certain file types, and carefully control the types of websites that can be accessed by employees.

For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.

Phishing Campaign Piggybacks on Popularity of Dating Apps During Lockdown to Install Remote Access Trojan

Higher education institutions in the United States are being targeted in a phishing campaign that distributes a remote access trojan called Hupigon, a RAT that was first identified in 2010.

The Hupigon RAT has previously been used by advanced persistent threat groups (APT) from China, although this campaign is not believed to have been conducted by APT groups, instead the Hupigon RAT has been repurposed by cybercriminals. While several industries have been targeted in the campaign, almost half of attacks have been on colleges and universities.

The Hupigon RAT allows the operators to download other malware variants, steal passwords, and gain access to the microphone and webcam. Infection could see the attackers take full control of an infected device.

The campaign uses online dating lures to get users to install the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is asked to select the one they find the most attractive. When the user makes their choice, they are directed to a website where an executable file is downloaded, which installs the Hupigon RAT.

The choice of lure for the campaign is no doubt influenced by the huge rise in popularity of dating apps during the COVID-19 pandemic. While there are not many actual dates taking place due to lockdown and social distancing measures now in place around the globe, the lockdowns have seen many people with a lot of time on their hands. That, coupled with social isolation for many singles, has actually led to an uptick in the use of online dating apps, with many users of the apps turning to Zoom and FaceTime to have virtual dates. Several popular dating apps have reported an increase in use during the COVID-19 pandemic. For example, Tinder reports use has increased, with the platform having its busiest ever day, with more than 3 billion profiles swiped in a single day.

As we have already seen with COVID-19 lures in phishing attacks, which account for the majority of lures during the pandemic, when there is interest in a particular event or news story, cybercriminals will take advantage. With the popularity of dating apps soaring, we can expect to see an increase in the number of online dating-themed lures.

The advice for higher education institutions and businesses is to ensure that an advanced spam filtering solution is in place to block the malicious messages and ensure they do not reach end users’ inboxes. It is also important to ensure that security awareness training continues to be provided to staff, students, and remote employees to teach them how to recognize the signs of phishing and other email threats.

TitanHQ can help with the former. If you want to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call today. After signing up, you can be protecting your inboxes in a matter of minutes.

Healthcare Providers Continue to be Targeted with COVID-19 Phishing Emails

Healthcare providers are being targeted by cybercriminals using COVID-19-themed phishing emails, with the campaigns showing no sign of letting up. The volume of attacks has prompted the U.S. Federal Bureau of Investigation (FBI) to issue a further warning to healthcare providers urging them to take steps to protect their networks and block the attacks.

The first major COVID-19-themed phishing attacks targeting healthcare providers started to be detected by around March 18, 2020. The attacks have grown over the following weeks and the lures have diversified.

Campaigns have been conducted targeting at-home healthcare employees who are providing telehealth services to patients, and there has been an increase in business email compromise scams. The latter see vendors impersonated and requests sent for early or out-of-band payments due to difficulties that are being experienced due to COVID-19.

The phishing attacks are being conducted to obtain login credentials and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the exfiltration of sensitive data.

The malware being distributed in these campaigns is highly varied and includes information stealers such as Lokibot, backdoors, and Trojans such as Trickbot. Microsoft has recently reported that Trickbot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced documents. In addition to being a dangerous malware variant in its own right, Trickbot also downloads other malicious payloads, including Ryuk ransomware.

A diverse range of malware is delivered by a similarly diverse range of email attachments and malicious scripts. Microsoft Word documents containing malicious macros are commonly used, as are 7-zip compressed files, Microsoft executables, and JavaScript and Visual Basic scripts. The emails are being sent from a combination of domestic and international IP addresses.

While the number of COVID-19-themed phishing emails has been increasing, the overall volume of phishing emails has not increased by a major amount. What is happening is threat actors are changing their lures and are now using COVID-19 lures as they are more likely to be opened.

The campaigns can be highly convincing. The lures and requests are plausible, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization have been spoofed. Oftentimes the emails are sent from a known individual and trusted contact, which makes it more likely that the email attachment will be opened.

The advice offered by the FBI is to follow cybersecurity best practices such as never opening unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied promptly is also important, as is turning off automatic email attachment downloads. The FBI has also recommended filtering out certain types of attachments through email security software, something that is easy to do with SpamTitan.

The FBI has stressed the importance of not opening email attachments, even if antivirus software says that the file is clean. As the Trickbot campaign shows, new variants of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up. This is another area where SpamTitan can help. In addition to using dual antivirus engines to identify known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats that have yet to have their signatures added to antivirus software virus definitions lists.

Training is important to teach healthcare employees cybersecurity best practices to help them identify phishing emails, but it is also important to ensure that your technical controls are capable of blocking these threats.

Beware of COVID-19 Phishing Emails

Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.

People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.

Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.

The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.

The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide "Coronavirus Updates", with the emails containing a ZIP file attachment that appeared to hold a PDF file, MYHEALTH.PDF. However, the file was actually an executable, MYHEALTH.exe. If the file was opened, it triggered the download of GuLoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.

The Centers for Disease Control and Prevention is also being impersonated. One campaign claims the novel coronavirus has become an airborne threat and warns of new cases in the local area. The emails appear to come from a legitimate CDC email account, CDC-Covid19[@]cdc.gov, although the address is merely made to look genuine. The emails include an attachment titled "Safety Precautions" which appears to be an Excel spreadsheet but is actually a .exe executable file. Double-clicking the attachment triggers the download of a banking Trojan.
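Both of the attachments described above, like the .img lure in the SBA section earlier on this page, rely on the recipient trusting the file name rather than the file. Two checks catch most of them: look for a document-style extension followed by an executable one (Windows hides known extensions by default, so MYHEALTH.pdf.exe displays as MYHEALTH.pdf), and compare the claimed type with the file's leading bytes. The Python below is an added example, not code from the original post or from TitanHQ: the signature table is a deliberately short constructed sample (a real tool would use a full table such as libmagic's), and the file names and header bytes in SAMPLES are made up to mirror the lures described.

```python
# Magic-byte signatures (leading bytes) for the handful of types that matter here.
# Constructed, deliberately short table; a real tool would use libmagic or similar.
MAGIC = [
    (b"MZ", "exe"),                                   # PE/DOS executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                           # ZIP, also .docx/.xlsx/.pptx (OOXML)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy .doc/.xls/.ppt
    (b"\x7fELF", "elf"),
]
# What content each claimed extension should actually have
EXPECTED_TYPE = {
    "pdf": {"pdf"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "zip": {"zip"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"}, "exe": {"exe"}, "scr": {"exe"},
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "ps1", "msi", "dll", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
                 "jpg", "jpeg", "png", "gif", "img", "iso"}


def sniff(head: bytes) -> str:
    """Identify the content type from the leading bytes."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, head: bytes) -> list:
    """Return the reasons an attachment does not match what its name claims."""
    parts = filename.lower().split(".")
    exts = parts[1:]                      # every extension after the base name
    final = exts[-1] if exts else ""
    findings = []
    if final in EXECUTABLE_EXTS:
        findings.append(f"final extension .{final} is executable")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        shown = ".".join(parts[:-1])      # what Explorer shows with known extensions hidden
        findings.append(f"double extension .{exts[-2]}.{final}; displayed as {shown!r}")
    kind = sniff(head)
    expected = EXPECTED_TYPE.get(final)
    if expected is not None and kind not in expected:
        findings.append(f"content is {kind}, not a .{final}")
    elif expected is None and kind == "exe":
        findings.append(f"content is an executable despite extension .{final or '(none)'}")
    return findings


# Constructed samples: names modelled on the lures above, header bytes made up.
SAMPLES = [
    ("MYHEALTH.PDF", b"MZ\x90\x00\x03\x00\x00\x00"),        # executable named as a PDF
    ("MYHEALTH.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),    # double extension
    ("Safety Precautions.xlsx.exe", b"MZ\x90\x00"),         # displays as an Excel file
    ("SBA_form.img.exe", b"MZ\x90\x00"),                    # the .img lure
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),        # genuine PDF
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),         # genuine OOXML
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name}: {check_attachment(name, head) or 'OK'}")
```

The magic-byte check is the one that survives a clean file name: MYHEALTH.PDF has a single, harmless-looking extension and is caught only because its first two bytes are MZ.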

Email and text-based phishing campaigns are targeting UK taxpayers and impersonating HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According to the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.

In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.

Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.

With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.

Emotet Phishing Campaigns Continue and New Wi-Fi Infection Method Identified

Emotet is the biggest malware threat faced by businesses and activity has increased considerably in recent weeks after a lull in December. Several new campaigns are now being identified each week, most of which target businesses. One of the most recent campaigns uses a tried and tested technique to install the Emotet Trojan: malicious Word documents masquerading as invoices, estimates, renewals, and bank details.

The campaign mostly targets organizations in the United States and the United Kingdom, although attacks have also been detected in India, Spain, and the Philippines. Approximately 90% of emails in this campaign target financial services, with around 8% of attacks on companies in the food and drink industry.

The malicious Word documents are either attached to emails or the emails include hyperlinks that direct the user to a compromised website where the Word document is downloaded. The websites used are frequently changed and new Emotet variants are frequently released to evade detection. Email security solutions that rely solely on signature-based AV engines are unlikely to detect these zero-day variants as malicious.

Since Emotet is a massive botnet, emails spreading the Emotet Trojan come from many different sources. Email security solutions that rely on real-time blacklists are unlikely to detect these sources as malicious.

Emotet is primarily distributed via email from infected devices, but recently another distribution method has been identified. Emotet also spreads via Wi-Fi networks. This method has been used for almost two years, but it has only just been detected by security researchers at Binary Defense.

When Emotet is installed, a worm.exe binary is dropped and runs automatically. It enumerates nearby Wi-Fi networks and attempts to brute force weak passwords. Once connected to a network, it searches for non-hidden shares, attempts to enumerate the users on the network, brute forces their credentials, and drops the Emotet binary on any device it gains access to.
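The share and credential brute forcing described above leaves a distinctive trace on the victims: a burst of failed network logons (Windows Security event 4625, logon type 3) from one source, either many attempts against one account or one attempt each against many accounts. The detector below is an added example for this page, not code from Binary Defense or from the article. It assumes a simplified SIEM export of the form `timestamp|event_id|source_ip|target_user|logon_type` and builds its own constructed sample records; real 4625 records carry many more fields.

```python
"""Flag hosts generating bursts of failed network logons (event 4625)."""
import collections
from datetime import datetime, timedelta


def parse_events(text):
    """Parse 'timestamp|event_id|source_ip|target_user|logon_type' records.

    Assumption: a SIEM export in this simplified shape. Only network logons
    (type 3, which SMB share access uses) are kept, because that is how the
    Wi-Fi spreader reaches other machines.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, user, logon_type = line.split("|")
        if event_id != "4625" or logon_type != "3":
            continue
        events.append((datetime.fromisoformat(ts), src, user))
    return events


def detect_bursts(events, window=timedelta(seconds=60), max_failures=10, max_users=5):
    """Return {source_ip: {"failures": n, "users": m}} for sources that, within
    any `window`, either reach `max_failures` attempts (password guessing) or
    touch `max_users` distinct accounts (password spraying). The largest
    offending window per source is reported."""
    by_source = collections.defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((ts, user))
    alerts = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            users = {user for _, user in in_window}
            if len(in_window) >= max_failures or len(users) >= max_users:
                best = alerts.get(src, {"failures": 0})
                if len(in_window) > best["failures"]:
                    alerts[src] = {"failures": len(in_window), "users": len(users)}
    return alerts


def build_sample_log():
    """Constructed sample records for the demo (not real telemetry)."""
    base = datetime(2020, 2, 10, 9, 0, 0)
    rows = []
    # 12 failed network logons in 22 s against one account: password guessing
    for i in range(12):
        rows.append((base + timedelta(seconds=2 * i), "192.168.1.57", "administrator"))
    # 6 failures in 15 s, each against a different user: spraying
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        rows.append((base + timedelta(minutes=5, seconds=3 * i), "192.168.1.80", user))
    # two mistyped passwords ten minutes apart: benign
    rows.append((base + timedelta(minutes=20), "192.168.1.22", "alice"))
    rows.append((base + timedelta(minutes=30), "192.168.1.22", "alice"))
    return "\n".join("%s|4625|%s|%s|3" % (ts.isoformat(), src, user) for ts, src, user in rows)


if __name__ == "__main__":
    for src, detail in detect_bursts(parse_events(build_sample_log())).items():
        print(src, detail)
```

Thresholds are deliberately conservative; tune `max_failures` and `max_users` to the baseline of your own environment, and correlate a hit with the wireless client list, since a source that only appeared on the Wi-Fi segment minutes before the burst is the pattern the Binary Defense research describes.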

How to Block Emotet

The constantly changing tactics of the Emotet gang make detection difficult and no single solution will provide protection against all forms of attack. What is needed is a defense-in-depth approach with layered controls.

The primary defense against a predominantly email-based threat such as Emotet is an advanced spam filtering solution. Many businesses use Office 365 and rely on the protection provided by Exchange Online Protection (EOP), which is included as standard with Office 365 licenses. However, EOP alone will not provide enough protection against Emotet. EOP blocks known malware threats, but it struggles to identify zero-day attacks. To block zero-day attacks, more advanced detection methods are required.

SpamTitan has been developed to work seamlessly with EOP to protect Office 365 email from zero-day threats. SpamTitan uses a variety of techniques to identify Emotet, including dual antivirus engines to block known Emotet variants and sandboxing to block zero-day attacks. Suspicious or unknown attachments are sent to the sandbox where they are subjected to in-depth analysis to identify command and control server callbacks and other malicious actions. SpamTitan also scans outgoing emails to identify attempts to spread Emotet from an already-infected machine. SpamTitan also incorporates DMARC to identify email impersonation and domain spoofing, which are commonly used in emails spreading Emotet.

To provide protection against the web-based element of attacks, including Emotet emails that use malicious hyperlinks rather than email attachments, another layer needs to be added to cybersecurity defenses – a DNS filtering solution such as WebTitan.

WebTitan uses real-time URL threat detection powered by 650 million end users. The real-time database includes more than 3 million malicious URLs and IP addresses and each day around 100,000 new malicious URLs are detected and blocked. WebTitan also includes real-time categorization and detection of malicious domains, full-path URLs, and IPs, with up-to-the-minute updates performed to block new malicious sources. As soon as a URL is identified as being used to distribute Emotet (or other malware) it is blocked by WebTitan. WebTitan also conducts link & content analysis, static, heuristic, & behavior anomaly analysis, and features in-house and 3rd party tools and feeds to keep users protected from web-based threats.

Other essential steps to take to tackle the threat from Emotet include:

  • Disable macros across the organization
  • Ensure operating systems are kept up to date and vulnerabilities are promptly patched.
  • Set strong passwords to thwart brute force attacks
  • Ensure endpoint protection solutions are deployed on all devices
  • Provide security awareness training to employees
  • Conduct phishing simulation exercises to identify employees that require further training

Novel Coronavirus Phishing Scam Uses Scare Tactics to Spread Emotet Trojan

A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.

The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.

A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.

A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.

The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign targets users in several Japanese prefectures and warns of an increase in the number of locally confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.

If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.

To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.

More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries, with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky Lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.

Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.

For further information on protecting your email system, contact TitanHQ today.

Warnings Issued About Travelex Phishing Scams

Whenever there is a major event that attracts a lot of media attention cybercriminals will be poised to take advantage, so it is no surprise that warnings are being issued about Travelex phishing scams.

The Travelex ransomware attack that struck on New Year’s Eve involved a ransomware variant called Sodinokibi. The gang responsible is one of the most prolific threat groups using ransomware. The group’s attacks are highly targeted and seek to encrypt entire networks and the ransom demands reflect the scale of encryption. Travelex was initially issued with a demand for a payment of $3 million. That soon doubled to $6 million when payment was not made within the allocated timescale.

The fallout from the attack has been immense, which is unsurprising given that Travelex is the largest provider of currency exchange services worldwide. Many banks and retailers rely on Travelex to provide for their currency exchange services. Without access to those online services, currency exchange services came to a grinding halt. It has taken two weeks for Travelex to start bringing some of its services back online, but its website remains down and the disruption continues.

The attackers claimed to have stolen large quantities of customer data from Travelex and threatened to publish or sell the data if the ransom was not paid. This tactic is becoming increasingly common with ransomware gangs. In this case, the Sodinokibi gang claimed to have gained access to Travelex systems 6 months previously and said they had stolen customer data including names, payment card information, Social Security numbers and National Insurance numbers. The gang had also recently attacked the American IT company Artech Systems and had posted 337MB of data stolen in that attack, demonstrating to others that it was not an empty threat. Travelex maintained that no customer data had been stolen, but that has yet to be confirmed.

Warning Issued About Travelex Phishing Scams

Travelex customers should naturally err on the side of caution and monitor their accounts for signs of fraudulent use of their information but there are other risks from an attack such as this.

Travelex has issued a warning to its customers recommending they should be alert to the threat of phishing attacks via email and over the phone. Opportunistic scammers often take advantage of major events such as this and Travelex phishing scams are to be expected, as was the case following the TalkTalk data breach. These phishing scams are likely to be most effective on Travelex customers who have lost money as a result of the attack. Any offer of compensation or a refund is likely to attract a response.

For consumers, the advice is never to open email attachments or click on links in unsolicited emails. Businesses should also take steps to protect their networks from malware and phishing attacks.

Businesses should adopt a defense in depth strategy to protect against phishing scams and malware attacks. An advanced email security solution such as SpamTitan should be used to protect Office 365 accounts. SpamTitan improves protection against zero-day malware and phishing threats and blocks threats at the gateway.

A web filtering solution such as WebTitan should be used to block the web-based component of phishing and malspam campaigns and prevent end users from visiting malicious websites. End user training is also a must. It is important to teach employees how to identify phishing emails and malspam, and to train them in how to respond when suspicious emails are received.

2-Year Phishing Attack Detected Targeting Canadian Bank Customers

Customers of Canadian banks have been targeted by cybercriminals in an extensive phishing campaign that has been ongoing for at least the past two years, according to Check Point Research which uncovered the campaign. As with many other financial phishing scams, the attackers spoof the website of a well-known bank and create a virtual carbon copy of the home page of the bank on a lookalike domain, which often only differs from the genuine domain name by a letter or two.

A link to the fraudulent site is then sent in a mass spamming campaign to email addresses on the country-specific top-level domain where the bank operates. The emails instruct users to visit the bank’s website and log in, usually under the guise of a security alert. When the link in the email is clicked, the user is directed to the spoofed site and may not notice the domain name is not quite right. They then enter their login credentials, which are captured by the scammers. The credentials are then used to make fraudulent wire transfers to accounts controlled by the attackers.

In this campaign, the emails include a PDF email attachment. PDF files tend to be trusted to a higher degree than Word documents and spreadsheets, which end users have usually been instructed to treat as suspicious. The PDF file includes a hyperlink, which the user is instructed to click. Since the hyperlink is in the document rather than the email body, it is less likely to be scanned by email security solutions and has a higher chance of being delivered.

The user is told that they are required to update their digital certificate to continue using the online banking service. The PDF file includes the bank logo and a security code, which the user is required to enter when logging in. The code is placed in the PDF attachment rather than the email body, ostensibly for security reasons. As with most phishing scams, there is urgency. The recipient is told that the code expires in 2 days and that they must register within that time frame to avoid being locked out of their account.

The landing pages on the websites are identical to those used by the banks as the attackers have simply taken a screen shot of the bank’s landing page. Text boxes have been added where the username, password, and token number must be entered. Users are then asked to confirm the details they entered while the attackers attempt to access their account in real-time and make a fraudulent transfer.

These tactics are nothing new. Scams such as this are commonplace. What is surprising is how long the campaign has been running undetected. The scammers have been able to operate undetected by registering many lookalike domains which are used for a short period of time. Hundreds of different domains have been registered and used in the scam. At least 14 leading banks in Canada have had their login pages spoofed including TD Canada Trust, Scotiabank, Royal Bank of Canada, and BMO Bank of Montreal.
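Because the campaign burned through hundreds of short-lived domains that each differed from a genuine bank domain by a letter or two, a defender's best lever is to screen newly observed or newly registered domains against a list of protected brands. The checker below is an added example for this page, not code from Check Point or the article. The brand domains are illustrative assumptions, the registrable-domain split assumes two-label domains (a production tool consults the Public Suffix List), and the test domains are constructed.

```python
"""Flag lookalike domains against a list of protected brand domains."""

# Assumption: illustrative brand domains for the demo, not a vetted list.
BRAND_DOMAINS = ["td.com", "scotiabank.com", "rbc.com", "bmo.com"]

# Character sequences attackers substitute because they render alike.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (label, tld) for the registrable part, dropping a leading www."""
    parts = domain.lower().strip(".").split(".")
    if parts[0] == "www":
        parts = parts[1:]
    # Assumption: two-label registrable domains only; a real tool consults the
    # Public Suffix List so that e.g. bank.co.uk is handled.
    return parts[-2], parts[-1]


def fold_homoglyphs(label):
    for seq, repl in HOMOGLYPHS:
        label = label.replace(seq, repl)
    return label


def classify_domain(candidate, brands=BRAND_DOMAINS):
    """Return (verdict, brand_domain), or None when the candidate resembles no brand."""
    label, tld = split_domain(candidate)
    for brand in brands:
        b_label, b_tld = split_domain(brand)
        if label == b_label:
            return ("legitimate" if tld == b_tld else "tld-swap", brand)
        if fold_homoglyphs(label) == fold_homoglyphs(b_label):
            return ("homoglyph", brand)
        # Tolerate one edit per five characters (at least one) so that a short
        # brand such as "td" does not match every three-letter label.
        if levenshtein(label, b_label) <= max(1, len(b_label) // 5):
            return ("edit-distance", brand)
        if b_label in label.split("-"):
            return ("brand-embedded", brand)
    return None


def screen_domains(candidates, brands=BRAND_DOMAINS):
    """Return only the candidates that look like a brand but are not it."""
    flagged = {}
    for domain in candidates:
        result = classify_domain(domain, brands)
        if result and result[0] != "legitimate":
            flagged[domain] = result
    return flagged


if __name__ == "__main__":
    # Constructed candidates resembling the lookalikes described in the article.
    sample = ["www.scotiabnak.com", "brno.com", "scotiabank.co",
              "td-canadatrust-secure.com", "rbc.com", "example.com"]
    for domain, (verdict, brand) in screen_domains(sample).items():
        print("%-28s %-15s (%s)" % (domain, verdict, brand))
```

Feed it a certificate-transparency stream or a daily new-registration feed and the hits become candidates for blocking at the DNS filter before the phishing email lands, which is exactly the window the two-year campaign exploited.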

All of the websites used in the scam have now been taken down, but it is all but guaranteed that other lookalike domains will be registered and further scams will be conducted.

Greta Thunberg Spam Emails Used to Spread Emotet Banking Trojan

A spamming campaign has been detected that is piggybacking on the popularity of Greta Thunberg and is using the climate change activist’s name to trick individuals into installing the Emotet Banking Trojan.

Emotet is one of the most active malware threats. Emotet was first detected in 2014 and was initially used to steal online banking credentials from Windows users by intercepting internet traffic. Over the years it has undergone several updates to add new functionality. It has had a malspam module added, which allows it to send copies of itself via email to a user’s contacts. Emotet also includes a malware downloader, allowing it to download a range of other malware variants such as other banking Trojans and ransomware.

The malware is used indiscriminately in attacks on individuals, businesses, and government agencies, with the latter two being the main targets. Emotet is primarily spread via spam email; while Emotet itself does not use exploits such as EternalBlue to spread to other devices on the network, the malware it downloads, such as TrickBot, can.

The Greta Thunberg spam campaign aims to get users to open a malicious Word attachment and enable content. If that happens, Emotet will be silently downloaded to the user’s device, sensitive banking information will be stolen, and further malware may be downloaded.

The campaign was active over the holiday period and used a variety of Christmas-themed lures to entice users into opening the email attachment. Some of the emails did not include an attachment and instead used a hyperlink to direct the user to a website where the malicious document could be downloaded.

One of the emails wished the recipient a Merry Christmas and urged them to consider the environment this Christmastime and join a demonstration in protest against the lack of action by governments to tackle the climate crisis. The email claimed details about the time and location of the protest were included in the Word document. The email also requested the recipient to send the email on to all their colleagues, friends, and relatives immediately to get their support as well. Several variations along that theme have been detected.

To increase the likelihood of the recipient enabling content, the document, when opened, displays a warning that appears to have been generated by Microsoft Office. The user is told that the document was created in OpenOffice and that it is necessary to first enable editing and then enable content. Doing the latter enables macros, which start the infection process.
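Whatever the lure text says, the document can only start an infection if it actually carries a VBA project, and in an OOXML file that project is a visible part of the package (`word/vbaProject.bin`) with a matching `macroEnabled` content type. A gateway can therefore decide before the user ever sees the "enable content" prompt. The checker below is an added example for this page, not code from the article or from any product; it builds minimal constructed packages for the demo, and it deliberately punts on legacy binary .doc/.xls files, where macros live in OLE streams and a parser such as olevba is the right tool.

```python
"""Report whether an Office attachment carries a VBA macro project."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
MACRO_CONTENT_TYPE = "macroEnabled"  # appears in [Content_Types].xml of .docm/.xlsm
MACRO_EXTENSIONS = ("docm", "dotm", "xlsm", "xltm", "pptm")


def macro_report(data, filename):
    """Classify an attachment by what it actually contains, not what it claims."""
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: macros live in OLE streams; hand off to oletools/olevba.
        return {"verdict": "legacy-ole", "vba_parts": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"verdict": "not-office", "vba_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = package.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        try:
            content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
    if not vba_parts:
        return {"verdict": "no-macros", "vba_parts": []}
    declares_macros = MACRO_CONTENT_TYPE in content_types
    ext = filename.lower().rsplit(".", 1)[-1]
    if declares_macros and ext in MACRO_EXTENSIONS:
        return {"verdict": "macro-enabled", "vba_parts": vba_parts}
    # A VBA project inside a file that presents itself as macro-free: treat as evasion.
    return {"verdict": "macros-with-mismatched-extension", "vba_parts": vba_parts}


def should_quarantine(report):
    """Policy from the article's own advice: macros are disabled organization-wide,
    so any document that carries them, or hides them, does not reach the inbox."""
    return report["verdict"] in ("macro-enabled", "macros-with-mismatched-extension")


def build_demo_package(with_macros):
    """Constructed minimal OOXML package containing only the parts the check reads."""
    if with_macros:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_type
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", content_types)
        package.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            package.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("Coronavirus notice.docm", build_demo_package(True)),
                       ("agenda.docx", build_demo_package(False)),
                       ("invoice.doc", OLE2_MAGIC + b"\x00" * 16)]:
        report = macro_report(data, name)
        print(name, report["verdict"], "quarantine" if should_quarantine(report) else "deliver")
```

The mismatch verdict exists because a .docm renamed to .docx still contains the VBA part; Word will refuse to open it as-is, but a user who renames it back, or a gateway that only inspects extensions, would let it through.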

The emails are well written and have been crafted to get an emotional response, which increases the likelihood of the user taking the requested action. The emails have been sent in multiple languages in many different countries.

Whenever there is a major news event, popular sports tournament, or other event that attracts global interest, there will be cybercriminals taking advantage.  Regardless of the theme of any email, if it is unsolicited and asks you to click a link or open an email attachment, it is best to assume that it is malicious.

Businesses can protect their networks against threats such as these by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan will identify threats such as phishing attacks and will prevent the messages from reaching inboxes. SpamTitan also includes dual anti-virus engines to detect known malware and machine learning techniques and sandboxing to identify and block zero-day malware.

For further information on how SpamTitan can protect your business from email threats such as this, contact TitanHQ today.

Fake Court Subpoenas Used as Phishing Lure for Malware Distribution

Phishers are constantly changing tactics and coming up with new ways to fool people into handing over their credentials or installing malware. New campaigns are being launched on a daily basis, with tried and tested lures such as fake package delivery notices, fake invoices and purchase orders, and collaboration requests all very common.

In a departure from these common phishing lures, one threat group has opted for a rarely seen lure, but one that has potential to be very effective: Fake court subpoenas. The emails use fear and urgency and are designed to get users to panic and click quickly.

This campaign has been running for a few weeks and is targeting users in the United Kingdom, although this scam could easily be adapted and used in attacks on users in other countries.

Many phishing scams have the goal of stealing credentials to allow email accounts or Office 365 accounts to be accessed. In this case, the aim of the attack is to spread information stealing malware called Predator the Thief.

The phishing emails appear to have been sent by the Ministry of Justice in the UK. The sender field has Ministry of Justice as the display name and the emails have the Ministry of Justice crest, although the actual email address suggests the email has come from the Department of Justice (DOJ).

The emails warn the user that they have been subpoenaed. They are supplied with a case number along with a date when they have been ordered to attend court.

The emails include a hyperlink which the user must click to find out details of the charge and the documents they will need to bring with them to court. Urgency is added by warning the recipient they only have 14 days to respond to provide notice, and that the court case will proceed without them if they do not respond.

The URL in the email is seemingly benign, as it links to Google Docs – a trusted website. Clicking the link will see the user first directed to Google Docs, then redirected to OneDrive. When the user arrives on the OneDrive site, a document is downloaded. That document contains a malicious macro that launches a PowerShell command that downloads Predator the Thief malware.

Predator the Thief is an information stealer that can take screenshots and steals email and FTP credentials, along with cryptocurrency wallets and browser information. In contrast to many browser information stealers, this malware variant doesn’t just target the main browsers, but a host of less popular browsers. Once information has been stolen, the malware cleans up and exits, which makes it harder for the infection to be detected.

Phishing scams such as this highlight the need for layered security. Naturally, an advanced anti-spam solution such as SpamTitan should be implemented to block these threats and ensure messages are not delivered to end users’ inboxes. SpamTitan also includes DMARC email authentication to block mail impersonation attempts and a sandbox where email attachments are analyzed for malicious actions.
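DMARC, mentioned here and in the Emotet section above, is only as good as the alignment logic behind it, and it has a blind spot that this campaign exploits: it checks the domain in the From header, never the display name, so "Ministry of Justice <…@some-other-domain>" passes DMARC cleanly. The evaluator below is an added example for this page, not code from the article or from any product. It assumes the SPF and DKIM results have already been computed, uses example domains and a constructed protected-brand table, and takes the organizational domain as the last two labels (a real implementation uses the Public Suffix List).

```python
"""Evaluate DMARC alignment and spot display-name impersonation."""
from email.utils import parseaddr


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s; aspf=r' into a dict with RFC defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    # Assumption: last two labels; production code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_header, record, spf_domain=None, spf_result="none",
                   dkim_domain=None, dkim_result="none"):
    """Return (dmarc_pass, disposition). spf_domain is the MAIL FROM domain,
    dkim_domain the d= tag of a signature that verified."""
    _, address = parseaddr(from_header)
    from_domain = address.rpartition("@")[2]
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, policy["p"]  # none / quarantine / reject, as the owner published


# Assumption: brands the gateway protects and the only domains allowed to use them.
PROTECTED_BRANDS = {
    "ministry of justice": {"justice.example"},
    "agency alerts": {"agency.example"},
}


def display_name_impersonation(from_header, brands=PROTECTED_BRANDS):
    """DMARC never looks at the display name, so check it separately: the name
    claims a protected brand while the address domain is not one of its own."""
    name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    for brand, domains in brands.items():
        if brand in name.lower() and domain not in domains and org_domain(domain) not in domains:
            return brand
    return None


if __name__ == "__main__":
    # Constructed messages: a spoofed agency sender, then a display-name lookalike.
    print(evaluate_dmarc("Alerts@agency.example", "v=DMARC1; p=reject",
                         spf_domain="bulk-sender.example", spf_result="pass"))
    print(display_name_impersonation('"Ministry of Justice" <notice@justice-mail.example>'))
```

The second check is the one that would have caught the subpoena emails: the display name says Ministry of Justice while the address belongs to an unrelated domain, which DMARC, by design, has no opinion about.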

SpamTitan blocks in excess of 99.9% of all malicious emails, but it is not possible to block 100% of threats no matter what email security solution you use. This is where another layer is required. WebTitan is a DNS filtering solution that blocks threats such as this at the point where a DNS lookup is performed. This allows malicious websites to be blocked before any content is downloaded. WebTitan can also be configured to block downloads of certain file types.

With these two solutions in place, your business will be well protected against phishing emails and web-based malware downloads.

Beware of Thomas Cook Phishing Scams

The collapse of the package holiday operator Thomas Cook left thousands of holidaymakers stranded, hundreds of thousands of holiday bookings have been cancelled, and more than 9,000 staff have lost their jobs. The company and other UK firms in its group have been forced into compulsory liquidation and cybercriminals have been quick to take advantage. Dozens of Thomas Cook-related domains were registered following the collapse of the firm and several Thomas Cook phishing scams have been detected.

Customers who have incurred out-of-pocket expenses as a result of the collapse of the company, and anyone who has paid for a package holiday that has been cancelled, may be entitled to a refund or compensation. That has given scammers the perfect opportunity to launch phishing attacks seeking bank account and credit card information.

Customers who have booked Thomas Cook holidays are protected under the ATOL scheme and refunds are being processed by the Civil Aviation Authority, which has set up a subdomain on its website – thomascook.caa.co.uk – where customers can submit claims for refunds. More than 360,000 holidays have been booked for more than 800,000 holidaymakers, who are entitled to refunds. More than 60,000 customers submitted refund forms on the first day that the website was set up and claims for out-of-pocket expenses are being processed by travel insurance firms. The CAA has stated that it will take 60 days for the refunds to be issued.

Anyone who has yet to submit their claim should exercise caution as there are multiple phishing scams being conducted offering money back on canceled holidays, reimbursement of out-of-pocket expenses, compensation, and fake updates on the status of refund claims. Any email received in relation to Thomas Cook should be treated as a potential scam.

Scams may be conducted with the aim of spreading malware or ransomware. Malicious code is contained in file attachments that trigger a malware download when the attachment is opened. However, far more common in situations when people are demanding refunds is to send phishing emails containing hyperlinks to malicious websites. Those websites require sensitive information such as credit card information and bank account details to be entered. Scammers are well aware that in order for refunds to be processed, bank account information would be required and phishing forms have been set up on fake Thomas Cook domains to do just that.

While there may be some giveaways that emails are not genuine – spelling mistakes and grammatical errors – some Thomas Cook phishing scams are virtually impossible to distinguish from genuine communications. Banks have also been notifying customers by email, which has presented scammers with even more opportunities to hoodwink Thomas Cook customers. There have also been reports of former employees being targeted by scammers offering compensation.

The golden rule to avoid becoming a victim of Thomas Cook phishing scams is never to respond to a request in an unsolicited email. Attachments should not be opened, hyperlinks in emails should not be followed, and contact information included in the message body should not be used. Only use official channels such as the CAA website, and contact banks and travel insurance firms directly using verified contact information.

How to Block Google Calendar Phishing Scams

Google has acknowledged a vulnerability in the Google Calendar app is being exploited by cybercriminals to inject fake and malicious items into Google Calendar.

Several Google Calendar phishing campaigns were detected over the summer of 2019 which were exploiting this flaw. The campaigns saw Google Calendar spam sent to large numbers of users, including invites to events and other requests and special offers that popped up on unsuspecting users’ screens.

These notifications contained links to webpages where users could find out more information about the events and special offers. If events were accepted, they would be inserted into users’ calendars and would trigger automatic notifications. The offers and invites would keep on appearing until the users clicked the link. Those links directed users to phishing pages where credentials were harvested.

Some of the scams required credit card information to be entered, others required the user to login using their Office 365 credentials. Links could also direct users to webpages where drive-by malware downloads take place.

Most people are aware of the threat of phishing emails, malicious text messages, and social media posts that harvest sensitive information, but attacks on calendar services are relatively unheard of. Consequently, many users will fail to recognize these notifications and calendar items as malicious, especially when they appear in a trusted app such as Google Calendar.

Unfortunately, these attacks are possible because in the default setting, anyone can send a calendar event to a user. That event will be inserted into the user’s calendar and will automatically trigger notifications, as is the case with legitimate events.

In addition to events, messages can include special offers, notifications of cash prizes, alerts about money transfers, and all manner of other messages to entice the user to click a malicious link and disclose sensitive information or download malware.

Google Calendar is not the only calendar service that is prone to these attacks. Apple users have also been targeted, as have users of other calendar apps.

How to Block Google Calendar Phishing Attacks

Recently, a Google employee acknowledged the increase in ‘calendar spam’ and confirmed action was being taken by Google to address the problem.

In the meantime, users can prevent these spam and phishing messages from appearing by making a change to the app settings. Users should navigate to Event Settings > Automatically Add Invitations, and select the option “No, only show invitations to which I’ve responded” and uncheck the “show declined events” option in View Options.

Businesses should also consider including Google Calendar phishing scams in their security awareness training programs to ensure employees are aware that phishing attacks are not limited to email, text message, telephone calls, and social media posts.

Business Email Compromise Scams Now the Leading Cause of Losses to Cybercrime

Business email compromise scams are now the leading cause of cyberattack-related losses. Billions are being lost each year and there are no signs of the attacks abating. In fact, it has been predicted that the number of attacks and losses will continue to increase.

Around 1% of global GDP is lost to cybercrime each year and that figure is increasing rapidly. Currently, around $600 billion is lost each year to cybercrime. A FinCEN report from July 2018 shows that the BEC losses reported in suspicious activity reports (SARs) have increased from $110 million per month in 2016 to $301 million per month in 2018, and Cybersecurity Ventures predicts losses will increase to $6 trillion globally by 2021. According to the FBI, more than $1.2 billion was lost to business email compromise scams in the United States alone in 2018.

Business email compromise (BEC) scams involve the impersonation of an executive or other individual, whose compromised email account is used to send fraudulent wire transfer requests. A variation sees a business associate of the company spoofed and requests sent demanding that outstanding invoices be paid. The latter is now more common than attacks spoofing the CEO.

BEC attacks usually start with a spear phishing attack to obtain email account credentials. Once email credentials are compromised, the account is used to send messages to other individuals in the organization, such as employees in the payroll, HR, or finance department. Since the emails come from a trusted source within the organization and the wire transfer requests are not unusual, payment is often made.

A successful attack can see sizable wire transfers made to accounts controlled by the attackers. Payments are often for tens of thousands of dollars or, in some cases, millions of dollars. A recent attack on a subsidiary of the car manufacturer Toyota Boshoku Corporation saw a fraudulent transfer of $37 million made to the attackers.

While that incident stands out because of the scale of the loss, fraudulent transfers of millions of dollars are far from unusual, and in many cases only a small percentage of the transferred funds is recovered. Since the attacks are so profitable, it is no surprise that many cybercriminal gangs are now running BEC campaigns.

A new report from the insurer AIG shows BEC attacks are now the leading reason for cybersecurity-related insurance claims, having overtaken ransomware attacks for the first time. 23% of all cyberattack-related claims are due to BEC scams.

For the most part, these BEC attacks can be prevented with basic cybersecurity measures. AIG attributes the rise in claims to poor security at the targeted organizations: investigations uncovered failures such as no security awareness training for employees, no enforcement of strong passwords, no multi-factor authentication, and weak email security controls.

If businesses fail to implement these basic cybersecurity measures, attacks are inevitable. Cyber-insurance policies may cover some of the losses, but many SMBs will not be in a position to make a claim. For them, BEC attacks can be catastrophic.

If you run a business and are concerned about your defenses against phishing, spear phishing, and BEC attacks, contact TitanHQ to find out more about effective cybersecurity solutions that can block BEC attacks.

New CAPTCHA Phishing Scam Targets Android Users and Steals SMS Security Codes

A new CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.

When a visitor lands on the phishing page, the server checks which device is being used. Android devices are served a malicious APK file; any other platform receives a zip file containing malware.

A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is served by a PHP page; every click on the image grid is submitted to that page, which responds with the download of the malicious file. This campaign appears to be focused on mobile users.

On an Android device, the malicious APK reads incoming SMS messages and forwards the one-time codes sent for two-factor authentication, which lets the attackers complete a login to the victim's bank account. With the same access to SMS codes an email account can also be taken over, and further accounts can then be compromised by requesting password resets to that mailbox.

A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.

This method of delivering malware is nothing new: fake CAPTCHA pages have been used since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign ran in 2016.

Attackers adopt a technique for a while, drop it, and return to it later. Training can prepare the workforce for attacks such as this, but security awareness training alone is not enough, because tactics change frequently and new methods of attack are constantly developed.

As this attack shows, two-factor authentication that relies on SMS is far from infallible. Besides malware that reads codes on the handset, the SS7 signaling protocol carriers use to route SMS messages has flaws that can be exploited to intercept messages in transit, which is why authenticator apps or hardware tokens are preferable where a service offers them.

Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.

It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that checks Domain-based Message Authentication, Reporting & Conformance (DMARC) verifies that a message passing SPF or DKIM did so for a domain aligned with the visible From: address, and applies the domain owner's published policy (none, quarantine or reject) when it did not. Bear in mind that DMARC only covers exact-domain spoofing; lookalike domains and display-name tricks need separate checks.
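The alignment check described above, as an added example rather than any vendor's code. The DMARC record would normally be fetched from the TXT record of _dmarc.<domain> and the SPF/DKIM results supplied by the receiving MTA; here the record, the domains and the results are constructed inline so the check runs offline, and the organizational-domain logic is simplified to the last two labels (a real filter must consult the Public Suffix List).

```python
# Added example (not SpamTitan code): evaluating DMARC alignment for one message.
# The DMARC record normally comes from a DNS TXT lookup of _dmarc.<domain> and the
# SPF/DKIM results from the receiving MTA; both are constructed inline here.
# org_domain() is simplified to the last two labels; use the Public Suffix List
# in production (co.uk and friends break the two-label rule).

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "sp": None}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    a, b = header_from_domain.lower(), auth_domain.lower()
    if not b:
        return False
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(header_from_domain, dmarc_record, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM (envelope) domain SPF was evaluated for;
    dkim_domain is the d= tag of a DKIM signature that verified. DMARC passes
    if *either* mechanism passed *and* its domain aligns with the visible
    From: domain; otherwise the published policy decides what happens.
    """
    policy = parse_dmarc(dmarc_record)
    spf_aligned = spf_result == "pass" and aligned(header_from_domain, spf_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(header_from_domain, dkim_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    disposition = policy["p"]
    # sp= overrides p= when the From: domain is a subdomain of the org domain.
    if policy["sp"] and header_from_domain.lower() != org_domain(header_from_domain):
        disposition = policy["sp"]
    return "fail", disposition


if __name__ == "__main__":
    RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"   # constructed record for example.com
    # Spoofed CEO mail: the attacker's server passes SPF and DKIM for its own
    # domain, but attacker-mail.net does not align with From: example.com.
    print(evaluate_dmarc("example.com", RECORD, "pass", "attacker-mail.net",
                         "pass", "attacker-mail.net"))
    # Genuine bulk mail: envelope domain bounce.example.com aligns in relaxed mode.
    print(evaluate_dmarc("example.com", RECORD, "pass", "bounce.example.com", "none", ""))
```

The first call returns ("fail", "reject") and the second ("pass", "none"). Note what the check does not do: a message from exarnple.com with valid SPF and DKIM for exarnple.com passes DMARC cleanly, because the attacker owns that domain. Lookalike detection has to happen elsewhere in the filter.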

Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals use sophisticated methods to evade detection by AV solutions, and files may contain malicious code that signatures do not catch. A sandbox is therefore required to execute suspicious attachments in a safe environment where their behavior can be monitored. By testing attachments in the sandbox, malicious files can be identified before they reach inboxes.

SpamTitan incorporates these features and more. Together they help to ensure a catch rate in excess of 99.9%, with a low false positive rate of 0.03%. With SpamTitan in place, you will be well protected against phishing attacks such as the latest CAPTCHA scam.

Trial for free today

Business Email Compromise Attacks Cost $301 Million a Month in 2018

New figures have been released by the U.S. Financial Crimes Enforcement Network (FinCEN) on 2018 Business Email Compromise attacks. The latest FinCEN report highlighted the pervasiveness of the threat and potential for the attacks to result in serious financial harm.

Business Email Compromise (BEC) attacks are concerned with gaining access to a business email account and using that account to send messages to other individuals in an organization and business contacts. While compromised email accounts can be used for a variety of purposes, with BEC the primary goal is usually to convince an employee to make a fraudulent wire transfer or send sensitive information such as employee W-2 Forms.

Social engineering techniques are used to obtain the credentials of a high-level executive and convince an employee to make a fraudulent transfer. While at face value these scams are simplistic – they involve sending an email that requests a bank transfer be made – the scams are often highly sophisticated.

More than $300 Million a Month Was Lost to 2018 Business Email Compromise Attacks

The FinCEN report shows why these attacks are worth the effort. The average fraudulent transaction value in 2018 was $125,439, and $301 million per month was lost to BEC scams in 2018.

FinCEN received approximately 1,100 BEC-related suspicious activity reports per month in 2018. Bear in mind that many businesses are not obliged to report incidents such as BEC scams, so total losses will be considerably higher.

BEC attacks are also being conducted far more frequently and losses have skyrocketed. FinCEN's 2016 figures show at least $110 million a month was lost to BEC scams; by 2018 that monthly figure had almost tripled.

There has been a marked change in BEC scam tactics over the last two years, which has helped to increase the dollar amount of each fraudulent transaction.

As noted above, the scams involve compromising or spoofing an email account, which was commonly that of the CEO or CFO. Those accounts were used to send wire transfer requests, and the average transaction value was $50,272. The 2018 figures show a shift from attacks impersonating the CEO to attacks impersonating contractors and other vendors.

If a vendor’s email account is compromised, fake invoices can be sent to all companies that the vendor works for. Further, the typical amount of a vendor invoice is substantially higher than the transfer amounts typically requested by CEOs.

FinCEN’s figures show the average fake invoice transaction value was $125,439 for fake invoices from contractors, which is $75,167 more than the typical CEO email request.

FinCEN’s 2017 figures indicate 33% of BEC attacks involved impersonation of the CEO, but the percentage had fallen to just 12% in 2018. 39% of all BEC attacks in 2018 involved the impersonation of an outside entity such as a business associate, contractor, or vendor.

How to Improve Defenses Against BEC Attacks

With attacks increasing and losses spiraling, businesses need to reduce risk by improving email security and providing further training to employees. Employees should be made aware of the risk of BEC attacks, told about the latest threats, and taught how to identify a scam email: an executive's name on an outside address, a Reply-To that differs from the sender, a domain that is one character away from the real one, and unusual urgency around a payment. Policies should also be implemented that require out-of-band verification of every emailed transfer request and bank account change, using a phone number already on file rather than one supplied in the email.
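The header-level indicators just listed can be checked automatically at the gateway. The following is an added example, not SpamTitan code or any vendor's logic: the protected domain, the executive list, the weights, the quarantine threshold and both sample messages are constructed for illustration, and the lookalike test is a deliberately small heuristic (homoglyph substitution plus edit distance) rather than a full confusable-character table.

```python
# Added example (not SpamTitan code): scoring an inbound message for the BEC
# indicators described above. The protected domain, executive list, weights,
# threshold and sample messages are all constructed for illustration.

import email
from email import policy
from email.utils import parseaddr

PROTECTED_DOMAINS = {"example.com"}                  # our own domain(s)
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # display name -> real address
PAYMENT_PHRASES = ("wire transfer", "urgent", "new bank details", "change of account")
QUARANTINE_THRESHOLD = 50

# Characters and digraphs attackers substitute to build lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the sender domain impersonates a protected domain by homoglyph
    substitution or by being within two edits of it (e.g. exarnple.com)."""
    norm = normalize_domain(domain)
    for protected in PROTECTED_DOMAINS:
        if domain.lower() == protected:
            return False
        if norm == protected or levenshtein(norm, protected) <= 2:
            return True
    return False


def bec_indicators(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display-name impersonation: an executive's name on a foreign address.
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append(("display_name_impersonation", 40))

    # 2. Reply-To pointing somewhere other than the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(("reply_to_mismatch", 25))

    # 3. Lookalike sender domain.
    if from_domain and is_lookalike(from_domain):
        findings.append(("lookalike_domain", 40))

    # 4. Payment language; low weight on its own, finance teams see it daily.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = [p for p in PAYMENT_PHRASES if p in body]
    if hits:
        findings.append(("payment_language:" + ",".join(hits), 10 * len(hits)))

    score = sum(weight for _, weight in findings)
    return {
        "score": score,
        "verdict": "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver",
        "findings": [name for name, _ in findings],
    }


# Constructed sample messages (not captured traffic).
SUSPICIOUS = b"\r\n".join([
    b"From: Jane Doe <jane.doe@exarnple.com>",
    b"Reply-To: jane.doe.ceo@webmail-example.net",
    b"To: accounts@example.com",
    b"Subject: Quick favour",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"I need an urgent wire transfer to a vendor today. New bank details to follow.",
])

LEGITIMATE = b"\r\n".join([
    b"From: Jane Doe <jane.doe@example.com>",
    b"To: accounts@example.com",
    b"Subject: Board agenda",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Please see the attached agenda for Thursday.",
])

if __name__ == "__main__":
    print(bec_indicators(SUSPICIOUS))   # score 135, quarantine
    print(bec_indicators(LEGITIMATE))   # score 0, deliver
```

The suspicious sample trips all four indicators; the genuine one trips none. Tune the weights to your own traffic: the display-name and lookalike checks are strong signals, while the phrase list is there to break ties, because a rule that quarantines every message mentioning a wire transfer will be switched off by the finance team within a week.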

Training and policies will help to create a strong last line of defense, but the primary goal should be blocking the scam emails at the email gateway to ensure end users are not tested. That requires a powerful anti-spam service such as SpamTitan. SpamTitan blocks more than 99.97% of all spam and malicious emails to keep business inboxes threat free.

For further information on SpamTitan and other cybersecurity protections to reduce the risk of phishing and BEC attacks, contact TitanHQ today.

New Office 365 Phishing Scams Detected

Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.

The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.

A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.

If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.

The Trickbot Trojan has several capabilities. It is a banking Trojan that intercepts banking credentials using web injects. It also contains a password-grabbing module that steals saved login credentials, autofill data, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware, and a propagation module has been developed that includes the EternalBlue exploit.

Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.

This is a professional Office 365 phishing campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.

Office 365 Admins Targeted

A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.

Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.

The emails contain a link for the admin to use to log in to their Office 365 account and address the problem. The link leads to a page hosted under the windows.net domain, which Microsoft owns and which therefore carries a valid Microsoft-issued certificate; the login box is identical to the one on the genuine Microsoft site. The lesson is that a padlock and a Microsoft-looking hostname prove only that the page is hosted on Microsoft's cloud, not that Microsoft published it.

Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.

Admin credentials are highly valuable as they allow an attacker to create new Office 365 accounts, access other users' mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common because of the high value of the accounts and the range of attacks they allow a hacker to perform.

There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.

However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.

WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.

Contact TitanHQ today to find out more about how SpamTitan and WebTitan can block Office 365 phishing attacks, the different deployment options, pricing information, and to book a product demonstration.

New Office 365 Phishing Scams FAQs

Will a spam filter block all spam and phishing emails?

No spam filter will be 100% effective, 100% of the time, which is why it is important to implement layered defenses. Many spam filters block around 99% of spam. SpamTitan is an advanced spam filter that has been independently verified as blocking 99.97% of spam email with a low false positive rate of just 0.03%.

How does email content filtering work?

Once initial checks have been performed to identify malware and emails from known spam sources, message content filtering takes place. Email content is analyzed, and each email is assigned a spam score based on phrases, keywords, images, and hyperlinks. A threshold is set and if that score is reached, the message will be rejected or quarantined.

What is greylisting and why is it important?

Greylisting is a simple but effective mechanism for catching new sources of spam. The receiving server temporarily rejects the first delivery attempt from an unfamiliar combination of sending IP, sender and recipient with an SMTP 4xx response. A legitimate mail server queues the message and retries after a few minutes, at which point it is accepted. Spam-sending software is busy blasting out huge volumes of messages and typically never retries, so the message is never delivered; the absence of a retry, not the delay itself, is what identifies the spam source.
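The decision an MTA makes at RCPT TO time, written out as an added example (not SpamTitan's implementation). The delays, the /24 grouping of sender addresses and the simulated sender traffic are constructed for illustration; the 451 4.7.1 reply is the conventional greylisting response, which any compliant sending server treats as "queue and retry".

```python
# Added example (not SpamTitan code): the greylisting decision a receiving MTA
# makes for each delivery attempt. Timings are in seconds and passed in by the
# caller so the behaviour can be simulated without waiting.

from dataclasses import dataclass, field
import ipaddress


@dataclass
class Greylister:
    min_delay: int = 300                  # sender must wait at least this long before a retry is accepted
    retry_window: int = 4 * 3600          # forget a triplet that never retries within this time
    whitelist_ttl: int = 36 * 24 * 3600   # remember a sender that passed, so it is not delayed again
    _first_seen: dict = field(default_factory=dict)
    _passed: dict = field(default_factory=dict)

    @staticmethod
    def _key(client_ip: str, mail_from: str, rcpt_to: str):
        # Group by /24 (or /64 for IPv6): large senders retry from a pool of
        # addresses, and matching the exact IP would delay them forever.
        prefix = "/64" if ":" in client_ip else "/24"
        net = ipaddress.ip_network(client_ip + prefix, strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: float):
        """Return the SMTP reply (code, text) for this delivery attempt."""
        key = self._key(client_ip, mail_from, rcpt_to)
        tempfail = (451, "4.7.1 Greylisted, please try again later")

        passed_at = self._passed.get(key)
        if passed_at is not None and now - passed_at < self.whitelist_ttl:
            self._passed[key] = now            # refresh the whitelist entry
            return 250, "OK"

        first = self._first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self._first_seen[key] = now        # first sight (or a stale one): defer
            return tempfail
        if now - first < self.min_delay:
            return tempfail                    # retried too soon, keep deferring
        self._passed[key] = now                # genuine retry: accept and remember
        del self._first_seen[key]
        return 250, "OK"


if __name__ == "__main__":
    g = Greylister()
    # A real MTA: deferred at t=0, retries after 15 minutes from another host
    # in the same pool, and is accepted; later mail from it flows straight through.
    for t, ip in ((0, "203.0.113.5"), (900, "203.0.113.9"), (1000, "203.0.113.5")):
        print(t, g.check(ip, "bob@example.net", "alice@example.com", t))
    # A spam cannon: one attempt, never retries, so the message is never accepted.
    print(0, g.check("198.51.100.7", "spam@bulk.example", "alice@example.com", 0))
```

The trade-off a practitioner should weigh before enabling this: first contact from any new sender is delayed by min_delay, and a small number of badly configured senders never retry at all. Whitelisting known partner domains and keeping the passed-sender cache for weeks keeps the cost to a one-off delay per new correspondent.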

Why should I scan outbound emails?

Outbound scanning is important for several reasons. By scanning outbound emails, email account compromises can be detected quickly to block business email compromise attacks. Attempts to use internal email accounts for sending malware and spam will be blocked, and tags can be applied to certain data types to identify attempted data theft by malicious insiders.

Increase in Cyberattacks on Ships Prompts U.S. Coast Guard Warning

The past few months have seen an increase in reported cyberattacks on ships. The rise in cyberattacks on the commercial shipping network has prompted the U.S. Coast Guard to issue a warning.

This is the second such warning to be issued by the U.S. Coast Guard in the past three months. Together with a recent shipping industry report, they confirm that shipping companies and commercial vessels are being targeted by hackers and many of those attacks are succeeding.

Ships are now largely controlled by computers and mouse clicks and there is increasing reliance on electronic navigation systems. It is now common for operational technology and information technology to be linked together via onboard networks and certain systems are now connected to the internet. When devices are networked and connect to the Internet, hackers are given the opportunity to attack.

The cyberattack that prompted the latest warning occurred in February 2019. A ship bound for the Port of New York started experiencing severe disruption to its shipboard network. Vessel control systems were not affected, although the functionality of the network was severely degraded. The U.S. Coast Guard led a forensic investigation which revealed malware had been installed on the network.

The ship was known to be vulnerable to attack so the crew did not typically use the network for personal matters such as email. The network was only used for business purposes, which involved contact with third parties to maintain charts, manage cargo data, and communicate with shore-side facilities. It is currently unclear how the malware was installed, but what is clear is that cybersecurity defenses were nowhere near sufficient.

The advice from the Coast Guard is to implement network segmentation to limit the harm that can be caused in the event of an attack. Network profiles should be created for each user and the principle of least privilege applied. Anti-virus software should be installed, all software kept up to date, and care taken before connecting any external device, such as a USB drive, to a networked computer because of the risk of malware.

If hackers can gain access to the network, they can steal sensitive data, cause serious disruption to internal networks, and systems could even be rendered inoperable. An extortion attack involving ransomware, for instance, could leave shipping firms with no alternative other than to pay up.

These attacks are the latest in a string of cyberattacks on commercial vessels. In December 2018, 21 shipping associations and industry groups produced a set of guidelines on cybersecurity onboard ships to help commercial vessel operators improve security, secure their networks, and make it difficult for hackers.

The report details recent USB-based attacks, RDP-based attacks, phishing attacks, ransomware attacks, and attacks involving malware, viruses, and worms. The attacks have caused major delays to shipping firms, financial losses, and in some cases have jeopardized safety.

Just as captains must make sure that access to the engine room is restricted, the same should be the case for computer systems. If systems are not secured, cyberattacks are inevitable.

TitanHQ can help shipping firms protect against email and web-based attacks and block the two main vectors that are used to attack commercial vessels.

Contact the team today to ask about SpamTitan and WebTitan: TitanHQ’s award winning antispam and DNS filtering solutions.

IRS Issues Warning About Tax Phishing Scams

During tax season, tax phishing scams are rife. If cybercriminals can steal personal information such as the information contained on W2 forms, they can use the information to file fraudulent tax returns. Each set of credentials can net cybercriminals thousands of dollars. Attacks on businesses can be even more profitable. If an attack results in the theft of the tax credentials of a company’s entire workforce, hundreds of fraudulent tax returns can be filed.

The IRS works hard to combat fraud, but even so, many of these attacks are successful and fraudulent tax refunds are issued. This week, as part of its efforts to combat tax fraud, the IRS has launched its 2019 Dirty Dozen campaign. The campaign raises awareness of the threat of tax fraud and encourages taxpayers, businesses, and tax professionals to be vigilant.

The campaign features 12 common tax scams that attempt to obtain personal information or access to systems that contain such information. The campaign will see a different scam highlighted for 12 consecutive days. The campaign was launched on March 4 with the biggest threat in tax season: Tax phishing scams.

Common Tax Phishing Scams

Tax phishing scams are constantly evolving and each year several new tax phishing scams are identified. The most common scams and attacks are:

  • Business Email Compromise (BEC) attacks
  • Business Email Spoofing (BES) attacks
  • Email impersonation attacks
  • Malware

BEC attacks involve the use of a genuine business email account to send messages to employees requesting the W2 form information of employees, changes to business account information, requests to reroute direct deposits and make fraudulent wire transfers. The attackers often gain access to a high-level executive’s email account through a spear phishing campaign. BEC is one of the most common business tax phishing scams.

BES attacks are similar, except that no email account has been compromised. The email address of an executive or other employee is spoofed so that emails appears to have been sent from within an organization.

Email impersonation attacks are common during tax season. Scammers impersonate the IRS and use a variety of lures to obtain personal information. Common lures are threats of legal action or fines for outstanding taxes and offers of tax refunds. They often direct users to a website where they are required to enter their personal information. These phishing webpages are also linked to on social media websites. The clients of tax professionals may also be impersonated. Emails often request changes be made to direct deposit accounts or contain requests for sensitive information.

Malware is often used to gain access to the computers of tax professionals, and employees in the payroll and HR departments. Keyloggers are commonly used as they allow the attackers to steal login credentials. Malware can also transfer files containing sensitive information to the attackers’ servers. Malware is often installed via scripts in email attachments – malicious macros for instance – or via drive-by downloads from malicious websites.

New Phishing Scam Targeting Tax Professionals

One of the new tax phishing scams to emerge this year targets tax professionals. First the attackers gain access to tax professionals' computers, either through spear phishing campaigns or by installing malware. Client tax information is then stolen and fraudulent tax returns are filed in the clients' names. When the IRS processes the refunds, payments are sent to the taxpayers' own bank accounts. Those taxpayers then receive a call or an email demanding the return of funds that were supposedly paid in error, with the attackers claiming to be from a debt collection agency used by the IRS or from the IRS itself.

Don’t Become a Victim of a Tax Phishing Scam

Many taxpayers and businesses fall victim to tax phishing scams each year, especially during tax season when attacks increase; however, by taking some simple steps and being vigilant it is possible to identify scams and keep financial and personal data secure.

Any email, text, or telephone call that requests personal/tax information should be treated as a potential scam. If an email or text message is received that claims to be from the IRS demanding payment of outstanding taxes, an offer of a tax refund, or a threat of legal action, bear in mind that the IRS does not initiate contact via email or text message asking for personal information. If such a message is received, forward the email to phishing@irs.gov and contact the IRS or check your online tax account to find out if there is a genuine problem. Never use the contact information or links in an email and do not open an email attachment in an email that appears to have been sent by the IRS.

Businesses can include information about tax phishing scams in their general security awareness training sessions, but the departments most likely to be targeted by cybercriminals (payroll, human resources, finance and accounting, etc.) should receive specific training ahead of the start of tax season. Sending monthly email reminders about phishing attacks and other tax scams is also good practice.

Since most attacks start with a phishing email, businesses should ensure that they have an advanced spam filtering solution in place to block phishing and other emails at the gateway before they can be delivered to end users. SpamTitan is an ideal anti-spam solution for businesses and tax professionals to protect against tax phishing scams. The solution blocks more than 99.9% of spam and phishing emails and includes outbound email scanning to ensure that compromised email accounts cannot be used for spamming.

To protect against internet phishing scams, a web filtering solution is ideal. WebTitan prevents end users from visiting phishing websites, including blocking visits to malicious websites via hyperlinks in scam emails. The solution also blocks drive-by malware downloads and other web-based threats.

If you are a tax professional or you run a business and are unhappy with your current anti-spam or web filtering solution provider, or you have yet to implement either of these solutions, give the TitanHQ team a call today for further information on how these solutions can protect your business, details of pricing, and to book a product demonstration.

How Does Business Email Get Hacked?

Barely a day goes by without an announcement being made about an email account compromise, especially in the healthcare industry, but how does business email get hacked? What are the main ways that email account access is gained by unauthorized individuals?

Four Ways Business Email Gets Hacked

There are four main ways that business email gets hacked, although fortunately there are simple steps that can be taken to improve email security and reduce the risk of an email account compromise at your business.

Phishing Attacks

The easiest way for a hacker to access business email accounts is to ask the account holder for their password. This method is incredibly simple, costs next to nothing, and is very effective. Phishing, like fishing, uses a lure to achieve its aim. An attacker only needs to craft an email with a plausible reason for divulging a password.

The attack could be as simple as spoofing an email from the IT department that asks the user to change his or her password for security reasons. A link in the email directs the user to a site where they must enter their current password and a replacement. Office 365 phishing scams are now common: a user is directed to a spoofed page showing a standard Office 365 login box, which they must complete to open a shared file, for example.

The lures are diverse, but they usually share three elements: a plausible reason for providing login credentials, urgency, and often a threat that failing to act will result in harm or loss.

Brute Force Attacks

An alternative is for the attacker to guess the user's password. This is a longer-winded approach that can require thousands of attempts, but it is automated and made far easier by poor password choices and unchanged default passwords. Passwords leaked in previous breaches are tried against other services (credential stuffing), which catches out people who reuse the same password across platforms. Information about a person found on social media, such as a partner's name, a child's name, a pet's name or dates of birth, is also commonly used to build guesses, because those are exactly the things people put in passwords.

Man-In-The-Middle Attacks

A man-in-the-middle attack involves an attacker intercepting information such as a password while it is in transit between two parties. Information can be intercepted from unencrypted email connections or when a user logs in to a web-based platform over a connection that is not protected by TLS. Man-in-the-middle attacks are common on unsecured public Wi-Fi networks and on evil twin Wi-Fi hotspots, which mimic a genuine hotspot provider such as a coffee shop or hotel. Whoever runs the hotspot can read or alter any traffic that is not encrypted end to end.

Writing Down Passwords

Many businesses have implemented password policies that require strong and hard-to-remember passwords. As a result, some employees write their passwords on post-it notes, tape a password to their computer, or keep a note under their keyboard where any visitor to the office could find it.

How to Stop Business Email Getting Hacked

These methods of hacking business email accounts are easy and inexpensive to block through low-cost cybersecurity solutions, policies and procedures, and staff training.

For businesses, the most important control to implement to protect against phishing is an advanced spam filter. A spam filter inspects all incoming emails for common spam signatures and malicious links and blocks messages before they are delivered to end users. Some spam filters also inspect outgoing email, which helps to prevent a breached email account from being used for further phishing attacks on contacts.

Even the best spam filters will not block every single phishing email so security awareness training for staff is essential. Regular training sessions should be provided – at least twice annually – and these should be augmented with more regular reminders about security and newsletters about the latest threats. Phishing simulations are useful for testing the effectiveness of training and to condition employees how to respond to email threats.

Brute force attacks are best prevented with password policies that reject weak and previously breached passwords rather than merely enforcing complexity rules. To stop employees writing passwords down, provide a password manager or allow long passphrases, which are easy to remember but hard to guess. Enable two-factor authentication, and apply rate limiting or a temporary lockout after a set number of failed login attempts, counted per account and per source address.
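The two account-side controls in that paragraph, a password-policy check and a failed-login throttle, as an added example that is not TitanHQ's code. The thresholds, the user names and the breached-password list are constructed for illustration; in production the breach check would query a breach corpus (for example a k-anonymity range lookup) instead of an inline set.

```python
# Added example (not TitanHQ code): password-policy check plus a sliding-window
# login throttle keyed per account and per source IP. Thresholds and the
# breached-password set are constructed for illustration.

from collections import defaultdict, deque

# Constructed stand-in for a breached/common password corpus.
BREACHED = {"password1", "summer2019!", "welcome123", "p@ssw0rd"}


def password_acceptable(password: str, username: str, min_length: int = 12):
    """Return (ok, reason). Length and breach-list checks catch far more weak
    choices than composition rules do, and long passphrases pass by design."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in BREACHED:
        return False, "appears in breached-password list"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    return True, "ok"


class LoginGuard:
    """Sliding-window failure counter with a temporary lockout.

    Failures are tracked per account (stops a targeted guessing run) and per
    source IP (stops one host spraying a common password across many accounts).
    """

    def __init__(self, max_failures: int = 5, window: int = 900, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window        # seconds over which failures are counted
        self.lockout = lockout      # seconds a key stays locked once the limit is hit
        self._failures = defaultdict(deque)
        self._locked_until = {}

    @staticmethod
    def _keys(username: str, ip: str):
        return (("user", username.lower()), ("ip", ip))

    def _recent(self, key, now: float) -> int:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()                 # drop failures that fell out of the window
        return len(q)

    def allowed(self, username: str, ip: str, now: float) -> bool:
        """Call before verifying the password, so a locked key costs nothing."""
        return all(self._locked_until.get(k, 0) <= now for k in self._keys(username, ip))

    def record_failure(self, username: str, ip: str, now: float) -> None:
        for key in self._keys(username, ip):
            self._failures[key].append(now)
            if self._recent(key, now) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                self._failures[key].clear()

    def record_success(self, username: str, ip: str) -> None:
        self._failures[("user", username.lower())].clear()


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window=60, lockout=120)
    for t in (0, 1, 2):                      # three wrong guesses in three seconds
        guard.record_failure("alice", "198.51.100.7", t)
    print(guard.allowed("alice", "198.51.100.7", 3))     # False: account and IP locked
    print(guard.allowed("bob", "198.51.100.7", 3))       # False: same IP
    print(guard.allowed("alice", "203.0.113.1", 200))    # True: lockout expired
    print(password_acceptable("Summer2019!", "alice"))
    print(password_acceptable("correct horse battery staple", "alice"))
```

Two cautions when deploying this. Account lockout lets an attacker who knows a username lock the real user out, so keep lockouts short and pair them with the per-IP counter and 2FA rather than relying on them alone. And return the same response for "locked", "no such user" and "wrong password", otherwise the login form becomes a username oracle.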

Man-in-the-middle attacks are prevented mainly by encryption: remote workers should connect to work networks and email over a VPN, and mail clients and webmail should be configured to require TLS with certificate validation so that an evil twin hotspot sees only ciphertext. A DNS-based web filter such as WebTitan adds a further layer for remote workers by blocking resolution of malicious domains, including those used for phishing, so that a user who is being redirected never reaches the attacker's page.

If you want to improve email security, TitanHQ can help. Contact the team today for information on spam filters to block phishing attacks and to find out more about the benefits of web filtering.

How Does Business Email Get Hacked FAQ

Will a spam filter block ransomware attacks?

A spam filter is effective at identifying and blocking malicious files sent by email. SpamTitan uses dual antivirus engines to detect known malware and ransomware, and sandboxing to subject email attachments to in-depth analysis that identifies new variants. However, ransomware is deployed in many ways, not just via email, so other cybersecurity measures are also required.

How can I justify the cost of an additional spam filter for Office 365?

Consider the cost of mitigating a successful malware or phishing attack, data theft/loss, notifying customers, and the harm caused to your company’s reputation. The cost of an additional spam filter is several orders of magnitude lower. Take advantage of a free trial of a new solution to find out what additional threats are blocked to help determine if the cost is justified.

Can I block 100% of all spam and phishing emails?

It is possible to block 100% of spam and phishing emails but doing so may see an unacceptable number of genuine emails blocked. The best spam filters block in excess of 99.9% of spam emails and allow spam tolerance thresholds to be set lower for higher risk departments such as finance to almost reach 100% without blocking genuine emails.

Why is sandboxing important in a spam filter?

Spam filters scan for malicious email attachments using one or more antivirus engines. This ensures 100% of known malware is blocked. However, new malware variants are constantly being released and signature-based mechanisms do not identify these new threats. Sandboxing sees email attachments that pass initial checks sent for deep analysis to identify the malicious actions of unknown malware.

Why do I need a web filter if I have a spam filter?

Phishing emails usually have an email and a web component. A spam filter will block the majority of phishing emails but should be combined with a web filter for greater protection. A web filter provides time-of-click protection to prevent users from visiting known malicious websites. A web filter also protects against phishing and malware downloads through general web browsing.

Love Letter Email Scam Delivers Cocktail of Malware

A new email campaign is being conducted in the run up to Valentine’s Day which attempts to get users to open email attachments by fooling them into thinking they are love letters. The love letter email scam includes enticing subject lines such as ‘Love Letter’, ‘I Love You’, ‘This is my love letter to you’, ‘Always thinking about you’, and other love and love letter themes.

These types of scams are common in the run up to Valentine’s Day, and as the day draws closer, the likelihood of the scams succeeding grows.

The emails contain a zip file containing a JavaScript file with a variety of names, all of which start with Love_You. Extracting and running the file will result in the download of ransomware and other malware variants.

If the JavaScript file is run, it launches a PowerShell command that downloads and runs a malware variant named krablin.exe. Krablin.exe is also copied to USB thumb drives that are plugged into the computer.

A further four malware variants are subsequently downloaded to the victim’s device: the Phorpiex spambot, a Monero cryptocurrency miner (XMRig), a further malware downloader, and the latest version of GandCrab ransomware: a particularly nasty combination of malware.

The malspam campaign was detected by SANS ISC researcher Brad Duncan who determined the campaign has been running since at least November 2018. Several different subject lines and attachments have been identified and multiple spoofed sending addresses are used in this campaign.

Word documents and Excel spreadsheets containing malicious macros are more commonly used to spread malware, although JavaScript based malspam is nothing new. Most individuals are not familiar with .js files so may choose not to open them, although the theme of this love letter email scam may tempt people into making an exception. JavaScript malware may also be executed by Windows, without the user having to open the file. Simply saving a JavaScript file may be all that is required to trigger the infection process.

To prevent email scams such as this from succeeding, businesses should ensure that their employees receive ongoing security awareness training. Regular email security alerts should be sent to the workforce to keep them abreast of the latest techniques that are being used by scammers to install malware and phish for sensitive information.

It is also essential for an advanced spam filter to be implemented. This will ensure the majority of malicious messages are blocked and not delivered to end users. SpamTitan scans all incoming and outgoing messages and uses a variety of techniques to identify spam and malicious messages. Those controls ensure a block rate in excess of 99.9%, while dual antivirus engines provide total protection against all known malware variants.

SpamTitan is available on a free trial with options to suit all businesses and managed service providers. For further information, to register for the no-obligation free trial, or to book a product demonstration, contact TitanHQ today.

Novel Phishing Scam Uses Custom Web Fonts to Evade Detection

A new phishing scam has been detected that uses a novel method to evade detection – the use of custom fonts to implement a substitution cipher that makes the source code of the phishing page appear as plaintext.

Many phishing web pages obfuscate their source code to make it harder for automated security solutions to uncover malicious actions and make the phishing pages appear harmless. As such, the phishing sites are not blocked and users may be fooled into supplying their credentials as requested. The phishing web pages used in this scam will display what appears to be a genuine website when the page is rendered in the browser. Users will be presented with a spoofed web page that closely resembles the standard login page of their bank. To the user, apart from the domain name, there is nothing to indicate that the site is not genuine. If credentials are entered, they will be harvested by the scammer and used to gain access to the user’s bank account.

In this case, a substitution cipher is used to obfuscate the source code. To security solutions, the text is encoded, which makes it difficult to determine what that code does. This tactic has been used in previous phishing campaigns, with the substitution cipher applied using JavaScript. While users may be fooled, automated security solutions can detect the JavaScript fairly easily and can block access to the web page.

The latest campaign uses custom fonts – WOFF files – which are embedded in the page and hidden through base64 encoding. These custom fonts are used to implement the cipher and make the source code appear as plaintext, while the actual source code is encrypted and remains hidden. The substitution is performed using CSS on the landing page, rather than JavaScript. This technique has not been seen before and is much harder to detect.

The substitution cipher results in the user being shown the correct text when the page is rendered in the browser, although that text will not exist on the page. Solutions that search for certain keywords to identify whether a site is malicious will therefore not find those keywords and will not block access to the page. This technique substitutes individual letters, abcd for example, with alternate letters such as jehr, using woff and woff2 fonts. While the page is rendered correctly for the user, when a program reads the source code it is presented with jumbled, gibberish letters.

As an additional measure to avoid detection, the logos that have been stolen from the targeted bank are also obfuscated. It is common for bank logos to be stolen and included on phishing pages to convince visitors they are on a genuine site, but the use of the logos can be detected. By rendering the graphics using scalable vector graphics (SVG) files, the logos and their source do not appear in the source code of the page and are hard to detect.
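As an added illustration of the check a defender would want here (not code from the original post), the following Python flags a page that combines an inline base64 font with visible text that is mostly unreadable to a keyword scanner; the sample pages and the small login-page vocabulary are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed vocabulary standing in for a real keyword list a scanner would
# expect to find on a bank login page.
LOGIN_VOCAB = {"login", "log", "in", "sign", "password", "username", "user",
               "id", "account", "online", "banking", "secure", "continue",
               "submit", "enter", "your", "to", "please", "forgot", "remember"}

# An @font-face rule whose source is an inline base64 data: URL (woff, woff2, ...).
INLINE_FONT_RE = re.compile(
    r"@font-face\s*\{[^}]*?url\(\s*['\"]?data:[^;,)]*;base64,", re.I | re.S)

# Constructed sample modelled on the technique described above: the visible words
# are "substituted" letters that only a custom inline font maps back to the real
# glyphs. The base64 payload is a placeholder, not a real font.
OBFUSCATED_PAGE = """<html><head><style>
@font-face { font-family: 'f1'; src: url(data:font/woff2;base64,AAAAAAAAAAAA) }
body { font-family: 'f1'; }
</style></head><body>
<h1>Xitqjm Cpnydqf</h1>
<form><input name="u"><input name="p" type="password"><button>Xmfya</button></form>
</body></html>"""

# Constructed benign page: same layout, readable words, no inline font.
BENIGN_PAGE = """<html><body>
<h1>Online Banking Login</h1>
<form><input name="u"><input name="p" type="password"><button>Log in</button></form>
</body></html>"""


class VisibleText(HTMLParser):
    """Collect the words a user would see, skipping <style> and <script> bodies."""

    def __init__(self):
        super().__init__()
        self.skip = 0
        self.words = []

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.words.extend(re.findall(r"[a-z]+", data.lower()))


def analyze_page(html, vocab=LOGIN_VOCAB, min_words=3):
    """Score a page: inline fonts found, share of visible words unknown to the
    vocabulary, and whether the combination matches the font-cipher pattern."""
    fonts = len(INLINE_FONT_RE.findall(html))
    parser = VisibleText()
    parser.feed(html)
    words = [w for w in parser.words if len(w) > 1]
    unknown = sum(1 for w in words if w not in vocab)
    ratio = unknown / len(words) if words else 0.0
    # An inline font on its own is common (icon fonts); inline font *plus* text
    # that is mostly gibberish to a scanner is the pattern described above.
    suspicious = fonts > 0 and len(words) >= min_words and ratio >= 0.8
    return {"inline_fonts": fonts, "words": len(words),
            "unknown_word_ratio": round(ratio, 2), "suspicious": suspicious}
```

The ratio threshold and vocabulary are tuning knobs; on real traffic a scanner would compare against the page's expected brand keywords rather than this toy list.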

These new techniques show just how important it is to block phishing emails at source before they are delivered to end users’ inboxes and the need for comprehensive cybersecurity training to be provided to employees to help them identify potentially malicious emails. A web filtering solution is also important to prevent users from visiting phishing pages, either through general browsing, redirects via malvertising, or blocking users when they click embedded hyperlinks in phishing emails.

To find out more about cybersecurity solutions that can protect against phishing attacks, contact the TitanHQ team today.

Does 2-Factor Authentication Stop Phishing Attacks?

2-factor authentication is an important safeguard to prevent unauthorized account access, but does 2-factor authentication stop phishing attacks?

What is 2-Factor Authentication?

2-Factor authentication is commonly used as an additional protection measure to prevent accounts from being accessed by unauthorized individuals in the event that a password is compromised.

If a password is disclosed in a phishing attack or has otherwise been obtained or guessed, a second authentication method is required before the account can be accessed.

Two-factor authentication uses a combination of two different methods of authentication, commonly something a person owns (a device or bank card), something a person knows (a password or PIN), and/or something a person has (fingerprint, iris scan, voice pattern, or a token).

The second factor control is triggered if an individual, authorized or otherwise, attempts to log in from an unfamiliar location or from a device that has not previously been used to access the account.

For instance, a person uses their laptop to connect from a known network and enters their password. No second factor is required. The same person uses the same device and password from an unfamiliar location and a second factor must be supplied. If the login credentials are used from an unfamiliar device, by a hacker, for instance, who has obtained a username and password in a phishing attack, the second factor is also required.

A token or code is often used to verify identity, which is sent to a mobile phone. In such cases, in addition to a password, an attacker would also need to have the user’s phone.

Does 2-Factor Authentication Stop Phishing Attacks?

So, does 2-factor authentication stop phishing attacks from succeeding? In many cases, it does, but 2-factor authentication is not infallible. While it was once thought to be highly effective at stopping unauthorized account access, opinion is now changing. It is certainly an important additional, low-cost layer of security that is worthwhile implementing, but 2-factor authentication alone will not prevent all phishing attacks from succeeding.

There are various methods that can be used to bypass 2-factor authentication. For instance, if a user is directed to a phishing page and enters their credentials, the hacker can then use those details in real time to log in to the legitimate site. A 2FA code is sent to the user’s device, and the user then enters that code into the phishing page. The attacker then uses the code on the legitimate site.

This 2-factor authentication bypass is somewhat cumbersome, but this week a phishing tool has been released that automates this process. The penetration testing tool was created by a Polish researcher named Piotr Duszynski, and it allows 2FA to be bypassed with ease.

The tool, named Modlishka, is a reverse proxy that has been modified for handling login page traffic. The tool sits between the user and the target website on a phishing domain. When the user connects to the phishing page hosting this tool, the tool serves content from the legitimate site – Gmail for instance – but all traffic passes through the tool and is recorded, including the 2FA code.

The user supplies their credentials, a 2-factor code is sent to their phone, and that code is entered, giving the attacker account access.

It is an automated version of the above bypass that only requires a hacker to have a domain to use, a valid TLS certificate for the domain, and a copy of the tool. No website phishing templates need to be created as they are served from the genuine site. Since the tool has been made available on GitHub, the 2FA bypass could easily be used by hackers.
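The relay described above, modelled as an added example (not code from the post or from the Modlishka project): a TOTP code relayed by the proxy verifies on the real site, while an origin-bound factor, assumed here as a simplified HMAC over the origin the browser shows in place of what a FIDO/WebAuthn authenticator does, fails to relay. All origins and credentials are constructed.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.test"    # constructed legitimate origin
PHISH_ORIGIN = "https://accounts-example.test"   # constructed look-alike origin


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps): the code a phone app shows."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def origin_signature(device_key, challenge, origin):
    """Hypothetical origin-bound factor: the user's device signs the challenge
    together with the origin its browser is actually showing (a simplified HMAC
    stand-in for what a FIDO/WebAuthn authenticator does)."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class RealSite:
    """The legitimate service, holding the password, TOTP seed and device key."""

    def __init__(self, password, totp_secret, device_key):
        self.password, self.totp_secret, self.device_key = password, totp_secret, device_key
        self.sessions = set()

    def _grant(self):
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def login_totp(self, password, code, now):
        # Nothing in a TOTP code says where it was typed, so a relayed code verifies.
        ok = password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))
        return self._grant() if ok else None

    def login_origin_bound(self, password, challenge, signature):
        # The site checks the signature against ITS OWN origin; a signature made
        # over any other origin does not verify, however faithfully it is relayed.
        expected = origin_signature(self.device_key, challenge, REAL_ORIGIN)
        ok = password == self.password and hmac.compare_digest(signature, expected)
        return self._grant() if ok else None


class RelayProxy:
    """Sits on PHISH_ORIGIN between the victim's browser and RealSite, forwarding
    every field unchanged and recording it, as the post describes."""

    def __init__(self, site):
        self.site = site
        self.captured = []

    def forward_totp(self, password, code, now):
        self.captured.append(("totp", password, code))
        return self.site.login_totp(password, code, now)

    def forward_origin_bound(self, password, challenge, signature):
        self.captured.append(("signature", password, signature.hex()))
        return self.site.login_origin_bound(password, challenge, signature)


def _setup():
    seed, key = secrets.token_bytes(20), secrets.token_bytes(32)
    site = RealSite("hunter2", seed, key)              # constructed credentials
    return site, seed, key, RelayProxy(site)


def relay_succeeds_against_totp(now=1_700_000_000):
    """True: the victim reads the code from their phone and types it into the
    phishing page; the proxy forwards it and ends up holding a valid session."""
    site, seed, _key, proxy = _setup()
    token = proxy.forward_totp("hunter2", totp(seed, now), now)
    return token in site.sessions


def relay_succeeds_against_origin_bound():
    """False: the victim's browser shows PHISH_ORIGIN, so its device signs over
    that origin, and the real site rejects the relayed signature."""
    site, _seed, key, proxy = _setup()
    challenge = secrets.token_bytes(16)                # issued by the site, passed through
    signature = origin_signature(key, challenge, PHISH_ORIGIN)
    token = proxy.forward_origin_bound("hunter2", challenge, signature)
    return token in site.sessions
```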

Additional Controls to Stop Phishing Attacks

To protect against phishing, a variety of methods must be used. First, an advanced spam filter is required to prevent phishing emails from reaching inboxes. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails.

Fewer than 0.1% of emails may make it past the spam filter, but any one could result in an account compromise. Security awareness training should therefore be provided to employees to help them identify suspicious emails.

Unfortunately, people do make mistakes and phishing emails can be highly realistic, so it is wise to also implement a web filter.

A web filter will block attempts to connect to known phishing sites and can assess sites in real time to help determine their authenticity. If the checks fail, the user will be prevented from accessing the site.

These anti-phishing controls are now essential cybersecurity measures for businesses to protect against phishing attacks, and are all the more important since 2FA cannot be relied upon to protect against unauthorized access once a password has been compromised.

You can find out more about SpamTitan and WebTitan by contacting TitanHQ.

Office 365 Phishing Emails Masquerade as Non-Delivery Notifications

campaign is to obtain users’ Office 365 passwords.

The phishing campaign was detected by ISC Handler Xavier Mertens and the campaign appears to still be active.

The phishing emails closely resemble legitimate Office 365 non-delivery notifications and include Office 365 branding. As is the case with official non-delivery notifications, the user is alerted that messages have not been delivered and told that action is required.

The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attributes the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users click the Send Again button, they will be directed to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is entered, a JavaScript function sends both the email address and password to the scammer. The user will then be redirected to the genuine outlook.office365.com website where they will be presented with a real Office 365 login box.

While the Office 365 phishing emails and the website look legitimate, there are signs that all is not what it seems. The emails are well written and the sender’s email – postmaster@us.ibm.com – looks official, but there is irregular capitalization of the warning message: something that would not occur on an official Microsoft notification.

The clearest sign that this is a phishing scam is the domain to which users are directed if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the error in the email may be overlooked, users should notice the domain, although some users may proceed and enter passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how important it is to carefully check every message before taking any action and to always check the domain before disclosing any sensitive information.
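As an added example of the domain check the post recommends (not code from the original post), the following Python parses a constructed message modelled on this lure and flags Microsoft branding whose sender and action links belong to other domains; the allow-list of Microsoft domains is an assumption to extend for your tenant.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of domains Microsoft itself uses for Office 365 mail and
# sign-in; extend it for your tenant. Subdomains of these are accepted.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com",
                     "office365.com", "outlook.com", "live.com")
BRAND_WORDS = ("microsoft", "office 365", "outlook")

# Constructed sample modelled on the non-delivery lure described above; the
# sender and link domains are placeholders, not the campaign's real ones.
SAMPLE_EML = """\
From: postmaster@mail.sender-example.test
To: someone@victim-example.test
Subject: Microsoft found Several Undelivered Messages
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Microsoft found Several Undelivered Messages due to Server Congestion.</p>
<p>Retype the recipient address and
<a href="https://login.phish-example.test/office365/?u=someone">Send Again</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Gather the href targets of <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_brand_domain(host):
    """True for an allow-listed domain or any subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def assess_ndr_email(raw):
    """Flag a message that uses Microsoft/Office 365 branding while its sender
    and its action links belong to other domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = (msg["subject"] or "").lower() + " " + html.lower()
    claims_brand = any(w in text for w in BRAND_WORDS)
    from_hdr = msg["from"]
    sender_domain = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else ""
    links = LinkCollector()
    links.feed(html)
    link_hosts = [urlsplit(h).hostname or "" for h in links.hrefs]
    off_brand = sorted({h for h in link_hosts if not is_brand_domain(h)})
    findings = []
    if claims_brand and not is_brand_domain(sender_domain):
        findings.append(f"brand claimed but sender domain is {sender_domain!r}")
    if claims_brand and off_brand:
        findings.append("brand claimed but action links go to " + ", ".join(off_brand))
    return {"claims_brand": claims_brand, "sender_domain": sender_domain,
            "link_hosts": link_hosts, "findings": findings,
            "suspicious": bool(findings)}
```

Header-based checks like this complement, rather than replace, verifying the sending domain with SPF/DKIM/DMARC results from your mail gateway.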

Scammers use Office 365 phishing emails because so many businesses have signed up to use Office 365. Mass email spam campaigns therefore have a high probability of reaching an Outlook inbox. That said, it is easy to target Office 365 users: a business that is using Office 365 broadcasts it through its public DNS MX records.

Businesses can improve their resilience to phishing attacks through mandatory security awareness training for all employees. Employees should be told to always check messages carefully and should be taught how to identify phishing emails.

Businesses should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (ATP) offering, businesses should consider using a third-party spam filtering solution with Office 365.

SpamTitan provides superior protection against phishing and zero-day attacks, an area where ATP struggles.

Office 365 Spam Filtering Controls Failed to Prevent Costly Malware Infection

A U.S. school system had Office 365 spam filtering controls in place and other cybersecurity solutions installed, but still experienced a costly 6-week malware infection. In this post we explore what went wrong and how you can improve security in your organization.

Multi-Layered Defenses Breached

If you want to mount a solid defense and prevent hackers from gaining access to your networks and data, multi-layered cybersecurity defenses are required, but for one Georgia school district that was not enough. On paper, their defenses looked sound. Office 365 spam filtering controls had been applied to protect the email system, the school district had a firewall appliance protecting the network, and a web filter had been installed to control what users could do online. Endpoint security had also been installed.

The school district was also updating its desktops to Windows 10 and its servers to Windows Server 2012 or later. Everything looked nice and secure.

However, the transportation department delayed the upgrades. The department was still sharing files on a local Windows 2003 server and some of the desktops were still running Windows XP, even though support for the OS had long since ended. The outdated software and lack of patching was exploited by the attackers.

How Was the Malware Installed?

The investigation has not yet determined exactly how the attack was initiated, but it is believed that it all started with an email. As a result of the actions of an end user, a chain of events was triggered that resulted in a 6-week struggle to mitigate the attack, the cost of which – in terms of time and resources – was considerable.

The attack is believed to have started on a Windows XP machine with SMBv1 enabled. That device had drives mapped to the Windows 2003 server. The malware that was installed was the Emotet Trojan, which used the EternalBlue exploit to spread across the network to other vulnerable devices. The attackers were able to gain control of those devices and installed cryptocurrency mining malware.

The cryptocurrency mining slowed the devices to such an extent that they were virtually unusable, causing many to continually crash and reboot. The network also slowed to a snail’s pace due to the streams of malicious traffic. While the upgraded Windows 10 machines were not affected initially, the attackers subsequently downloaded keyloggers onto the compromised devices and obtained the credentials of an IT support technician who had domain administration rights. The attackers then used those privileges to disable Windows Defender updates on desktops, servers, and domain controllers.

Over the course of a week, further Trojan modules were downloaded by creating scheduled tasks using the credentials of the IT support worker. A spam module was used to send malicious messages throughout the school district and several email accounts were compromised as a result and had malware downloaded. Other devices were infected through network shares. The TrickBot banking Trojan was downloaded and was used to attack the systems used by the finance department, although that Trojan was detected and blocked.

Remediation Took 6 Weeks

Remediating the attack was complicated. First the IT department disabled SMBv1 on all devices, as it was not known which devices were vulnerable. Via a Windows Group Policy, the IT team then blocked the creation of scheduled tasks. Every device on the network had Windows Defender updates downloaded manually, and using Autoruns for Windows, all processes and files run by the Trojan were deleted. The whole process of identifying, containing, and disabling the malware took 6 weeks.

The attack was made possible through an attack on a single user, although it was the continued use of unsupported operating systems and software that made the malware attack so severe.

The attack shows why it is crucial to ensure that IT best practices are followed and why patching is so important. For that to happen, the IT department needs to have a complete inventory of all devices and needs to make sure that each one is updated.

While Microsoft released a patch to correct the flaw in SMBv1 that was exploited through EternalBlue, the vulnerable Windows XP devices were not updated, even though Microsoft had released an update for the unsupported operating system in the spring of 2017.

Additional Protection is Required for Office 365 Inboxes

The attack also shows how the actions of a single user can have grave repercussions. By blocking malicious emails at source, attacks such as this will be much harder to pull off. While Office 365 spam filtering controls block many email-based threats, even with Microsoft’s Advanced Threat Protection many emails slip through and are delivered to inboxes.

Hackers can also see whether Office 365 is being used as it is broadcast through DNS MX records, which allows them to target Office 365 users and launch attacks.

Due to the additional cost of ATP, the lack of flexibility, and the volume of malicious emails that are still delivered to inboxes, many businesses have chosen to implement a more powerful spam filtering solution on top of Office 365.

One such solution that has been developed to work seamlessly with Office 365 to improve protection against email threats is SpamTitan.

Sextortion Scams Now Combine Threat of Exposure with Multiple Malware Infections

Sextortion scams have proven popular with cybercriminals this year. A well written email and an email list are all that is required. The latter can easily be purchased for next to nothing via darknet marketplaces and hacking forums. Next to no technical skill is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are effective.

Many sextortion scams use the tried and tested technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made. Some of the recent sextortion scams have added credibility by claiming to have users’ passwords. However, new sextortion scams have been detected in the past few days that are using a different tactic to get users to pay up.

The email template used in this scam is similar to other recent sextortion scams. The scammers claim to have a video of the victim viewing adult content. The footage was recorded through the victim’s webcam and has been spliced with screenshots of the content that was being viewed at the time.

In the new campaign the email contains the user’s email account in the body of the email, a password (most likely an old password compromised in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see exactly what will soon be distributed via email and social media networks.

Clicking the link in the email will trigger the download of a zip file. The compressed file contains a document including the text of the email along with the supposed video file. That video file is actually an information stealer: the Azorult Trojan.

This form of the scam is even more likely to work than past campaigns. Many individuals who receive a sextortion scam email will see it for what it really is: A mass email containing an empty threat. However, the inclusion of a link to download a video is likely to see many individuals download the file to find out if the threat is real.

If the zip file is opened and the Azorult Trojan executed, it will silently collect information from the user’s computer – similar information to what the attacker claims to have already obtained: cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank credentials.

However, it doesn’t end there. The Azorult Trojan will also download a secondary payload: GandCrab ransomware. Once information has been collected, the user’s personal files will be encrypted: documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up and the backups not also having been encrypted by the ransomware. Aside from permanent file loss, the only other alternative will be to pay a sizeable ransom for the key to decrypt the files.

If the email was sent to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. Since a copy of the original email will still be on the device, the reason why the malware was installed will be clear to the IT department.

The key to not being scammed is to ignore any threats sent via email and never click links in the emails nor open email attachments.

Businesses can counter the threat by using cybersecurity solutions such as spam filters and web filters. The former prevents the emails from being delivered while the latter blocks access to sites that host malware.

Thanksgiving Themed Spam Emails Used to Spread Emotet Malware

There has been an increase in malspam campaigns spreading Emotet malware in recent weeks, with several new campaigns launched that spoof financial institutions – the modus operandi of the threat group behind the campaigns.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is downloaded. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website where the Word document is downloaded.

Various social engineering tricks have been used in these campaigns. One new tactic that was identified by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email appear benign.

According to Cofense, the campaign delivers Emotet malware, although Emotet in turn downloads a secondary payload. In past campaigns, Emotet has been delivered along with ransomware. First, Emotet steals credentials, then the ransomware is used to extort money from victims. In the latest campaign, the secondary malware is the banking Trojan named IcedID.

A further campaign has been detected that uses Thanksgiving themed spam emails. The messages appear to be Thanksgiving greetings for employees, and similarly contain a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to aid the deception and include the user’s name. In this campaign, while the document downloaded appears to be a Word file, it is actually an XML file.

Emotet malware has been updated recently. In addition to stealing credentials, a new module has been added that harvests emails from an infected user. The previous 6 months’ emails – which include subjects, senders, and message content – are stolen. This new module is believed to have been added to improve the effectiveness of future phishing campaigns, for corporate espionage, and data theft.

The recent increase in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind these campaigns, highlight the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide protection against email attacks.

Phishing campaigns target a weak link in security defenses: Employees. It is therefore important to ensure that all employees with corporate email accounts are taught how to recognize phishing threats. Training needs to be ongoing and should cover the latest tactics used by cybercriminals to spread malware and steal credentials. Employees are the last line of defense. Through security awareness training, the defensive line can be significantly strengthened.

As a frontline defense, all businesses and organizations should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is required to provide protection against more sophisticated email attacks.

SpamTitan is an advanced email filtering solution that uses predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

In addition to scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to identify emerging threats. Greylisting is used to identify and block large scale spam campaigns, such as those typically conducted by the threat actors spreading banking Trojans and Emotet malware.

A web filter – such as WebTitan – adds an additional layer of protection against web-based attacks by preventing end users from visiting malicious websites where malware is downloaded. A web filter assesses all attempts to access web content, checks sites against blacklists, assesses the domain, scans web content, and blocks access to sites that violate its policies.

For further information on how you can improve your defenses against web-based and email-based attacks and block malware, ransomware, botnets, viruses, phishing, and spear phishing attacks, contact TitanHQ today.

Cyberattacks on Universities Rise as Hackers Search for Valuable Research Data

Hackers have been going back to school and entering higher education. Quite literally in fact, although not through conventional channels. Entry is gained through cyberattacks on universities, which have increased over the course of the past 12 months, according to figures recently released by Kaspersky Lab.

Cyberattacks on Universities on the Rise

Credit card information can be sold for a few bucks, but universities have much more valuable information. As research organizations they hold valuable proprietary data. The results of research studies are particularly valuable. It may not be possible to sell such data as quickly as credit card and Social Security numbers, but there are certainly buyers willing to pay top dollar for valuable research. Nation state sponsored hacking groups are targeting universities, and independent hacking groups are getting in on the act and conducting cyberattacks on universities.

There are many potential attack vectors that can be used to gain access to university systems. Software vulnerabilities that have yet to be patched can be exploited, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be conducted to guess passwords. However, phishing attacks on universities are commonplace.

Phishing is often associated with scams to obtain credit card information or login credentials to Office 365 accounts, with businesses and healthcare organizations often targeted. Universities are also in the firing line and are being attacked.

The reason phishing is so popular is because it is often the easiest way to gain access to networks, or at least gain a foothold for further attacks. Universities are naturally careful about guarding their research and security controls are usually deployed accordingly. Phishing allows those controls to be bypassed relatively easily.

A successful phishing attack on a student may not prove to be particularly profitable, at least initially. However, once access to their email account is gained, it can be used for further phishing attacks on lecturers for example.

Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to valuable research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide range of secondary attacks.

Email-based attacks can involve malicious attachments that deliver information stealing malware such as keyloggers, although many of the recent attacks have used links to fake university login pages. The login pages are exact copies of the genuine login pages used by universities, the only difference being the URL on which the page is located.

More than 1,000 Phishing Attacks on Universities Detected in a Year

According to Kaspersky Lab, more than 1,000 phishing attacks on universities have been detected in the past 12 months and 131 universities have been targeted. Those universities are spread across 16 countries, although 83 of the 131 universities were in the United States.

Preventing phishing attacks on universities, staff, and students requires a multi-layered approach. Technical controls must be implemented to reduce risk, such as an advanced spam filter to block the vast majority of phishing emails and stop them being delivered to end users. A web filtering solution is important for blocking access to phishing websites and web pages hosting malware. Multi-factor authentication is also essential to ensure that if account information is compromised or passwords are guessed, an additional form of authentication is required to access accounts.

As a last line of defense, staff and students should be made aware of the risk from phishing. Training should be made available to all students and cybersecurity awareness training for researchers, lecturers, and other staff should be mandatory.

Spear Phishing Attack Results in $16 Million Anthem Data Breach Settlement

In 2015, Anthem Inc. experienced a colossal data breach in which 78.8 million health plan records were stolen. This year, the health insurer settled a class action data breach lawsuit for $115 million, and OCR has now agreed a $16 million Anthem data breach settlement.

It Started with a Spear Phishing Email…

The Anthem data breach came as a huge shock back in February 2015, due to the sheer scale of the breach. Healthcare data breaches were common, but the Anthem data breach was in a different league.

Prior to the announcement, the unenviable record was held by Science Applications International Corporation, a vendor used by healthcare organizations, that experienced a 4.9 million record breach in 2011. The Anthem data breach was on an entirely different scale.

The hacking group behind the Anthem data breach was clearly skilled. Mandiant, the cybersecurity firm that assisted with the investigation, suspected the attack was a nation-state sponsored cyberattack. The hackers managed to gain access to Anthem’s data warehouse and exfiltrated a huge volume of data undetected. The time from the initial attack to discovery was almost a year.

While the attack was sophisticated, a foothold in the network was not gained through an elaborate hack or zero-day exploit but through phishing emails.

At least one employee responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the attackers the entry point they needed to launch a further attack and gain access to Anthem’s health plan member database.

The Anthem Data Breach Settlement is the Largest Ever Penalty for a Healthcare Data Breach

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates healthcare data breaches that result in the exposure or theft of 500 or more records. An in-depth investigation of the Anthem breach was therefore a certainty given its scale. A penalty for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare organizations to safeguard health data. The scale of the breach also made it likely that it would result in the largest ever penalty for a healthcare data breach.

Before the Anthem data breach settlement, the largest penalty for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that amount, which reflected the seriousness of the breach, the number of people impacted, and the extent to which HIPAA Rules were alleged to have been violated.

OCR alleged that Anthem Inc. had violated five provisions of the HIPAA Rules, and by doing so failed to prevent the breach and limit its severity. The Anthem data breach settlement was, however, agreed with no admission of liability.

The regulatory fine represents a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple lawsuits in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.

The class action settlement document indicated Anthem had already paid $2.5 million to consultants in the wake of the breach, $31 million was spent mailing notification letters, $115 million went on improvements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan members.

With the $115 million class action settlement and the $16 million OCR settlement, that brings the total cost of the Anthem data breach to $391.5 million.

At $391.5 million, that makes this the most expensive healthcare phishing attack by some distance and the cost clearly highlights just how important it is to adopt a defense-in-depth strategy to protect against phishing attacks.

A Spear Phishing Attack Results in a $16 Million Fine in the Anthem Case

Iceland Police Spoofed in Sophisticated Phishing Scam

Police in Iceland have said a highly sophisticated phishing attack is the largest ever cyberattack the country has ever experienced. The campaign saw thousands of messages sent that attempted to get Icelanders to install a remote access tool that would give the attackers full access to their computers.

The software used in this campaign is a legitimate remote access tool called Remcos. Remcos is used to allow remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptop computers. However, while it was developed for legitimate use, because it gives the administrator full control over the computer once installed, it has significant potential to be used for malicious purposes. Unsurprisingly, Remcos has been used by cybercriminals in several malware campaigns in the past, often conducted via spear phishing campaigns. One notable attack involved the spoofing of the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT installed and provide access to victims’ computers.

The use of Remcos for malicious purposes violates the terms and conditions of use. If discovered, the developer can block the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive information, installation of malicious software, and file encryption with ransomware to name but a few.

As was the case in Turkey, the phishing campaign in Iceland attempted to fool end users into installing the program through deception. In this case, the emails claimed to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and download the remote access tool.

The emails informed the recipients that they were required to visit the police for questioning. Urgency was added by informing the recipient of the message that an arrest warrant would be issued if they failed to respond. Clicking the link in the email directed the user to what appeared to be the correct website of the Icelandic police. The website was a carbon copy of the legitimate website and required the visitor to enter their Social Security number along with an authentication code sent in the email to find out more information about the police case.

In Iceland, Social Security numbers are often required on websites to access official services, so the request would not appear unusual. On official websites, Social Security numbers are checked against a database and are rejected if they are not genuine. In this case, the attacker was also able to check the validity of the SSN, which means access to a database had been gained, most likely an old database that had been previously leaked or the attacker may have had legitimate access and misused the database.

After entering the information, a password protected archive was downloaded which allegedly contained documents with details of the case. The webpage provided the password to unlock the password protected archive, which contained a .scr file disguised as a Word document.

In this case, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password stealing capabilities and was used to steal banking credentials. After gaining access to banking credentials, the information was sent back to command and control servers in Germany and the Netherlands.

While the campaign looked entirely legitimate, a common trick was used to fool the recipients of the email, who numbered in the thousands. The domain used in the attack closely resembled the official police website, logreglan.is, but contained a lower-case i instead of the second l: logregian.is. A casual glance at the sender of the email or the domain name in the address bar would be unlikely to reveal that the domain was not genuine. Further, the link in the email replaced the lower-case i with a capital I, which is almost impossible to distinguish from a lower-case L in many fonts.
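The l/I/i substitution described above can be caught mechanically before a human has to squint at it. The following is an added example (not code from the original article or from the Icelandic police): it folds glyphs that look alike into one "skeleton" and compares a sender's domain against a list of trusted domains; the trusted list, the one-edit typosquat check, and the sample addresses are constructed for the demonstration, and the registrable-domain logic is a simplification that ignores the public suffix list.

```python
from __future__ import annotations

import unicodedata

# Characters that are easy to confuse at a glance in common fonts; every member
# of a group is folded to the group's first character before comparison.
_CONFUSABLE_GROUPS = ("li1|!", "o0", "s5", "e3", "b6", "g9", "z2")
_FOLD = {ch: group[0] for group in _CONFUSABLE_GROUPS for ch in group}


def skeleton(text: str) -> str:
    """Reduce a domain to a skeleton in which confusable glyphs collapse.

    casefold() turns a capital I into i, which then folds to l, so
    'logregIan', 'logregian' and 'logreglan' all share one skeleton.
    """
    folded = unicodedata.normalize("NFKC", text).casefold()
    folded = folded.replace("rn", "m").replace("vv", "w")  # multi-glyph confusables
    return "".join(_FOLD.get(ch, ch) for ch in folded)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: list[str]) -> tuple[str, str | None]:
    """Classify the domain of an e-mail address against trusted domains.

    Returns one of:
      ("trusted", domain)     exact registrable-domain match
      ("lookalike", domain)   differs only by confusable glyphs (l/I/i, o/0, ...)
      ("suspicious", domain)  within one edit of a trusted domain
      ("unknown", None)       no relationship to any trusted domain
    """
    host = address.rsplit("@", 1)[-1]
    domain = registrable_domain(host)
    trusted_norm = [registrable_domain(t) for t in trusted]
    if domain in trusted_norm:
        return "trusted", domain
    for good in trusted_norm:
        if skeleton(domain) == skeleton(good):
            return "lookalike", good
    for good in trusted_norm:
        if edit_distance(domain, good) <= 1:
            return "suspicious", good
    return "unknown", None


if __name__ == "__main__":
    TRUSTED = ["logreglan.is"]  # constructed trusted list for the demo
    for addr in ("info@logreglan.is", "info@logregian.is", "info@logregIan.is",
                 "info@l0greglan.is", "info@logreglann.is", "news@example.org"):
        print(f"{addr:26} -> {classify_sender(addr, TRUSTED)}")
```

In a mail gateway this check would run on the From header and on every link host in the body, with "lookalike" verdicts quarantined rather than merely tagged.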

The Icelandic police responded quickly to the attack and the malicious domain was taken down the following day. It is unknown how many people fell for the scam.

Office 365 Phishing Attacks Are Abusing Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are commonplace, highly convincing, and Office 365 spam filtering controls are easily being bypassed by cybercriminals to ensure messages reach inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SSL certificates to convince users the websites are genuine.

Office 365 Phishing Attacks Can Be Difficult to Identify

In the event of a phishing email making it past perimeter defenses and arriving in an inbox, there are several tell-tale signs that the email is not genuine.

There are often spelling mistakes, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails and they are often virtually indistinguishable from genuine communications from the brand they are spoofing. In terms of formatting, they are carbon copies of genuine emails complete with the branding, contact information, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is requested to take are perfectly plausible.

Hyperlinks are contained in emails that direct users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually further signs that all is not as it seems. A warning may flash up that the website may not be genuine, the website may start with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.

Even these tell-tale signs are not always there, as has been shown in several recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Microsoft Azure Blob Storage Phishing Scam

One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use HTTP and HTTPS, the phishing campaign uses the latter, which will show a signed SSL certificate from Microsoft.

In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted document. In this case, the document appears to be from a Denver law firm. Clicking the button directs the user to an HTML page hosted on Azure blob storage that requires Office 365 credentials to be entered to view the document. Since the document is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft, adding legitimacy to the scam.

Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.

CloudFlare IPFS Gateway Abused

A similar campaign has been detected that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser. When connecting to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this case, the login requires information to be entered including username, password, and recovery email address and phone number – which will be forwarded to the attacker, while the user will be directed to a PDF file unaware that their credentials have been stolen.

Office 365 Phishing Protections are Insufficient

Office 365 users are being targeted by cybercriminals as they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for protection. With only the basic Exchange Online Protection, the protection was worse still.

Whether you run an SMB or a large enterprise, you are likely to receive high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be fooled. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater protection.

How to Make Office 365 More Secure

While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats such as spear phishing.

Office 365 does not have the same level of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.

To greatly improve protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to ensure malicious messages are blocked or quarantined rather than being delivered to end users’ inboxes. Some of the additional protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:

Sextortion Phishing Emails Proving Lucrative for Scammers

A new sextortion phishing threat has been detected that is proving to have the desired effect. Many recipients of the emails have paid up to avoid being exposed.

On the face of it, this sextortion phishing scam is as simple as it gets. A threat actor claims to have taken control of the target’s computer and recorded them via their webcam while they were visiting an adult website. A threat is made to publicly release the video of them viewing pornography unless a payment is made.

For some recipients of such an email, the threat would be enough to get them opening their Bitcoin wallet and making the payment without a second’s hesitation. Most people would likely see the email for what it really is: a scam and an empty threat.

However, a second variant of the email is being used that is a lot more personalized and includes a snippet of information to add credibility to the scam. The message includes the user’s password as ‘confirmation’ that it is not an empty threat. The attacker also claims, through compromising the target’s computer, to have obtained all the victim’s contacts including contacts in their social media accounts.

While the threat actor claims to have control of the user’s computer, that is not the case. The password has been obtained from a previous data breach and a list has likely been purchased on the darknet.

For many of the email recipients, the password will be old and will have been changed long ago. That may be enough in some cases to see payment made. However, for those who are still using that password, the threat may seem very real.

This is in reality a very simple scam that in many cases only works because, despite the well-known risks, failing to change passwords, recycling old passwords, and reusing passwords on multiple sites are still commonplace.

It is not known how many emails have been sent by the scammers – most likely millions – but it only takes a handful of people to respond and make payment for the scheme to be profitable.

So far, at least 151 people have responded to the sextortion phishing scam and made a payment to one of 313 Bitcoin addresses known to be used by the scammers. As of July 26, at least 30.08 BTC (approximately $250,000) had been raised from the scam, and it had only been running for a few weeks. The researcher tracking the payments (SecGuru) pointed out that the attackers have made three times as much as the individuals behind the WannaCry ransomware attacks last year.

Even without the password, the sextortion phishing scam has proved effective. Payments have been made in both versions of the scam. The standard scam asks for a payment of a few hundred dollars, although the inclusion of a password sees the payment rise considerably. Some individuals have been told it will cost them $8,000 to prevent the release of the video. Some individuals have paid thousands to the scammers.

Given the widespread coverage of the scam, and its success rate, it is probable that many more similar schemes will be conducted. Variations along the same theme could direct recipients to a phishing website where they are enticed into disclosing their current password, to an exploit kit that downloads malware, or to another scam site.

Protecting against a scam such as this is easiest by using strong passwords, regularly changing them, and never reusing passwords on multiple sites. It is also worthwhile periodically checking on HaveIBeenPwned.com to find out if your credentials have been exposed in a data breach, and immediately changing passwords if they have.

Anyone receiving a sextortion phishing email such as this should be aware that this is a scam. If the password included is currently being used, it is essential to change it immediately across all sites. And of course, set a strong, unique password for each account.

1.4 Million Patients Potentially Affected by UnityPoint Health Phishing Attack

In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.

UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.

That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.

The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.

The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.

A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.

The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts, information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.

This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.

The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identity theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.

As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.

Cosco Ransomware Attack Affects Americas Arm of Shipping Firm

One of the world’s biggest shipping firms, Cosco, has experienced a ransomware attack that has seen its local email system and network telephony in the Americas taken out of action as the result of widespread file encryption.

The Cosco ransomware attack is believed to have been contained in the Americas region. As a precaution and to prevent further spread to other systems, connections to all other regions have been disabled pending a full investigation. A warning has also been issued to all other regions warning of the threat of attack by email, with the firm telling its staff not to open any suspicious email communications. IT staff in other regions have also been advised to conduct scans of their network with antivirus software as a precaution.

The attack started on Tuesday, July 24, and its IT infrastructure remains down; however, the firm has confirmed that the attack has not affected any of its vessels, which continue to operate as normal. Its main business systems are still operational, although the operators of terminals at some U.S. ports are experiencing delays processing documentation and delivery orders.

It would appear that the Cosco ransomware attack is nowhere near the scale of the attack on the world’s biggest shipping firm A.P. Møller-Maersk, which like many other firms, fell victim to the NotPetya attacks last year. In that case, while the malware appeared to be ransomware, it was actually a wiper with no chance of file recovery.

The attack, which affected more than 45,000 endpoints and 4,000 servers, is estimated to have cost the shipping company between $250 million and $350 million to resolve. All servers and endpoints needed to be rebuilt, and the firm was crippled for 10 days. In that case, the attack was possible due to an unpatched vulnerability.

Another major ransomware attack was reported last week in the United States. LabCorp, one of the leading networks of clinical testing laboratories in the United States, experienced a ransomware attack involving a suspected variant of SamSam ransomware. While the variant of ransomware has not been confirmed, LabCorp did confirm the ransomware was installed as a result of a brute force attack on Remote Desktop Protocol (RDP).

Labcorp was both quick to detect the attack and contain it, responding within 50 minutes, although 7,000 systems and 1,900 servers are understood to have been affected. It has taken several days for the systems to be brought back online, during which time customers have been experiencing delays obtaining their lab test results.

Several cybersecurity firms have reported that ransomware attacks are in decline, with cryptocurrency mining offering better rewards, although the threat from ransomware is still ever present and attacks are occurring through a variety of attack vectors – exploitation of vulnerabilities, brute force attacks, exploit kit downloads, and, commonly, through spam and phishing emails.

To protect against ransomware attacks, companies must ensure security best practices are followed. Patches must be applied promptly on all networks, endpoints, applications, and databases, spam filtering software should be used to prevent malicious messages from reaching inboxes, web filters used to prevent downloads of ransomware from malicious websites, and all staff should receive ongoing cybersecurity awareness training.

Additionally, systems should be implemented to detect anomalies such as excessive file renaming, and networks should be segmented to prevent lateral movement in the event that ransomware is deployed.

Naturally, it is also essential that data are backed up regularly to ensure recovery is possible without having to resort to paying the ransom demand. As the NotPetya attacks showed, paying a ransom to recover files may not be an option.
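The "excessive file renaming" anomaly mentioned above is one of the cheapest ransomware signals to build, because encryption sweeps rename hundreds of files per minute to a new extension. The following is an added example, not code from the original article or from any of the firms it names: it parses a constructed audit-log format, keeps a sliding window of renames per host and user, and raises one alert when enough renames in the window gain the same new extension. The log format, thresholds, and sample events are all constructed for the demonstration.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-line format (not a real product's format):
#   <iso-timestamp> host=<h> user=<u> op=<RENAME|WRITE|...> path=<src>[ -> <dst>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<src>.+?)(?: -> (?P<dst>.+))?$"
)


def parse_event(line: str) -> dict | None:
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _extension(path: str) -> str:
    """Extension of the last path component ('.xlsx'), '' if there is none."""
    name = re.split(r"[\\/]", path)[-1]
    return name[name.rfind("."):] if "." in name else ""


def added_extension(src: str, dst: str | None) -> str | None:
    """Extension a rename introduced (e.g. '.crypt'); None if it was unchanged."""
    if dst is None:
        return None
    old, new = _extension(src), _extension(dst)
    return new if new and new != old else None


def detect_rename_bursts(lines, threshold: int = 20,
                         window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Alert once per (host, user, extension) when >= threshold renames inside
    `window` all gain the same new extension. Benign renames that keep the
    extension (draft.docx -> final.docx) are ignored entirely."""
    recent = defaultdict(deque)   # (host, user) -> deque of (timestamp, extension)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "RENAME":
            continue
        ext = added_extension(ev["src"], ev["dst"])
        if ext is None:
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append((ev["ts"], ext))
        while q and ev["ts"] - q[0][0] > window:   # drop events outside the window
            q.popleft()
        top_ext, count = Counter(e for _, e in q).most_common(1)[0]
        if count >= threshold and (key, top_ext) not in alerted:
            alerted.add((key, top_ext))
            alerts.append({"host": key[0], "user": key[1], "extension": top_ext,
                           "renames_in_window": count,
                           "first_seen": q[0][0], "last_seen": ev["ts"]})
    return alerts


def build_sample_log() -> list[str]:
    """Constructed audit trail: normal activity by alice, a mass rename by bob."""
    t0 = datetime(2018, 7, 24, 9, 15, 0)
    lines = [
        f"{t0.isoformat()} host=ws-03 user=alice op=WRITE path=C:\\Docs\\notes.txt",
        f"{(t0 + timedelta(seconds=5)).isoformat()} host=ws-03 user=alice op=RENAME "
        "path=C:\\Docs\\draft.docx -> C:\\Docs\\final.docx",   # extension kept: ignored
        f"{(t0 + timedelta(seconds=9)).isoformat()} host=ws-03 user=alice op=RENAME "
        "path=C:\\Docs\\report.doc -> C:\\Docs\\report.docx",  # one-off, below threshold
    ]
    for i in range(25):   # 25 renames in 25 seconds, every file gaining ".crypt"
        ts = (t0 + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{ts} host=ws-07 user=bob op=RENAME "
                     f"path=D:\\Share\\file{i:03}.xlsx -> D:\\Share\\file{i:03}.xlsx.crypt")
    return lines


if __name__ == "__main__":
    for alert in detect_rename_bursts(build_sample_log()):
        print(alert)
```

Tune `threshold` and `window` against a baseline of normal activity on file servers before wiring the alert to an automated response such as isolating the host.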

Phishing Attacks on National Bank of Blacksburg Result in $2.4 Million Loss

The National Bank of Blacksburg in Virginia has discovered just how important it is to have effective controls in place to protect against phishing. The bank suffered two costly phishing attacks in the space of eight months that have resulted in losses exceeding $2.4 million.

Phishing is the leading tactic used by cybercriminals to gain access to login credentials, steal data, and install malware. Emails are sent to employees with malicious attachments, which if opened, result in the installation of malware. Alternatively, links are sent in emails that direct employees to fraudulent websites where they are fooled into disclosing their login credentials.

The first attack on Blacksburg Bank took place on May 28, 2016. Malware was installed on its systems which gave the attackers access to the STAR Network, the system that manages debit card ATM activity. After gaining access to the STAR Network, the hackers were able to change account balances, remove security measures such as anti-theft and anti-fraud protections, conduct keystroke logging, and authorize withdrawals from customers’ accounts via ATMs.

In the two days that the hackers had access to the system, they were able to make withdrawals at hundreds of ATMs across the country and stole $569,648.24 from customers’ accounts. This was possible without stealing customers’ cards or using skimmers to create fake bank cards.

The malware was detected on May 30, 2016 and the attack was investigated by the computer forensics firm Foregenix which determined that the malware was installed as a result of an employee being duped by a phishing email.

Eight months later, on January 7, 2017, a similar attack occurred which involved cybercriminals gaining access to the STAR Network. Similarly, access was possible for two days, although in this case approximately $1.8 million was withdrawn from customers’ accounts. Verizon investigated the breach and concluded that access was gained as a result of an employee falling for a phishing scam.

The National Bank of Blacksburg holds an insurance policy against cyberattacks although its insurer, Everest National Insurance Company, has refused to cover the losses. Blacksburg is now suing its insurer for breach of contract.

What these incidents show is just how easy it is for major losses to be suffered as a result of employees falling for phishing scams and the importance of having robust anti-phishing measures in place.

There is no single solution that will provide total protection against phishing, although a good place to start is with an advanced anti-spam service such as SpamTitan.

SpamTitan uses dual antivirus engines (Bitdefender and ClamAV), which provide superior protection against phishing and block emails containing malware and malware downloaders. The solution performs multiple checks on each incoming email to determine whether it is genuine, spam, or malicious, including standard checks of email headers, Bayesian analysis of message content, and greylisting. Together, these controls ensure 99.97% of spam emails are detected and blocked, with a false positive rate of just 0.03%. Independent tests at Virus Bulletin have confirmed a 100% malware detection rate.

No anti-spam solution will block 100% of all spam and phishing emails so it is essential for employees to be trained how to recognize phishing emails. While it was once a best practice to provide annual training, with the volume of phishing emails now being sent and the increased sophistication of attacks, an annual training session is no longer sufficient.

Training needs to be ongoing, with regular training sessions scheduled throughout the year and employees conditioned through phishing simulation exercises. With effective spam filtering and employee security awareness training, the majority of phishing attempts can be thwarted.

Average Data Breach Mitigation Costs Now $3.86 Million

In 2017, data breach mitigation costs fell year-on-year; however, that appears to have been a blip. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute (on behalf of IBM Security) has revealed that data breach mitigation costs have risen once again.

The Ponemon Institute conducts the Cost of a Data Breach Study every year. For the 2018 study, the Ponemon Institute conducted interviews with 2,200 IT, data security, and compliance professionals from 477 companies in 15 countries, including the United States, United Kingdom, Germany, France, Canada, Brazil, Japan and Australia. The companies represented in the study came from a wide range of industry sectors. Each of those companies had experienced a data breach in the past 12 months.

Naturally, the larger the breach, the higher the cost of mitigation is likely to be. Breaches involving millions of records would naturally cost more to resolve than breaches of 50,000 records. Catastrophic data breaches – those involving millions of records – are not normally included in the study. This year was the first time that mega data breaches – those involving more than 1,000,000 records – were included, although they were treated separately.

The analysis of the main part of the study involved breaches ranging from 2,500 records to a little over 100,000 records. The average breach size was 24,615 records globally, 31,465 records in the United States, 22,800 records in the UK, and 19,200 records in Japan.

The costs associated with those data breaches were analyzed using the activity-based costing (ABC) methodology, which identified four process-related activities and assigned costs based on actual use. Those activities were Detection and Escalation, Post Data Breach Response, Breach Notifications, and Lost Business Cost. The analysis identified the average total cost of a data breach taking all four activity areas into account.

The study also revealed which measures taken before, during, and after a breach limit losses, and which increase data breach mitigation costs.

Average Data Breach Mitigation Costs Have Reached $3.86 Million

A data breach now costs an average of $3.86 million to resolve. Last year, the average cost of a data breach was $3.62 million. Data breach costs have therefore increased by 6.4% in the space of a year.

On average, per capita data breach mitigation costs rose by 4.8%, with a data breach costing, on average, $148 per record. Last year, the global average was $141 per record.

In addition to the rising cost, the severity of the breaches also increased, with the data breaches in this year’s sample impacting 2.2% more individuals on average.

Data breaches cost more to resolve in the United States than in any other country. The average data breach mitigation cost in the United States is $7.91 million per breach. The lowest costs were in India, where the average breach cost $1.77 million. The highest per capita costs were also in the United States, at $233 per record.

Hackers and malicious insiders caused the most breaches, and these were also the costliest to resolve at $157 per record. System glitches cost an average of $131 per record, and breaches caused by human error cost the least at $128 per record.

Data breach costs varied considerably by industry sector, with healthcare data breach mitigation costs the highest by some distance at an average of $408 per record, followed by financial services breaches at $206 per record, services at $181 per record, and pharmaceutical industry breaches at $174 per record. Breaches in the education sector cost an average of $166 per record, retail industry breaches were $116 per record, and the lowest data breach mitigation costs were in the public sector at $75 per record.

The study of mega data breaches revealed a breach of 1 million records costs an estimated $39.49 million to resolve, while a breach of 50 million records costs an estimated $350 million. Since there were only 11 breaches of more than 1 million records in the sample it was not possible to accurately calculate the average cost of these breaches.

What Factors Affect Data Breach Mitigation Costs the Most?

For the study, 22 different factors were assessed to determine how they affected data breach mitigation costs. The measures that reduced the cost of a data breach the most were having an incident response team ($14 less per record), widespread use of encryption ($13.1 less per record), BCM (business continuity management) involvement ($9.3 less per record), employee training ($9.3 less per record), participation in threat sharing ($8.7 less per record), and use of an artificial intelligence platform ($8.2 less per record).

The main factors that increased data breach mitigation costs were third party involvement ($13.4 more per record), extensive cloud migration at the time of the breach ($11.9 more per record), compliance failures ($11.9 more per record), extensive use of mobile platforms ($10.0 more per record), lost or stolen devices ($6.5 more per record), and extensive use of IoT devices ($5.4 more per record).

With the cost of data breaches rising, more cyberattacks being conducted, and the likelihood of a breach being experienced now higher, it is essential not only for companies to implement layered security defenses, but also to make sure they are prepared for the worst.

Companies need to assume a breach will be experienced, and policies and procedures need to be developed to deal with the breach when it happens. An incident response team should be prepared to spring into action to ensure everyone knows what needs to be done when disaster strikes. The sooner a breach is identified and mitigated, the lower the breach mitigation costs will be.

Cryptojacking Attacks Replace Ransomware as Primary Threat

There has been a major increase in cryptojacking attacks in recent months. Many cybercriminal gangs now favor this method of attack over ransomware and other forms of malware, taking advantage of the high value of cryptocurrencies.

As with ransomware attacks, cybercriminals need to install malicious code on computers. Instead of encrypting files, as ransomware does, the code is used to mine cryptocurrency. Mining involves a computer's CPU being used to solve complex computational problems that are necessary for verifying cryptocurrency transactions and adding blocks to the blockchain. In exchange for verifying transactions, the miner is paid a small amount for the effort.

Devoting one computer to the task of cryptocurrency mining could generate a few dollars a day. Using multiple computers for the task can generate a substantial return. The more computers that are used, the more blocks can be added to the blockchain and the greater the profits. When a network of cryptocurrency mining slave computers can be amassed, the profits can be considerable. According to Kaspersky Lab, one cryptojacking gang that focusses on infecting enterprise servers and spreading the malicious code using NSA exploits, has generated around 9,000 Monero, which equates to $2 million.

Not all computers are suitable for mining cryptocurrency. One cybercriminal gang has worked around this by developing malware that decides whether to deploy a cryptocurrency miner or ransomware based on the processing power of the computer. If it is not suitable for mining cryptocurrency, ransomware is deployed. This tactic helps maximize profits after compromising a device.

The use of cryptocurrency miners increased sharply last year as the value of cryptocurrencies started to soar. The price of those cryptocurrencies may have fallen, but cryptojacking attacks are still on the rise. The volume of new cryptojacking malware variants has also increased considerably over the past few months. Figures from McAfee indicate the number of cryptojacking malware variants increased by a staggering 1,189% in the first three months of 2018 alone, rising from around 400,000 malware variants to more than 2.9 million.

Over the same time frame, there has been a fall in the number of ransomware attacks. In Q1, ransomware attacks fell by around 32%, indicating threat actors who previously used ransomware to make money have changed their tactics and are now using cryptocurrency miners.

Ransomware attacks falling by a third is certainly good news, although the threat from ransomware cannot be ignored. Steps must be taken to prevent the installation of the file encrypting code and good backup practices are essential to ensure files can be recovered in the event of an attack. Certain industries face a higher risk of ransomware attacks than others, such as the healthcare industry, where attacks are still rife.

Cryptojacking attacks are more widely spread across industries, although the education sector has proven to be a major target. Many mining operations have been discovered in the education sector, although it is unclear whether these operations are legitimate, whether computers are being used by students to mine cryptocurrency, or whether educational institutions are being targeted.

One thing is clear. As the value of cryptocurrencies rose, the number of mining attacks increased. That suggests that should prices fall, cybercriminals will switch to other types of attacks, and there could be a resurgence in ransomware attacks.

It could be argued that the installation of cryptocurrency mining malware on a computer is far less of a problem than ransomware or other forms of malware. When the CPU is mining cryptocurrency, the user is likely to find their computer somewhat sluggish. This can result in a drop in productivity. Heavy processing can also cause computers to overheat and hardware damage can result.

Cryptojacking malware is usually installed by a downloader, which can remain on a computer. If the profits from mining cryptocurrency fall, new malware variants could easily be downloaded in its place. Cryptocurrency mining malware can also be bundled with other malware variants that steal sensitive information. Cryptojacking attacks are therefore a major threat.

Protecting against cryptojacking attacks involves the same security controls that are used to block other forms of malware. Cryptojacking malware can be installed by exploiting vulnerabilities so good patch management is essential. Spam and phishing emails are used to install malware downloaders, so an advanced spam filtering solution is a must. Web filters can prevent web-based mining attacks and malware downloads and offer an important extra layer of protection. It is also important not to neglect end users. Security awareness training can help to eradicate risky behaviors.

Additionally, security audits should be conducted to scan for the presence of cryptojacking malware, including searching for anomalies that could indicate an infection. Those audits should include servers, endpoints, POS systems, and all other systems. Any system connected to the network could potentially be used for mining cryptocurrency.

FBI 2017 Internet Crime Report: $1.4 Billion Lost to Business Email Compromise Scams

The FBI has published its 2017 Internet Crime Report, which details the main types of online crime reported to its Internet Crime Complaint Center (IC3).

In 2017, businesses and consumers reported 301,580 incidents to IC3 and more than $1.4 billion was lost to cybercriminals. Of course, these are only reported losses. Many Internet crimes go unreported, so the true losses are likely to be substantially higher.

2017 saw more complaints of Internet crime than any other year since 2013 when the reports first started to be published.

Identity theft and corporate data breaches often make the headlines, although by far the biggest area of criminal activity is business email compromise (BEC) scams – or email account compromise (EAC) when the scams target individuals.

Business Email Compromise Scams – The Main Cause of Losses in 2017

More than three times as much money was lost to BEC and EAC scams as to the next highest cause of losses: confidence fraud/romance scams. In 2017, the reported losses from BEC/EAC scams were $676,151,185.

Business email compromise and email account compromise scams involve the use of a compromised email account to convince individuals to make transfers of funds to accounts controlled by criminals or to send sensitive data via email.

BEC scams usually start with compromising the email account of the CEO, CFO or another board member – which is why this type of scam is also known as CEO fraud. Access to the executive’s email account is gained via brute force guessing of passwords or, most commonly, social engineering techniques and phishing scams.

Once access to the email account is gained, an email conversation is initiated with another member of the workforce, typically an individual responsible for making wire transfers. That individual is instructed to make a transfer to a new bank account – that of the attacker. Alternatively, employee data – W-2 forms – or other sensitive company information is requested. These scams often involve large transfers of funds. In 2017 there were 15,690 such scams reported to IC3, making the average loss $43,094.

Phishing Extensively Used in Internet Crime

Phishing, vishing, smishing and pharming were grouped together. They ‘only’ resulted in losses of $29,703,421, although the losses from these crimes are difficult to calculate accurately. The losses associated with phishing are grouped in many other categories. BEC scams often start with a phishing attack and research from Cofense suggests 91% of corporate data breaches start with a phishing email.

The 2017 Internet Crime Report reveals the extent to which phishing is used in cyberattacks. There were 25,344 phishing incidents reported to IC3 in 2017 – the third highest category of Internet crime behind non-payment/non-delivery and personal data breaches. Many personal data breaches start with a phishing email.

Ransomware Attack Mitigation Proves Expensive

In addition to the threat of BEC attacks, the FBI’s 2017 Internet Crime Report warns of the threat from ransomware. Ransomware only resulted in reported losses of $2.3 million and attracted 1,783 complaints, although it is worthy of a mention due to the considerable disruption that attacks can cause. The reported losses – in terms of the ransoms paid – may be low, but actual losses are substantially higher. The ransomware attack on the City of Atlanta in April 2018 saw a ransom demand of $52,000 issued, although the actual cost of mitigating the attack was reported to be at least $2.7 million in April. However, in June 2018, city Information Management head Daphney Rackley indicated a further $9.5 million may be required over the coming year to cover the cost of mitigating the attack.

Tech Support Fraud Losses Increased by 90%

Another hot topic detailed in the 2017 Internet Crime Report is tech support fraud – a widespread scam where individuals are fooled into thinking they have a computer problem, such as a virus or malware infection, when they do not. Calls are made warning of detected malware, or users are directed via phishing emails to malicious websites where pop-up warnings are displayed or screen lockers are used.

These scams usually require the victim to pay the scammer to remove a fictitious infection and to provide them with remote access to the computer. In addition to the scammer's charge for removing the infection, sensitive data such as usernames, passwords, Social Security numbers, and bank account information are often stolen. 2017 saw a 90% increase in losses from tech support scams.

Protecting Against Internet Crime

One of the most important defenses for businesses to implement to protect against the leading cause of financial losses is an advanced spam filtering solution. Business email compromise scams often start with a phishing email and effective spam filtering will reduce the potential for email accounts to be compromised. Ransomware and malware are also primarily distributed via email. An advanced spam filter such as SpamTitan will block 100% of all known malware and prevent malicious messages from being delivered to inboxes.

Security awareness training is also essential. Malicious messages will make it past spam filtering solutions on occasion, so it is important for all end users to be prepared for malicious messages and taught security best practices. Training should be provided to every individual in the company with a corporate email account or access to an Internet facing computer, including board members.

A web filtering solution is also an important consideration. A web filter is an additional anti-malware control that can be used to prevent employees from visiting malicious websites – either via links in emails, redirects, or through general web browsing. A web filter, such as WebTitan, will block ransomware and malware downloads and prevent end users from accessing the types of phishing websites used to initiate BEC attacks.

These three cybersecurity measures should be part of all organizations’ cybersecurity defenses. They will help to prevent businesses from being included in next year’s FBI Internet Crime Report.

Fake WannaCry Ransomware Campaign Detected

UK users are being targeted with a fake WannaCry ransomware alert threatening file encryption if a ransom demand is not paid.

Fraudsters Claim WannaCry is Back!

In May last year, WannaCry ransomware attacks brought many companies to a standstill, with the UK’s National Health Service (NHS) a notable victim. Now, a little more than a year later, a new WannaCry ransomware campaign is being run, or so the sender of a batch of phishing emails claims.

Email recipients are told “WannaCry is back!” and are warned that their devices have been hacked and ransomware has been installed.

Email recipients are warned that the threat actors have perfected their ransomware and this time around antivirus software and firewalls will not prevent file encryption. Further, recovery will not be possible if the ransom is not paid.

Failure to pay, or any attempt to try to remove the ransomware without paying the ransom demand will result in permanent file deletion. Further, the ransomware can propagate and infect the local network, cloud data, and remote devices, regardless of operating system.

Email recipients are told that the ransomware has already been deployed and payment of a ransom of 0.1 Bitcoin – around $650 – must be made to stop the attack. Email recipients are given just 24 hours to pay the ransom before data are permanently deleted.

The email is signed by WannaCry-Hack-Team, and so far, more than 300 copies of the message have been reported to the UK government’s National Fraud and Cyber Crime Reporting Centre, Action Fraud.

A Phishing Scam that Preys on WannaCry Fears

There are some signs that the email is not a genuine threat, and instead is just preying on fears about another WannaCry style attack.

Ransomware attackers encrypt data then ask for a ransom to unlock files. They do not send a warning saying they will encrypt data if a ransom is not paid. That tactic may be used by some DDoS attackers, but not by ransomware threat actors.

Email recipients are told that this version of WannaCry will work on “any version of Windows, iOS, Android, and Linux.” The original version of WannaCry took advantage of a vulnerability in Windows Server Message Block. WannaCry only affected vulnerable Windows devices that had not been patched. The ransomware was not a threat on other operating systems.

Phishing campaigns often include spelling mistakes in the subject line and message body and this email is no different. The subject line is – “Attantion WannaCry”.

This is simply a phishing campaign that attempts to extort money from the recipient. No ransomware has been installed and the attackers cannot encrypt any files.

If you receive such a message threatening file encryption unless you pay a ransom, report it to Action Fraud (UK), US-CERT (phishing-report@us-cert.gov) in the United States, or the government fraud and cyber crime agency in your country of residence. Then delete the email, and do not pay any Bitcoin ransom.

Of course, not all ransomware threats are as benign as this and many attackers will be able to encrypt your data. To protect against real ransomware threats ensure you create multiple backups of your files, deploy a spam filtering solution, ensure your operating system and all software are kept up to date, and keep your anti-virus protection up to date.

New Spam Campaign Uses Malicious Excel Web Query Files to Deliver Malware

A new spam campaign has been identified that uses Excel Web Query files to deliver malware. In this case, the .iqy files are used to launch PowerShell scripts that give the attackers root access to a device. .iqy files are not usually blocked by spam filters, making the technique effective at silently delivering malware.

The spam emails are being delivered via the Necurs botnet. Three spam campaigns have been detected by Barkly that use these attachments, although further campaigns are almost certain to be launched.

Excel Web Query files obtain data from an external source and load it into Excel. In this case, the external data is a formula that Excel executes. The formula is used to run PowerShell scripts which, in at least one campaign, download a Remote Access Trojan (RAT) called FlawedAmmyy Admin – a tweaked version of a legitimate remote administration tool that gives the attacker full control of a computer, allowing any number of malicious programs to be installed.

The emails masquerade as purchase orders, unpaid invoices, and scanned documents – common themes used in spam emails to deliver malware. Such spam campaigns often use Word documents with malicious macros. Macros are usually disabled by default, and through security awareness training, end users have been conditioned not to enable macros on documents from unknown senders, thus preventing malware downloads.

Since most end users will not be used to receiving .iqy files, these attachments should arouse suspicion. Microsoft has also built in warnings to prevent these files from being run unwittingly. If an end user attempts to open one of these files, a warning is displayed alerting the user that the file may not be safe because it enables an external connection. The end user must click Enable before the connection is made and data is pulled into Excel. A second warning is then displayed, again requiring authorization. Only if both warnings are ignored will the script that downloads the malicious payload be allowed to run.

There are two steps you can take to protect your endpoints and networks from these types of attacks. The first is to configure your email spam filter to quarantine any emails containing .iqy attachments. SpamTitan allows certain attachment types to be blocked, such as executable files and .iqy files. You can set the policy to quarantine, reject, or delete the emails. Since these types of files are not usually sent via email, rejecting or deleting the messages is the safest option.
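The attachment rule described above, as an added example in Python rather than SpamTitan's own code or configuration: it parses a constructed invoice-lure message, identifies Excel Web Query attachments both by the .iqy name and by their WEB/1/URL content, reports the external URL the query would contact, and returns the chosen quarantine/reject/delete action. The message, filenames and the lure.example URL are constructed placeholders.

```python
"""Attachment policy check for Excel Web Query (.iqy) files.

Added example, not SpamTitan's own code: parse a MIME message with the
standard library, find attachments that are Excel Web Query files (by the
.iqy name or by their WEB/1/URL content), extract the URL Excel would
fetch, and return the administrator's chosen policy action.
"""
import email
from email import policy
from email.message import EmailMessage

# The three policy choices described in the text.
ACTIONS = ("quarantine", "reject", "delete")


def parse_iqy(data: bytes):
    """Return the URL and parameters of a WEB query file, or None.

    Excel Web Query layout: line 1 is the query type ('WEB'), line 2 the
    format version ('1'), line 3 the URL Excel fetches, then optional
    'Key=Value' lines such as Formatting=None.
    """
    try:
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return None  # binary content: not a text query file
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    params = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def find_web_query_attachments(raw: bytes):
    """Collect every attachment that is an Excel Web Query.

    Both the filename and the decoded content are checked, so a query file
    that arrives without the .iqy name (or with it in upper case) is still
    reported, together with the external URL it would contact.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        query = parse_iqy(part.get_payload(decode=True) or b"")
        by_ext = name.lower().endswith(".iqy")
        if by_ext or query is not None:
            findings.append({
                "filename": name,
                "by_extension": by_ext,
                "by_content": query is not None,
                "url": query["url"] if query else None,
            })
    return findings


def apply_attachment_policy(raw: bytes, action: str = "reject"):
    """Gateway decision: 'deliver' when no web query attachment is present,
    otherwise the configured quarantine/reject/delete action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown policy action {action!r}")
    findings = find_web_query_attachments(raw)
    return {"action": action if findings else "deliver", "findings": findings}


def build_sample(filename: str, attachment: bytes) -> bytes:
    """Constructed invoice-lure message with one attachment (not a real
    captured sample; all addresses use reserved .example domains)."""
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please see the attached invoice and confirm payment.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed .iqy body: Excel would fetch this URL and evaluate the reply.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://lure.example/Invoice_4471.dat\r\n\r\nFormatting=None\r\n"


if __name__ == "__main__":
    for name in ("Invoice_4471.iqy", "Invoice_4471.IQY", "attachment.bin"):
        verdict = apply_attachment_policy(build_sample(name, SAMPLE_IQY), "quarantine")
        print(f"{name}: {verdict['action']} {verdict['findings']}")
    clean = build_sample("Invoice_4471.pdf", b"%PDF-1.4 constructed placeholder")
    print("Invoice_4471.pdf:", apply_attachment_policy(clean)["action"])
```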

You should also cover the use of these files in your security awareness training sessions and should consider sending an email alert to end users warning them about the threat.

Further information on steps you can take to prevent malware infections spread via email can be found in our anti-spam tips page. You can find out more about the capabilities of SpamTitan by calling the sales team:

  • USA: +1 5859735070
  • UK/EU: +44 (0)2476993640
  • Ireland: +353 91 545555
  • Mid East: +971 4 3886998

Beware of These World Cup 2018 Phishing Scams

World Cup 2018 phishing scams can be expected over the coming weeks. There has already been a spike in World Cup related phishing emails and many malicious World Cup-themed domains have been registered.

World Cup 2018 Phishing Scams Detected!

The World Cup may be two weeks away, but interest in the soccer extravaganza is already reaching fever pitch. The World Cup is watched by billions of people around the world, and around 5 million soccer fans are expected to travel to Russia to see the matches live between June 14 and July 15. With such interest in the sporting event it should be no surprise that cybercriminals are poised to take advantage.

Kaspersky Lab has already detected several World Cup 2018 phishing scams, with many of the early scams using emails to direct soccer fans to malicious websites offering the opportunity to buy tickets for the games.

Fake Tickets and Fake Touts

With tickets for the big matches scarce and demand outstripping supply, many fans are turning to touts to secure tickets to the big matches. Steps have been taken by FIFA to make it harder for ticket touts to operate, such as only allowing one ticket for a game to be purchased by any football fan. That individual is also named on the ticket. However, it is still possible for individuals to purchase tickets for guests and touts are taking advantage. The price for guest tickets is extortionate – up to ten times face value – and that price will likely rise as the event draws closer.

Such high prices mean the opportunity of snapping up a cheaper ticket may seem too good to miss. However, there are plenty of scammers who have registered websites and are posing as touts and third parties that have spare tickets.

Purchasing a ticket through any site other than the official FIFA website is a tremendous risk. The only guarantee is that the price paid will be substantially higher; there is no guarantee that a ticket will be sent after payment is made, and even if a ticket does arrive from an unofficial seller, it may turn out to be a fake. Worse, paying with a credit or debit card could see bank accounts emptied.

Kaspersky Lab detected large numbers of malicious domains set up and loaded with phishing pages to take advantage of the rush to buy tickets ahead of the tournament. The websites are often clones of the official site. To add credibility, domains have been purchased that include the words worldcup2018 and variations on that theme. Cheap SSL certificates have also been purchased, so the fact that a website address starts with HTTPS is no guarantee that the site is legitimate. Tickets should only be purchased through the official FIFA website.

Competition Scams

Why pay a high price for a ticket when there is a chance of obtaining one for free? Many competition-themed World Cup 2018 phishing emails have been detected. These emails are sent out in the millions, offering soccer fans the chance to win a free ticket to a match. To be in with a chance, the email recipient is required to register their contact details. Those details are subsequently used for further phishing and spamming campaigns. Stage two of the scam, where the ‘lucky’ registrant is told they have won a ticket, involves opening an email attachment, which installs malware.

Notifications from FIFA and Prizes from FIFA World Cup 2018 Partners

Be wary of any communications from FIFA or any company claiming to be an official World Cup Partner. Kaspersky Lab has detected several emails that appear, at face value, to have been sent by FIFA or its World Cup 2018 partners. These emails usually request the recipient to update their account for security reasons.

Visa is one brand in particular that is being spoofed in World Cup 2018 phishing emails for obvious reasons. Fake security alerts from Visa require credit card credentials to be entered on spoofed websites. If any security alert is received, visit the official website by typing in the official domain into the browser. Do not click the links contained in the emails.

Cheap Travel Accommodation Scams

Airline tickets to cities staging World Cup matches may be difficult to find, and with more than 5 million fans expected in Russia for the World Cup, accommodation will be scarce. Scammers take advantage of the scarcity of flights and accommodation and the high prices being charged and offer cheap deals, usually via spam email. A host of malicious websites have been set up mimicking official travel companies and accommodation providers to fool the unwary into disclosing their credit card details. Retail brands are also being spoofed, with offers sent via email for cut price replica shirts and various other World Cup apparel.

These World Cup 2018 phishing scams can usually be identified from the domain name, which needs to be checked carefully. These websites are often clones and are otherwise indistinguishable from the official websites.

Team and Match News and World Cup Gossip

As the World Cup gets underway, there are likely to be waves of spam emails sent with news about matches, team information, betting odds, and juicy gossip about teams and players. Every major sporting event sees a variety of lures sent via spam email to get users to click links and visit malicious websites. Hyperlinks often direct users to webpages containing fake login pages – Facebook and Google etc. – where credentials need to be entered before content is displayed.

How to Avoid Becoming a Victim of a World Cup 2018 Phishing Scam

These are just a few of the World Cup 2018 phishing scams that have been detected so far and a great deal more can be expected by the time the World Cup winner lifts the trophy on July 15.

Standard security best practices will help soccer fans avoid World Cup 2018 phishing scams. Make sure you:

  • Only buy tickets from the official FIFA website
  • Only book travel and accommodation from trusted vendors and review the vendors online before making a purchase
  • Never buy products or services advertised in spam email
  • Never open attachments in World Cup-themed emails from unknown senders
  • Do not click hyperlinks in emails from unknown senders
  • Never click a hyperlink until you have checked the true domain and avoid clicking on shortened URLs
  • Ensure all software, including browsers and plugins, is patched and kept fully up to date
  • Ensure anti-virus software is installed and is kept up to date
  • Consider implementing a third-party spam filtering solution to prevent spam and malicious messages from being delivered – something especially important for businesses, to stop employees from being duped into installing malware on work computers.
  • Stay alert – if an offer seems too good to be true, it most likely is

Beware of GDPR Phishing Scams

Several GDPR phishing scams have been detected in the past few days as scammers capitalize on the last-minute rush by companies to ensure compliance ahead of the May 25, 2018 GDPR deadline. Be wary about any GDPR related email requests – they may be a scam.

GDPR Provides Scammers with a New Opportunity

You will probably already be sick of receiving email requests from companies asking if they can continue sending you emails, but that is one of the requirements of GDPR. GDPR requires consent to be obtained to use – or continue to use – personal information. With previous privacy policies failing to comply with the new EU law, email requests are being sent to all individuals on mailing lists and those who have previously registered on websites to re-obtain consent.

All companies that have dealings with EU residents are required to comply with GDPR, regardless of their location. Emails are therefore being sent from companies far and wide. Consumers are receiving messages from companies that they may have forgotten they had dealings with in the past. If personal data is still on file, email requests are likely to be sent asking for permission to retain that information.

The masses of emails now being sent relating to GDPR have created an opportunity for scammers. GDPR phishing scams have been developed to fool users into revealing sensitive information under the guise of GDPR related requests. Many GDPR phishing scams have been identified in recent weeks. It is ironic that a regulation that aims to improve privacy protections for EU residents is being used to violate privacy.

Apple Spoofed in New Phishing Scam

Phishers often spoof large, familiar brands as there is a greater chance that the recipient of the message will have an account with that company. The most popular global brands – Netflix, PayPal, Apple, and Google – are all commonly impersonated.

These impersonation scams can be highly convincing. A request is sent via email that seems perfectly reasonable, the emails appear to have been sent from the company, and the email address of the sender is spoofed to appear genuine. The emails contain branding and images which are familiar, and the messages can be almost indistinguishable from genuine communications.

The aim is to get users to click on an embedded hyperlink and visit the company’s website and login. There is usually an urgent call to action, such as a security alert, threat of account closure, or loss of services.

Apple is one such brand that has recently been impersonated in GDPR phishing scams. The aim of the attackers is to get Apple customers to login to a fake site and disclose their credentials. Once the credentials have been obtained, the scammers have access to the user’s account, which includes financial information, credit card details, and other personal information.

Airbnb GDPR Phishing Scams Detected

Redscan has recently detected Airbnb GDPR phishing scams. The emails tell users of the home sharing platform that they are required to update their contact details because of GDPR law in order to continue using the platform. The request seems entirely reasonable given that so many companies are sending similar emails.

The emails claim to be from Airbnb customer service, contain the correct images and branding, and direct users to a familiar looking website that differs only in the domain name. Users are asked to re-enter their contact information and payment card details.

Watch Out for GDPR Phishing Scams

These scams are just two of several. More can be expected over the coming days in the run up to the compliance deadline and beyond. To avoid falling for the scams, make sure you treat all GDPR-related requests as potentially suspicious.

The easiest way to avoid the scams is to visit the website of the brand by typing the correct address directly into the browser or using your usual bookmark. It should be clear when you log in if you need to update your information because of GDPR.
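The check behind that advice, as an added example that is not code from the article: a small Python scanner that pulls every link out of an email body claiming to come from a brand and flags any whose host is not one of the brand's own domains (the Airbnb case above differs only in the domain name). The BRAND_DOMAINS allowlist and the Airbnb-themed sample email are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains each brand legitimately links to. This allowlist is an assumption
# for the example; a real deployment maintains it per brand.
BRAND_DOMAINS = {
    "airbnb": {"airbnb.com", "airbnb.co.uk"},
    "apple": {"apple.com", "icloud.com"},
}

# Constructed sample email in the style described above: correct branding,
# one link to a look-alike domain, one genuine link, one mailto: link.
SAMPLE_EMAIL = """
<p>Dear Airbnb user, under GDPR you must confirm your contact details
to keep using the platform.</p>
<a href="https://airbnb.com.account-update.example/gdpr">Update my details</a>
<a href="https://www.airbnb.com/help">Help Centre</a>
<a href="mailto:help@airbnb.com">Contact us</a>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Lower-cased hostname of a link. urlsplit().hostname discards any
    'user@' prefix, so https://www.airbnb.com@evil.example/ yields evil.example."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_belongs_to(host, domain):
    """True for the domain itself and its subdomains, never for look-alikes
    such as airbnb.com.account-update.example."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, brand):
    """Return the web links in an email claiming to come from `brand` whose
    destination host is not one the brand actually uses."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    allowed = BRAND_DOMAINS[brand]
    findings = []
    for href, text in parser.links:
        if urlsplit(href).scheme.lower() not in ("http", "https"):
            continue  # mailto:, tel: and the like are not web links
        host = link_host(href)
        reasons = []
        if not any(host_belongs_to(host, d) for d in allowed):
            reasons.append("host %s is not a %s domain" % (host, brand))
        if "xn--" in host:
            reasons.append("internationalized (punycode) host, possible look-alike")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "airbnb"):
        print(finding)
```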

2017 Saw 24% Increase in Tech Support Scams

Microsoft has released new figures that show there has been a sizeable increase in tech support scams over the past year. The number of victims that have reported these scams to Microsoft increased by 24% in 2017. The true increase could be much higher. Many victims fail to report the incidents.

According to Microsoft, in 2017 there were 153,000 reports submitted from customers in 183 countries who had been fooled by such a scam. While not all of the complainants admitted to losing money as a result, 15% said they paid for technical support. The average cost of support was between $200 and $400, although many individuals were scammed out of much more significant amounts. While victims may not willingly pay much more to fix the fictitious problem on their computers, if bank account details are provided to the scammers, accounts can easily be drained. One victim from the Netherlands claims a scammer emptied a bank account and stole €89,000.

The rise in complaints about tech support scams could, in part, be explained by more scammers pretending to be software engineers from Microsoft, which prompts victims to report the incidents to Microsoft when they realize they have been scammed.

However, the rise in tech support scams is backed up by figures released by the FBI. Its Internet Crime Complaint Center (IC3) received 86% more complaints in 2017 from victims of tech support scams. Around 11,000 complaints were received by IC3 about tech support scams last year and more than $15 million was lost to the scams.

It is easy to see why these scams are so attractive for would-be cybercriminals. In many cases, little effort is required to pull off the scam. All that is required in many cases is a telephone. Cold calling is still common, although many of the scams are now much more sophisticated and have a much higher success rate.

Email is also used. Some tech support scams involve warnings and use social engineering techniques to convince the recipient to call the helpline. Others involve malware, sent as an attachment or downloaded as a result of visiting a malicious website via a hyperlink supplied in the email.

Once installed, the malware displays fake warning messages that convince the user that they have been infected with malware that requires a call to the technical support department.

The use of popups on websites is common. These popups cannot be closed and remain on screen. Browser lockers, which serve the same purpose, are also common: both are designed to prompt the user to call the support helpline.

While many more experienced users would know how to close the browser – CTRL+ALT+DEL and shut down the browser via Windows Task Manager – less experienced users may panic and call the helpline number, especially when the popup claims to be from a well-known company such as Microsoft or even law enforcement.

The typical process used in these tech support scams is to establish contact by telephone and get the user to download software to remove a fictitious virus, or malware that has previously been installed by the attackers. Remote administration tools are used that allow the scammer to access the computer. The user is convinced there is malware installed and told they must pay for support. Payment is made and the fictitious problem is fixed.

These techniques are nothing new; it is just that more cybercriminals have got in on the act and operations have been expanded due to the high success rate. Fortunately, there are simple steps that can prevent users from falling for these tech support scams.

To avoid becoming a victim of such a scam:

  • Never open any email attachments you receive from unknown senders
  • Do not visit hyperlinks in email messages from unknown senders
  • If contacted by phone, take a number and say you will call back. Then contact the service provider using verified contact information, not the details supplied over the telephone
  • If you are presented with a warning via a popup message or website claiming your device has been infected, stop and think before acting. Genuine warnings do not include telephone numbers and do not have spelling mistakes or questionable grammar
  • If you receive a warning about viruses online and want to perform a scan, download free antivirus software from a reputable firm’s official website (Malwarebytes, AVG, or Avast, for instance)
  • Before making any call, verify the phone number. Use a search engine to search for the number and see if it has been associated with scams in the past
  • ISPs and service providers rarely make unsolicited telephone calls to customers about viruses and technical issues and offer to fix the device

If you believe you are a victim of a tech support scam, report the incident to the service provider who was spoofed and notify appropriate authorities in your country of residence.

In the USA, that is the Federal Trade Commission or the FBI’s IC3; in the UK it is the National Fraud and Cyber Crime Reporting Center, the European Consumer Center in Ireland, or the equivalent organizations in other countries.

Phishing Attacks Expected Following Massive MyFitnessPal Data Breach

Under Armour has experienced a massive MyFitnessPal data breach that has resulted in the personal information of 150 million users being accessed and stolen by a hacker.

The data relates to users of the mobile MyFitnessPal app and the web version of the fitness and health tracking platform. The types of data stolen in the MyFitnessPal data breach include hashed usernames, passwords and email addresses.

While payment card data is held by Under Armour, the information is processed and stored separately and was unaffected. Other highly sensitive information typically used for identity theft and fraud such as Social Security numbers was not obtained by the attacker.

The MyFitnessPal data breach is notable for the sheer volume of data obtained and is the largest data breach to be detected this year; however, the theft of hashed data would not normally pose an immediate risk to users. That is certainly the case for the passwords, which were hashed using bcrypt – a particularly strong hashing algorithm. However, usernames and passwords were only hashed using the SHA-1 hashing function, which does not offer the same level of protection. SHA-1 hashes can be cracked, which means the information could potentially be accessed by the attacker.

Further, the attacker has had the data for some time. Under Armour became aware of the breach on March 25, 2018, but the attack took place more than a month before it was detected – some six weeks before the announcement about the data breach was made.

Given the method used to protect the usernames and passwords, the data can be considered accessible and it is almost certain the person or persons responsible for the attack will attempt to monetize the data. If the attacker cannot crack the hashes personally, it is certain that the data will be sold to someone who can.

While it is possible that the bcrypt-hashed passwords could be cracked, it is unlikely that this will be attempted. To do so would take a considerable amount of time and effort. Further, Under Armour is notifying affected users and is encouraging them to change their passwords as a precaution to ensure accounts cannot be accessed.

While MyFitnessPal accounts may remain secure, that does not mean that users of MyFitnessPal will be unaffected by the breach. The attacker – or current holders of the data – will no doubt use the 150 million email addresses and usernames for phishing campaigns.

Under Armour started notifying affected users four days following the MyFitnessPal data breach. Any user affected should log in and change their password as a precaution to prevent their account from being accessed. Users also need to be alert to the risk from phishing.

Phishing campaigns related to the MyFitnessPal data breach can be expected although the attackers will likely develop a variety of phishing emails to target breach victims.

An incident of the scale of the MyFitnessPal data breach also poses a risk to businesses. If an employee was to respond to a phishing campaign, it is possible that they could download malware onto their work device – an action that could result in the business network being compromised.

Attacks on this scale are becoming far more common, and with huge volumes of email addresses now being used for phishing campaigns, advanced anti-spam services for businesses are now a necessity.

If you have yet to implement a spam filter, or are unhappy with your current provider and its detection/false positive rate, contact TitanHQ to find out about SpamTitan – the leading anti-spam software for enterprises and SMBs.

Lazio Phishing Scam Nets Cybercriminals €2 million

A recent Lazio phishing scam has potentially resulted in a €2 million loss for the Italian Serie A football team, which paid the final installment of a player transfer fee into the bank account of a scammer.

The Lazio phishing scam involved some insider knowledge as the scammer was aware that part of the transfer fee for a player was outstanding. An email was carefully crafted and sent to the Italian football team that appeared to have come from representatives of the Dutch football club Feyenoord. In the email the outstanding balance for the player Stefan de Vrij was demanded. Stefan de Vrij had joined Lazio from Feyenoord in 2014.

The email looked official and appeared to have been sent from a legitimate source. The accounts department at the Italian club responded and proceeded with the transfer of funds – approximately $2,460,840 – to the bank account as requested. However, the bank account details supplied in the email were not those of Feyenoord.

When Feyenoord was contacted, the club denied all knowledge of any email communication about the player and confirmed that no funds had been received. The money had been paid to a Dutch bank account, but not one held by any staff at the club, nor any representative of the player.

The payment has been tracked and Lazio is attempting to recover the funds. It is not yet known whether the money has been recovered and if that will be possible.

The Lazio phishing scam has certainly made the headlines, but many similar attacks go unreported. Scams such as this are commonplace, and businesses are being fooled into making huge transfers of funds to criminals’ accounts.

While this attack clearly involved some insider knowledge, that information can easily be gained with a simple phishing email. If the CFO of an organization can be fooled into revealing their email login credentials, the account can be accessed and a treasure trove of information can be found. The account can then be used to send an email request to a member of the accounts department or a company that is in the process of making a sizeable purchase.

The attacker can match the writing style of the CFO and copy the usual format of email requests. All too often the recipient is fooled into making the transfer.

This type of scam is called business email compromise – or BEC – and it is costing businesses billions. One recent report estimates the total losses to BEC attacks alone is likely to reach $9 billion in 2018.

These scams are far different to the typical phishing scams of years gone by where huge numbers of emails were sent in the hope of a few individuals responding. These attacks are highly targeted, the recipient is extensively researched, and a great deal of time is spent conducting the attack. As the Lazio phishing scam showed, it is certainly worth the time and effort.

Businesses need to protect themselves against these types of phishing attacks, but there is no silver bullet. Layered defenses are essential. Businesses need to develop an anti-phishing strategy and purchase anti-phishing security solutions. An advanced spam filtering solution is a must, DMARC should be implemented to prevent brand abuse, and security awareness training for staff is essential. Policies should also be developed and implemented that require two-factor verification on any wire transfer over a certain threshold.

Even if an email filter could not block the Lazio phishing email and the email was believable enough to fool a security aware employee, a quick telephone call to confirm the request could have highlighted the scam for what it was.

Sophisticated Multi-Stage Phishing Scam Used to Obtain Millions of Dollars from Businesses

Cybercriminal gangs operating in Nigeria have been discovered to be using phishing kits in a highly sophisticated phishing campaign that has seen millions of dollars obtained from big businesses.

The scammers are regularly fooling employees into revealing their email login credentials – the first stage of the complex scam. The ultimate goal of the attackers is to gain access to corporate bank accounts and convince accounts department employees to make sizeable transfers to their accounts.

According to research conducted by IBM, these scams have been highly successful. Fortune 500 companies are being targeted and losses have been estimated to be of the order of several million dollars.

These scams take time to pull off and considerable effort is required on the part of the scammers. However, the potential rewards are worth the effort. Bank transfers of tens or hundreds of thousands of dollars can be made and business email accounts can be plundered.

A Sophisticated Multi-Stage Phishing Scam

In order to pull off the scam, the attackers must first gain access to at least one corporate email account. Access is gained using phishing emails, with social engineering tactics used to convince employees to click on a malicious link. Those links direct the email recipients to malicious DocuSign login pages where credentials are harvested. These malicious pages have been created on multiple websites.

According to IBM, the gang behind this campaign has created more than 100 of these pages, many of which have been loaded onto genuine websites that have been compromised by the attackers.

Once access to one email account is gained, it is easy to obtain email addresses from the contact list to fool other employees. When an email account is accessed, the attackers search the account for messages involving accounts and payments. The attackers then send emails carrying on conversations between staff members, inserting themselves into conversations and continuing active discussions.

“The attackers typically took a week between the point they gained initial access to a user’s email account and the time they started setting up the infrastructure to prepare a credible ruse,” said IBM’s X-Force researchers. “During this time, they likely conducted extensive research on the target’s organizational structure, specifically focusing on the finance department’s processes and vendors.”

By setting up email rules and filters in the compromised account, the attackers can block genuine conversations between employees that could uncover the scam. As a result, all conversations take place between a specific individual and the attacker.

This method of attack allows the attackers to gain access to banking credentials and send highly convincing emails requesting transfers to their accounts. Targeted employees are unlikely to realize that they are not emailing a legitimate contact.
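Those mailbox rules leave a trace that defenders can audit. As an added example, not part of the article or IBM's research, this Python script checks an exported list of inbox rules for the pattern described above: rules that hide or delete finance-related mail, forward it outside the organisation, or carry a throwaway name. The export format (keys modelled on Exchange Online's Get-InboxRule properties), the keyword lists and the sample rules are assumptions constructed for the example.

```python
import json

# Subject/body words a BEC actor wants to intercept: anything about money moving.
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "transfer", "bank", "remittance", "swift")
# Folders where diverted mail tends to be parked (heuristic, assumed for the example).
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history")

# Constructed sample in the shape of an exported rule list. The keys mirror
# Exchange Online's Get-InboxRule properties, but that mapping is an
# assumption; adapt them to whatever your export actually produces.
SAMPLE_RULES_JSON = """
[
  {"Name": "Newsletter cleanup", "FromAddressContainsWords": ["newsletter"],
   "SubjectContainsWords": [], "MoveToFolder": "Archive",
   "DeleteMessage": false, "ForwardTo": [], "MarkAsRead": false},
  {"Name": ".", "FromAddressContainsWords": ["@vendor-billing.example"],
   "SubjectContainsWords": ["invoice", "payment"], "MoveToFolder": "RSS Feeds",
   "DeleteMessage": false, "ForwardTo": [], "MarkAsRead": true},
  {"Name": "x", "FromAddressContainsWords": [],
   "SubjectContainsWords": ["wire transfer"], "MoveToFolder": null,
   "DeleteMessage": true, "ForwardTo": ["drop@mail.example"], "MarkAsRead": false}
]
"""


def load_rules(text):
    """Parse the exported rule list (JSON array of rule objects)."""
    return json.loads(text)


def _mentions_finance(rule):
    phrases = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    return any(k in p.lower() for p in phrases for k in FINANCE_KEYWORDS)


def audit_rules(rules, internal_domain):
    """Return [{name, reasons}] for rules that look like BEC tradecraft."""
    findings = []
    for rule in rules:
        reasons = []
        name = rule.get("Name", "")
        if len(name.strip()) <= 2:
            reasons.append("throwaway rule name %r" % name)
        finance = _mentions_finance(rule)
        folder = (rule.get("MoveToFolder") or "").lower()
        if finance and rule.get("DeleteMessage"):
            reasons.append("deletes finance-related mail")
        if finance and folder in HIDING_FOLDERS:
            reasons.append("moves finance-related mail to '%s'" % rule.get("MoveToFolder"))
        if finance and rule.get("MarkAsRead"):
            reasons.append("marks finance-related mail as read so it never shows as new")
        for addr in rule.get("ForwardTo") or []:
            # Any forward leaving the organisation is worth a look; the
            # attacker may also run the same trick with RedirectTo.
            if not addr.lower().endswith("@" + internal_domain.lower()):
                reasons.append("forwards mail to external address %s" % addr)
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(load_rules(SAMPLE_RULES_JSON), "corp.example"):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```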

This is a manual, labor-intensive scam involving no malware. That has the advantage of allowing the attackers to evade anti-malware technologies.

How to Protect Against These Sophisticated Email Scams

While these scams are complex, they start with a simple phishing email to gain access to a corporate email account. Once access to an email account has been gained, stopping the scam becomes much harder. The easiest time to prevent such an attack is at the initial stage, by preventing the phishing emails from reaching the inboxes of employees and training employees how to identify phishing emails.

That requires an advanced spam filtering solution that can identify the common signatures of spam and scam emails. By setting aggressive filtering policies, the vast majority of spam emails will be captured and quarantined. With the SpamTitan cloud-based anti-spam service, that equates to more than 99.9% of all spam and malicious emails. SpamTitan also has a particularly low false positive rate – less than 0.03% – ensuring genuine emails are still delivered.

No spam solution can be 100% effective, so it is also important to prepare the workforce and train staff how to identify malicious emails. Security awareness and anti-phishing training allows organizations to create a ‘human firewall’ to complement technical solutions.

Spear phishing – highly targeted email attacks – is harder to block, but it is possible to implement solutions to prevent scams such as this from resulting in credentials being obtained. In this campaign, links are sent in emails. By implementing a web filtering solution, those links can be blocked. In tandem with a spam filter, organizations with a security aware workforce will be well protected from phishing attacks.

Further, the use of two-factor authentication is an important security measure to implement. This will prevent attackers from using an unknown device to access an email account.

For further information on web filters and spam filters, and the benefits of installing them at your organization, contact the TitanHQ team today and take the first step toward improving your defenses against sophisticated phishing scams.

IRS Impersonated in Rapid Ransomware Email Scam

A new IRS-themed rapid ransomware email scam has been detected that uses the threat of significant financial penalties for late tax payments to fool victims into installing ransomware.

Tax season is well underway and cybercriminals have been increasing their efforts to obtain tax credentials to file fraudulent tax returns in the names of their victims. Businesses are the prime targets, as a successful scam can see the tax credentials of hundreds or thousands of employees obtained from a single response to a scam email.

However, it is not only tax fraudsters that are taking advantage of tax season. Ransomware attacks are also likely, as has been highlighted by a recently uncovered email scam that impersonates the IRS.

The purpose of this scam is to install Rapid ransomware. Rapid ransomware is a relatively new ransomware variant first detected in January 2018. In contrast to many ransomware variants that encrypt files and then terminate, Rapid ransomware remains active after encryption and will encrypt any further files that are created on the infected device.

In addition to encrypting files, the ransomware deletes Windows shadow volume copies and disables automatic repair to hamper any attempts to restore files without paying the ransom. There is currently no decryptor for Rapid ransomware. Recovery depends on backups being available; otherwise the ransom demand must be paid.

IRS Spoofed to Spread Rapid Ransomware

The Rapid ransomware email scam is similar to many other scams conducted during tax season. The emails are well written and plausible. There is urgency to encourage rapid action and a threat of financial penalties if the emails are ignored.

The emails have the subject line: ‘Please Note – IRS Urgent Message 164’ and contain a zipped notification attachment which email recipients are required to open to obtain further information.

In the body of the email, the recipient is led to believe they have significant tax arrears related to a property. The recipient is told that no action is taken by the IRS when tax arrears are cleared within 4-6 months of their due date, but since the recipient’s tax is 7 months out of date they are liable for a fine. They are told that if they do not respond to the email within one day and attempt to rectify the situation, ‘significant charges and fines may apply’. They are also told to open and study the attached document. The zip file contains a Word file containing a macro. If allowed to run, the macro downloads a PowerShell file, which in turn downloads Rapid ransomware.
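A mail gateway can refuse that attachment type before a user ever sees the "enable content" prompt. As an added example, not code from the article, this Python scanner opens a zip attachment, follows nested zips, and flags Office Open XML documents that carry a VBA project (macro), as well as legacy binary Office files it cannot vet. The sample attachment is constructed in memory with a placeholder where the macro would be.

```python
import io
import zipfile

OLE2_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate anything bigger (zip bombs)
MAX_NESTING = 3                      # zip-in-zip depth we are willing to follow


def zip_bytes(entries):
    """Build a zip in memory from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def ooxml_has_macro(data):
    """True if an Office Open XML file (docx/docm/xlsm/pptm are all zips) carries
    a VBA project: Word stores it at word/vbaProject.bin, Excel at xl/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def scan_zip_attachment(data, depth=0):
    """Walk a zip attachment and report members that carry macros or are
    legacy OLE2 binaries. Nested zips are followed up to MAX_NESTING levels."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "reason": "oversized member, not inflated"})
                continue
            member = archive.read(info)
            if ooxml_has_macro(member):  # checked first so a renamed .docm is still caught
                findings.append({"name": info.filename,
                                 "reason": "Office document contains a VBA project (macro)"})
            elif zipfile.is_zipfile(io.BytesIO(member)):
                if depth + 1 > MAX_NESTING:
                    findings.append({"name": info.filename,
                                     "reason": "nested deeper than %d levels" % MAX_NESTING})
                else:
                    findings.extend(scan_zip_attachment(member, depth + 1))
            elif member.startswith(OLE2_SIGNATURE):
                findings.append({"name": info.filename,
                                 "reason": "legacy binary Office file; macros not ruled out"})
    return findings


def build_sample_attachment():
    """Construct the kind of attachment described above: a zip holding a
    macro-enabled Word document. The VBA content is a placeholder, not a macro."""
    docm = zip_bytes({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"PLACEHOLDER-VBA-PROJECT",
    })
    return zip_bytes({
        "IRS_Notification.docm": docm,
        "readme.txt": "Open the attached notification for details.",
    })


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_attachment()):
        print(finding)
```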

Security aware individuals should be able to identify signs that the email is not genuine. First, the email is addressed ‘Dear Customer.’ If the IRS were to contact an individual about tax arrears, the email would likely be addressed using the individual’s name. However, such a situation would not occur: the IRS has confirmed in numerous warnings about phishing emails that it does not initiate contact about tax arrears via email. Further, tax arrears are serious, but not so serious that only one day would be given to respond.

The scammers behind this campaign have made some glaring mistakes in their campaign. The email address spoofed has the domain nottscc.gov.uk. While the email address looks official, it relates to Nottinghamshire County Council in the UK and the IRS is the American tax agency. However, many devices do not show the full domain so this may not be noticed. Another major error is the use of German language in the Word document, including instructions for enabling the macro.

Scam Highlights Need for Spam Filters and Security Awareness Training

Due to the errors made by the scammers – in particular the use of German and a UK local government email address – this email scam should be easily detected by employees and consumers, but such mistakes are not always made. The email is otherwise plausible, and without those errors many individuals would likely be fooled by such a scam.

For businesses, these scams can prove incredibly costly. In this case, there is no set ransom payment. Victims need to email the scammers to find out how to pay the ransom and how much is being charged. If the emails come from a business domain, the ransom payment would likely be increased. Further, ransomware can spread laterally within a network and result in file encryption on multiple endpoints and servers. With ransoms typically charged for each infected device, the costs can be considerable.

This Rapid ransomware email scam highlights the need for spam protections to be put in place to prevent malicious emails from being delivered. With SpamTitan implemented, more than 99.9% of spam email is blocked, preventing employees from having their phishing email identification skills tested.

It is also important to provide security awareness training to employees to teach them the skills they need to identify scams such as this. Not all email scams will be as easy to detect as this one. Training goes a long way toward ensuring that when emails slip past security defenses they are quickly identified by the workforce.

Saturn Ransomware: A New Ransomware Variant Offered as RaaS

Saturn ransomware is a new threat recently identified by security researchers at MalwareHunterTeam. Saturn ransomware takes its name from the extension added to encrypted files (.saturn).

While it is easy to determine the ransomware variant used in an attack, this will be of little use to victims. There is currently no decryptor available to recover files.

A single infection can rapidly spread laterally, encrypting files on an infected device as well as network shares. Recovering files from backups may prove difficult. Saturn ransomware searches for and deletes shadow volume copies, clears the Windows backup catalog, and also disables Windows startup repair.
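The three recovery-inhibition steps just listed (and the shadow copy deletion and repair disabling attributed to Rapid ransomware earlier on this page) show up in process-creation logs moments before encryption starts, which makes them a useful early warning. As an added example, not from the article, this Python detection runs over constructed log lines in an assumed pipe-delimited format and escalates a host only when several distinct steps occur within a short window; the command-line patterns are this example's own.

```python
import re
from datetime import datetime, timedelta

# Recovery-inhibition steps mapped to the Windows command lines that perform
# them. Patterns are this example's own; tune them to your telemetry.
RECOVERY_INHIBITION = (
    ("shadow copies deleted", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copies deleted via WMI", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup catalog deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("startup repair disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no\b", re.I)),
    ("boot failure handling suppressed",
     re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
)

# Constructed process-creation events: timestamp|host|parent_image|image|command_line.
# The first and last lines are benign; the middle three are the ransomware pattern.
SAMPLE_LOG = """\
2018-02-20T10:14:58Z|WS042|explorer.exe|notepad.exe|notepad.exe report.txt
2018-02-20T10:15:03Z|WS042|notice.exe|cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2018-02-20T10:15:04Z|WS042|notice.exe|cmd.exe|cmd.exe /c wbadmin delete catalog -quiet
2018-02-20T10:15:05Z|WS042|notice.exe|cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No
2018-02-20T11:02:11Z|SRV01|mmc.exe|vssadmin.exe|vssadmin.exe list shadows
"""


def parse_line(line):
    """Split one pipe-delimited event into a dict with a parsed timestamp."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "parent": parent, "image": image, "cmdline": cmd}


def detect_recovery_inhibition(lines):
    """Return every event whose command line matches a recovery-inhibition step."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        for reason, pattern in RECOVERY_INHIBITION:
            if pattern.search(event["cmdline"]):
                findings.append(dict(event, reason=reason))
    return findings


def hosts_under_attack(findings, window=timedelta(minutes=5), min_steps=2):
    """One deletion may be an administrator; several distinct steps on one host
    inside a short window is the sequence ransomware runs right before encrypting."""
    by_host = {}
    for f in sorted(findings, key=lambda e: e["time"]):
        by_host.setdefault(f["host"], []).append(f)
    flagged = set()
    for host, events in by_host.items():
        for i, first in enumerate(events):
            steps = {e["reason"] for e in events[i:] if e["time"] - first["time"] <= window}
            if len(steps) >= min_steps:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    hits = detect_recovery_inhibition(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["time"], h["host"], h["parent"], "->", h["reason"])
    print("escalate:", sorted(hosts_under_attack(hits)))
```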

If no viable backup exists, the victim must pay a ransom payment in bitcoin of approximately $300 per infected device. If payment is not made within 7 days of infection, the ransom payment doubles.

As with many new ransomware variants, attacks can come from all angles. That is because the new ransomware variant is being offered to affiliates as ransomware-as-a-service.

Ransomware-as-a-service allows the malware developers to maximize the number of infections – and profits – by recruiting a large team of distributors to send spam emails, load the ransomware onto malicious websites, and install the malicious software by taking advantage of poor security defenses. In exchange for their efforts, affiliates are given a percentage of the ransom payments that are received.

The developers of Saturn ransomware have made it as easy as possible for affiliates. A portal has been developed that allows affiliates to obtain copies of the ransomware binary, either embedded in exe files or in Office, PDF or other documents. To tempt individuals into using this ransomware variant instead of other RaaS offerings, the developers are offering a large percentage of the ransom payments to affiliates – 70%.

The ease of running campaigns together with the high potential rewards for infection means many affiliates are likely to start using the new ransomware variant in attacks. The new malware is already being offered on various darknet forums.

How to Block Saturn Ransomware Attacks

Spam email is the easiest way of spreading ransomware. Massive spam campaigns require little skill and there is no shortage of email addresses for sale on the dark web. We can therefore expect this new ransomware variant to be widely distributed over the coming weeks.

With spam email likely to be the main vector of attack, one of the best defenses to deploy to prevent infection is to use anti spam software such as SpamTitan. SpamTitan blocks more than 99.9% of spam email. With SpamTitan in place, emails can be blocked and will not reach end users’ inboxes.

However, no single defense can provide total protection from ransomware attacks. Layered defenses are required. Antivirus and antimalware solutions should be used, although signature and heuristics-based defenses will not provide total protection. Businesses should also use a technology that identifies changes to files to ensure that if infection occurs, rapid action can be taken to limit the spread of the ransomware.

Multiple copies of files should also be made to ensure that should the unthinkable happen, data will not be lost. Businesses should make at least three backups, stored on two different media, with at least one copy stored securely off-site. Good patch management policies are also required to prevent vulnerabilities from being leveraged to install the ransomware.

Technical defenses are essential, but don’t forget the human element. Ransomware spread via spam email requires some user interaction – the opening of an email attachment or the clicking of a link. Security awareness training and phishing email simulations are now a necessity to reduce user susceptibility to email-based attacks.

Malware Campaign Uses Microsoft Word Without Macros

A new malware campaign has been detected that uses Microsoft Word without macros. Opening a Word document sent via email will not generate the usual warnings that macros must be enabled.

Employees may have been warned to be wary of any emails containing attachments, and never to enable macros on documents received via email. However, the use of Microsoft Word without macros means that even opening email attachments can see malware downloaded, if patches have not been applied.

The multi-stage infection process uses the CVE-2017-11882 Word vulnerability to install an information stealer. CVE-2017-11882 was patched by Microsoft last year, although companies that have not patched their systems recently will be vulnerable to this attack.

CVE-2017-11882 is a vulnerability in the Office Equation Editor. The bug has been present in Microsoft Office for the past 17 years. Last year, Microsoft rated the code execution vulnerability as important rather than critical, but many security professionals disagreed and claimed the vulnerability was very dangerous as the bug could be exploited to run arbitrary code and the vulnerability was present in all Office versions.

Microsoft Equation Editor is an application that allows the insertion and editing of complex equations in Office documents as OLE items. Last year, security researchers were able to exploit the vulnerability to run a sequence of commands, including the downloading of files from the Internet. This campaign similarly triggers the downloading of a document – a Rich Text Format (RTF) file – via an OLE object embedded in the Word document.

The OLE object opens the RTF file which uses the vulnerability to run a MSHTA command line, which downloads and runs an HTA file containing a VBScript. The VBScript unpacks a PowerShell script, which in turn downloads and runs the information-stealing malware. The purpose of the malware is to steal passwords from web browsers, email accounts and FTP servers.
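The RTF stage can be screened for at the gateway, because any document that embeds an Equation Editor object is suspect now that the component has been neutered. As an added example, not from the article or SpiderLabs, this Python check looks for an embedded object whose class is Equation Editor, resolving the hex escapes attackers use to split the class name, and for the \objupdate flag that makes the object activate on open. It relies on Equation Editor's ProgID (Equation.3) and CLSID {0002CE02-0000-0000-C000-000000000046}, which are documented Windows identifiers rather than values from the article; the sample RTF is constructed and truncated, not an actual carrier.

```python
import re

# Equation Editor's COM identity: ProgID Equation.3, CLSID
# {0002CE02-0000-0000-C000-000000000046} (the first three fields are stored
# little-endian inside OLE data, hence the byte form below).
EQUATION_PROGID = b"Equation.3"
EQUATION_CLSID_TEXT = "0002ce02-0000-0000-c000-000000000046"
EQUATION_CLSID_BYTES = bytes.fromhex("02ce020000000000c000000000000046")

_OBJCLASS_RE = re.compile(r"\\objclass\s*([^{}]*)", re.IGNORECASE)
_OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)
_OBJUPDATE_RE = re.compile(r"\\objupdate\b", re.IGNORECASE)
_HEXESC_RE = re.compile(r"\\'([0-9a-fA-F]{2})")

# Constructed sample modelled on the structure of such carriers: an embedded
# object with a hex-escaped class name and an OLE1 header naming Equation.3.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 "
    r"{\object\objemb\objupdate{\*\objclass Equ\'61tion.3}"
    r"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 00000000 00000000}}"
    r"\par Please review the attached notice.}"
)


def rtf_unescape(text):
    r"""Resolve \'hh hex escapes, which attackers use to break up 'Equation.3'."""
    return _HEXESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text).strip()


def decode_objdata(hexblob):
    r"""Turn the \objdata hex payload (whitespace-tolerant) into bytes."""
    clean = re.sub(r"\s+", "", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]  # tolerate a truncated trailing nibble
    return bytes.fromhex(clean)


def scan_rtf(text):
    """Return the reasons an RTF body looks like an Equation Editor carrier."""
    reasons = []
    lower = text.lower()
    for m in _OBJCLASS_RE.finditer(text):
        cls = rtf_unescape(m.group(1)).lower()
        if "equation" in cls:
            reasons.append("objclass names Equation Editor (%s)" % cls)
    for m in _OBJDATA_RE.finditer(text):
        blob = decode_objdata(m.group(1))
        if EQUATION_PROGID in blob or EQUATION_CLSID_BYTES in blob:
            reasons.append("objdata embeds an Equation Editor object")
    if EQUATION_CLSID_TEXT in lower:
        reasons.append("Equation Editor CLSID appears in the document")
    if _OBJUPDATE_RE.search(text) and "\\object" in lower:
        reasons.append("objupdate forces the embedded object to activate on open")
    return reasons


if __name__ == "__main__":
    for reason in scan_rtf(SAMPLE_RTF):
        print(reason)
```

Control words hidden inside the \objdata hex, or objects split across several groups, defeat this plain regex pass; a real gateway should hand anything with an \object group to a full RTF parser.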

The email campaign has been developed to target businesses. So far, four email templates have been detected by SpiderLabs researchers, although more will almost certainly be used over the coming days and weeks.

The four intercepted emails have the subject lines:

  • TNT Statement of Account
  • Request for Quotation (RFQ)
  • Telex Transfer Notification
  • Swift Copy for Balance Payment

While a patch was released last year to address the vulnerability, Microsoft has taken further steps this Patch Tuesday by removing some of the functionality of Microsoft Equation Editor to prevent CVE-2017-11882 from being exploited.

Businesses can mitigate this attack in three main ways:

  • Ensuring Office installations and operating systems are kept patched and 100% up to date
  • Use of anti spam software to prevent malicious emails from being delivered to end users
  • Training end users on cybersecurity best practices and the danger of opening Office documents from unknown individuals. Consider sending a warning about this campaign and the email subject lines being used

Cryptocurrency Mining Malware Spreading at Lightning Speed

The exponential growth in the price of cryptocurrencies has been accompanied by similar growth in email campaigns spreading cryptocurrency mining malware. There has also been a big rise in new mining malware variants, with three new malware variants detected in the past week. Conservative estimates suggest one malware variant has already been installed on at least 15 million systems, although the true figure could well be closer to 30 million.

The data comes from the cybersecurity firm Palo Alto Networks, which performed an analysis of the URLs used in the campaign using Bitly telemetry. It is difficult to determine how many systems have been affected since Bitly is not the only URL shortening service being used in the campaign. AdFly is also in use, which suggests the number of infected systems could well be twice as high.

The malicious links for this campaign are being sent in spam email. Clicking the links will direct the user to a malicious website containing executable files that install the Monero mining application XMRig using VBS scripts. The popularity of Monero mining is due to its lower processor demands than cryptocurrencies such as Bitcoin. Monero mining can take place on less powerful computers such as those typically found in homes. In addition to spam email campaigns, the malicious executable files are being loaded onto popular file sharing websites.

Symantec reports there has been a rise in browser-based cryptocurrency mining. Website owners are loading cryptocurrency miners, implemented in a scripting language, onto their websites. The ease of access to JavaScript APIs that can be used for this purpose has increased the popularity of this mining technique. Symantec also reports a 34% rise in mobile applications containing cryptocurrency mining code.

Cryptocurrency mining malware does not pose such a big threat to organizations as other forms of malware and ransomware, but there are implications for businesses. The malware does require a considerable amount of processing power, so there will be an impact on performance on infected machines. Infection will see applications slow considerably, and that will have an impact on productivity.

Campaigns that target businesses are also being conducted, with the aim of installing cryptocurrency mining malware on business servers. These attacks are not email-based; instead, vulnerabilities are identified and exploited to install the malware, with the Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) vulnerabilities commonly exploited.

Preventing Infection with Cryptocurrency Mining Malware

Businesses can prevent cryptocurrency mining malware from being installed on their servers by ensuring all applications are patched and kept up to date. The patch to fix the Apache Struts vulnerability was released in September 2017, yet many businesses have not applied the patch. The DNN vulnerability has also been patched.

Reducing the risk of infection on employee and home computers requires antivirus and anti-malware software and an advanced spam filter to prevent malicious messages from reaching inboxes. Businesses should also be training their staff how to recognize malicious emails. Training programs and phishing email simulations have been shown to reduce susceptibility to email-based attacks by up to 95%.

The past few months have also seen a rise in cryptocurrency mining malware infections via unsecured WiFi networks, with cybercriminals performing man-in-the-middle attacks that hack the WiFi sessions of any user connected to one of the rogue WiFi access points. Unsecured public WiFi hotspots should be avoided, or VPNs used.

It’s Tax Season: Time to Prepare for W2 Phishing Attacks

Tax season is open season for cybercriminals and phishers, who increase their efforts to obtain personal information and Social Security numbers in the run up to – and during – tax season. Until April, we can expect many W2 phishing attacks. Make sure you are prepared and do not fall for a scam.

Anatomy of a W2 Phishing Attack

The most common method of stealing the information needed to file fraudulent tax returns is phishing. Phishing emails are sent in the millions to individuals in an effort to obtain their sensitive information. Individuals must be on high alert for malicious emails during tax season, but it is businesses that are most likely to be targeted.

Payroll employees have access to the W2 forms of the entire workforce. If a single worker can be convinced to email the data, the attacker can file thousands of fraudulent tax returns in the names of employees.

The way cybercriminals get payroll staff to part with sensitive data is by impersonating the CEO or CFO in what is referred to as a Business Email Compromise Scam – otherwise known as a BEC attack or CEO fraud.

The most successful attacks require access to the CEO or CFO’s email account to be gained. That means the CEO or CFO must first be targeted with a spear phishing email and lured into parting with his/her login credentials. Once access to the email account is gained, the impostor can craft an email and send it to a select group of individuals in the company: Payroll and accounts department employees.

The company is researched, individuals likely to have access to W2 forms are identified, and emails are sent. A request is made to attach the W2 forms of all employees who worked for the company in the past year, or for a specific group of employees. A series of emails may be sent, rather than asking for the information straight away.

Since the attacker has access to the CEO’s or CFO’s email account, they can delete sent emails and replies before they are seen by the account holder.

An alternative way of conducting BEC attacks is to spoof an email address. The CFO or CEO is identified from social media sites or LinkedIn, the email address is obtained or guessed based on the format used by the company, and the email is made to appear as if it has come from that email account. Another alternative is for the attacker to purchase a domain similar to that used by the company, with two transposed letters for instance: enough to fool an inattentive worker.

Oftentimes, W2 phishing attacks are not detected until days or weeks after the W2 forms have been sent, by which time IRS tax refund checks have been received and cashed.

How to Defend Against W2 Phishing Attacks

There are several methods that can be used to block W2 phishing attacks. A software or cloud-based anti-spam service should be used to block attacks that come from outside the company. Configured correctly, the spam filter should block spoofed emails and emails sent from domains similar to that used by the company. However, a spam filter will not block emails that come from the CFO’s or CEO’s genuine account.
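The lookalike-domain check described above (a domain with two transposed letters, or a digit standing in for a letter) and the display-name impersonation of a CEO or CFO can both be tested mechanically before a message reaches payroll. The following is an added example, not code from the original article or from any product it mentions; the company domain, executive names and sample headers are constructed, and the checks assume a plain two-label domain such as example-corp.com.

```python
"""Classify 'From' headers against the company's own domain.

Added example, not code from the original article. The company domain,
executive names and sample headers are constructed, and the checks assume
an ordinary two-label domain such as example-corp.com.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"          # constructed
EXECUTIVES = {"jane doe", "john roe"}        # constructed CEO / CFO names

# Fold characters commonly substituted for look-alikes, so that
# "examp1e" and "exarnple" both compare as "example".
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def fold(label: str) -> str:
    label = label.lower().translate(_HOMOGLYPHS)
    for src, dst in _DIGRAPHS:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution or swap of two adjacent characters each costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN,
                    executives: set = EXECUTIVES) -> str:
    """Return one of: internal, lookalike, impersonation, external, malformed."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    company_domain = company_domain.lower()

    # Mail from the real domain (or one of its subdomains) passes this check
    # even when the executive's account has been compromised; that case needs
    # MFA and out-of-band verification rather than a filter rule.
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"

    company_sld = company_domain.rsplit(".", 1)[0]
    labels = domain.split(".")
    if len(labels) >= 2:
        sld = labels[-2]
        if fold(sld) == fold(company_sld):        # homoglyph swap, or same name under another TLD
            return "lookalike"
        if osa_distance(sld, company_sld) == 1:   # one edit, including two transposed letters
            return "lookalike"

    if display.strip().lower() in executives:     # the CEO's name on an outside address
        return "impersonation"
    return "external"


# Constructed sample headers, one per case the article describes.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",         # genuine (or compromised) account
    "Jane Doe <jane.doe@exapmle-corp.com>",         # two transposed letters
    "Jane Doe <ceo@examp1e-corp.com>",              # digit 1 in place of letter l
    "Jane Doe <jane.doe.ceo@webmail.example>",      # CEO's name, outside address
    "Parcel Tracking <noreply@shipping.example>",   # ordinary external sender
]


def triage(headers=SAMPLE_FROM_HEADERS) -> dict:
    return {header: classify_sender(header) for header in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:13} {header}")
```

A message sent from the executive's genuinely compromised account is classified as internal, which is why the filter has to be paired with multi-factor authentication and a verification policy for W2 requests.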

Multi-factor authentication should be set up on all email accounts to help prevent the first phish that gives the attacker access to a C-suite email address. W2 phishing attacks using spoofed email addresses are much easier to identify and block.

It is therefore important to raise awareness of the threat of W2 phishing attacks with accounts and payroll staff, and anyone else with access to W2 forms. Training can greatly reduce susceptibility to W2 phishing attacks. Training should also be provided to the C-suite, not just employees.

The number of staff who have access to W2 forms should be restricted as far as is possible. Policies should also be introduced that require any request for W2 data to be verified. At a minimum, a request for the data should be checked by a supervisor. Ideally, the request should be confirmed face to face with the sender of the email, or with a quick phone call. The scammers rely on this check not taking place.

Spam Campaign Discovered Spreading Zyklon Malware

The insurance, telecoms, and financial service sectors are being targeted by malicious actors spreading Zyklon malware. A large-scale spam email campaign has been detected that leverages three separate Microsoft Office vulnerabilities to download the malicious payload.

Zyklon malware is not a new threat. The malware variant was first detected at the start of 2016, but it stopped being detected soon after and was not extensively used until the start of 2017.

Zyklon malware is a backdoor with a wide range of malicious functions. The malware acts as a password harvester, keylogger, and data scraper, obtaining sensitive information and stealing credentials for further attacks. The malware can also be used to conduct DoS attacks and mine cryptocurrency.

The latest variant of Zyklon malware can download and run various plugins and additional malware variants. It can identify, decrypt, and steal serial keys and license numbers from more than 200 software packages and can also hijack Bitcoin addresses. All told, this is a powerful and particularly nasty and damaging malware variant that is best avoided.

While the latest campaign uses spam email, the malware is not included as an attachment. A zip file is attached to the email that contains a Word document. If the document is extracted, opened, and the embedded OLE object executed, it will trigger the download of a PowerShell script, using one of three Microsoft Office vulnerabilities.

The first vulnerability is CVE-2017-8759, a Microsoft .NET vulnerability that was patched by Microsoft in October.

The second ‘vulnerability’ is Dynamic Data Exchange (DDE), a protocol that is part of Office and allows data to be shared through shared memory. This protocol is leveraged to deliver a dropper that downloads the malware payload. This weakness has not been patched, although Microsoft has released guidance on how to disable the feature to prevent exploitation by hackers.

The third vulnerability is far older. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor that has been around for 17 years. The flaw was only recently identified and patched by Microsoft in November.

The second stage of infection, the PowerShell script, serves as a dropper for the Zyklon malware payload.

According to the FireEye researchers who identified the campaign, the malware can remain undetected by hiding communications with its C2 using the Tor network. “The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.”

Campaigns such as this highlight the importance of applying patches promptly. Two of the vulnerabilities were patched in the fall of 2017, yet many organizations have yet to apply the patches and remain vulnerable. If patches are not applied, it will only be a matter of time before vulnerabilities are exploited.

FireEye researchers have warned that while the campaign is currently only targeting three industry sectors, it is probable that the campaign will be widened to target other industry sectors in the near future.

The advice is to implement an advanced cloud-based anti-spam service such as SpamTitan to identify and quarantine malicious emails, and to ensure that operating systems and software are kept up to date.

Digimine Malware Turns Infected Devices into Cryptocurrency Miners

Digimine malware is a new threat that was first identified from a campaign in South Korea; however, the attacks have now gone global.

Ransomware is still a popular tool that allows cybercriminals to earn a quick payout, but raised awareness of the threat means more companies are taking precautions. Ransomware defenses are being improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infect systems with ransomware, rapid detection means large-scale attacks on companies are prevented. It’s harder to get a big payday, and the ability to restore files from backups means fewer organizations are paying up.

The surge in popularity of cryptocurrency, and its meteoric rise in value, have presented cybercriminals with another lucrative opportunity. Rather than spread ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, attackers do not need to rely on a victim paying a ransom.

Rather than locking devices and encrypting files, malware is installed that starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve complex numeric problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but cryptocurrency mining requires a great deal of processing power. To make it profitable, it must be performed on an industrial scale.

The processing power of hundreds of thousands of devices would make the operation highly profitable for cybercriminals, a fact that has certainly not been lost on the creators of Digimine malware.

Infection with Digimine malware will see the victim’s device slowed, as its processing power is being taken up mining Monero. However, that is not all. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could potentially result in the victim’s Facebook account being hijacked.

The Digimine malware campaign is being spread through the Desktop version of Facebook Messenger, via Google Chrome rather than the mobile app. Once a victim is infected, if their Facebook account is set to login automatically, the malware will send links to the victim’s contact list. Clicking those links will result in a download of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.

Infections were first identified in South Korea; however, they have now spread throughout east and south-east Asia, and beyond to Vietnam, Thailand, Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.

A similar campaign has also been detected by FortiGuard Labs. That campaign is being conducted by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also started in South Korea and is spreading rapidly. Rather than use Facebook Messenger, the VenusLocker gang is using phishing emails.

Phishing emails for this campaign contain infected email attachments that download the miner. One of the emails claims the victim’s credentials have been accidentally exposed in a data breach, with the attachment containing details of the attack and instructions to follow to mitigate risk.

These attacks appear to mark a new trend and as ransomware defenses continue to improve, it is likely that even more gangs will change tactics and switch to cryptocurrency mining.

Q3 Malware Threat Report Shows Malware Threats at an All-Time High

A Q3 malware threat report from McAfee charts the continued rise in malware threats throughout the year. Malware variants have now reached an all-time high, with the volume of threats having risen each quarter in 2017.

In 2016, there were high levels of malware in Q1, rising slightly in Q2 before tailing off in Q3 and Q4. That trend has not been seen this year. The malware threat report shows Q1 figures were higher than the previous two quarters, with a massive rise in Q2 and a continued increase in Q3. Malware threats rose 10% quarter over quarter, to a quarterly total of 57.6 million new malware samples: the highest quarterly total detected by McAfee. That averages out at a new malware sample every quarter of a second!

The ransomware epidemic also worsened in Q3, with new ransomware variants increasing by 36% last quarter, fueled by a sharp increase in Android screen lockers. In total, new mobile malware variants increased by 60% in Q3.

In its Q3 Malware Threat Report, McAfee noted that attackers were continuing to rely on spam email to distribute malware, with the Gamut botnet the most prevalent spamming botnet in Q3, closely followed by the Necurs botnet. The latter was used to spread ransomware variants such as Locky. Mac malware rose by 7% in Q3, and macro malware increased by 8%.

Technologies such as PowerShell are still commonly used to install malware, along with Office macros. New PowerShell malware variants doubled in Q3, 2017, and while new JavaScript malware declined by 26% quarter over quarter, the level of new JavaScript malware is still substantially higher than the level seen in 2016.

Vulnerabilities in software and operating systems were also extensively exploited, even though patches to address those vulnerabilities were released promptly.

McAfee notes that employees and organizations are making it far too easy for attackers. Employees are responding to phishing emails, are visiting malicious links and are opening attachments and enabling the content. Employers are no better. Patches are released, yet they are not being applied promptly, opening the door to attackers. In many cases, patches have still not been applied several months after they have been released.

One of the most commonly exploited vulnerabilities in Q3, 2017 was CVE-2017-0199, which affected WordPad and Microsoft Office. An exploit for the vulnerability was made available through GitHub, making remote code execution attacks easy, provided employees could be convinced to open specially crafted files. Many employees fell for the scam emails.

The McAfee Q3 Malware Threat Report highlighted several continuing malware trends, including the increase in the use of fileless malware. PowerShell malware increased by 119% in Q3 alone.

Q3 saw a new Locky variant released: Lukitus. Lukitus was spread via spam email, with more than 23 million messages delivered in the first 24 hours after its release. That, combined with other new ransomware threats, has contributed to a 44% increase in ransomware samples in the past 12 months.

Q3 also saw the release of a new variant of the Trickbot Trojan, which incorporated the EternalBlue exploit that was also used in the WannaCry and NotPetya attacks.

While no industry is immune to attack, it is the healthcare and public sectors that are taking the brunt of the attacks, accounting for 40% of all reported security incidents in Q3. In the United States, healthcare was the most commonly attacked industry.

The extensive use of spam and phishing emails to spread malware highlights the importance of using an advanced spam filtering solution such as SpamTitan, especially considering how employees are still struggling to identify malicious emails. Blocking these threats and preventing malicious messages from being delivered will help organizations prevent costly data breaches.

The high level of infections that occurred as a result of exploited vulnerabilities also shows how important it is to apply patches promptly. McAfee notes that many of the exploited vulnerabilities in Q3 were patched as early as January. If patches are not applied promptly, they will be exploited by cybercriminals to install malware.

Spider Ransomware: Your Files Will Be Permanently Locked in 96 Hours

A particularly nasty new threat has emerged: Spider ransomware. The new crypto-ransomware variant was discovered by security researchers at Netskope on December 10, and the campaign is ongoing.

While many ransomware variants give victims a week to make contact and pay the ransom, the actors behind Spider ransomware are far less patient. If the ransom payment is not made within 96 hours of infection, the key to unlock files will be blocked and files will be permanently encrypted. Further, victims are warned “do not try anything stupid, the program has several security measures to delete all your files and cause damage to your PC.”

Naturally, attempting to recover files from backups is not ‘something stupid’. If viable backups exist, victims will be able to recover their files without paying the ransom, but the warning may put some victims off trying.

Such a short window for payment does not give victims much time. Many ransomware attacks occur on a Friday, and are only discovered when employees return to work on a Monday. Discovering a Spider ransomware attack in this scenario means businesses will have to act particularly quickly in order to avoid file loss.

While the threat is severe, the attackers have made it as easy as possible for victims to pay by providing a detailed help section. Payment must be made in Bitcoin via the Tor browser and detailed instructions are provided. The attackers say in the ransom note, “This all may seem complicated to you, actually it’s really easy.” They even provide a video tutorial showing victims how to pay the ransom and unlock their files. They also point out that the process of unlocking files is similarly easy. Pasting the encryption key and clicking on a button to start the decryption process is all that is required.

As with the majority of crypto-ransomware variants, Spider ransomware is being distributed by spam email. The emails use the hook of ‘Debt Collection’ to encourage recipients of the email to open the attachment. That attachment is a Microsoft Office document containing an obfuscated macro. If allowed to run, the macro will trigger the download of the malicious payload via a PowerShell script.

The latest Spider ransomware campaign is being used to attack organizations in Croatia and Bosnia and Herzegovina, with the ransom note and instructions written in Croatian and English. It is possible that attacks will spread to other geographical areas.

There is currently no free decryptor for Spider ransomware. Protecting against this latest ransomware threat requires technological solutions to block the attack vector. If spam emails are not delivered to end users’ inboxes, the threat is mitigated.

Using an advanced cloud-based anti-spam service such as SpamTitan is strongly advisable. SpamTitan blocks more than 99.9% of spam emails ensuring malicious email messages are not delivered.

As an additional protection against ransomware and malware threats such as this, organizations should disable macros to prevent them from running automatically if a malicious attachment is opened. IT teams should also enable the ‘view known file extensions’ option on Windows PCs to prevent attacks using double file extensions.

End users should also receive security awareness training to teach them not to engage in risky behaviors. They should be taught never to enable macros on emailed documents, told how to recognize phishing and ransomware emails, and instructed to forward such messages to the security team if they are received. This will allow spam filter rules to be updated and the threat to be mitigated.

It is also essential for regular backups to be performed, with multiple copies stored on at least two different media, with one copy kept on an air-gapped device. Backups are the only way of recovering from most ransomware attacks without paying the ransom.

Tips to Avoid Holiday Season Email Scams

Black Friday deals and Cyber Monday discounts see consumers head online in droves looking for bargain Christmas presents, but each year many thousands of consumers are fooled by holiday season email scams. This year will be no different. Scammers are already hard at work developing new ruses to fool unwary online shoppers into parting with their credentials or installing malware.

In the rush to purchase at discounted rates, security awareness often goes out the window, and cybercriminals are waiting to take advantage. Hidden among the countless emails sent by retailers to advise past customers of the latest special offers and deals are a great many holiday season email scams. To an untrained eye, these scam emails appear no different from those sent by legitimate retailers. Then there are the phishing websites that capture credentials and credit card numbers, and websites hosting exploit kits that silently download malware. It is a dangerous time to be online.

Fortunately, with a little care you can avoid holiday season email scams, phishing websites, and malware this festive period. To help you stay safe, we have compiled the following tips.

Tips to Keep You Safe This Holiday Season

In the run up to Christmas there will be scams aplenty. To stay safe online, consider the following:

Always carefully check the URL of websites before parting with your card details

Spoofed websites often look exactly like the genuine sites that they mimic. They use the same layouts, the same imagery, and the same branding as retail sites. The only thing different is the URL. Before entering your card details or parting with any sensitive information, double check the URL of the site and make sure you are not on a scam website.

Never allow retailers to store your card details for future purchases

It is a service that makes for quick purchases. Sure, it is a pain to have to enter your card details each time you want to make a purchase, but by taking an extra minute to enter your card details each time you will reduce the risk of your account being emptied by scammers. Cyberattacks on retailers are rife, and SQL injection attacks can give attackers access to retailers’ websites, and to a treasure trove of stored card numbers.

Holiday season email scams are rife – Be extra vigilant during holiday season

While holiday season email scams used to be easy to detect, phishers and scammers have become a lot better at crafting highly convincing emails. It is now difficult to distinguish between a genuine offer and a scam email. Emails contain images and company branding, are free from spelling and grammatical errors, and the requests they make are highly convincing. Be wary of unsolicited emails, never open email attachments from unknown senders, and check the destination URL of any links before clicking.

If a deal sounds too good to be true, it probably is

What better time than holiday season to discover you have won a PlayStation 4 or the latest iPhone in a prize draw? While it is possible that you have won a prize, it is very unlikely if you haven’t actually entered a prize draw. Similarly, if you are offered a 50% discount on a purchase via email, there is a high chance it is a scam. Scammers take advantage of the fact that everyone loves a bargain, and never more so than during holiday season.

If you buy online, use your credit card

Avoid the holiday season crowds and buy presents online, but use your credit card for purchases rather than a debit card. If you have been fooled by a holiday season scam or your debit card details are stolen from a retailer, it is highly unlikely that you will be able to recover the stolen funds. With a credit card, you have better protections and getting a refund is much more likely.

Avoid HTTP sites

Websites secured by the SSL protocol are safer. If a website’s address starts with HTTPS, it means the connection between your browser and the website is encrypted, which makes it much harder for sensitive information to be intercepted. Never give out your credit card details on a website whose address does not start with HTTPS.
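To put the URL tips above into practice (check which site the address really points to, and refuse plain HTTP), here is an added example that is not part of the original article: it takes a link's destination apart and reports why it should not be trusted. The retailer domain and sample links are constructed, and the registrable-domain logic assumes a .com-style domain with a single-label suffix.

```python
"""Take a link's destination apart before trusting it with card details.

Added example, not code from the original article. The retailer domain and
sample URLs are constructed; the registrable domain is approximated as the
last two labels, which is right for .com-style suffixes but not for co.uk.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"megamart.example"}      # constructed retailer domain


def registrable_domain(host: str) -> str:
    """'www.megamart.example' -> 'megamart.example'; IP literals are returned unchanged."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url: str, trusted_domains=TRUSTED_DOMAINS):
    """Return ('ok' | 'block', [reasons]) for a link found in an email."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    # Never hand over card details over plain HTTP.
    if parts.scheme.lower() != "https":
        findings.append("not HTTPS: card details would travel unencrypted")

    # 'brand@host' puts the brand in the userinfo part; the real host follows the @.
    if parts.username is not None:
        findings.append(f"'{parts.username}@' is a username, not the site; the real host is {host or '?'}")

    if not host:
        findings.append("no host in the address")
        return "block", findings

    domain = registrable_domain(host)
    if domain not in trusted_domains:
        # A trusted brand name used as a subdomain or path component is a decoy.
        decoy = next((t.split(".")[0] for t in trusted_domains
                      if t.split(".")[0] in url.lower()), None)
        if decoy:
            findings.append(f"'{decoy}' appears in the address, but the site is {domain}")
        else:
            findings.append(f"site is {domain}, not a trusted retailer")

    return ("ok" if not findings else "block"), findings


# Constructed links of the kinds a holiday-season email might carry.
SAMPLE_LINKS = [
    "https://www.megamart.example/checkout",                       # genuine
    "http://www.megamart.example/checkout",                        # genuine site, plain HTTP
    "https://megamart.example.secure-checkout.example/login",      # brand used as a subdomain
    "https://megamart.example@198.51.100.7/login",                 # brand used as userinfo
    "https://secure-checkout.example/megamart.example/login",      # brand in the path
]


def check_links(urls=SAMPLE_LINKS) -> dict:
    return {url: check_url(url) for url in urls}


if __name__ == "__main__":
    for url, (verdict, reasons) in check_links().items():
        print(f"{verdict:5} {url}")
        for reason in reasons:
            print(f"      - {reason}")
```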

Beware of order and delivery confirmations

If you order online, you will no doubt want to check the status of your order and find out when your purchases will be delivered. If you receive an email with tracking information or a delivery confirmation, treat the email as potentially malicious. Always visit the delivery company’s website by entering the URL into your browser, rather than clicking links sent via email. Fake delivery confirmations and parcel tracking links are common. The links can direct you to phishing websites and sites that download malware, while email attachments often contain malware and ransomware downloaders.

Holiday season is busy, but take your time online

One of the main reasons that holiday season email scams are successful is that people are in a rush and fail to take the time to read emails carefully and check that attachments and links are genuine. Scammers take advantage of busy people. Check the destination URL of any email link before you click. Take time to think before you take any action online or respond to an email request.

Don’t use the same password on multiple websites

You may choose to buy all of your Christmas gifts on Amazon, but if you need to register on multiple sites, never reuse your password. Password reuse is one of the easiest ways that hackers can gain access to your social media networks and bank accounts. If there is a data breach at one retailer and your password is stolen, hackers will attempt to use that password on other websites.

Holiday season is a time for giving, but take care online and when responding to emails to make sure your hard-earned cash is not given to scammers.

Phishing Warning Issued to Digital Civil Liberties Activists

A warning has been issued to digital civil liberties activists by the Electronic Frontier Foundation about the risk of targeted spear phishing attacks. The phishing warning comes after a spate of phishing attacks on digital civil liberties groups over the summer, at least one of which resulted in the disclosure of login credentials.

The attacks were directed at two NGOs, Free Press and Fight for the Future, both of which are advocates of net neutrality. The campaign appears to have been conducted by the same individual and included at least 70 phishing attempts between July and August. The attacks started on July 12, which is Save Net Neutrality Day of Action, a day of protest against the FCC’s proposed rollback of net neutrality protections.

While phishing emails are often sent with the purpose of installing malware, in this case the aim was to obtain login credentials to LinkedIn, Google, and Dropbox accounts.

Spear phishing emails were sent using a variety of themes from standard phishing emails to sophisticated and highly creative scams. While most of the attempts failed, the scammer was able to obtain the credentials of at least one account. The compromised Google account was used to send further spear phishing emails to other individuals in the organization. It is unclear what other goals the attacker had, and what the purpose of gaining access to the accounts was.

The phishing campaign was analysed by Eva Galperin and Cooper Quintin at the Electronic Frontier Foundation. They said some of the phishing emails were simple phishing attempts, where the attacker attempted to direct end users to a fake Google document. Clicking the link would direct the user to a site where they were required to enter their Google account details to view the document. Similar phishing emails were sent in an attempt to obtain LinkedIn credentials, using fake LinkedIn notifications. Others contained links to news stories that appeared to have been shared by contacts.

As the campaign progressed, the attacker became more inventive, researching the targets and using personal information in the emails. In one email the scammer pretended to be the target’s husband, signing the email with his name. Another email masqueraded as a hateful comment on a video the target had uploaded to YouTube.

A pornography-related phishing scam was one of the most inventive attempts to gain access to login credentials. Emails were sent to targets masquerading as confirmations from well-known pornographic websites such as Pornhub and RedTube. The emails claimed the recipient had subscribed to the portals.

The initial email was then followed up with a further email containing a sexually explicit subject line. The sender name was spoofed to make it appear that the email was sent from Pornhub. The unsubscribe link on the email directed the user to a Google login page where they were asked for their credentials.

It is not clear whether the two NGOs were the only organizations targeted. Since these attacks may be part of a wider campaign, EFF is alerting all digital civil liberties activists to be aware of the threat. Indicators of compromise have been made available here.

RedBoot Malware Encrypts Files and Replaces MFT

A new malware threat named RedBoot has been discovered that bears some similarities to NotPetya. Like NotPetya, RedBoot malware appears to be a form of ransomware, when in actual fact, at least in its current form, it is a wiper.

RedBoot malware encrypts files, rendering them inaccessible; encrypted files are given the .locked extension. Once the encryption process is complete, a ‘ransom’ note is shown to the user, providing an email address to contact to find out how to unlock the encrypted files. Like NotPetya, RedBoot malware also makes changes to the master boot record.

RedBoot includes a module that overwrites the current master boot record, and it also appears that changes are made to the partition table, but there is currently no mechanism for restoring those changes. There is also no command and control server, and even though an email address is provided, no ransom demand appears to be issued. RedBoot is therefore a wiper, not ransomware.

According to Lawrence Abrams at BleepingComputer, who obtained a sample of the malware and analyzed it, RedBoot is most likely a poorly designed ransomware variant in the early stages of development. Abrams said he was contacted by the developer of the malware, who claimed the version studied is a development version. He was told an updated version will be released in October. How that new version will be spread is unknown at this stage.

Even if it is the intention of the developer to use this malware to extort money from victims, at present the malware causes permanent damage. That may change, although this malware variant may remain a wiper and be used simply to sabotage computers.

It is peculiar that an incomplete version of the malware has been released and advance notice has been issued about a new version that is about to be released, but it does give businesses time to prepare.

The attack vector is not yet known, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The protections that should be put in place are therefore the same as for blocking any malware variant.

A spam filtering solution should be implemented to block malicious emails. Users should be alerted to the threat of phishing emails, trained on how to identify malicious emails, and told never to open attachments or click on hyperlinks sent by unknown individuals.

IT teams should ensure all computers and servers are fully patched, that SMBv1 has been disabled or SMBv1 vulnerabilities have been addressed, and that antivirus software is installed on all computers.

It is also essential to back up all systems to ensure that in the event of an attack, systems can be restored and data recovered.

Defray Ransomware Used in Targeted Attacks on Healthcare and Education Sectors

Defray ransomware is being used in targeted attacks on organizations in the healthcare and education sectors. The new ransomware variant is being distributed via email; however, in contrast to many ransomware campaigns, the emails are not being sent out in the millions. Rather than use the spray and pay method of distribution, small campaigns are being conducted consisting of just a few emails.

To increase the likelihood of infection, the criminals behind Defray ransomware are carefully crafting messages to appeal to specific victims in an organization. Researchers at Proofpoint have captured emails from two small campaigns, one of which incorporates hospital logos in the emails and claims to have been sent by the Director of Information Management & Technology at the targeted hospital.

The emails contain a Microsoft Word attachment that appears to be a report for patients, relatives and carers. The patient report includes an embedded OLE packager shell object. If clicked, this executable downloads and installs Defray ransomware, naming it after a legitimate Windows file.

The ransom demand is considerable. Victims are asked to pay $5,000 per infected machine for the keys to unlock the encryption, although the ransom note does suggest the attackers are prepared to negotiate on price. The attackers suggest victims should backup their files to avoid having to pay ransoms in the future.

There is no known decryptor for Defray ransomware. Files are encrypted using AES-256, with RSA-2048 used to encrypt the AES-256 password and SHA-2 used to maintain file integrity. In addition to encrypting files, the ransomware variant can cause other disruption and will delete volume shadow copies to prevent the restoration of files without paying the ransom.

The developers of the ransomware have not given their malicious code a name and in contrast to most ransomware variants, the extensions of encrypted files are not changed. Proofpoint named the variant Defray ransomware from the C2 server used by the attackers.

A second campaign has been identified targeting the manufacturing and technology sector. In this case, the email appears to have been sent by a UK aquarium (Sea Life) with facilities around the world. The emails and attachments differ, although the same OLE packager shell object is used to infect end users.

The attackers have been sending these malicious emails to individuals, user groups and distribution lists. Attacks have occurred in both the United States and United Kingdom and are likely to continue.

Protecting against these targeted attacks requires a combination of spam filtering technology and end user training. Organizations in the healthcare, education, technology and manufacturing sectors should consider sending an email alert to end users warning of the risk of ransomware attacks, instructing end users to exercise caution and not to open email attachments from unknown senders and never to click to enable content on email attachments.

Biggest Cybersecurity Threat? Employees, Say 100% of Survey Respondents!

What is the biggest cybersecurity threat currently faced by organizations? According to a recent survey of government IT professionals, the biggest cybersecurity threat is employees. 100% of respondents to the survey said employees were the biggest cybersecurity threat faced by their organization.

The survey, conducted by Netwrix, explored IT security and compliance risks at a wide range of organizations around the globe, including government agencies.

Government agencies are an attractive target for cybercriminals. They store vast quantities of sensitive data on consumers and cybersecurity protections are often inferior to private sector organizations. Consequently, cyberattacks are easier to pull off. In addition to a treasure trove of consumer data, government agencies hold highly sensitive information critical to national security. With access to that information, hackers can take out critical infrastructure.

There are plenty of hackers attempting to gain access to government networks and oftentimes attacks are successful. The Office of Personnel Management breach in 2015 resulted in the Social Security numbers of 21.5 million individuals being compromised. In 2015, there was also a 6.2 million record breach at the Georgia Secretary of State Office and 191 million individuals were affected by a hack of the U.S. voter database.

The survey revealed 72% of government entities around the world had experienced at least one data breach in 2016 and only 14% of respondents felt their department was well protected against cyberattacks.

Employees Are the Biggest Cybersecurity Threat

Last year, 57% of data breaches at government entities were caused by insider error, while 43% of respondents from government agencies said they had investigated instances of insider misuse. Given the high percentage of security incidents caused by insiders – deliberate and accidental – it is no surprise that insiders are perceived to be the biggest cybersecurity threat.

How Can Employees be Turned from Liabilities into Security Titans?

Employees may be widely regarded as liabilities when it comes to information security, but that need not be the case. With training, employees can be turned into security titans. For that to happen, a onetime security awareness training program is not going to cut it. Creating a security culture requires considerable effort, resources and investment.

Security awareness training needs to be a continuous process with training sessions for employees scheduled at least twice a year, with monthly updates and weekly security bulletins distributed to highlight the latest threats. Training must also be backed up with testing – both to determine how effective training has been and to provide employees with the opportunity to test their skills. Phishing simulations are highly effective in this regard. If an employee fails a simulation it can be turned into a training opportunity. Studies by security training companies have shown susceptibility to phishing attacks can be reduced by more than 90% with effective training and phishing simulation exercises.

However, fail to invest in an effective security awareness program and employees will remain the biggest cybersecurity threat and will continue to cause costly data breaches.

How to Reduce Exposure to Phishing and Malware Threats

With the workforce trained to respond correctly to phishing emails, employees can be turned into a formidable last line of defense. The defensive line should be tested with simulated phishing emails, but technological solutions should be introduced to prevent real phishing emails from being delivered to end users’ inboxes.

The majority of malware and ransomware attacks start with a phishing email, so it is essential that these malicious messages are filtered out. An advanced spam filtering solution should therefore be at the heart of an organization’s email defenses.

SpamTitan is a highly effective enterprise-class spam filtering solution that blocks malicious messages and more than 99.9% of spam email, helping organizations to mount an impressive defense against email-based attacks. Dual anti-virus engines are used to identify and block malware and ransomware, with each email subjected to deep analysis using Sender Policy Framework (SPF), SURBLs, RBLs and Bayesian analysis to block threats.

If you want to improve your defenses against phishing and email-based malware attacks, SpamTitan should be at the heart of your email defenses. To find out more about SpamTitan and how it can prevent your employees having their phishing email identification skills frequently put to the test, contact the TitanHQ team today.

Domain Spoofing Spam Campaigns Targeting Customers of Popular UK Banks

Several domain spoofing spam campaigns have been detected that are targeting customers of popular UK banks. The spam email campaigns include credible messages and realistic spoofed domains and pose a threat to consumers and businesses alike.  The domain spoofing email campaigns are targeting customers of HSBC, Lloyds Bank, Nationwide, NatWest and Santander.

Domain spoofing is the use of a domain similar to that used by a legitimate entity with the aim of fooling email recipients into believing the email and domain is genuine. Domain spoofing is commonly used in phishing attacks, with email recipients fooled into divulging their login credentials or downloading malware. In addition to a similarly named domain, the malicious websites often include the targeted brand’s logos, layouts and color schemes.

According to a warning issued by the SANS Institute’s Internet Storm Center, the latest domain spoofing spam campaigns involve the name of the bank and one of the following additional words: docs; documents; secure; communication; securemessage.

Customers of a targeted bank who receive an email and a link from the domain ‘securenatwest.co.uk’ or ‘santandersecuremessage.com’ could easily be fooled into thinking the email is genuine. Other domains being used are hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, and santanderdocs.co.uk. Further, many consumers still believe a website starting with HTTPS is secure. Yet all of these spoofed domains are encrypted and have SSL certificates.
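The pattern the ISC describes (a bank name glued to a lure word such as docs, documents, secure, communication or securemessage) is simple enough to screen for automatically. The following is an added example, not code from the article, the ISC or TitanHQ: it takes a hostname or URL, works out the registrable domain, checks it against an allowlist of genuine domains (the allowlist, the brand list and the small public-suffix table are assumptions constructed for the example) and reports whether the label contains a protected brand name and one of the lure words reported above. It generalises beyond the domains listed by also accepting full URLs and subdomains.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of the genuine domains, constructed for this example;
# in practice populate it from each organisation's published domains.
LEGIT_DOMAINS = {"hsbc.co.uk", "lloydsbank.com", "nationwide.co.uk",
                 "natwest.com", "santander.co.uk", "hmrc.gov.uk"}
# Brand names to protect (assumed list for the example).
BRANDS = ["nationwide", "santander", "natwest", "lloyds", "hsbc", "hmrc"]
# The add-on words reported by the ISC, longest first so that
# "securemessage" is matched before its prefix "secure".
LURE_WORDS = ["securemessage", "communication", "documents", "secure", "docs"]
# Minimal table of two-label public suffixes, enough for this example;
# a real implementation would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au"}


def hostname_of(target: str) -> str:
    """Accept a bare host or a full URL and return the lowercase hostname."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = target.split("/")[0]
    return host.strip(".").lower()


def registrable_domain(host: str) -> str:
    """'mail.securenatwest.co.uk' -> 'securenatwest.co.uk'."""
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify_domain(target: str) -> dict:
    """Classify a host/URL as legitimate, a brand lookalike, or unrelated."""
    host = hostname_of(target)
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return {"host": host, "verdict": "legitimate", "brand": None, "lure": None}
    label = reg.split(".")[0]               # e.g. 'securenatwest'
    brand = next((b for b in BRANDS if b in label), None)
    if brand is None:
        return {"host": host, "verdict": "no-brand-match", "brand": None, "lure": None}
    remainder = label.replace(brand, "", 1)  # what was bolted on to the brand
    lure = next((w for w in LURE_WORDS if w in remainder), None)
    verdict = "lookalike-with-lure" if lure else "lookalike"
    return {"host": host, "verdict": verdict, "brand": brand, "lure": lure}


def scan(targets):
    """Return (target, verdict) pairs for a batch of hosts or URLs."""
    return [(t, classify_domain(t)["verdict"]) for t in targets]


if __name__ == "__main__":
    # The domains named in the article plus one genuine host for contrast.
    for target, verdict in scan(["securenatwest.co.uk", "santandersecuremessage.com",
                                 "hsbcdocs.co.uk", "hmrccommunication.co.uk",
                                 "lloydsbacs.co.uk", "nationwidesecure.co.uk",
                                 "natwestdocuments6.ml", "santanderdocs.co.uk",
                                 "https://www.natwest.com/"]):
        print(f"{target:35} {verdict}")
```

A domain such as lloydsbacs.co.uk is still reported as a lookalike even though "bacs" is not one of the listed lure words, because the presence of a protected brand in a domain outside the allowlist is the stronger signal; the lure word only raises confidence. The same check can be run over the sender domain of inbound mail or over link hostnames extracted from message bodies.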

The domain spoofing spam campaigns involve messages claiming there is a new secure message from the bank along with an attached HTML file. That file downloads a malicious MS Office document containing macros. If those macros are enabled, the malicious payload is delivered. These campaigns are being used to distribute Trickbot malware – a banking Trojan used for man-in-the-middle attacks to steal banking credentials.

HTML documents are used as they download malicious MS documents via an HTTPS connection to reduce the risk of the documents being detected by antivirus software. SANS Institute researcher Brad Duncan pointed out that this method, while not new, can be effective. He also explained that “poorly managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.”

The domain spoofing spam campaigns were detected by My Online Security, which notes that “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.”

Businesses can reduce risk by employing a spam filtering solution to prevent the malicious messages from being delivered to end users, ensuring Windows hosts are correctly configured, and ensuring employees are alert to the threat. Macros should be disabled on all devices and employees instructed never to enable macros or enable content on emailed documents.

If you are looking for the best spam filter for business users, be sure to check out SpamTitan – The leading anti-spam solution for SMBs and enterprises. Contact the TitanHQ team today for further information and a product demonstration.

Global Spam Email Levels at 2-Year High

Global spam email levels have been rising, with spam volume in July soaring to levels not seen since March 2015.

The figures come from the Symantec monthly threat report, which uses data from the Global Intelligence Network (GIN). Last month, global spam email levels increased by 0.6 percentage points to 54.9% of total email volume. The industry that received the most spam emails was the mining sector, with 59.1% of emails categorized as spam.

Spam emails include unsolicited marketing emails, offers of cut price medications and notices about women who have been trawling the internet for a man like you. While many of these emails are simply junk, the volume of malicious messages has been rising. In particular, spam messages containing malware.

Symantec reports that email malware has increased to levels not seen since December 2016. Last month, one in every 359 spam emails was used to deliver malware. The previous month, one in every 451 emails contained malware. The industry with the highest email malware rate was the agriculture, forestry and fishing sector, with one in every 152 emails containing malware.

Malware and Phishing Emails at The Highest Level Seen This Year

Malicious emails are being sent in campaigns targeting medium sized businesses, which registered the highest percentage of malware emails. Businesses with between 251 and 500 employees had the highest volume of malware in their inboxes, according to Symantec’s analysis. Large businesses – organizations with between 1,001 and 1,500 employees – had the highest rate of spam delivery as a whole.

While malware emails increased, the number of malware variants used in those emails dropped to 58.7 million variants from 66.3 million the previous month. Symantec notes that several malware families have now started being spread via email, which has contributed to the malware email volume.

In the past month, malware variants have been detected that are capable of generating their own spam emails from the infected device and sending copies of the malware to the victims’ entire address books. The Emotet banking Trojan now has this functionality, as does Reyptson malware, which sends itself to Thunderbird contacts.

This month, Microsoft has discovered a new tech support scam that is being distributed via spam email. Spam emails spoofing brands are being sent in large campaigns with links to websites that generate popups warning of suspicious activity and malware infections.

Symantec notes the volume of phishing emails has also increased, with levels now at a 12-month high. One in 1,968 emails is used for phishing. Phishing attacks on the mining industry sector were the most common, with one in 1,263 emails used for phishing, indicating targeted attacks are occurring.

Increase in Global Spam Email Levels Highlights Need for Effective Spam Filtering

The rise in global spam email levels highlights the need for an advanced email spam filter. Spam is a major drain on productivity and malware and phishing attacks are costly to mitigate. Employee security awareness programs are effective at preventing employees from falling for phishing scams, although a technological solution should be implemented to prevent spam emails from reaching inboxes. SpamTitan blocks more than 99.9% of spam and dual antivirus engines prevent the delivery of known malware.

If you are looking for the best spam filter for business use and want to protect your users and network from malicious emails, contact the TitanHQ team today for more information on SpamTitan.

Ransomware and Phishing Attacks in 2017 Have Soared

A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.

CSO conducted the annual U.S. State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.

This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, even though the consequences of the delays have been clearly shown this year by the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks only 75% of its customers had regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.

IT security budgets have increased by an average of 7.5% year over year, with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes, and adding new skills. 67% of respondents said they have now expanded their security capabilities to include mobile devices, the cloud and IoT.

Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.

Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.

More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue; the CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department and not a matter for the board, a drop of just two percentage points since last year.

Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.

The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats.  Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.

Supreme Court Phishing Scam Targets Law Firms in Ireland

Law firms in Eire and Northern Ireland are being targeted with a new Supreme Court phishing campaign that is being used to fool recipients into visiting a malicious website.

The email appears to have been sent from the Supreme Court and refers to a new/updated Statutory Instrument. The emails that have been detected so far include a PDF file containing further details, although the attachment will divert the recipient to a malicious domain.

The Supreme Court phishing emails add a sense of urgency, as is common in phishing campaigns, telling the recipient to read the information in the attached document by this Friday.

The emails that have been reported have the subject line – Supreme Court (S.I. No691/2017) – although it is possible there are other variations along the same theme.  The Courts Service has confirmed that the emails are not genuine and should be deleted without being opened. The phishing scam has been reported to the Gardaí and the Courts Service IT team is also investigating and a warning has been issued.

Supreme Court phishing scams are common. In February this year, the UK Supreme Court also issued a warning after numerous emails were received claiming to be subpoenas for court appearances in relation to a crime that the recipient had committed. In that case, a link was included to provide the court with all of the necessary information about the case. Recipients of the email were told to submit the information within 12 days or the case would proceed in their absence.

As the UK Supreme Court pointed out, it does not issue subpoenas to appear in court for criminal cases, although many law-abiding citizens would be unaware of the typical procedures associated with criminal cases. The fear generated by a potential court appearance for an unknown crime would likely see many email recipients open the message, click on the link and reveal their personal information.

The purpose of Supreme Court phishing emails is usually to obtain sensitive information under the guise of confirming the recipient’s identity. The information gathered by the phishing emails can be used for identity theft or other forms of fraud. Emails such as this are also used to spread malware or ransomware.

The emails are designed to scare people into responding and they can be highly effective. However, there are usually a variety of telltale signs that the email is not genuine. Before clicking or taking any requested action, it is important to stop, think and not to panic. Check the email for misspellings, grammatical errors and anything out of the ordinary.

If a link is included in the email, hover the mouse arrow over it to find out the true URL to see if it will direct you to a genuine domain. If the email contains an attachment, do not open it. If you are worried about the email, contact the organization that claims to have sent the message by obtaining the correct contact details from the Internet and verify the authenticity of the request.

For the most part, any serious matter such as a subpoena or an important change to legislation would be unlikely to be communicated via email, and certainly not in an email attachment or via a link to a domain.

IRS Launches Campaign to Raise Awareness of Phishing Attacks on Tax Professionals

Phishing attacks on tax professionals are soaring. Tax professionals across the United States have been extensively targeted by cybercriminals this tax season who fool them into disclosing sensitive information such as login credentials and tax information.

The IRS has received 177 reports from tax professionals that have fallen for the scams this year and have disclosed sensitive information, although the victim count is likely to be much higher since not all phishing attacks are reported. Currently, the IRS is receiving between three and five new reports of successful phishing scams each week.

Many of the victims have reported large data losses as a result of the phishing scams. Tax information is used by cybercriminals to file fraudulent tax returns in the victims’ names. The data can also be used for identity theft.

The IRS says tax professionals are being extensively targeted by highly organized criminal gangs in the United States, as well as international crime rings.  The IRS points out that the criminals conducting phishing attacks on tax professionals “are well funded, knowledgeable and creative.”

Targets are researched and information is often included in the emails that is relevant to the recipient. The name and address of the target are often used in the emails and the requests are highly credible. Emails may request data or provide a hyperlink for the recipient to click. Clicking the link results in malware being downloaded that gives the attacker access to the computer. Keyloggers are often downloaded that record and transmit passwords.

The Anti Phishing Working Group tracked 1.2 million unique phishing attacks last year, representing a 65% rise from 2015. Those scams often involve millions of emails. Currently, APWG is tracking an average of 92,564 unique phishing attacks each month.

Phishing attacks on tax professionals can be highly sophisticated, but in the majority of cases it is possible to block attacks by employing basic security measures. Unfortunately, many organizations overlook these steps.

The IRS is working closely with the tax industry and state tax agencies as the ‘Security Summit’. The Security Summit has recently launched a new campaign to help tackle the problem of phishing by raising awareness of the threat via a new “Don’t Take the Bait” campaign.

Over the next 10 weeks, the Security Summit will send weekly emails to raise awareness of the different types of phishing scams and other threats. The Security Summit has kicked off the campaign with spear phishing, which will be followed by education efforts to raise awareness of CEO fraud/BEC scams, ransomware attacks, remote account takeovers, EFIN thefts and business identity theft.

Blocking phishing attacks on tax professionals requires layered defenses, one of the most important being the use of software solutions to prevent phishing emails from being delivered to end users’ inboxes. SpamTitan blocks more than 99.9% of email spam and keeps inboxes free from malicious messages. If emails are not delivered, employees will not be tested.

Even with software solutions in place it is important for all employees to be aware of the threat from phishing. Security training should be provided to teach employees how to recognize the tell-tale signs of phishing emails and organizations should try to develop a culture of security awareness.

IRS Commissioner John Koskinen said “Doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”

The IRS recommends several measures to reduce risk:

  • Educate all employees on the risk from spear phishing and phishing in general
  • Ensure strong passwords are used
  • Always question emails – Never take them at face value
  • Never click a link without first checking the destination URL – Hover the mouse arrow over a masked link to find the true URL
  • Use two-factor authentication for all email requests to send sensitive data – Confirm with the sender via the telephone
  • Use security software to block phishing emails and malware and ensure the software is updated automatically
  • Use the security settings in tax preparation software
  • Report suspicious emails to the IRS

Fake Invoices Used in New Locky Ransomware Campaign

The WannaCry ransomware attacks may have attracted a lot of press, but Locky ransomware poses a bigger threat to organizations with a new Locky ransomware campaign now a regular event. The ransomware was first seen in February last year and rapidly became the biggest ransomware threat. In recent months, Cerber has been extensively distributed, but Locky is still being used in widespread attacks on organizations.

The actors behind Locky ransomware are constantly changing tactics to fool end users into downloading the malware and encrypting their files.

The Necurs botnet has recently been used to distribute Jaff ransomware, although now that a decryptor has been developed for that ransomware variant, the actors behind Necurs have switched back to Locky. The new Locky ransomware campaign involves millions of spam messages sent via the Necurs botnet, with some reports suggesting approximately 7% of global email volume at the start of the campaign came from the Necurs botnet and was spreading Locky.

The new Locky ransomware campaign uses a new variant of the ransomware which does not encrypt files on Windows operating systems later than XP. This appears to be an error, and a new, updated version of the ransomware is expected to be launched soon. As with past campaigns, the latest batch of emails uses fake invoices to fool end users into installing the ransomware.

Fake invoices are commonly used to spread ransomware because they are highly effective. Even though these campaigns often include scant information in the email body, many end users open the attachments and enable macros. Doing so results in Locky being downloaded. There is still no free decryptor available to unlock Locky-encrypted files. Infections can only be resolved by paying a sizeable ransom or restoring files from backups.

Training end users to be more security aware will help organizations to reduce susceptibility to ransomware attacks, although the best defense against email-based ransomware attacks is to use an advanced spam filtering solution to prevent the messages from reaching end users’ inboxes. If emails are blocked, there is no chance of end users opening malicious attachments and installing the ransomware.

SpamTitan is an email security solution that can block these ransomware emails. SpamTitan blocks more than 99.9% of spam messages and dual anti-virus engines ensure malicious emails do not reach inboxes. While some anti-spam solutions have a high false positive rate and block genuine emails, SpamTitan’s false positive rate is extremely low at just 0.003%.

SpamTitan requires no additional hardware purchases, no staff training and the solution can be installed in a matter of minutes.

If you are unhappy with your current anti-spam solution or have yet to start protecting your inboxes from malicious messages, contact the TitanHQ team today for further information on how SpamTitan can benefit your business. TitanHQ also offers SpamTitan on a 30-day no-obligation free trial to allow you to see the benefits of the solution for yourself before committing to a purchase.

URL Padding Used in Latest Facebook Phishing Scam

A new Facebook phishing scam has been detected that attempts to fool end users into believing they are on the genuine Facebook site using a technique called URL padding. The attack method is being used in targeted attacks on users of the mobile Facebook website.

As with other Facebook phishing scams, the aim of the attackers is to get end users to reveal their Facebook login credentials. The scam takes advantage of poor security awareness and a lack of attentiveness.

URL padding – as the name suggests – involves padding the URL with hyphens to mask the real website that is being visited. The URLs being used by the attackers start with m.facebook.com, which is the correct domain for the genuine Facebook website. In a small URL bar on mobile phones, this part of the URL will be clearly visible.

What follows that apparent domain is a series of hyphens: m.facebook.com----------------. That takes the latter part of the domain outside the viewable area of the address bar. End users may therefore be fooled into thinking they are on the genuine website as they will not see the last part of the URL. If they were to check, they would see that m.facebook.com---------------- is actually a subdomain of the site they are visiting.

The hyphens would be a giveaway that the site is not genuine, but the attackers add in an additional word into the URL such as ‘validate’ or ‘secure’ or ‘login’ to add authenticity.

The attackers have lifted the login box and branding from Facebook, so the login page that is presented appears to be the same as is used on the genuine site.

One telltale sign that all is not as it appears is the use of hxxp:// instead of https:// at the start of the URL, a sure sign that the site is not genuine. Even so, many Facebook users would be fooled by such a scam. URL padding is also being used to target users of other online services such as Apple iCloud and Comcast.
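The following is an added example, not code from the article or from PhishLabs, showing how to separate what a narrow address bar displays from the site a padded URL really points at. The sample URLs are constructed for the example: the phishing hostnames under example-phish.net are made up, and the padding threshold and the naive "last two labels" domain extraction are assumptions (a production check would consult the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs for this example. The phishing hostnames are
# made up; the padding mimics the pattern described in the article
# (brand name followed by a run of hyphens, then the real domain).
SAMPLE_URLS = [
    "https://m.facebook.com/login/",
    "http://m.facebook.com----------------validate----step1.example-phish.net/sign_in.html",
    "http://m.facebook.com.secure-login.example-phish.net/",
]

# Minimum run of consecutive hyphens treated as deliberate padding (assumption).
PADDING_THRESHOLD = 5


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for .com/.net style hosts;
    a production check should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def visible_prefix(url: str, width: int) -> str:
    """What a narrow address bar shows: the first `width` characters of the
    host. For a padded URL this is just the brand name and some hyphens."""
    return (urlsplit(url).netloc or "")[:width]


def analyse(url: str, expected_domain: str = "facebook.com") -> dict:
    """Flag URL-padding indicators and report the site actually visited."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    site = registrable_domain(host)
    findings = []

    # The brand appears somewhere in the hostname, but the registrable
    # domain at the end belongs to someone else.
    if site != expected_domain and expected_domain in host:
        findings.append(f"'{expected_domain}' appears in the host but the site is {site}")

    # A long run of hyphens has no legitimate purpose in a hostname label.
    longest_run = max((len(r) for r in re.findall(r"-+", host)), default=0)
    if longest_run >= PADDING_THRESHOLD:
        findings.append(f"hyphen padding ({longest_run} consecutive hyphens)")

    # The genuine mobile site is served over HTTPS.
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme}, not https")

    return {"host": host, "site": site, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = analyse(url)
        print(f"address bar shows: {visible_prefix(url, 20)!r}")
        print(f"  real site: {result['site']}  suspicious: {result['suspicious']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running it shows that a 20-character address bar renders the padded URL as nothing more than "m.facebook.com------", while the registrable domain is example-phish.net. The same check generalises to the iCloud and Comcast variants mentioned above by changing expected_domain.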

Facebook accounts contain a wealth of information that can be used in future spear phishing campaigns or attacks on the victims' contacts. PhishLabs, which discovered the new scam, says the attackers are currently using the hijacked accounts for the latter: to spam the victims' contacts and conduct further phishing campaigns.

Although the scam has been detected, it is currently unclear how links to the phishing website are being distributed. They may be arriving via spam email, but PhishLabs suggests SMS messages or messenger services are being used.

Restaurants Facing Barrage of Fileless Malware Phishing Attacks

Cybercriminals have been conducting fileless malware phishing attacks and restaurants are in the firing line. Restaurants are being singled out as they tend to have relatively poor cybersecurity defenses and criminals can easily gain access to the credit card details of thousands of customers.

The phishing attacks are used to install fileless malware: malware that runs only in memory and does not write its payload to the hard drive. Because most static antivirus solutions scan files on disk, fileless malware is particularly difficult to detect, and by switching to it the criminals can operate undetected for longer.

While fileless malware can be short-lived, only existing in the memory until the computer is rebooted, the latest variants are also persistent. The purpose of the malware is to allow the attackers to install a backdoor that provides access to restaurants’ computer systems. They can then steal the financial information of customers undetected.

The latest fileless malware phishing attacks use weaponized RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7, a group with close associations with the Carbanak group.

The attacks start with a well-crafted phishing email that uses social engineering to encourage the recipient to open the attached RTF file. Restaurant-themed RTF files have been discovered, with names such as menu.rtf, and others posing as orders. Some emails appear to have been written to target specific restaurant chains.

One intercepted phishing email claimed to be a catering order, with the attachment supposedly containing the list of items required. The body gave brief instructions on when the order was needed and how to view the list. The email was short but convincing. Many restaurants are likely to be fooled by these attacks, giving the attackers access to systems for long periods before detection.

As with other phishing campaigns, the user is prompted to enable the content in the attached file. Opening the RTF file presents the user with a large image that they must click in order to view the contents of the document. The document is expertly crafted, appears professional and suggests the contents of the document are protected. Double clicking on the image and confirming with a click on OK will launch the infection process, running JavaScript code.

FIN7 has recently been conducting attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of infection, but in contrast to past attacks, the DNS queries are launched from the memory, rather than using PowerShell commands. Since the attack does not involve files being written to the hard drive, it is difficult to detect.

Further, when the researchers checked the RTF file against VirusTotal, none of the 56 AV engines at the time detected the file as malicious.
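Since signature-based scanning missed the document, a useful complementary control is structural triage of RTF attachments before they reach a user: a menu or catering order has no reason to carry an embedded OLE object. The following is an added example, not Morphisec's analysis tooling or the FIN7 document, that extracts every \objdata group from an RTF, hex-decodes it and looks for well-known file signatures inside. The sample RTF is constructed for the example (a Package object wrapping a truncated, harmless LNK header); the signature table and the "Package means suspicious" rule are assumptions.

```python
import re

# Control words that carry an embedded object and its serialized bytes.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")

# Byte patterns worth flagging inside object data (well-known file
# signatures). The OLE1 wrapper that precedes the payload is skipped by
# searching the whole blob rather than only its start.
SIGNATURES = {
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (LNK)",
    b"MZ\x90\x00": "PE executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document",
    b"<script": "script markup",
}


def build_sample_rtf() -> str:
    """Constructed sample, not a real FIN7 document: an RTF whose single
    Package object wraps a truncated LNK header (harmless, 32 bytes)."""
    lnk = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
           b"\xc0\x00\x00\x00\x00\x00\x00\x46" + b"\x00" * 12)
    # OLE1 native-data header: version, format (embedded), class name, sizes.
    ole1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
            + len(b"Package\x00").to_bytes(4, "little") + b"Package\x00"
            + b"\x00" * 8 + len(lnk).to_bytes(4, "little") + lnk)
    return ("{\\rtf1\\ansi\\deff0 Catering order attached; double-click the picture to view.\\par"
            "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + ole1.hex() + "}}}")


def extract_objects(rtf: str) -> list:
    """Return the decoded bytes of every \\objdata group in the document."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", match.group(1))
        try:
            blobs.append(bytes.fromhex(hexdata))
        except ValueError:   # malformed hex: keep a placeholder so the count stays honest
            blobs.append(b"")
    return blobs


def triage(rtf: str) -> dict:
    """Count embedded objects, list their classes and any payload signatures."""
    classes = [c.strip() for c in OBJCLASS_RE.findall(rtf)]
    blobs = extract_objects(rtf)
    hits = []
    for index, blob in enumerate(blobs):
        for signature, name in SIGNATURES.items():
            if signature in blob:
                hits.append((index, name))
    # A "Package" object is an arbitrary file dropped into the document;
    # it has no business in a menu or a catering order (assumption).
    suspicious = bool(blobs) and (bool(hits) or "Package" in classes)
    return {"objects": len(blobs), "classes": classes, "hits": hits,
            "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    print(triage(build_sample_rtf()))
    print(triage("{\\rtf1\\ansi Plain text only.\\par}"))
```

The check is deliberately format-level rather than signature-level: it fires on any RTF that smuggles an executable object regardless of which AV engines recognise the specific sample, which is exactly the gap the VirusTotal result above illustrates.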

Corporate Phishing Emails Increased by 400% in Q2, 2017

Corporate phishing emails are one of the biggest cybersecurity risks faced by organizations. Cybercriminals are well aware that even companies with robust cybersecurity defenses are vulnerable to phishing attacks.

Phishing email volume is higher than at any other time in history. Employees are being targeted with threat actors now using sophisticated social engineering techniques to maximize the probability of employees clicking on links, opening infected email attachments or disclosing their login credentials. If corporate phishing emails are delivered to end users’ inboxes, there is a high chance that at least one employee will be fooled. All it takes is for one employee to click on a malicious link or open an infected attachment for malware to be installed or access to sensitive data be provided.

The threat from phishing attacks has been steadily increasing in recent years, although this year has seen phishing attacks soar. A recent study conducted by Mimecast has shown that cybercriminals have been stepping up their efforts in recent months. Last quarter, there was a 400% increase in corporate phishing emails according to the study.

A phishing trends & intelligence report for Q1, 2017 from the security awareness training firm PhishLabs showed that in the first quarter of 2017, overall phishing email volume increased by 20% compared to the previous quarter. 88% of phishing attacks were concentrated on five industries: payment services, financial institutions, cloud storage/file hosting firms, webmail/online services and e-commerce companies.

The anti-phishing training and phishing simulation platform provider PhishMe also noted a major increase in phishing emails in Q1, 2017. The firm’s Q1, 2017 malware review also showed there had been a 69.2% increase in botnet malware usage in the first quarter of this year.

Business email compromise attacks are also on the rise. Proofpoint's annual Human Factor report found that BEC emails grew from 1% to 42% of message volume relative to emails bearing Trojans over the period studied. Such attacks have exposed businesses to more than $5 billion in losses worldwide.

These studies clearly show that corporate phishing emails are on the rise, highlighting the need for organizations to improve their defenses. The best defense against phishing emails and ransomware attacks is to ensure messages are intercepted and blocked. It is therefore essential for organizations to implement a robust spam filtering solution to prevent malicious messages from reaching end users’ inboxes.

SpamTitan conducts more than 100 checks of incoming emails, ensuring more than 99.98% of spam and malicious emails are blocked. Dual anti-virus engines are used to ensure 100% of known malware and ransomware is intercepted and prevented from being delivered to end users’ inboxes.

If you have yet to implement an advanced spam filtering solution or you are unhappy with your current provider, contact TitanHQ today to find out more about SpamTitan and how it can be used to protect your business from email attacks. SpamTitan is also available on a no obligation, 30-day free trial, allowing you to try the solution for yourself before committing to a purchase.

University of Alaska Phishing Attack Results in Exposure of 25,000 Individuals’ Data

A University of Alaska phishing attack has potentially resulted in attackers gaining access to the sensitive information of around 25,000 staff, students and faculty members.

The University of Alaska phishing attack occurred in December last year, although affected individuals have only just been notified. The phishing emails were sent to university employees. One or more individuals responded and were fooled into following the threat actors’ instructions.

Details of the exact nature of the phishing emails were not disclosed; however, as with other phishing scams, the emails appeared genuine and looked professional. By responding to the emails, the employees accidentally disclosed their usernames and passwords to the attackers. The attack resulted in ‘several’ email accounts being compromised.

The emails in the compromised accounts contained a range of sensitive information including names and Social Security numbers. In total, around 25,000 staff, students and faculty members had their information exposed.

The investigation into the University of Alaska phishing attack could not confirm whether any of the emails in the accounts were accessed or if information was copied by the attackers, although it remains a distinct possibility.

Due to the sensitive nature of data in the accounts, the University of Alaska had to inform all affected individuals by mail and offer credit monitoring and identity theft protection services. Victims will also be protected by a $1 million identity theft insurance policy.

A forensic analysis had to be conducted to determine the exact nature of the attack and which individuals had been affected, a process that took around five months. Staff had to be given additional training to improve awareness of credential phishing scams and were retrained in the correct handling of sensitive information. The notifications and mitigations came at a considerable cost.

The University of Alaska phishing attack was just one of many phishing attacks that have taken place in the United States over the past few months. The phishing attacks all have a common denominator. Employees were targeted, phishing emails reached inboxes, and end users followed the instructions in the emails.

Training staff to be aware of the threat of phishing can reduce susceptibility, although training did not prevent the University of Alaska phishing attack.

Even after receiving security awareness training, employees can make mistakes. A technology solution should therefore be implemented to stop phishing emails from being delivered to end users’ inboxes.

SpamTitan from TitanHQ offers excellent protection against phishing attacks, blocking more than 99.9% of spam, phishing emails and other malicious messages. SpamTitan is quick and easy to install, cost effective to implement and easy to maintain.

With SpamTitan installed, organizations can protect themselves against phishing attacks and avoid the considerable cost of data breaches.

For more information on SpamTitan and other TitanHQ security products, contact the sales team today and take the first step toward improving your defences against phishing attacks.

Phishing Attacks Likely to Follow Hotels.com Breach

The Texas-based online hotel booking website Hotels.com is notifying customers that some of their sensitive information has been exposed. The Hotels.com breach potentially involved usernames and passwords, email addresses, and the last four digits of site users’ credit card numbers.

Users’ accounts were hacked between May 22 and May 29, although at this stage it is unclear exactly how many individuals have been affected. While full credit card numbers were not obtained, the Hotels.com breach will see users face an elevated risk of phishing attacks.

Phishing emails come in many guises, although it is common for users of a site that has experienced a data breach or security incident to receive warning emails about the attack. The emails rightly claim that a user’s sensitive information has been compromised; however, the emails do not come from the company that experienced the breach. Instead, it is the cybercriminals who conducted the attack, or individuals who have bought stolen data from the attackers, that send the emails.

A typical phishing scenario sees individuals informed that their usernames and passwords have been compromised. A link is included in the emails to allow the user to reset their password or activate additional security controls on their account.

That link will direct the user to a phishing website where further information is obtained – the missing digits from their credit card number for example – or other personal information. Alternatively, the link could direct the user to a malicious website containing an exploit kit that downloads malware onto their computer.

Hotels.com customers were targeted in a 2015 phishing campaign which resulted in many site users divulging information such as names, phone numbers, email addresses and travel details. That information could be used in further scams or even for robberies when victims are known to be on vacation.

The Hotels.com breach is the latest in a number of attacks on online companies. While it is currently unclear how access to customers’ accounts was gained, a letter emailed to affected users suggests the attacks could be linked to breaches at other websites. The letter suggests access to online accounts could have resulted from password reuse.

Reusing passwords on multiple online platforms is a bad idea. While it is easier to remember one password, a breach at any online website means the attackers will be able to access accounts on multiple sites.

To prevent this, strong, unique passwords should be used for each online account. While these can be difficult to remember, a password manager can be used to store those passwords. Many password managers also help users generate strong, unique passwords. Users should also take advantage of two-factor authentication controls on sites whenever possible to improve security.

Since many businesses use hotel booking websites such as Hotels.com, they should be particularly vigilant for phishing emails over the coming weeks, especially any related to hotels.com. To protect against phishing attacks, we recommend using SpamTitan. SpamTitan blocks more than 99.9% of phishing and other spam emails, reducing the risk of those messages being delivered to end users. Along with security awareness training and phishing simulation exercises, businesses can successfully defend against phishing attacks.

IC3 Issues Warning About Business Email Compromise Scams

The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.

The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.

In contrast to phishing scams in which the attacker spoofs an email address to make messages appear to come from within the company, business email compromise scams typically involve the attacker gaining access to a genuine corporate email account, or using a look-alike domain that is hard to distinguish from the real one.

Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers or issuing other payments, or to an individual with access to employees' PII or W-2 forms, requesting a bank transfer or the sensitive data.

The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.

Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.

Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.

Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.

IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.

Between January 2015 and December 2016, IC3 recorded a 2,370% increase in identified exposed losses from BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says fraudulent transfers have been made to 103 countries in the past two years.

The losses reported by businesses are staggering. Between October 2013 and December 2016, exposed losses (attempted and actual) exceeded $5 billion. United States businesses lost $1,594,503,669 in more than 22,000 reported incidents, an average of $71,528 per incident.

IC3 lists the five most common types of business email compromise scams as:

  1. Businesses receiving requests from frequently used suppliers asking for payments to be sent to a new bank account. This is also known as a bogus invoice scam.
  2. An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
  3. A compromised email account is used to send a payment request/invoice to a vendor in the employee's contact list.
  4. The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
  5. A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.

There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.

IC3 recommends:

  • Using a domain-based email account rather than a web-based account for business email accounts
  • Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
  • Implement a two-step verification process to validate all transfer requests
  • Use two-factor authentication for corporate email accounts
  • Never respond to an email using the reply option. Always use forward and type in the address manually
  • Register all domains that are similar to the main domain used by the company
  • Use intrusion detection systems and spam filters that quarantine or flag emails sent from domains that resemble the company's own, for example blocking mail from xxx_company.com if the company uses xxx-company.com
  • Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers
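The last two technical recommendations (register similar domains, and flag mail from domains that merely resemble your own) both come down to one question: is the sender's domain the company's domain, or something built to look like it? The following is an added example, not IC3's guidance or any vendor's filter, that classifies a sender address against the company domain using the article's own xxx-company.com / xxx_company.com pair. The homoglyph table, the edit-distance budget and the sample messages are assumptions constructed for the example.

```python
COMPANY_DOMAIN = "xxx-company.com"   # the article's own example domain

# Character sequences that read alike in common fonts (assumption). Multi-
# character entries come first so they are substituted before single ones.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s")]

# Edit-distance budget for near misses such as xxx-company.co (assumption;
# tune downwards for very short company domains).
MAX_EDITS = 2


def normalise(domain: str) -> str:
    """Collapse the differences a hurried reader tends not to notice."""
    d = domain.lower().strip(".").replace("-", "").replace("_", "")
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, company: str = COMPANY_DOMAIN) -> str:
    """Return internal, internal-subdomain, lookalike or external."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == company:
        return "internal"
    if domain.endswith("." + company):
        return "internal-subdomain"
    # Company domain used as a leading label under someone else's domain.
    if domain.startswith(company + "."):
        return "lookalike"
    # Hyphen/underscore swaps and homoglyphs (xxx_company.com, xxx-c0mpany.com).
    if normalise(domain) == normalise(company):
        return "lookalike"
    # One or two character slips (xxx-company.co, xx-company.com).
    if levenshtein(domain, company) <= MAX_EDITS:
        return "lookalike"
    return "external"


def screen_messages(messages, company=COMPANY_DOMAIN):
    """Return (sender, action) for every message whose sender is a lookalike."""
    return [(m["from"], "quarantine") for m in messages
            if classify_sender(m["from"], company) == "lookalike"]


# Constructed sample messages for the example run.
SAMPLE_MESSAGES = [
    {"from": "cfo@xxx-company.com", "subject": "Q3 figures"},
    {"from": "cfo@xxx_company.com", "subject": "Urgent wire transfer"},
    {"from": "accounts@xxx-c0mpany.com", "subject": "Updated bank details"},
    {"from": "cfo@xxx-company.com.mail-relay.example", "subject": "Re: invoice"},
    {"from": "orders@supplier.example", "subject": "Catering order"},
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(f"{message['from']:45} {classify_sender(message['from'])}")
    print("quarantined:", screen_messages(SAMPLE_MESSAGES))
```

The same normalise() function can be run over a list of candidate registrations to decide which look-alike domains are worth registering defensively: any candidate that normalises to the company domain is one an attacker could use.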

Millions Affected by Google Phishing Scam

A Google phishing scam has been spreading like wildfire over the past couple of days. Emails have been sent in the millions inviting people to edit Google Docs files. The emails appear to have been sent by known individuals, increasing the likelihood of the messages being opened and the links being clicked.

In contrast to many email scams that include a link to a spoofed website, this scam directs the recipient to a genuine Google address. When the user arrives there they are presented with a legitimate Google account-selection and permissions screen.

The Google phishing scam works within the Google platform, taking advantage of the fact that individuals can create a third-party app and give it a misleading name. In this case, the app has been named ‘Google Docs.’

This makes it appear that Google Docs is asking for permission to read, send, delete, and manage emails and access the user’s contacts. However, it is the creator of the app that is asking to be granted those permissions. If users check the developer name, they will see that all is not as it seems. Many individuals will not check, since the permission screen also includes Google logos.

Granting the requested permissions gives the attacker's app an authorization token for the user's Google account, and with it access to their emails, Google Docs files and contact list. Because the attacker holds a token rather than the password, that access has to be revoked explicitly. Granting access also results in the victim's contact list being sent the same invitations. Unsurprisingly, many have fallen for the Google phishing scam and countless emails are still circulating.
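The consent screen shows whatever application name the developer chose, but the authorization request itself cannot hide two things: which scopes are being requested and which host the authorization code will be redirected to. The following is an added example, not Google's code or the actual scam's request, that parses an OAuth authorization URL and reports both. The client_id and redirect_uri are made up for the example; the scope strings are Google's real scope names, and the set treated as high-risk is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed authorization request for this example. The client_id and
# redirect_uri are made up; the scope strings are Google's real scope names.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

# Scopes that hand a third party the kind of access the article describes
# (read, send and delete mail; read contacts). Which ones count as high-risk
# is an assumption for this example.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send and delete all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
    "https://www.googleapis.com/auth/drive": "full access to Drive files",
}


def is_google_host(host: str) -> bool:
    return host == "google.com" or host.endswith(".google.com")


def inspect_consent_request(url: str) -> dict:
    """Summarise who receives the authorization code and what it can do."""
    query = parse_qs(urlsplit(url).query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    scopes = first("scope").split()
    redirect_host = urlsplit(first("redirect_uri")).hostname or ""
    findings = [f"{s}: {HIGH_RISK_SCOPES[s]}" for s in scopes if s in HIGH_RISK_SCOPES]
    # The app name on the consent screen is chosen by the developer; the
    # redirect_uri is where the code (and thus the token) actually goes.
    if not is_google_host(redirect_host):
        findings.append(f"authorization code is sent to third-party host {redirect_host}")
    return {"client_id": first("client_id"), "scopes": scopes,
            "redirect_host": redirect_host, "findings": findings,
            "risky": bool(findings)}


if __name__ == "__main__":
    report = inspect_consent_request(SAMPLE_AUTH_URL)
    print("client_id:    ", report["client_id"])
    print("redirect host:", report["redirect_host"])
    for finding in report["findings"]:
        print("  -", finding)
```

A consent request for an app calling itself "Google Docs" that asks for full Gmail and contacts access and redirects to a non-Google host is exactly the pattern described above, whatever logo appears on the screen.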

The scam appears to have started at some point on Wednesday. Google has now issued an official statement saying it is taking action to protect users and has disabled the accounts that are being used to conduct the scam.

Google confirmed the actions it has taken in response to the phishing scam, saying “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

Anyone who receives a request to edit a Google Doc should treat the request with suspicion, even if it has been sent from someone known to the recipient.

If you think you may have fallen for this phishing scam it is likely that emails will already have been generated and sent to your contacts. However, you can take action to block the threat by revoking the access rights you have given to the app through the Connected Apps and Sites page.

The Google phishing scam is highly convincing and clearly shows how sophisticated cybercriminals are getting in their attempts to gain access to sensitive information and why it is imperative that email users be permanently on their guard.

58% of UK Office Workers Open Email Attachments from Unknown Senders

Training employees on basic cybersecurity is essential. Conventional cybersecurity solutions such as antivirus software are no longer as effective at blocking threats as they once were and employees are targeted by cybercriminals.

Cybercriminals are well aware that employees are easy to fool. Social engineering techniques are used to create highly convincing phishing scams. Those emails contain images of well-known brands and text that would not look out of place in an official communication. Believable reasons are given for the need to disclose login credentials, click on hyperlinks or open email attachments. The emails are effective.

Email is now the number one attack vector for cybercriminals and the biggest cybersecurity threat for businesses.

Employees Still Lack Security Awareness

Even though the threat from phishing has been widely reported in the media, many employees still take major security risks at work.

A recent survey of UK office workers conducted by Glasswall Solutions highlights how serious the risk of email cyberattacks is. 1,000 office workers from mid to large-sized businesses in the UK were asked questions about cybersecurity. 58% of respondents said they usually opened email attachments sent by unknown individuals.

Cybercriminals often spoof the sender address or display name so that emails appear to have been sent by someone in the recipient's contact list. Those tactics are even more effective at getting an end user to take the desired action: clicking on a hyperlink or opening an email attachment. The former directs the end user to a malicious website where malware is silently downloaded. Opening the email attachment results in code being run that downloads a malicious payload.

When asked how often email attachments from known senders were opened, 83% of respondents said they always or usually opened email attachments. Office workers were also asked whether their organization had experienced a cyberattack. 34% of respondents said it had.

How often are malicious emails getting past organizations' security defenses? 76% of respondents said suspicious emails had reached their work inboxes.

The survey suggests either that cybersecurity training is not being conducted or that it is ineffective, and that email security solutions are not in place or have not been configured correctly.

20% of respondents said their organization had no policy on email attachments, or if it did, it had not been communicated to them. 58% said they would feel much safer if their organization had the appropriate technology in place to protect them from email attacks.

How to Improve Defenses Against Email Attacks

Organizations must ensure appropriate technology is in place to block malicious emails and that employee cybersecurity training programs are developed to raise awareness of the risks of cyberattacks via email.

Policies should be developed – and communicated to staff – covering email attachments and hyperlinks. If staff are unaware of the risks, they cannot be expected to be able to identify an email as suspicious and take the appropriate action. It must also be made clear to employees what actions should be taken if suspicious emails are received.

Cybersecurity training programs should also be evaluated. If those programs are not tested, employers will not know how effective their training is. Sending dummy phishing emails is a good way to determine whether training programs are effective.

A powerful spam filtering and anti-phishing solution should also be employed to prevent malicious emails from reaching end users’ inboxes. SpamTitan, for instance, is an advanced antispam solution for SMEs that blocks over 99.7% of spam emails and 100% of known malware. By preventing malicious emails from reaching end users’ inboxes, employee cybersecurity training will not be put to the test.

Healthcare Ransomware Attacks Accounted for 50% of All Security Incidents

Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.

Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.

However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by government (19%), healthcare (15%) and retail (15%).

NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.

Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity declined steadily throughout the year as cybercriminals turned to phishing emails to spread malware and ransomware.

With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.

The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.

Cerber Becomes the Biggest Ransomware Threat

2016 was the year when Locky ransomware first arrived on the scene, with the variant fast becoming the biggest ransomware threat. Locky infections rose rapidly following its release in February 2016 and continued to rise in the first half of that year. The ransomware was initially installed via exploit kits, although as exploit kit activity fell, the developers switched to spam email as the primary attack vector.

As 2016 progressed, Locky activity declined. While Locky infections continue, it is no longer the biggest ransomware threat and now accounts for just 2% of infections. A new report from Malwarebytes has revealed that the biggest ransomware threat, by some distance, is Cerber.

Cerber is now behind 90% of all global ransomware infections, with those attacks performed using many different variants. Cerber has even surpassed TeslaCrypt, a previously highly prevalent ransomware family that dominated attacks in 2015 and early 2016. At the start of 2017, Cerber's 'market share' stood at 70%, rising to 90% by the end of Q1.

The secret of Cerber's success lies not only in the sophistication of the ransomware but in how it is used and distributed. Cerber has become the biggest ransomware threat because it is not only its authors who use it to attack organizations: there is now an army of affiliates. Those affiliates need no programming experience and little technical skill. Their role is simple: they are distributors who get a cut of any ransoms they generate.

Ransom payments are likely with Cerber infections. There is no decryptor for the ransomware as no flaws have been discovered. Files locked by Cerber cannot be unlocked without the decryption keys, and only the attackers have access to those. The encryption used is of military-grade, says Malwarebytes. Further, a computer does not even need to be connected to the Internet in order for files to be encrypted. The latest variants also include a host of new defenses to prevent detection and analysis.

The primary attack vector used is email. Cerber is distributed in spam email, with infection occurring when a user opens an infected email attachment. That triggers the downloading of Cerber from the attacker’s Dropbox account.

With the new defenses put in place by its authors and no shortage of affiliates signing up to use the ransomware-as-a-service, Cerber looks set to remain the main ransomware threat throughout Q2. Attacks will continue and likely increase, and new variants will almost certainly be released.

All organizations can do is to improve their defenses against attack. Cybersecurity solutions should be employed to prevent spam emails from being delivered to end users. Staff should be trained how to identify malicious emails and not to open email attachments sent from unknown senders. Organizations should also use security tools to detect endpoint infections.

Since even with advanced security defenses infections are still possible, it is essential that all data are backed up and those backups tested to ensure they will allow encrypted data to be recovered.

World’s Largest Spam Operation Exposed: Database of 1.37 Billion Email Addresses Uncovered

The world’s largest spam operation has been exposed, and along with it, a massive database of email addresses. More than 1.37 billion email addresses, names, postal addresses, and IP addresses were in the database, which was exposed as a result of an error made during a backup. The company behind the operation is the email marketing firm River City Media, a legitimate email marketing company that uses some decidedly shady email marketing practices.

So how large is the world’s largest spam operation? According to MacKeeper researchers, the company behind the massive spamming campaigns was sending up to one billion spam email messages every day. However, due to the leak, life is likely to get a lot tougher for the email marketing firm. Its entire infrastructure has now been added to the spamming blacklist maintained by Spamhaus, the world leader in providing up-to-date threat intelligence on email spam and related spamming activity.

So how does a database from the world’s largest spam operation get released on the Internet? Faulty backups! The company failed to configure its rsync backups correctly, resulting in those backups being available online without any need for a password. The database was discovered by MacKeeper security researcher Chris Vickery.
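The River City Media exposure came down to an rsync daemon serving its backup modules to anyone who connected, with no password required. The following script is an added illustration, not code from the article or from any of the parties it names: it parses an rsyncd.conf-style file and flags every module that is reachable without authentication (no `auth users` / `secrets file`), without a source restriction (no `hosts allow`), or that is writable. The sample configuration it checks is constructed for the demo; the first module has the weak shape, the second shows the hardened settings.

```python
"""Audit an rsync daemon configuration for anonymous, unrestricted modules.

Added example (not from the original article). The sample configuration
below is constructed: module [backups] is the weak shape that leaves data
readable without a password, [backups-secure] is the hardened form.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_RSYNCD_CONF = """\
# global section (constructed sample)
uid = nobody
gid = nobody
use chroot = yes

[backups]
    path = /srv/backups
    read only = yes
    list = yes

[backups-secure]
    path = /srv/backups
    read only = yes
    list = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KV = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {module_name: {parameter: value}}.

    Global (pre-module) settings are stored under the key ''. Parameter
    names are lower-cased; whole-line comments ('#' or ';') are skipped.
    """
    modules: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = _SECTION.match(line)
        if section:
            current = section.group(1).strip()
            modules.setdefault(current, {})
            continue
        kv = _KV.match(line)
        if kv:
            modules[current][kv.group(1).strip().lower()] = kv.group(2).strip()
    return modules


def audit_modules(modules: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (module, finding) pairs for modules that expose data.

    rsync applies global-section parameters to every module unless the
    module overrides them, so the two are merged before checking.
    """
    findings: List[Tuple[str, str]] = []
    global_opts = modules.get("", {})
    for name, opts in modules.items():
        if name == "":
            continue
        effective = {**global_opts, **opts}
        problems = []
        # Without both 'auth users' and 'secrets file' the module is anonymous.
        if not effective.get("auth users") or not effective.get("secrets file"):
            problems.append("no authentication (auth users / secrets file)")
        # Without 'hosts allow' any source address may connect.
        if not effective.get("hosts allow"):
            problems.append("no source restriction (hosts allow)")
        # rsync defaults 'read only' to yes; a writable module is worse.
        if effective.get("read only", "yes").lower() in ("no", "false", "0"):
            problems.append("writable module")
        if problems:
            findings.append((name, "; ".join(problems)))
    return findings


if __name__ == "__main__":
    for module, finding in audit_modules(parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)):
        print(f"[{module}] {finding}")
```

Run against a real `/etc/rsyncd.conf`, the output lists each module a remote user could read without credentials. Fixing the configuration is only half of the control; the daemon port should also be unreachable from the Internet unless a module genuinely needs to be public.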

The revelation that such a large database had been obtained was huge news. In fact, it even drew a response from the Indian government, which felt it necessary to explain that it was not the source of the leak. The Indian government’s federal ID system is one of a very small number of databases that contain that number of records.

The number of records in the database is so large that almost everyone that uses email would either be on the list or would know someone that is.

How does a company amass so many email addresses? According to Vickery, various methods are used, although he said “credit checks, education opportunities, and sweepstakes” are typically used to obtain the email addresses, as are legitimate marketing campaigns from major brands. Users divulge their email addresses during these campaigns in order to receive a free gift, special offer, or an online service. Hidden away in the terms and conditions, which few people read, is confirmation that the information collected will be shared with marketing partners. Those marketing partners then share addresses with their partners, and their partners’ partners, and so on. Before long, the email addresses are available to a great many spammers.

When spammers use those addresses, there is a high probability that the domains used for sending the marketing messages will be blocked. To get around this, companies such as RCM use warm-up accounts to send out their campaigns.

New campaigns are first sent to the warm-up accounts, and provided they do not generate complaints, the sender of the emails is marked as a good sender. With a good reputation, the spammers are able to scale up their operation and send out billions of messages. If at any point messages start to be rejected or complaints start to be received, the domain is dropped and the process starts again. That way, RCM is able to bypass spam filtering controls and continue to send messages.

A detailed insight into the world’s largest spam operation and the techniques used to send spam messages has been published by CSO Online, which worked with Vickery, MacKeeper, and Spamhaus following the discovery of the huge database.

Yahoo Breach Phishing Campaign Takes Advantage of Latest Yahoo Warnings

A fresh round of email warnings for Yahoo account holders has been sent; however, cybercriminals are taking advantage: a new Yahoo breach phishing campaign has been detected that piggybacks on the latest news.

New Warnings for Yahoo Email Account Holders

Yahoo has been sending fresh warnings to account holders explaining that their accounts may have been compromised as a result of the Yahoo cyberattacks in 2013 and 2014. The Yahoo cyberattacks were the largest ever seen, resulting in the theft of the credentials of 1 billion and 500 million users respectively. Yahoo has now confirmed that the attacks involved the use of forged cookies to bypass its security controls.

Yahoo’s CISO Bob Lord has told account holders in the email that “We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016.” As was the case in previous Yahoo warnings, accounts should be reviewed for any suspicious activity and users should not click on links or open attachments from unknown senders.

Yahoo Breach Phishing Campaign Detected

Many active Yahoo account holders are concerned about email security following news of the cyberattacks in 2013/2014, and cybercriminals have been quick to take advantage. The fresh round of email warnings has only heightened fears, as well as the risk for account holders. Cybercriminals have been piggybacking on the latest news of account breaches and have been sending their own messages to Yahoo email users. The latest Yahoo breach phishing email campaign plays on users’ fears over the security of their accounts. The Yahoo breach phishing emails attempt to fool security-conscious account holders into clicking on malicious phishing links and revealing sensitive information.

In the latest round of warnings, Yahoo urged users to take advantage of Yahoo’s password-free security service, the Yahoo Account Key authentication service. The latest round of Yahoo breach phishing emails also offers account holders the option of upgrading the security on their accounts. To improve take-up, the attackers add urgency by saying the target’s account has been temporarily limited for failing an automatic security update. A link is supplied for users to click to re-verify account ownership. If they fail to click on the link and update their details, they will supposedly be permanently locked out of their account.

The Yahoo breach phishing campaign is likely to claim many victims, although the phishing emails are fairly easy to identify as fake. The emails appear to come from an account called ‘Mail’, although checking the actual email address reveals that the email was not sent from a domain used by Yahoo. There are also some errors in the structure of the email. Slight grammatical errors are a tell-tale sign that the emails are not genuine.

However, not all Yahoo breach phishing emails contain errors. Some have been highly convincing. Users are therefore advised to exercise extreme caution when using their Yahoo accounts and to be on high alert for Yahoo breach phishing emails.
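The two checks above that do not depend on spotting grammatical slips are the ones worth automating: does the sending domain match the brand the display name and subject invoke, and do the links in the body point somewhere else? The script below is an added example, not code from the article or from Yahoo; it parses raw message headers with Python's standard `email` module and reports those mismatches together with the "temporarily limited / permanently locked" urgency language the campaign uses. The allow-list of Yahoo sender domains, the two sample messages and every address and URL in them are constructed for the demo.

```python
"""Flag brand-impersonating mail: display name claims Yahoo, sender domain does not.

Added example (not from the original article). The sender-domain allow-list
and both sample messages below are constructed assumptions for the demo.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Assumed for the demo: domains treated as legitimate Yahoo senders. A real
# deployment would take this from the brand's authenticated (DMARC-aligned) mail.
YAHOO_SENDER_DOMAINS = {"yahoo.com"}
# Generic display names the campaign relied on instead of a real sender identity.
GENERIC_DISPLAY_NAMES = {"mail", "support", "security", "admin"}
URGENCY_PHRASES = ("temporarily limited", "permanently locked", "re-verify")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phishing sample shaped like the campaign the article describes.
PHISH = b"""\
From: Mail <account-services@example.net>
To: victim@yahoo.com
Subject: Your Yahoo account has been temporarily limited
Content-Type: text/plain; charset="us-ascii"

Your Yahoo account failed an automatic security update and has been
temporarily limited. Re-verify ownership within 24 hours or your account
will be permanently locked: http://example.net/yahoo/verify
"""

# Constructed benign sample: brand name and sender domain agree, links stay on-brand.
LEGIT = b"""\
From: Yahoo <no-reply@yahoo.com>
To: user@yahoo.com
Subject: Yahoo Account Key is now available
Content-Type: text/plain; charset="us-ascii"

You can now sign in without a password. Learn more at
https://login.yahoo.com/account/security
"""


def _on_brand(host: str) -> bool:
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in YAHOO_SENDER_DOMAINS)


def analyse(raw: bytes) -> Dict[str, object]:
    """Parse one raw message and return the indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    link_hosts: List[str] = sorted(
        {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    )

    reasons: List[str] = []
    claims_yahoo = "yahoo" in (display_name + " " + subject).lower()
    if claims_yahoo and from_domain not in YAHOO_SENDER_DOMAINS:
        reasons.append(f"claims Yahoo but sender domain is {from_domain!r}")
    if display_name.strip().lower() in GENERIC_DISPLAY_NAMES:
        reasons.append(f"generic display name {display_name!r}")
    off_brand = [h for h in link_hosts if not _on_brand(h)]
    if claims_yahoo and off_brand:
        reasons.append(f"links to non-Yahoo hosts: {', '.join(off_brand)}")
    lowered = text.lower()
    if claims_yahoo and any(p in lowered for p in URGENCY_PHRASES):
        reasons.append("account-lockout urgency language")

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "link_hosts": link_hosts,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        result = analyse(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

The sender-domain check is the one a user can do by eye, as the article suggests, and the one a mail gateway can do at scale; it catches the well-written variants that carry no grammatical errors at all. It is deliberately conservative: a domain mismatch is reported only when the message actually invokes the brand, so ordinary mail from other senders is not flagged.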

Cost of the Yahoo Cyberattacks

The Yahoo cyberattacks of 2013 and 2014 have cost the company dearly. While it is unclear what the final cost of the Yahoo cyberattacks will be, it will certainly be well in excess of $250 million, which is the price reduction Verizon Communications is seeking following the revelation that Yahoo account holders’ credentials were stolen in the two massive cyberattacks reported last year. The purchase price of $4.8 billion, which was agreed in the summer of 2016, is to be reduced. There was talk that the deal might not go ahead at all as a result of the Yahoo cyberattack revelations. While Yahoo will not want a price reduction, there are likely to be a few sighs of relief: just a few weeks ago Verizon was rumored to be looking for a $1 billion reduction in the price.

Solicitor Email Scam Targets Homebuyers and Sellers

In the United Kingdom and Eire, homebuyers and sellers are being targeted by cybercriminals using a new solicitor email scam. The scam, which involves mimicking a solicitor, is costing victims thousands. There have also been some reported cases of cybercriminals sending solicitors emails claiming to be their clients and requesting changes of bank details. Any pending transfers are then made to the criminals’ accounts.

Since funds for home purchases are transferred to solicitors’ accounts before being passed on to the sellers, if cybercriminals are able to change the bank details for the transfers, the funds for the purchase will be paid directly into their accounts.

While email spoofing is commonplace, this solicitor email scam often involves the hacking of solicitors’ email accounts. Once access has been gained, cybercriminals search for emails sent to and from buyers and sellers of homes to identify potential targets. Besides the hacking of email accounts, there have also been instances where emails between buyers, sellers, and their solicitors have been intercepted. When bank details for a transfer are emailed, the hackers change the bank information in the email to their own and then forward the email on.

The solicitor email scam is highly targeted and communications are monitored until the crucial point in the purchasing process when a bank transfer is about to be made. Since the potential rewards are considerable, cybercriminals are willing to put the time and effort into the scam and be patient. Buyers, sellers, and solicitors are well researched and the emails are highly convincing.

Instances of this conveyancing scam have been increasing in recent months and it has now become the most common cybercrime affecting the legal sector. The Law Society, a representative body for solicitors in the UK, has issued a warning about the conveyancing scam due to an increased number of complaints, although it is currently unclear how many fraudulent transfers have been made.

There is of course an easy way for solicitors to prevent such a scam from being successful, and that is to contact the homebuyer or seller before any transfer is made and to verbally confirm the bank details by telephone. Alternatively, policies can be developed requiring bank account information to only be sent via regular mail.

The Solicitors Regulation Authority advises against the use of email for property transactions due to the potential for cybercriminals to intercept and spoof messages. Email may be convenient, but with such large sums being transferred it pays to exercise caution.

While this solicitor email scam is common in the UK and Eire, legal firms in the United States should also exercise caution. Since the conveyancing scam is proving to be lucrative, it will only be a matter of time before U.S. lawyers are targeted.