Email Scams

Reports of Internet users that have been caught out by email scams continue to increase. Whether it is drivers being told to pay speeding fines via a link on an email, or Facebook users being advised that they have violated the terms of their account, innocent victims continue to be ripped off by cybercriminals using email scams.

Business email compromise scams are also reported to have increased. These email scams involve the cybercriminal gaining access to a corporate email account – such as that of the CEO. An email is then sent apparently from the CEO to a member of the finance department requesting a bank transfer to the cybercriminal´s account. All too often the transfer is made without question.

Many email scams attempt to extract log-in credentials by asking the recipient of the email to log into an account to resolve an issue. The email contains a link to a bogus website, where the recipient keys in their username and password. In the case of the Facebook email scam, this gives the cybercriminal access to the recipient´s genuine account and all their social media contacts.

Many individuals use similar username and password combinations for multiple accounts and a cybercriminal could get the individual´s log-in credentials to all their online accounts (personal and work accounts) from just one scam email. Alternatively they could use the log-in credentials to infect the user´s accounts with malware.

To protect against email scams, security experts advise if you are contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual sender or company supposed to have sent the email to confirm its authenticity. Do not use the contact information supplied in the email. Perform an Internet search to independently obtain the sender´s genuine contact details.

Other measures that can be taken to protect yourself from email scams include:

  • Carefully check the sender’s email. Does it look like it is genuine?
  • Never open email attachments from someone you do not know
  • If you receive an email offering you a prize or refund, stay safe and delete the email
  • Ensure anti-virus software is installed on your computer and is up to date.

Microsoft is the Most Impersonated Brand in Phishing Attacks on Businesses

Phishing scams can be difficult for employees to identify. The emails provide a plausible reason for taking a certain action, such as clicking a link in an email. The websites that users are directed to are virtually indistinguishable from the genuine websites that the scammers spoof and credentials are commonly captured.

The pandemic has seen increasing numbers of employees working from home and accessing their company’s cloud applications remotely. Businesses are now much more reliant on email for communication than when employees were all office based. Cybercriminals have been taking advantage and have been targeting remote workers with phishing scams and many of these attacks have been successful.

Employees often receive training on cybersecurity and are told to be wary of emails that have been sent from unknown individuals, but many still open the emails and take the requested action. The emails often spoof an individual that is known to the recipient, which increases the likelihood of that email being opened. It is also common for well known brands to be impersonated in phishing attacks, with the attackers exploiting trust in that brand.

A recent analysis of phishing emails by Check Point revealed the most commonly impersonated brand in phishing attacks over the past 3 months is Microsoft, which is not surprising given the number of businesses using Office 365. The study revealed 43% of phishing attempts that mimic brands impersonate Microsoft.

Microsoft credentials are then captured in these attacks and are used to remotely access accounts. The data stored in a single email account can be substantial. There have been many healthcare phishing attacks that have seen a single account compromised that contained the sensitive data of tens of thousands or even hundreds of thousands of patients. These phishing emails are often only the first step in a multi-stage attack that gives the threat actors the foothold they need for a much more extensive attack on the organization, often resulting in the theft of large amounts of data and ending with the deployment of ransomware.

Microsoft is far from the only brand impersonated. The analysis revealed DHL to be the second most impersonated brand. DHL-based phishing attacks use failed delivery notifications and shipping notices as the lure to get individuals to either disclose sensitive information such as login credentials or open malicious email attachments that download malware. 18% of all brand impersonation phishing attacks involve the impersonation of DHL. This makes sense as the phishers target businesses and especially during a pandemic when there is increased reliance on courier companies.

Other well-known brands that are commonly impersonated include PayPal and Chase to obtain account credentials, LinkedIn to allow professional networking accounts to be compromised, and Google and Yahoo are commonly impersonated to obtain account credentials. Attacks spoofing Amazon, Rakuten, and IKEA also make the top 10 most spoofed brand list.

Phishers mostly target business users as their credentials are far more valuable. Businesses therefore need to ensure that their phishing defenses are up to scratch. Security awareness training for employees is important but given the realistic nature of phishing emails and the plausibility of the lures used, it is essential for more reliable measures to be implemented to block phishing attacks.

Top of the list of anti-phishing measures should be an advanced spam filter. Many businesses rely on the spam filtering capabilities of Office 365, but this only provides a level of protection. The default spam filter in Office 365 is not particularly effective at blocking sophisticated phishing attacks. Businesses that rely on Microsoft’s Exchange Online Protection (EOP) see many phishing emails delivered to inboxes where they can be opened by employees.

To better protect against phishing attacks, a third-party spam filter should be layered on top of Office 365. SpamTitan has been developed to provide enhanced protection for businesses that use Office 365. The solution implements seamlessly with Office 365 and the solution is easy to implement and maintain. The result will be far greater protection from phishing attacks and other malicious emails that employees struggle to identify.

For further information on SpamTitan, to register for a free trial, and for details of pricing, give the TitanHQ team a call today.

Trump-Themed Phishing Emails Attempt to Deliver QRAT Malware

A Trump-themed phishing campaign has been detected that attempts to deliver the Qnode Remote Access Trojan (QRAT) under the guise of a video file that appears to be a Donald Trump sex tape.

QRAT is a Java-based RAT that was first detected in 2015 that has been used in several phishing campaigns over the years, with an uptick in distribution observed from August 2020. Interestingly, the malicious file attachment – named “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no relation to the phishing email body and subject line, which offers a loan as an investment for a dream project or business plan. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be provided if there is a good return on the investment and between $500,000 and $100 million can be provided. It is unclear whether an error has been made and the wrong file attachment was added to the email or if this was a deliberate mismatching of a malicious .jar file. While the emails are unlikely to fool many end users, there may be enough interest in the video to pique the interest of some recipients.

The phishing campaign does appear to be poorly constructed, but the same cannot be said of the malware the campaign attempts to deliver. The version of QRAT delivered in this campaign is more sophisticated than previously detected versions, with several improvements made to evade security solutions. For instance, the malicious code used as the QRAT downloader is obfuscated and split across several different buffers within the .jar file.

Phishing campaigns often take advantage of interest in popular new stories and the Presidential election, allegations of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is likely that this will not be the only Trump-themed phishing campaign to be conducted over the next few days and months.

This campaign appears to target businesses, where the potential returns from a malware infection is likely to be far higher than an attack on consumers. Blocking threats such as this is easiest with an advanced email security solution capable of detecting known and new malware variants.

SpamTitan is an advanced, cost-effective spam filtering for businesses and the leading cloud-based spam filter for managed service providers serving the SMB market. SpamTitan incorporates dual anti-virus engines to identify known malware threats, and a Bitdefender-powered sandbox to identify zero-day malware. The solution also supports the blocking of risky file types such as JARs and other executable files.

SpamTitan is also effective at blocking phishing emails without malicious attachments, such as emails with hyperlinks to malicious websites. The solution has multiple threat detection features that can identify and block spam and email impersonation attacks and machine learning technology and multiple threat intelligence feeds that provide protection against zero-minute phishing attacks.

One of the main reasons why the solution is such as popular choice with SMBs and MSPs is the ease of implementation, use, and maintenance. SpamTitan takes the complexity out of email security to allow IT teams to concentrate on other key tasks.

SpamTitan is the most and top-rated email security solution on Capterra, GetApp and Software Advice, is a top three solution in the three email security categories on Expert Insights and has been a leader in the G2 Email Security grids for 10 consecutive quarters.

If you want a spam filtering solution that is effective and easy to use, look no further than SpamTitan. For more information, give the TitanHQ team a call. SpamTitan is also available on a free trial to allow you to evaluate the solution in your own environment before deciding on a purchase.

2020 Phishing Statistics

The threat from phishing is ever present and phishing remains the leading cause of data breaches. All it takes is for one employee to fall for a phishing email for threat actors to gain the foothold they need to conduct more extensive attacks on the organization. But how common is phishing? In this post we provide some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing defenses.

2020 Phishing Statistics

Phishing is the easiest way for cybercriminals to gain access to sensitive data and distribute malware. Little skill or effort is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The latest figures show that in 2020, 22% of reported data breaches started with a phishing email and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc., and the massive Home Depot data breach in 2014 that saw the email addresses of 53 million individuals stolen.

Phishing can be conducted over the phone, via SMS, social media networks, or instant messaging platforms, but email is most commonly used. Around 96% of all phishing attacks occur via email. Successful phishing attacks result in the loss of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving the incidents and resultant data breaches is substantial. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security revealed the average cost of a data breach is around $150 per compromised record with a total cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to resolve.

Employees may believe they are able to spot phishing emails, but data from security awareness training companies show that in many cases, that confidence is misplaced. One study in 2020 revealed that 30% of end users opened phishing emails, 12% of users clicked a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing websites. Bear in mind that 78% of users claimed that they know they shouldn’t open email attachments from unknown senders or click links in unsolicited emails.

The 2020 phishing statistics show phishing and spear phishing are still incredibly common and that phishing attacks often succeed. Another study revealed 85% of companies have fallen victim to a phishing attack at least once. Phishing websites are constantly being created and used in these scams. Once a URL is confirmed as malicious and added to a blacklist, it has often already been abandoned by the threat actors. In 2020, around 1.5 million new phishing URLs were identified every month.

2020 has seem a massive increase in ransomware attacks. While manual ransomware attacks often see networks compromised by exploiting vulnerabilities in firewalls, VPNs, RDP, and networking equipment, ransomware is also delivered via email. Since 2016, the number of phishing emails containing ransomware has increased by more than 97%.

How to Detect and Block Phishing Threats

Tackling phishing and preventing successful attacks requires a defense in depth approach. An advanced spam filtering solution is a must to prevent phishing emails from reaching inboxes. Companies that use Office 365 often rely on the protections provided as standard with their licenses, but studies have shown that the basic level of protection provided by Microsoft’s Exchange Online Protection (EOP) is insufficient and average at best and phishing emails are often not detected. A third-party, solution is recommended to layer on top of Office 365 – One that incorporates machine learning to identify never before seen phishing threats. The solution should use email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks and outbound scanning to identify compromised mailboxes.

End user training is also important. In the event of a phishing email arriving in an inbox, employees should be trained to identify it as such and be conditioned into reporting the threat to their IT team to ensure action can be taken to remove all instances of the threat from the email system. Web filters are also important for blocking the web-based component of phishing attacks and preventing employees from visiting phishing URLs. Multi-factor authentication on email accounts is also essential. In the event of credentials being stolen, MFA will help to ensure that the credentials cannot be used to access email accounts.

Beware of COVID-19 Vaccine Phishing Scams!

Cybercriminals are leveraging interest in COVID-19 vaccination programs and are conducting a range of COVID-19 vaccine phishing scams with the goal of obtaining sensitive data such as login credentials or to distribute malware. Several government agencies in the United States have recently issued warnings to businesses and consumers about the scams including the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services, and law enforcement agencies such as the FBI.

COVID-19 vaccine scams can take many forms. Campaigns have already been detected that offer early access to COVID-19 vaccines. These scams require a payment to be made as a deposit or a fee to get to the top of the waiting list. Other scams offer the recipients a place on the waiting list if they apply and provide personal information.

COVID-19 vaccine phishing scams are being conducted via email; however, it is likely that fraudsters will advertise on websites, social media channels, or conduct scams over the telephone or via SMS messages and instant messaging platforms. While many of these scams target consumers, there is potential for businesses to be affected if employees access their personal emails at work or if the scam emails are sent to work email addresses.

Scam emails often include links to websites where information is harvested. These links may be hidden in email attachments to hide them from email security solutions. Office documents are also commonly used for delivering malware, via malicious macros.

The emails typically impersonate trusted entities or individuals. COVID-19 vaccine scam emails are likely to impersonate healthcare providers, health insurance companies, vaccine centers, and federal, state, or local public health authorities. During the pandemic there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in Covid-19 related phishing scams.

The U.S. Department of Justice recently announced that two domains have been seized that impersonated vaccine developers. The domains were virtual carbon copies of the legitimate websites of two biotechnology companies involved in vaccine development. The malicious content has been removed, but there are likely to be many more domains registered and used in COVID-19 vaccine phishing scams over the coming weeks.

Warnings have also been issued about the risk of ransomware attacks that take advantage of interest in COVID-19 vaccines and provide the attackers with the foothold in networks they need to conduct their attacks.

There are four important steps that businesses can take to reduce to risk of falling victim to these scams. Since email is extensively used, it is essential to have an effective spam filtering solution in place. Spam filters use blacklists of malicious email and IP addresses to block malicious emails, but since new IP addresses are constantly being used in these scams, it is important to choose a solution that incorporates machine learning. Machine learning helps to identify phishing threats from IP addresses that have not previously been used for malicious purposes and to identify and block zero-day phishing threats. Sandboxing is also important for identifying and blocking zero-day malware threats that have yet to have their signatures incorporated into the virus definition lists of antivirus engines.

While spam filters can identify and block emails that contain malicious links, a web filtering solution is also recommended. Web filters are used to control the websites that employees can access and prevent visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated via threat intelligence feeds to provide protection against recently discovered malicious URLs.

Businesses should not neglect end user training and should regularly provide refresher training to employees to help them identify phishing threats and malicious emails. Phishing simulation exercises are also beneficial for evaluating the effectiveness of security awareness training.

Multi-factor authentication should also be applied as a last line of defense. In the event of credentials being compromised, multi-factor authentication will help to ensure that stolen credentials cannot be used to remotely access accounts.

With these measures implemented, businesses will be well protected from malware, COVID-19 vaccine phishing scams, and other phishing threats.

For further information on spam filtering, web filtering, and protecting your business from malware and phishing attacks, give the TitanHQ team a call today.

Fake COVID-19 Financial Aid and Remote Working HR Memos Used in New Phishing Campaigns

Phishers are constantly changing their tactics to fool employees into clicking on links and disclosing their credentials. During the pandemic, many scammers switched from their tried and tested campaigns using standard business-themed lures such as fake invoices, purchase orders, and shipping notices to COVID-19 themed lures. These lures were topical and took advantage of people craving information about the coronavirus and COVID-19.

Phishers Use Fake Internal Memos About Changes to HR Work from Home Policies

Now a new phishing campaign has emerged that takes advantage of the changed business practices due to COVID-19. Many employees are still working remotely, even though their employers have started reopening their offices. During the pandemic, employees have got used to receiving regular internal company memos and updates.

The new phishing campaign spoofs the company’s HR department and appears to be an automated internal company email, similar to the messages employees are used to receiving. The emails claim to have voicemail attachments, which will also be familiar to many remote workers. The HTML attachments are personalized with the recipient’s name to add credibility to the message.

If the file attachment is opened, the user will be presented with a link they are required to click to receive the company information. In one campaign, this was a SharePoint link, although other cloud services could similarly be used. The link directs the user to SharePoint and provides an update on the company’s remote working policy. After reading the message, the worker is required to click a link that directs them to the actual phishing page where sensitive information is collected.

This campaign is very realistic. The fake remote working policy is well written and plausible and states that if employees wish to continue working from home after the pandemic, they are required to complete an HR form to provide notice in writing. The SharePoint-hosted Excel form where the user is directed is also plausible, but in addition to the request to continue to work from home, the user is required to supply their email credentials.

Phishing Campaign Offers Government Financial Aid to COVID-Affected Workers

A separate phishing campaign has been identified that is also linked to the pandemic, spoofing government agencies and offering pandemic-related financial assistance for individuals prevented from working due to COVID-19 restrictions or have otherwise been adversely affected. This campaign has targeted U.S. citizens, although similar campaigns could be conducted targeting individuals in other countries.

In this campaign, which has the subject message “US government to give citizens emergency financial aid,” the message states that the government begun issuing payments of cash compensation in October 2020. The message states that payment is only provided to USA residents and the maximum payout is $5,800.

A link is supplied in the email that the user is required to click to make a claim, which the email states will be reviewed by a support representative who will send a personal response within 24 hours. The link directs the user to a domain that spoofs the U.S. government. The user is required to enter their name and date of birth, followed by their address, contact information, Social Security number, and driver’s license number on a second form.

Phishing is the Most Common Type of Cybercrime

A recent Clario/Demos survey confirmed that phishing and email attacks are the most common types of cybercrime reported in both the United States and the United Kingdom.

The pandemic has made it easier for phishing attacks to succeed. Phishers are taking advantage of the uncertainty about changes to new ways of working caused by the pandemic, people working home alone without such a high level of support, and vulnerabilities that have been introduced as a result of the change to a fully remote workforce.

Businesses can better protect their employees by using cloud-based email and web filtering solutions. These solutions work in tandem to block the email and web-based component of phishing attacks and malware distribution campaigns. A cloud-based email filtering solution will filter out the majority of malicious messages and will keep inboxes free of threats. A web filter will prevent end users from visiting malicious links, downloading malicious attachments, or visiting malicious websites either through work-related or non-work-related Internet activity when working from the office or remotely.

TitanHQ has developed two easy to use, easy to implement, and highly effective email and web security solutions for protecting office-based and remote workers from the full range of web and email threats, including previously seen phishing emails and zero-minute attacks and new malware threats.

To better protect your business, your employees, and your networks from threats, give the TitanHQ team a call today to find out more. You will also have the opportunity to trial the SpamTitan Email Security and WebTitan Web Security solutions to see for yourself how easy they are to use and the protection they offer. You are also likely to be pleasantly surprised by how little this level of protection will cost.

Many Healthcare Organizations Lack the Right Solutions to Block Phishing Attacks

The threat of phishing is ever present, especially for the healthcare industry which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, with many of the attacks having their roots in a successful phishing attack. One that delivers a ransomware downloader such as the Emotet and TrickBot Trojans, for example.

A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.

One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.

Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts.  Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credential to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.

That does represent a considerable improvement from 2015 when the survey was last conducted, when just 37% had implemented MFA, but it shows there is still considerable for improvement, especially in an industry that suffers more than its fair share of phishing attacks.

In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.

These cyberattacks not only take up valuable resources and disrupt busines operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.

The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list – One that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.

One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.

Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.

TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.

Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.

If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and the potential regulatory fines that can follow, give the TitanHQ team today and inquire about SpamTitan Email Security and WebTitan Web Security.

COVID-19 Has Created the Perfect Environment for Black Friday Scams

Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.

Surge in Phishing Attacks in the Run Up to Black Friday

The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.

Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.

Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more busines to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.

Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.

With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.

How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats

This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.

The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.

SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.

WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.

If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.

Phishing Scam Spoofs IRS to Obtain Fraudulent Outstanding Tax Payment

A phishing campaign has been identified that spoofs the U.S. Internal Revenue Service (IRS) and advises recipients that they are facing imminent legal action to recover outstanding tax.

The emails are convincing and well written and are final demands for payment to prevent legal action to recover the outstanding funds. The emails warn the recipient that the IRS has made several attempts to make contact by telephone after no response was received to a written demand for payment that the emails claim was mailed 18 months previously in May 2019. The failure to respond has led to the IRS taking legal action, with charges due to be filed imminently to recover the outstanding tax.

In contrast to many scams that seek login credentials or attempt to get the user to open file attachments to trigger a malware download, this scam uses social engineering techniques to scare the recipient into making contact via email to resolve the fictitious issue. The purpose of the scam is to get the recipient to make a fraudulent payment or disclose their financial account information.

The lack of any hyperlinks or email attachments makes it more likely that the email will be delivered to inboxes and will not be identified as malicious by security solutions. Fortunately, SpamTitan users will be protected from this scam as multiple checks are performed which identify the scam for what it is.

The message body contains all the classic hallmarks of a phishing scam:

  • There is urgency to get prompt action taken – Immediate resolution of the issue is necessary
  • There is a threat of negative consequences if no action is taken – Legal action to recover funds
  • The request is plausible, but an atypical request is made – to only make contact via email

The emails include a case file number, detail the outstanding amount – $1450.61 in this case – and include a docket number and warrant ID for the impending legal action. The recipient is told that legal action will proceed in 4 days if payment is not made, and that the opportunity for voluntary action to rectify the issue is coming to an end.

In addition to the threat of legal action and a court case, the recipient is informed that credit reference bureaus may also be notified about the late/missed payment, which would negatively impact their credit score.

The emails have the subject line “Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST,” indicating this is not the first time that the message has been sent, helping to emphasize that this is a final warning.

Steps have been taken to make the email appear official, with the display text of the sender address indicating the message has been sent from support @ irs.gov – the legitimate domain used by the IRS. However, the reply to email address supplied is legal.cc @ outlook.com – Which is clearly not an official IRS domain and the message headers show that the email was not sent from the domain stated.

The email does include a postal address; however, no telephone number is supplied. Full contact information would be provided in official IRS communications, although the IRS would not initiate contact with individuals via email.

The phishing emails highlight the importance of stopping to think about what is being requested and to take time to check emails carefully before responding, no matter how pressing the threat may be. Any request for payment should be verified by phone, with contact information obtained from a trusted source, never the contact details supplied in the email. A call to the IRS would quickly reveal this to be a scam.

The reason these scams succeed is because they rely on individuals responding quickly without thinking. Fortunately, an effective spam filter will detect these scam emails and will quarantine or reject the messages.

Election Interference-Themed Phishing Emails Identified Distributing the QBot Trojan

Cybercriminals have taken advantage of the uncertainty over the U.S. presidential election result over the past few days and are using exploiting fear about voting fraud to infect users with malware. With so many postal votes being sent this year, which take much longer to count than in-person votes, there was always going to be a delay in determining the outcome of the presidential election. In such a close election a winner may not be declared for some time, certainly several days after election day, and possibly weeks given the likelihood of several legal challenges and recounts.

Spam campaigns exploiting the situation started to be sent soon after the polls had closed distributing the QBot banking Trojan. When a device is infected with the QBot Trojan, the user’s email account is hijacked and used to send copies of the malware to the user’s contacts. To increase the probability of emails being opened by the recipients, previous email threads are hijacked, and a response is sent with a malicious attachment containing a macro that downloads the malware.

In this campaign, a search is performed for emails containing the word “election” and replies are sent to the senders of those messages. A zip file is attached to the emails named “ElectionInterference,” with the zip file containing a malicious spreadsheet.

The messages encourage the recipient to open the attached spreadsheet to discover important information about interference in the election. With President Trump suggesting in press conferences that there is substantial evidence of election fraud, these messages may seem very credible and enticing to recipients.

The spreadsheet mimics a secure DocuSign file and the user is instructed to enable content to decrypt the file and view the contents; however, doing so will allow macros to run which will silently download the Qbot Trojan.

The QBot Trojan was first identified in 2008; however, it has received many updates over the years to add new functions and mechanisms to evade security solutions. The ability to hijack Outlook email threads is a fairly new feature. The same tactic is also used by the Emotet Trojan to increase the probability of messages and their malicious attachments being opened. The tactic has proven very effective for the operators of Emotet.

In addition to targeting customers of major financial institutions, the QBot Trojan steals sensitive information such as credit card information and passwords. Like Emotet and the TrickBot Trojan, QBot is also a malware dropper. The operators of QBot team up with other threat groups and deliver their malicious payloads, with ransomware often delivered to QBot victims.

Threat actors are quick to seize any opportunity to infect devices with malware, as was seen in the early days of the COVID-19 pandemic when threat groups switched their spamming infrastructure to send COVID-19 themed lures. Election-themed emails are likely to continue for some time with legal challenges to the result expected. Holiday season is also fast approaching, and like previous years, threat actors will send Black Friday, Cyber Monday, and other holiday period themed phishing lures to steal credentials and distribute malware.

Businesses can protect against these phishing and malspam campaigns using a combination of a spam filter, web filter, antivirus software, and end user training. For further information on protecting your business against email and web-based threats, give the TitanHQ team a call.

Combating Healthcare Phishing Attacks: Tips for Healthcare Organizations

The healthcare industry is one of the main targets for hackers, and while ransomware attacks have increased considerably in recent months and vulnerabilities in VPNs, RDP, and software solutions are frequently exploited, healthcare phishing attacks are far more common.

Phishing attacks on healthcare organizations allow threat actors to steal credentials to gain access to email accounts and other systems and steal highly sensitive data. Phishing emails are also used to deliver malware loaders such as the Emotet Trojan, which delivers other malware payloads such as the TrickBot banking Trojan, which in turn delivers ransomware.

Most cyberattacks start with a phishing email, so it is essential for healthcare organizations to ensure they implement safeguards to block these attacks and by doing so, prevent costly data breaches and regulatory fines.

The HHS’ Office for Civil Rights has imposed substantial fines on HIPAA-covered entities for data breaches that have started with a phishing email, including the two largest ever HIPAA fines issued to date – the $16 million financial penalty for Anthem Inc. for its 78.8 million-record data breach and the $6,850,000 penalty for Premera Blue Cross for its breach of the protected health information 10,466,692 individuals.

Tips to Prevent Healthcare Phishing Attacks…

Unfortunately, as far as phishing goes, there is no silver bullet. No single solution will provide total protection against healthcare phishing attacks. What is required is layered defenses – technical solutions providing overlapping layers of security – and adherence to tried and tested cybersecurity best practices. Some of the most important anti-phishing measures you can implemented to stop healthcare phishing attacks are detailed below:

Implement an Advanced Spam Filter

A spam filter is one of the most important technical controls to block phishing attacks and prevent malicious emails from reaching the inboxes of your employees. Advanced spam filters use a combination of blacklists of known malicious IPs, email header and content scanning, link analysis, anti-virus scans, sandboxing, SPF, DKIM, and DMARC to detect and block email impersonation attacks, and AI and machine learning to identify zero-day phishing attacks.

You should implement an advanced spam filter and set rules to filter out all suspicious emails and reject malicious messages. Outbound scanning is also important to detect compromised email accounts that are being used to conduct further phishing attacks on your organization and vendors.

Use a Web Filter to Block the Web-Based Component of Phishing Attacks

Email filters are effective, but not infallible. New tactics, techniques, and procedures are commonly developed by threat actors to fool email security solutions. You may be able to block all malware and 99.9% or more of all malicious messages, but some messages are likely to sneak past your defenses.

A web filter provided additional protection by preventing your employees from visiting known malicious URLs that have been masked in phishing emails. Web filters block the web-based component of phishing attacks and malware downloads from the internet and work in tandem with spam filters to improve your security posture and block healthcare phishing attacks.

Implement Multi-Factor Authentication

A SANS Institute report suggests multi-factor authentication will block 99% of attempts by threat actors to use stolen credentials to remotely access email accounts, while Microsoft says MFA will stop more than 99.9% of email account attacks, yet many admins have not implemented multi-factor authentication. A recent survey by CoreView researchers suggests 78% of Microsoft 365 admins have not enabled MFA on their M365 accounts.

In the event of credentials being stolen – in a phishing attack or using brute force tactics – MFA should prevent those credentials from being used to remotely access your accounts.

Provide Regular Security Awareness Training

Technical measures are important for preventing healthcare phishing attacks but don’t forget the human element. Employees need to be trained how to recognize phishing emails and taught the correct response when a suspicious email is received. Security awareness training should also cover cybersecurity best practices.

To create a “security aware” culture in your organization, you need to provide regular security awareness training sessions, including an annual training session for all staff and more frequent shorter sessions or online CBT sessions throughout the year, making sure you keep the workforce aware of the latest threats. Not only will training help to prevent healthcare phishing attacks from succeeding, it is also a requirement for HIPAA compliance.

Conduct Phishing Simulation Exercises

Training is important, but so is testing. If you do not test your employees’ security knowledge, you will not know whether your training has been successful. There will always be employees that require more training than others, and through testing you will be able to identify the individuals that need more help.

Phishing simulation exercises are the best way to achieve this. You can find weak links in your workforce as well as your training program and ensure they are addressed.

Take Care with the Information You Make Available Online

In order to conduct a targeted phishing attacks on your organization, an attacker needs to know your email addresses. This information can often easily be found online in organizational charts and staff directories. Limiting the information you publish online will make it harder for email addresses to be harvested and used in attacks on your organization.

How to Reduce the Severity of Successful Healthcare Phishing Attacks

Healthcare phishing attacks are extremely common and often result in the exposure or theft of large amounts of protected health information. The Office for Civil Rights breach portal lists many email security breaches that have exposed the personal and health information of tens of thousands and even hundreds of thousands of patients and health plan members.

When conducting a risk analysis, consider what would happen in the event of a breach and take steps to reduce the severity of a breach should your defenses be penetrated. It is a good best practice to implement an email archiving solution to send all emails to a secure, cloud archive to ensure that no email data is lost and to implement policies requiring emails containing PHI to be deleted from your mail system. In the event of a breach, the PHI exposed will be greatly reduced and so too will the breach costs.

By using an email archive, you will still be able to remain compliant and retain al email data, but you will be able to significantly reduce risk while improving the performance of your mail server.

New Windows Update Lure Used in Phishing Campaign Distributing the Emotet Trojan

The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.

The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.

Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachments that the recipient is required to open to view further information.

Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.

Users are instructed in the documents to enable content using a variety of tricks, oftentimes the documents state that the Word document has been created on an IoS or mobile device, and content needs to be enabled to allow the content to  be viewed or that the contents of the document have been protected and will not be displayed unless content is enabled.

Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.

The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.

The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few year to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.

As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.

It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employee’s inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.

Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.

To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.

A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.

Phishing Campaigns Targeting Users of Teleconferencing Platforms

Teleconferencing applications have been invaluable during the coronavirus pandemic. They have helped businesses continue to operate during extremely challenging times and have helped support a largely remote workforce.

Platforms such as Zoom, Skype, and Microsoft Teams saw user numbers skyrocket as national lockdowns were imposed and the high usage has continued as lockdowns have eased. The popularity of these platforms has not been missed by cybercriminals, who have devised many phishing campaigns targeting users of these platforms.

The platforms are used as instant messaging services by many workers who are keen to show that they are working hard while at home, so when a message arrives in an inbox informing them they have people trying to connect, they have missed a meeting, or there is a problem with their account, they are likely to reply quickly, often without thinking about the legitimacy of the request.

At first glance these emails appear to be genuine. The request is credible, the images and logos are legitimate, but closer inspection should reveal the messages are not what they seems.

Microsoft Teams Phishing Scams

One of the latest phishing campaigns to spoof a teleconferencing platform targets Office 365 users by spoofing Microsoft Teams. The messages advise the recipient that “There’s new activity in Teams,” and “Your teammates are trying to reach you in Microsoft Teams.” The email claims messages are waiting, and it is necessary to “Reply in Teams” to connect.

Clicking the link will direct the user to a web page that requires them to login to their Microsoft account. Everything on the page is how it should be, as the spoofed login page has been copied from Microsoft. However, close inspection of the URL will reveal a typo. The URL starts with microsftteams to make the web page appear genuine at first glance, but the full URL shows this is not a Microsoft domain. If the user enters their credentials they will be captured and used by the scammers to access the user’s account.

This is far from the only phishing scam to target Microsoft Teams users to obtain Microsoft Office credentials. Several Microsoft Teams phishing scams have attempted to obtain credentials using missed messages from teammates and other plausible lures.

Microsoft Office credentials are extremely valuable to scammers. Accounts can be used to gain access to email data, send further phishing emails, access intellectual property, and can be used as a launchpad for further attacks on the organization. The credentials can also be sold to other cybercriminals.

Similar scams have targeted users of other platforms such as Skype and Zoom. Users of the latter were targeted in one campaign that claimed a meeting was cancelled due to the pandemic, using subject lines such as “Meeting Canceled – Could we do a Zoom call.” A link is included in the email to initiate a call, with the destination site similarly harvesting credentials.

How to Avoid Teleconferencing Platform Phishing Scams

As with other forms of phishing scams, employees need to be vigilant. The emails create a sense of urgency and there is often a “threat” of bad consequences if no action is taken, but it is important to stop and think before responding to a message and to take time to check the email carefully.

You should not open any email attachments or click links in unsolicited emails, especially messages sent from unknown email addresses. Even if the email address appears genuine, take care. Access the teleconferencing platform using your normal login method, never using the links in the emails.

Businesses can protect their remote workers by implementing an advanced spam filtering solution such as SpamTitan to block these emails at source and ensure they are not delivered to their remote workers’ inboxes. A web filtering solution such as WebTitan is also advisable, as it will block attempts to visit malicious websites used to phish for credentials.

For further information on spam filtering and web filtering to protect your business, give the TitanHQ team a call today. Both solutions are available on a free trial – with full product support – to allow you to evaluate their effectiveness before making a decision.

UK Businesses Targeted in HMRC Phishing Scam

Businesses in the United Kingdom are being targeted by scammers impersonating Her Majesty’s Revenue and Customs. There have been several campaigns identified over the past weeks that are taking advantage of the measures put in place by the UK government to help businesses through the COVID-19 pandemic and the forced lockdowns that have prevented businesses from operating or have forced them to massively scale back operations.

The HMRC scams have been numerous and diverse, targeting businesses, the self-employed, furloughed workers and others via email, telephone, and SMS messages. Some of the scams involve threats of arrest and jail time due to the underpayment of tax, demanding payment over the phone to avoid court action or arrest.

One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a third-party hacked email account. The email advised recipients that they were due a tax refund from HMRC. A link is supplied in the email that the recipient is required to click to receive their refund. In order to apply to receive the refund the user must enter sensitive information into the website, which is captured by the scammers.

Another campaign has been identified that spoofs HMRC and similarly seeks sensitive information such as bank account and email credentials. In response to the COVID-19 pandemic, the UK government launched a scheme to help businesses by allowing them to defer their VAT payments between March and June 2020, until June 2021 to help ease the financial burden of the nationwide lockdown. Many businesses took advantage of the scheme and applied to have their Value Added Tax (VAT) payments deferred.

The campaign uses emails that spoof HMRC and inform businesses that their application to have their VAT payments deferred has been rejected as the company is in arrears. The emails include an attachment with further information and a report on their application. The document is password protected and the password is supplied in the email to allow the file to be opened.

A hyperlink is supplied which must be clicked which directs the user to a website where they are asked to enter sensitive information such as their bank account details and email address and password, which are captured by the scammers.

COVID-19 has presented scammers with a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are credible, the messages are well written, and the scammers have gone to lengths to make their phishing websites look like the entities they spoof.

Businesses should be on high alert and be particularly vigilant for phishing scams. They should advise their employees to take extra care with any request that requires the disclosure of sensitive information.

Technical controls should also be considered to block phishing emails at source and prevent visits to malicious websites. That is an area where TitanHQ can help. TitanHQ offers two anti-phishing solutions for businesses and MSPs to help them block phishing attacks: SpamTitan and WebTitan.

SpamTitan is a powerful email security solution that blocks phishing emails at source, preventing malicious messages from reaching inboxes. WebTitan is a DNS filtering solution that is used to control the websites that can be accessed over wired and wireless networks, blocking access to web pages that are used for phishing and malware delivery.

Both solutions are available on a free trial to allow you to evaluate their effectiveness before deciding on a purchase. Further information on the solutions, their benefits, and pricing can be obtained by calling the TitanHQ team.

5 Ways to Quickly Identify a Phishing Email

Even though there are easy ways to identify a phishing email, many employees are fooled by these scams. Phishing attacks involve the use of social engineering to convince the target to take a certain action, such as opening an email attachment that has a malicious script that downloads malware or visiting a website that requires sensitive information to be entered. These scams can be convincing, the reason supplied for taking a particular action is often credible, and any linked website can be difficult to distinguish from the site it impersonates.

Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.

How to Identify a Phishing Email

Phishing emails can take many forms and there is a myriad of lures that are used to fool the unwary, but there are tell-tale signs that an email may not be what it seems. By checking certain elements of an email, you will be able to identify all but the most sophisticated phishing attempts. It only takes a few seconds to perform these checks and that time will be well spent as they will help you identify a phishing email and prevent costly data breaches and malware infections.

Check the true sender of the email

This seems an obvious check but spoofing the sender of an email is one of the most common ways that phishers fool people into responding. The display name is spoofed to make it appear that the email has been sent from a trusted contact. The display name may be PayPal, Netflix, the name of your bank, or your boss or a colleague. However, the actual email address is likely to be from a free email service provider such as @gmail.com or @yahoo.co.uk.

Hover your mouse arrow over the display name or click reply and check the actual sender of the email. The domain name (the bit after @) should match the display name and that domain should be one that is used by the company that appears to have sent you the email. Beware of hyphenated domains such as support-netflix.com. These are unlikely to be genuine.

Check for grammatical errors and spelling mistakes

Read the email carefully. Are there spelling mistakes or grammatical errors? Does the wording seem odd, as if it has not been written by a native English speaker? Scammers are often from non-English speaking countries and may use Google translate to create their emails, which is why the wording may seem a little odd.

Before Google, Netflix, or your bank sends an email, it will be subject to proof checking. Mistakes will be made on occasion by they are exceedingly rare. Some phishing scams deliberately include spelling mistakes and poorly written emails to weed out people who are unlikely to fall for the next stage of the scam. If you fall for the email, it is likely that you can be fooled by the next stage of the attack.

Phishing emails are often addressed in a way that makes it clear that the sender does not know your name.  “Dear customer” for example. Most companies will use your name in genuine email communications.

Phishers use urgency and a “threat” if no action is taken

Phishers want you to take action quickly rather than stop and think about the legitimacy of any request. It is common for a request to be made that needs immediate action to prevent something undesirable from happening.

For example, someone has tried to login to your account and you need to take immediate action to secure your account. Something has happened that will result in your account being closed. A payment has been made from your account for something that you have not purchased, and you need to take action to stop that payment from going through. Phishers use fear, urgency, and threats to get prompt action taken and count on people acting quickly without thinking or carefully checking the email. Spending an extra 30 seconds checking an email will not make any difference to the outcome, but it can prevent you from being fooled by a scam.

Check the true destination of any link in the email

Most phishing attacks seek sensitive information such as login credentials. For these to be obtained, you will most likely be directed to a website where you must enter login credentials, financial information, and personal details to verify your identity. Emails are often written in HTML and include a button to click that directs you to a website.

You should check the true URL before clicking. Hover your mouse arrow over any button to find out where you are being directed and make sure the URL matches the context of the message and uses an official domain name of the company referenced in the email. The same applies to the anchor text of a link – the text that is displayed in a clickable link. Make sure you perform the same check on any link before clicking.

On a mobile device this is even more important, as the small screen size means it is not always possible to display the full URL. The visible part of the URL may look like it is genuine, but when viewing the full URL you will see that it is not. Just press on the URL and keep pressing until the link is displayed.

Beware of email attachments

Email attachments are used in phishing scams for distributing malware and for hiding content from spam filters. Hyperlinks are put in an attachment rather than the message body to fool security solutions, and scripts are used in email attachments that may run automatically when the attachment is opened.

If you are sent an unsolicited email that includes an attachment, treat it as suspicious and try to verify the email is legitimate. If the email has been sent by a colleague, give them a quick call to make sure they actually sent the email, even if the sender check was passed. Someone may have compromised their account. Do not use any contact information supplied in the email, as it is likely to be incorrect.

Only open email attachments that you are confident are genuine, and then never “enable content” as this will grant a macro or other malicious script permission to run.

Anti-Phishing Solutions for Businesses

TitanHQ has developed two powerful anti-phishing solutions to help businesses block phishing and other email and web-based cyberattacks. SpamTitan is an advanced email security solution that has been independently verified as blocking 99.97% of spam and phishing emails and is used by thousands of businesses to keep their inboxes free of threats.

SpamTitan performs a myriad of checks to determine the likelihood of an email being malicious, including RBL checks, Bayesian analysis, heuristics, machine learning techniques to identify zero-day threats, and sender policy frameworks to block email impersonation attacks. Dual antivirus engines are used to detect known malware and sandboxing is used to analyze suspicious email attachments safely to check for malicious actions.

WebTitan is a DNS filtering solution that blocks the web-based component of phishing attacks by preventing employees visiting known malicious websites, suspicious sites. WebTitan also blocks malware downloads.

Both solutions are competitively priced, easy to implement and use, and provide protection against the full range of email and web-based threats. For further information on improving protection from phishing attacks and other cyber threats, give the TitanHQ team a call. Alternatively, you can register for a no obligation free trial of both solutions to evaluate them in your own environment.

Warning for Small Businesses About SBA Loan Phishing Scams

Several SBA loan phishing scams identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.

Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.

Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.

Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.

Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.

Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.

The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.

In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails links to a cleverly spoofed SBA web page that indistinguishable from the genuine login page apart from the URL that attempts to steal credentials. The scam prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.

These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.

First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.

Dual antivirus engines detect 100% of known malware and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.

Prior to opening any downloaded document or file it should be scanned using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.

Care should be taken opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive information.

Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are genuine. Always carefully check the sender of the email – Genuine SBA accounts end with sba.gov. The display name can easily be spoofed so click reply and carefully check the email address is correct. Care should be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is the legitimate domain.

CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real-time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by employees.

For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.

Phishing Scam Targets Remote Workers Returning to the Office

A new phishing campaign has been identified that targets remote workers that will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that prior to returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.

This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training.  The emails include the Office 365 logo and are short and to the point.

They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”

The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”

Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.

This campaign, like many others to have emerged over the past few weeks, closely follow world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, incorporation was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.

Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about Free school dinners over the summer, now that the UK government has said that it will be providing support to parents.

There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. This campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.

What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, that are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard and be alert to the threat from phishing and always take time to consider the legitimacy of any request and to perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.

Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.

iCalandar Phishing Scam Attempts to Obtain Banking Credentials

A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.

iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.

Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.

As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.

If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.

The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.

There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website are suspect, the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.

These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.

TrickBot Malware Operators Adopt Black Lives Matter Malspam Campaign

As the COVID-19 pandemic has clearly shown, cybercriminals are quick to adapt their phishing and malware campaigns in response to global and local events. New lures are constantly developed to maximize the probability of success.

In the early stages of the pandemic, when very little was known about SARS-CoV-2 and COVID-19, there was huge public concern and cybercriminals took advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly change their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus started to spread globally and there was a huge craving for knowledge about the virus and local cases.

It is therefore no surprise to see the TrickBot operators adopt a new lure related to Black Lives Matter. There were huge protests in the United States following the death of George Floyd at the hands of a police officer, and those protests have spread globally. In several countries the headlines have been dominated by stories about Black Lives Matter protests and counter protests, and the public mood has presented another opportunity for the gang.

The latest TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been crafted to appeal to individuals both for and against the protests. The emails contain a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are likely.

The emails request the user open and complete the form in the document to submit their anonymous feedback. The Word document includes a macro which users are requested to enable to allow their feedback to be provided. Doing so will trigger the macro which will download a malicious DLL, which installs the TrickBot Trojan.

TrickBot is first and foremost a banking Trojan but is modular and frequently updated with new functions. The malware collects a range of sensitive information, can exfiltrate files, can move laterally, and also download other malware variants. TrickBot has been extensively used to download Ryuk ransomware as a secondary payload when the TrickBot gang has achieved their initial objective.

The lures used in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can help to improve resilience to phishing threats by conditioning employees how to respond to unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to identify threats that land in their inboxes.

Regardless of the ruse used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are identified as such and are blocked and never reach end users’ inboxes. That is an area where TitanHQ can help.

SpamTitan Cloud is a powerful email security solution that provides protection against all email threats. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing provides protection against zero-day malware and phishing threats. No matter what email system you use, SpamTitan adds an important extra layer of security to block threats before they reach inboxes.

For further information on how you can improve protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call today.

Office 365 Phishing Scam Bypasses Multi-Factor Authentication

A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that has been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.

The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.

The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.

Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.

Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.

By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.

The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.

The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.

With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.

This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.

For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.

Two New Phishing Campaigns Targeting Remote Workers

Two new phishing campaigns have been identified targeting remote workers. One campaign impersonates LogMeIn and the other exploits the COVID-19 pandemic to deliver a legitimate remote administration tool that allows attackers to take full control of a user’s device.

LogMeIn Spoofed to Steal Credentials

Remote workers are being targeted in a phishing campaign that spoofs LogMeIn, a popular cloud-based connectivity service used for remote IT management and collaboration. The emails claim a new update has been released for LogMeIn, with the messages appearing to have been sent by the legitimate LogMeIn Auto-Mailer. The emails include the LogMeIn logo and claim a new security update has been released to fix a new zero-day vulnerability that affects LogMeIn Central and LogMeIn Pro.

A link is supplied in the email that appears to direct the recipient to the accounts.logme.in website and a warning is provided to add urgency to get the user to take immediate action. The email threatens subscription of the service will be suspended if the update is not applied.

The anchor text used in the email masks the true site where the user will be directed. If clicked, the user will be directed to a convincing spoofed LogMeIn URL where credentials are harvested.

There has been an increase in phishing attacks spoofing remote working tools in recent weeks such as LogMeIn, Microsoft Teams, Zoom, GoToMeeting, and Google Meet. Any request sent by email to update security software or take other urgent actions should be treated as suspicious. Always visit the official website by entering the URL into the address bar or use your standard bookmarks. Never use information provided in the email. If the security update is genuine, you will be advised about it when you login.

NetSupport Remote Administration Tool Used to Take Control of Remote Workers’ Laptops

A large-scale phishing campaign has been detected that uses malicious Excel attachments to deliver a legitimate remote access tool that is used by the attackers to take control of a victim’s computer.

The emails used in this campaign appear to have been sent from the Johns Hopkins Center and claim to provide a daily update on COVID-19 deaths in the United States. The Excel file attached to the email – covid_usa_nyt_8072.xls – displays graph taken from the New York Times detailing COVID-19 cases and when opened the user is encouraged to enable content. The Excel file contains a malicious Excel 4.0 macro that downloads a NetSupport Manager client from a remote website if content is enabled, and the client will be automatically executed.

The NetSupport RAT delivered in this campaign drops additional components, including executable files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Once installed it will connect with its C2 server, allowing the attacker to send further commands.

Block Phishing Attacks and Malware with SpamTitan and WebTitan Cloud

The key to blocking phishing attacks is to implement layered anti-phishing defenses. SpamTitan serves as an additional layer of protection for email that works in tandem with the security anti-spam measures implemented by Google with G-Suite and Microsoft with Office 365 to provide a greater level of protection, especially against sophisticated attacks and zero-day threats. SpamTitan itself includes multiple layers of security to block threats, including dual anti-virus engines, sandboxing, DMARC, and predictive technologies to identify never-before-seen phishing and malware threats.

WebTitan Cloud serves as an additional layer of protection to protect against the web-based component of phishing attacks, with time-of-click protection to block attempts by employees to visit phishing websites linked in emails and redirects to malicious websites during general web browsing. WebTitan works in tandem with email security solutions to increase protection for employees regardless where they access the internet and allows different policies to be set when they are on and off the network.

For further information on these powerful cybersecurity solutions give the TitanHQ a team a call today to book a product demonstration and to receive assistance getting set up for a free trial of the full products.

Cybercriminals Take Advantage of Popularity of Zoom to Phish for Microsoft Credentials

Zoom has proven to be hugely popular during the COVID-19 pandemic. The teleconferencing platform has allowed businesses to keep in touch with their employees during lockdown and many consumers are using the platform to keep in touch with friends and family. The popularity of the platform has not been missed by cybercriminals who are now using a range of Zoom-themed lures to trick people into downloading malware.

Any software solution that has been widely adopted is an attractive target for cybercriminals. The large number of users of the platform mean there is a high likelihood of a Zoom phishing email reaching someone who has previously used the solution. In December, there were around 10 million Zoom users worldwide and by March 2020 that number had increased to more than 200 million.

According to research from Check Point, more than 2,449 domains have been registered in the past three weeks that contain the word Zoom, 320 (13%) of which were identified as suspicious and 32 (1.5%) were confirmed as malicious. Many of these domains are likely to be used in Zoom phishing scams.

The Zoom phishing emails mimic genuine notification messages from Zoom and contain hyperlinks that the user is asked to click. The lures mostly consist of fake meeting reminders and notifications about missed scheduled meetings. The hyperlinks used in the emails often include the word Zoom to make it appear that the user is being directed to a genuine Zoom website.

In April, a Zoom phishing campaign was identified that used fake meeting reminders to alert users that they are required to take part in a Zoom meeting with their HR department regarding the termination of their employment. The link supplied in the email directs the user to a spoofed Zoom website on an attacker-controlled domain where their credentials are harvested.

Another Zoom phishing campaign has been identified that uses the subject line “Zoom Account” with the emails welcoming the user to the Zoom platform. The emails include a link that the user is asked to click to login to activate their account. Doing so will result in Zoom credentials being stolen.

One of the most recent campaigns warns the recipient they have missed a meeting and must login to their account to obtain the recording. In this case, Zoom is spoofed but the attackers seek Microsoft credentials, which can be used to obtain a wealth of sensitive data. With those credentials the attackers can take full control of Office 365 email accounts, which are used to conduct further phishing attacks on the organization.

Zoom is not the only teleconferencing platform being spoofed to steal credentials and distribute malware. Campaigns have also been identified recently that spoof WebEx, Microsoft Teams, Google Meet, and other platforms.

Protecting against these Zoom phishing scams requires a combination of an advanced antispam solution such as SpamTitan and end user education to train employees how to recognize phishing emails.

Common Phishing Lures Currently Attracting Clicks

A new report has been released that sheds light on the most common phishing lures that are currently in use that are providing effective against employees. KnowBe4 has revealed that in the first quarter of 2020, the most common phishing lure was a notification advising the recipient that they need to immediately perform a password check. This lure accounted for 45% of all reported phishing emails in the quarter. The lure is simple yet effective. A hyperlink is included in the email that directs the user to a spoofed webpage where they are required to enter their password for Office 365.

The COVID-19 crisis has provided phishers with new opportunities to steal passwords and distribute malware. At TitanHQ, we have seen a huge variety of COVID-19 themed phishing emails, many of which spoof authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). The emails claim to offer important information on the coronavirus and updates on cases. SpamTitan has been blocking increasing levels of these coronavirus emails over the past few weeks so it is no surprise to see a COVID-19 phishing lure in second place, which had the subject line: CDC Health Alert Network: Coronavirus Outbreak Cases.

Other common COVID-19 themed phishing emails include messages about rescheduled meetings due to the coronavirus, COVID-19 tax refunds, information from the IT department about working from home, and offers of confidential information about COVID-19. The report indicates there was a 600% increase in COVID-19 phishing lures in Q1, 2020.

COVID-19 had been embraced by cybercriminals and used in phishing campaigns because the emails commonly attract a click. People are naturally worried about the pandemic and crave information that they can use to protect themselves and their families. The campaigns prey on fears about the coronavirus and use urgency to get recipients to click without questioning the legitimacy of the email.

SpamTitan and WebTitan users are well protected against these phishing threats. Early in the year, just a handful of malicious COVID-19 phishing websites were being used for phishing and malware distribution. Now, SpamTitan and WebTitan are blocking tens of thousands of COVID-19 themed websites that are being used to spread malware and steal sensitive information.

SpamTitan incorporates dual antivirus engines to block known malware threats and sandboxing provides protection against malware variants that have yet to be identified. Suspicious email attachments that have not been detected as malicious by the antivirus engines are sent to the sandbox for in depth analysis. SpamTitan also incorporates SPF and DMARC to block email impersonation attacks, and a host of measures are used to assess the legitimacy of emails and embedded hyperlinks.

The key to good cybersecurity is to implement several layers of security. In addition to an advanced spam filtering solution such as SpamTitan you should consider implementing a DNS-based web filtering solution such as WebTitan to block the web-based component of phishing attacks. WebTitan provides comprehensive internet filtering to ensure that office-based employees and remote workers cannot navigate to websites used for phishing and malware distribution.

If you want to make sure that your workers, their devices, and your network are protected against malware, ransomware, and phishing attacks, give us a call today. SpamTitan and WebTitan can be implemented and configured in a matter of minutes and providing protection against email and web-based threats.

PerSwaysion Spear Phishing Attacks Conducted to Obtain Office 365 Credentials of Executives

A new phishing campaign has been identified that uses the Microsoft Sway file sharing service as part of a three-stage attack with the goal of obtaining the Office 365 credentials of high-level executives.

Group IB researchers identified the campaign and named it PerSwaysion, although versions of the attack have been identified that have used OneNote and SharePoint. The campaign is highly targeted and has been conducted on high-level executives at more than 150 companies. The individuals behind the campaign are believed to operate out of Nigeria and South Africa, with the earliest traces of the attacks indicating the campaign has been running since around the middle of last year.

The PerSwaysion attack starts with a spear phishing email sent to an executive in the targeted organization. The phishing emails include a PDF file attachment with no malicious code embedded. The PDF file just includes a link that the user is required to click to view the content of the file. The link directs the user to file on a Microsoft Sway page, which also requires them to click a link to view the content. Microsoft Sway allows the previewing of the document and displays the content without the user having to open the document. The document states the name of the sender – a known contact – and that individual’s email address with the message that a file has been shared for review along with a hyperlink with the text ‘Read Now’. Clicking the link directs the user to a phishing page with an Office 365 Single Sign-on login prompt.

The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page are all branded with Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into disclosing their credentials.

Once credentials have been obtained, they are used the same day to access the Office 365 account, email data is copied from the account, and it is then used to send further spear phishing emails to individuals in the victim’s contact list. The sent emails are then deleted from the victim’s sent folder to ensure the attack is not detected by the victim.

The emails include the sender’s name in the subject line, and since they have come from the account of a known contact, they are more likely to be opened. The lure used is simple yet effective, asking the recipient to open and review the shared document.

Many of the attacks have been conducted on individuals at companies in the financial services sector, although law firms and real estate companies have also been attacked. The majority of attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.

It is possible that the attackers continue to access the compromised emails accounts to steal sensitive data. Since the campaign targets high level executives, the email accounts are likely to contain valuable intellectual property. They could also be used for BEC scams to trick employees into making fraudulent wire transfers.

Spike in Skype and Zoom Phishing Attacks Targeting Remote Employees

The lockdown imposed due to COVID-19 has forced employees to abandon the office and work from home, with contact maintained using communications solutions such as Skype, Slack, and Zoom. Unsurprisingly the huge increase in use of these platforms has created an opportunity for cybercriminals, who are using fake notifications from these and other communication and teleconferencing platforms as lures in phishing campaigns on remote workers.

Several campaigns have been identified that take advantage of the popularity of these platforms. One campaign has recently been identified that uses Skype branding advising users that they have pending notifications. The emails are personalized and include the Skype username and have a review button for users to click to review their notifications. These emails very closely resemble the genuine emails sent to users by Skype. The emails also appear, at first glance, to have been sent from a genuine address.

The link supplied in the email directs the recipient to a hxxps website that has Skype in the domain name. Since the connection between the browser and the website is encrypted, it will display the green padlock to show that the connection is secure, as is the case on the genuine Skype domain. The webpage includes Skype branding and the logo of the company being targeted and states that the webpage has been set up for authorized use by employees of the company. The username of the victim is automatically added to the login page, so all that is required is for a password to be entered.

This campaign was identified by Cofense, which received multiple reports from business users about the emails, which bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.

A Zoom campaign has also been identified that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many businesses for use by employees to maintain contact during the lockdown. The platform has also proven popular with consumers and now has more than 300 million users.

In this campaign, Zoom meeting notifications are sent to targets. As is common with phishing campaigns, the attackers generate fear and urgency to get the targets to respond quickly without scrutinizing the messages. This campaign advises the recipients to login to a meeting with their HR department regarding their job termination. Clicking the link will similarly direct users to a fake login page where they are required to enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was identified by Abnormal Security, which reports that around 50,000 of these messages were delivered to Office 365 accounts and bypassed EOP.

The phishing emails are credible, the webpages that users are directed to look genuine, and many people will be fooled by the emails. Security awareness training will help to condition employees to question emails such as these, but given the number of messages that are bypassing Microsoft’s EOP, businesses should also consider adding an additional layer of email security to their Office 365 accounts.

This is an area where TitanHQ can help. SpamTitan Cloud does not replace EOP for Office 365, it allows businesses to add an extra layer of protection on top to provide extra protection from zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware laced emails that would otherwise be delivered to Office 365 inboxes.

SpamTitan Cloud is quick and easy to implement and can protect your Office 365 accounts in a matter of minutes. Since the solution is available on a free trial, you will be able to evaluate the difference it makes and see how many malicious messages it blocks before committing to a purchase.

For further information on improving your phishing defenses, give the TitanHQ team a call today.

Phishing Campaign Piggybacks on Popularity of Dating Apps During Lockdown to Install Remote Access Trojan

Higher education institutions in the United States are being targeted in a phishing campaign that distributes a remote access trojan called Hupigon, a RAT that was first identified in 2010.

The Hupigon RAT has previously been used by advanced persistent threat groups (APT) from China, although this campaign is not believed to have been conducted by APT groups, instead the Hupigon RAT has been repurposed by cybercriminals. While several industries have been targeted in the campaign, almost half of attacks have been on colleges and universities.

The Hupigon RAT allows the operators to download other malware variants, steal passwords, and gain access to the microphone and webcam. Infection could see the attackers take full control of an infected device.

The campaign uses online dating lures to get users to install the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is asked to select the one they find the most attractive. When the user makes their choice, they are directed to a website where an executable file is downloaded, which installs the Hupigon RAT.

The choice of lure for the campaign is no doubt influenced by the huge rise in popularity of dating apps during the COVID-19 pandemic. While there are not many actual dates taking place due to lockdown and social distancing measures now in place around the globe, the lockdowns have seen many people with a lot of time on their hands. That, coupled with social isolation for many singles, has actually led to an uptick in the use of online dating apps, with many users of the apps turning to Zoom and FaceTime to have virtual dates. Several popular dating apps have reported an increase in use during the COVID-19 pandemic. For example, Tinder reports use has increased, with the platform having its busiest ever day, with more than 3 billion profiles swiped in a single day.

As we have already seen with COVID-19 lures in phishing attacks, which account for the majority of lures during the pandemic, when there is interest in a particular event or news story, cybercriminals will take advantage. With the popularity of dating apps soaring, we can expect to see an increase in the number of online dating -themed lures.

The advice for higher education institutions and businesses is to ensure that an advanced spam filtering solution is in place to block the malicious messages and ensure they do not reach end users’ inboxes. It is also important to ensure that security awareness training continues to be provided to staff, students, and remote employees to teach them how to recognize the signs of phishing and other email threats.

TitanHQ can help with the former. If you want to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call today. After signing up, you can be protecting your inboxes in a matter of minutes.

Healthcare Providers Continue to be Targeted with COVID-19 Phishing Emails

Healthcare providers are being targeted by cybercriminals using COVID-19 themed phishing emails, with the campaigns showing no sign of letting up. The volume of attacks has prompted the U.S. Federal Bureau of Investigation (FBI) to issue a further warning to healthcare providers urging them to take steps to protect their networks and block the attacks.

The first major COVID-19 themed phishing attacks targeting healthcare providers started to be detected by around March 18, 2020. The attacks have grown over the following weeks and the lures have diversified.

Campaigns have been conducted targeting at-home healthcare employees who are providing telehealth services to patients, and there has been an increase in business email compromise scams. The latter see vendors impersonated and requests sent for early or out-of-band payments due to difficulties that are being experienced due to COVID-19.

The phishing attacks are being conducted to obtain login credentials and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the exfiltration of sensitive data.

The malware being distributed in these campaigns is highly varied and includes information stealers such as Lokibot, backdoors, and Trojans such as Trickbot. Microsoft has recently reported that Trickbot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced documents. In addition to being a dangerous malware variant in its own right, Trickbot also downloads other malicious payloads, including RYUK ransomware.

A diverse range of malware is delivered by a similarly diverse range of email attachments and malicious scripts. Microsoft Word documents containing malicious macros are commonly used, as are 7-zip compressed files, Microsoft executables, and JavaScript and Visual Basic scripts. The emails are being sent from a combination of domestic and international IP addresses.

While the number of COVID-19 themed phishing emails has been increasing, the overall volume of phishing emails has not increased by a major amount. What is happening is threat actors are changing their lures and are now using COVID-19 lures as they are more likely to be opened.

The campaigns can be highly convincing. The lures and requests are plausible, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization have been spoofed. Oftentimes the emails are sent from a known individual and trusted contact, which makes it more likely that the email attachment will be opened.

The advice offered from the FBI is to follow cybersecurity best practices such as never opening unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied promptly is also important, as is turning off automatic email attachment downloads. The FBI has also recommended filtering out certain types of attachments through email security software, something that is easy to do with SpamTitan.

The FBI has stressed the importance of not opening email attachments, even if antivirus software says that the file is clean. As the Trickbot campaign shows, new variants of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up. This is another area where SpamTitan can help. In addition to using dual antivirus engines to identify known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats that have yet to have their signatures added to antivirus software virus definitions lists.

Training is important to teach healthcare employees cybersecurity best practices to help them identify phishing emails, but it is also important to ensure that your technical controls are capable of blocking these threats. For more information on the latter, give the TitanHQ team a call today.

Study Reveals Extent of University Cyberattacks

Data obtained by the UK think tank Parliament Street has revealed the extent to which universities are being targeted by cybercriminals and the sheer number of spam and malicious emails that are sent to the inboxes of university staff and students.

Data on malicious and spam email volume was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.

Warwick University’s figures show that more than 7.6 million spam emails were sent to the email accounts of staff and students in the final quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails containing malware.

It was a similar story at Bristol University, which received more than 7 million spam emails over the same period, 76,300 of which contained malware. Data from the London School of Hygiene and Tropical Medicine revealed more than 6.3 million spam emails were received in 2019, which included almost 99,000 phishing emails and more than 73,500 malware attacks. 12,773,735 spam and malicious emails were received in total for 2018 and 2019.

Data from Lancaster University revealed more than 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as suspected spam. The figures from Imperial College London were also high, with almost 40 million emails blocked in 2019.

Like attacks on companies, cyberattacks on universities are often conducted for financial gain. These attacks attempt to deliver malware and obtain credentials to gain access to university networks to steal data to sell on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be used for identity theft and other types of fraud. Attacks are also conducted to deliver ransomware to extort money from universities.

Universities typically have high bandwidth to support tens of thousands of students and staff. Attacks are conducted to hijack devices and add them to botnets to conduct a range of cyberattacks on other targets. Email accounts are being hijacked and used to conduct spear phishing attacks on other targets.

Nation state sponsored advanced persistent threat (APT) groups are targeting universities to gain access to intellectual property and research data. Universities conduct cutting edge research and that information is extremely valuable to companies who can use the research data to develop products to gain a significant competitive advantage.

Universities are seen as relatively soft targets compared to organizations of a similar size. Cybersecurity defenses tend to be far less advanced, and the sprawling networks and number of devices used by staff and students make defending networks difficult.

With the number of cyberattacks on universities growing, leaders of higher education institutions need to take steps to improve cybersecurity and prevent the attacks from succeeding.

The majority of threats are delivered via email, so advanced email security defenses are essential, and that is an area where TitanHQ can help.

Independent test show SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan incorporates dual anti-virus engines to block known threats, machine learning to identify new types of phishing attacks, and sandboxing to detect and block zero-day malware and ransomware threats. When email attachments pass initial tests, suspicious attachments are sent to the sandbox for in depth analysis to identify command and control center callbacks and other malicious actions. SpamTitan also incorporates SPF and DMARC controls to block email impersonation attacks, data loss prevention controls for outbound messages and controls to detect potential email account compromises.

If you want to improve cybersecurity defenses, start with upgrading your email security defenses with SpamTitan. You may be surprised to discover the little investment is required to significantly improve your email security defenses. For more information, call the TitanHQ team today.

Phishing Attack Ends in Ryuk Ransomware Infection for City of Durham, NC


The City of Durham and the County of Durham in North Carolina have experienced a ransomware attack that has crippled both. The attack ‘started’ on March 6 in the late evening, which is common for ransomware attacks. Most take place in the evening and over the weekend, when there is less chance of the file encryption being detected.

Two separate attacks occurred simultaneously. Fast action by the IT department helped to contain the attack, but not in time to prevent approximately 80 servers from being infected. Those servers were encrypted and need to be rebuilt and approximately 1,000 computers had to be re-imaged.

There are many ways that cybercriminals gain access to business networks to deploy malware, but email is the most common attack vector. Most cyberattacks start with a phishing email and this attack was no different.

Ryuk ransomware was used to encrypt files on the network in order to extort money from the city and country. A ransom demand is issued which, depending on the extent of encryption, can range from several thousand dollars to several million. This phase of the attack is the most visible and causes the most disruption, but the attack actually started much earlier.

Ruyk ransomware is delivered by the TrickBot Trojan, an information stealer turned malware downloader. One installed on a networked device, the TrickBot Trojan performs reconnaissance, moves laterally, and installs itself on other computers on the network. Once all useful information has been found and exfiltrated, a reverse shell is opened and access to the system is given the ransomware operators. They will then move laterally and download their ransomware payload onto as many devices as possible on the network.

TrickBot downloaded by Emotet malware, a notorious botnet and Emotet is delivered via email. The Emotet campaigns used a combination of Office documents with malicious macros that download the malware payload and hyperlinks to websites where malware is downloaded. TrickBot may also be delivered directly through spam email. This Trio of malware variants can do a considerable amount of damage. Even if the ransom is not paid, losses can be considerable. The Trojans can steal a substantial amount of sensitive information including email credentials, banking credentials, tax information, and intellectual property.

In this case, seven computers appear to have been compromised in the first phase of the attack as a result of employees responding to phishing emails.

The key to blocking attacks such as this is to have layered defenses in place that are capable of blocking the initial attack. That means an advanced spam filtering solution is required to block the initial phishing emails and end users must receive regular security awareness training to help them identify any malicious emails that arrive in their inboxes. Multifactor authentication is needed to prevent stolen credentials from being used to access email accounts and endpoint security solutions are required to detect malware if it is downloaded.

To find out more about protecting your systems from phishing and malware attacks, and how a small per user cost per month can prevent a hugely expensive cyberattack, give the TitanHQ team a call today.

Beware of COVID-19 Phishing Emails

Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.

People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.

Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.

The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.

The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.

The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.

Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.

In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.

Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.

With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.

Emotet Phishing Campaigns Continue and New Wi-Fi Infection Method Identified

Emotet is the biggest malware threat faced by businesses and activity has increased considerably in recent weeks after a lull in December. Several new campaigns are now being identified each week, most of which are target businesses. One of the most recent campaigns uses a tried and tested technique to install the |Emotet Trojan. Malicious Word documents masquerading as invoices, estimates, renewals, and bank details.

The campaign mostly targets organizations in the United States and United Kingdom, although attacks have also been detected in India, Spain, and the Philippines. Approximately 90% of emails in this campaign target the financial services, with around 8% of attacks on companies in the food and drink industry.

The malicious Word documents are either attached to emails or hyperlinks are included in the emails that direct the user to a compromised website where the Word document is downloaded. The websites used are frequently changed and new Emotet variants are frequently released to prevent detection. Email security solutions that rely on AV engines to detect malware are unlikely to detect these zero-day threats as malicious.

Since Emotet is a massive botnet, emails spreading the Emotet Trojan come from many different sources. Email security solutions that rely on real-time blacklists are unlikely to detect these sources as malicious.

Emotet is primarily distributed via email from infected devices, but recently another distribution method has been identified. Emotet also spreads via Wi-Fi networks. This method has been used for almost two years, but it has only just been detected by security researchers at Binary Defense.

When Emotet is installed, a worm.exe binary is dropped that runs automatically. It attempts to connect to nearly Wi-Fi networks and brute forces weak passwords. Once connected to a Wi-Fi network, a search is conducted for non-hidden shares on the network. An attempt is made to enumerate all users connected to the Wi-Fi network, devices are brute forced, and the Emotet binary is dropped.

How to Block Emotet

The constantly changing tactics of the Emotet gang make detection difficult and no single solution will provide protection against all forms of attack. What is needed is a defense in depth approach and layered defenses.

The primary defense against a predominantly email-based threat such as Emotet is an advanced spam filtering solution. Many businesses have use Office 365 and rely on the protection provided by Exchange Online Protection (EOP), which is included as standard with Office 365 licenses. However, EOP alone will not provide enough protection against Emotet. EOP will block all known malware threats, but it struggles to identify zero-day attacks. To block zero-day attacks, more advanced detection methods are required.

SpamTitan has been developed to work seamlessly with EOP to protect Office 365 email from zero-day threats. SpamTitan uses a variety of techniques to identify Emotet, including dual antivirus engines to block known Emotet variants and sandboxing to block zero-day attacks. Suspicious or unknown attachments are sent to the sandbox where they are subjected to in depth analysis to identify command and control server call backs and other malicious actions. SpamTitan also scans outgoing emails to identify attempts to spread Emotet from an already-infected machine. SpamTitan also incorporates DMARC to identify email impersonation and domain spoofing, which are commonly used in emails spreading Emotet.

To provide protection against the web-based element of attacks, including Emotet emails that use malicious hyperlinks rather than email attachments, another layer needs to be added to cybersecurity defenses – a DNS filtering solution such as WebTitan.

WebTitan uses real-time URL threat detection powered by 650 million end users. The real-time database includes more than 3 million malicious URLs and IP addresses and each day around 100,000 new malicious URLs are detected and blocked. WebTitan also includes real-time categorization and detection of malicious domains, full-path URLs, and IPs, with up to the minute updates performed to block new malicious sources. As soon as a URL is identified as being used to distribute Emotet (or other malware) it is blocked by WebTitan. WebTitan also conducts link & content analysis, static, heuristic, & behavior anomaly analysis, and features in-house and 3rd party tools and feeds to keep users protected from web-based threats.

Other essential steps to take to tackle the threat from Emotet include:

  • Disable macros across the organization
  • Ensure operating systems are kept up to date and vulnerabilities are promptly patched.
  • Set strong passwords to thwart brute force attacks
  • Ensure endpoint protection solutions are deployed on all devices
  • Provide security awareness training to employees
  • Conduct phishing simulation exercises to identify employees that require further training

New PayPal Phishing Scam Seeks Extensive Amount of Personal Information

A new PayPal phishing scam has been identified that attempts to obtain an extensive amount of personal information from victims under the guise of a PayPal security alert.

The emails appear to have been sent from PayPal’s Notifications Center and warn users that their account has been temporarily blocked due to an attempt to log into their account from a previously unknown browser or device.

The emails include a hyperlink that users are asked to click to log in to PayPal to verify their identity. A button is included in the email which users are requested to click to “Secure and update my account now !”. The hyperlink is a shortened bit.ly address, that directs the victim to a spoofed PayPal page on an attacker-controlled domain via a redirect mechanism.

If the link is clicked, the user is presented with a spoofed PayPal login. After entering PayPal account credentials, the victim is told to enter a range of sensitive information to verify their identity as part of a PayPal Security check. The information must be entered to unlock the account, with the list of steps detailed on the page along with the progress that has been made toward unlocking the account.

First of all, the attackers request the user’s full name, billing address, and phone number. Then they are required to confirm their credit/debit card details in full. The next page requests the user’s date of birth, social security number, ATM or Debit Card PIN number, and finally the user is required to upload a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo ID.

This PayPal phishing scam seeks an extensive amount of information, which should serve as a warning that all is not what it seems, especially the request to enter highly sensitive information such as a Social Security number and PIN.

There are also warning signs in the email that the request is not what it seems. The email is not sent from a domain associated with PayPal, the message starts with “Good Morning Customer” rather than the account holder’s name, and the notice included at the bottom of the email telling the user to mark whitelist the sender if the email was delivered to the spam folder is poorly written. However, the email has been written to encourage the recipient to act quickly to avoid financial loss. As with other PayPal phishing scams, many users are likely to be fooled into disclosing at least some of their personal information.

Consumers need to always exercise caution and should never respond immediately to any email that warns of a security breach, instead they should stop and think before acting and carefully check the sender of the email and should read the email very carefully. To check whether there is a genuine issue with the account, the PayPal website should be visited by typing in the correct URL into the address bar of the browser. URLs in emails should never be used.

Tax Season Phishing Scams and Malspam Campaigns Start in Earnest

Tax season is now underway and business email compromise scammers have stepped up their efforts to obtain W-2 forms for tax fraud. These attacks often start with spear phishing emails targeting the CEO and the executive board. Once email credentials have been obtained, the accounts are then accessed, and emails are sent internally to payroll and the HR department requesting the W-2 forms of employees who have worked in the previous tax year.

Scammers targets businesses as there is much greater potential for profit than attacks on individual taxpayers, although consumers also need to be wary of IRS-related phishing scams. This time of year sees an increase in IRS phishing scams. Scammers impersonate the IRS and send emails informing taxpayers about a tax refund that is due and demands are sent for outstanding tax, with threats of dire consequences if prompt action is not taken to address issues.

Advances in email security have meant cybercriminals have had to get creative as it is harder to sneak phishing emails past email defenses. Phishing scams are now commonly initiated via text message, post, and over the telephone. There has already been one campaign identified where consumers are being targeted using robocalls warning that Social Security numbers have been suspended after suspicious activity was detected.

While many of these scams seek personal information, others are conducted to spread malware. One threat group that started its tax-related scams early this year is the Emotet gang. A campaign is currently being conducted that uses emails containing fake signed W-9 forms.

Signed W-9 forms are requested by companies from their contractors if they have been paid in excess of $600 during the tax year. Many companies will have requested signed W-9 forms from their contractors to confirm addresses and tax identification numbers, so they will be expecting copies of these forms in their inboxes.

The Emotet emails are short and to the point, saying “Thank you for your help. Pleased see attached file.” The emails include a Word document attachment named W-9.doc. When the document is opened, the Office 365 logo is displayed along with text stating the document was created in OpenOffice and requires the user to enable editing and enable content. Doing so triggers the silent download of the Emotet Trojan.

This is just one of the tax-related messages being used by the Emotet gang. There are likely to be many more variants sent over the next few weeks. Other cybercriminals gangs will similarly be conducting their own tax-themed phishing campaigns to spread different malware variants and ransomware.

Businesses, tax preparers, and consumers need to be on high alert during tax season for phishing scams and emails spreading malware.

Now is a good time for businesses to review their cybersecurity defenses and enhance protection against phishing and malware attacks. If you use Office 365 and rely on the anti-phishing protections built into Office 365 (EOP), you should consider enhancing your anti-phishing and anti-malware protection with a third-party spam filter – One that has superior malspam detection capabilities.

This is an area where TitanHQ can help. SpamTitan uses a variety of advanced techniques to detect and block phishing threats and zero-day malware, including a sandbox where unknown and suspicious email attachments are subject to in-depth analysis. Give the TitanHQ team a call to find out more about SpamTitan, improving office 365 malware and phishing protection, and to arrange a product demonstration and free trial of SpamTitan.

In the meantime, take steps to alert your workforce about tax-season phishing scams and prepare them in case a phishing email arrives in their inbox. An email alert sent to your employees about the threat of tax-season scams could prevent a costly phishing attack or malware infection.

Novel Coronavirus Phishing Scam Uses Scare Tactics to Spread Emotet Trojan

A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.

The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.

A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.

A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.

The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign is targeted on users in in different Japanese prefectures and warning of an increase in the number of local confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.

If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.

To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.

More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.

Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.

For further information on protecting your email system, contact TitanHQ today.

Emotet Botnet Springs Back to Life and Massive Phishing and Spamming Campaigns Resume

The Emotet botnet took a Christmas holiday but its now up and running again and the massive phishing and spamming campaigns have resumed. These campaigns, which involve millions of spam emails, use a variety of lures to trick people into opening an attachment and enabling content. The content in question includes a macro which runs a PowerShell command that downloads and executes the Emotet Trojan.

The Emotet Trojan is bad news. Emotet was once just a banking Trojan whose purpose was to steal online banking credentials. It still does that and much more besides. Emotet also steals credentials from installed applications and browsers. It is also self-propagating and will send copies of itself via email to the victim’s contacts. As if that was not bad enough, Emotet has another trick up its sleeve. It is also a downloader of other malware variants such as the TrickBot Trojan and Ryuk ransomware. These additional payloads allow data to be stolen and sold for profit and for files across the network to be encrypted and ransom demands issued. Emotet has also delivered cryptocurrency miners in the past and could deliver any number of other malware payloads.

The scale of the botnet is staggering. In the first quarter of 2019, Emotet was responsible for 6 out of 10 malicious payloads delivered via email. There are often breaks in activity, but even though the threat actors behind the botnet took almost half of 2019 off, Emotet still ranks as the top malware threat of the year.

Emotet sprung back to life on January 13, 2020 with targeted attacks on the pharmaceutical industry in North America, but it didn’t take long for the attacks to spread even further afield. Now more than 80 countries are being attacked and in addition to English, campaigns have been detected in Italian, Polish, German, Spanish, Japanese and Chinese.

The lures used to fool end users into opening email attachments are highly varied and often change. Tried and tested lures such as fake invoices, orders, statements, agreements, payment remittance notices, receipts, and delivery notifications are often used in attacks on businesses, which are the primary targets. Before the botnet shut down for a break in December, Greta Thunberg-themed emails were being used along with Christmas party invitations. A host no new lures can be expected in 2020.

The themes of the emails may change but the messages have one thing in common. They require an end user to take action. That is usually opening a document, spreadsheet or other file, but could be a click on a hyperlink in an email. Once that action is taken, Emotet will be silently downloaded.

There are two main ways of blocking attacks and both are necessary. The first is to ensure that the email system is secure, which means implementing an effective spam filter. Businesses that use Office 365 will have a modicum of protection through Exchange Online Protection (EOP), which is included with Office 365 subscriptions. However, businesses should not rely on EOP alone. Layered defenses are required.

SpamTitan is a powerful spam filter that will improve protection against malware threats such as Emotet. SpamTitan can be layered on top of Office 365 to provide greater protection and prevent the malware from being delivered to inboxes. Dual anti-virus engines are incorporated into the solution to detect known threats and SpamTitan includes a sandbox for identifying threats that signature-based detection mechanisms miss.

Many businesses deploy a variety of security solutions but fail to prepare their employees for an attack. If malicious emails make it past security solutions and are delivered to inboxes, all it takes is for one employee to fail to spot the threat and respond for Emotet to be installed (and potentially ransomware as well). It is therefore important to provide regular security awareness training to everyone in the company from the CEO down. If employees are not told how to identify malicious emails, they cannot be expected to spot threats and report the messages to the security team.

Fortunately, through a combination of email security solutions and security awareness training, the threat from Emotet can be neutralized. For more information on the former, give TitanHQ a call today.

Warnings Issued About Travelex Phishing Scams

Whenever there is a major event that attracts a lot of media attention cybercriminals will be poised to take advantage, so it is no surprise that warnings are being issued about Travelex phishing scams.

The Travelex ransomware attack that struck on New Year’s Eve involved a ransomware variant called Sodinokibi. The gang responsible is one of the most prolific threat groups using ransomware. The group’s attacks are highly targeted and seek to encrypt entire networks and the ransom demands reflect the scale of encryption. Travelex was initially issued with a demand for a payment of $3 million. That soon doubled to $6 million when payment was not made within the allocated timescale.

The fallout from the attack has been immense, which is unsurprising given that Travelex is the largest provider of currency exchange services worldwide. Many banks and retailers rely on Travelex to provide for their currency exchange services. Without access to those online services, currency exchange services came to a grinding halt. It has taken two weeks for Travelex to start bringing some of its services back online, but its website remains down and the disruption continues.

The attackers claimed to have stolen large quantities of customer data from Travelex. The attackers threatened to publish or sell the data if the ransom was not paid. This tactic is becoming increasingly common with ransomware gangs. In this case, the sodinokibi gang claimed to have gained access to Travelex systems 6 months previously and said they had stolen customer data including names, payment card information, and Social Security numbers and National Insurance numbers. The gang had also recently attacked the American IT company Artech Systems and had posted 337MB of data stolen in that attack, demonstrating to others that it was not an empty threat. Travelex maintained that no customer data had been stolen, but that has yet to be confirmed.

Warning Issued About Travelex Phishing Scams

Travelex customers should naturally err on the side of caution and monitor their accounts for signs of fraudulent use of their information but there are other risks from an attack such as this.

Travelex has issued a warning to its customers recommending they should be alert to the threat of phishing attacks via email and over the phone. Opportunistic scammers often take advantage of major events such as this and Travelex phishing scams are to be expected, as was the case following the TalkTalk data breach. These phishing scams are likely to be most effective on Travelex customers who have lost money as a result of the attack. Any offer of compensation or a refund is likely to attract a response.

For consumers, the advice is never to open email attachments or click on links in unsolicited emails. Businesses should also take steps to protect their networks from malware and phishing attacks.

Businesses should adopt a defense in depth strategy to protect against phishing scams and malware attacks. An advanced email security solution such as SpamTitan should be used to protect Office 365 accounts. SpamTitan improves protection against zero-day malware and phishing threats and blocks threats at the gateway.

A web filtering solution such as WebTitan should be used to block the web-based component of phishing and malspam campaigns and prevent end users from visiting malicious websites. End user training is also a must. It is important to teach employees how to identify phishing emails and malspam, and condition them how to respond when suspicious emails are received.

Ako Ransomware: A New Malware Threat Delivered via Spam Email

A new ransomware threat – Ako ransomware – has emerged which is targeting business networks and is being distributed via spam email. The ransomware is being offered to affiliates under the ransomware-as-a-service model and the aim of the attackers is clear. To maximize the probability of payment of the ransom by making recovery harder, and to steal data prior to encryption to ensure the attack is still profitable if the ransom is not paid. Having the data could also help convince the victims to pay up, as we have seen in recent attacks involving Maze and Sodinokibi ransomware, where threats are issued to publish stolen data if the ransom is not paid.

The developers of Ako ransomware appear to be going for large ransom payments, as they are not targeting individual workstations, rather the entire network. The ransomware scans local networks for other devices and will encrypt network shares. The ransomware deletes shadow copies and recent backups and disables Windows recovery to make recovery more difficult without paying the ransom.

Encrypted files are given a randomly generated file extension and retain the original file name. No ransom amount is stated in the ransom note. Victims are required to contact the attackers to find out how much they will need to pay for the keys to decrypt their files.

One of the intercepted emails being used to distribute the ransomware uses a password-protected zip file as an attachment. The email appears to be a business agreement which the recipient is asked to check. The password to open and extract the file is included in the message body. The zip file attachment – named agreement.zip – contains an executable file which will install Ako ransomware if it is run. The malicious file is called agreement.scr.

There is no free decryptor for Ako ransomware. Recovery without paying the ransom will depend on whether viable backups exist that have not also been encrypted. It is therefore important to make sure backups are regularly performed and at least one copy of the backup is stored on a non-networked device to prevent it also being encrypted by the ransomware. Backups should also be tested to make sure file recovery is possible.

Since Ako ransomware is being distributed via spam email, this gives businesses an opportunity to block an attack. An advanced spam filtering solution should be implemented that scans all inbound messages using a variety of detection mechanisms to identify malware and ransomware threats. A sandbox is an important feature as this will allow email attachments to be analyzed for malicious activity. This feature will improve detection rates of zero-day threats.

nd user training is important to ensure that employees do not open potentially malicious files. Training should condition employees never to open email attachments in unsolicited emails from unknown senders. As this campaign shows, any password protected file sent in an unsolicited email is a big red flag. This is a common way that ransomware and malware is delivered to avoid detection by antivirus solutions and spam filters.

Anti-spam solutions and antivirus software will not be able to detect the threat directly if malicious files are sent in password-protected archives, which can only be opened if the password is entered. Rules should therefore be set to quarantine password-protected files, which should only be released after they have been manually checked by an administrator. With SpamTitan, these rules are easy to set.

Ako ransomware is one of many new ransomware threats that have been released in recent months. High profile attacks on companies such as Travelex that see massive ransom demands issued, which in many cases are paid, show a huge payday is possible.

Ransomware developers will keep developing new threats for as long as attacks remain profitable, and there is not likely to be a shortage of affiliates willing to run spamming campaigns to get their slice of the ransom payments.

With the attacks increasing, it is essential for you to have strong defenses that can detect and block malware, ransomware, and phishing threats, and that is an area where TitanHQ can help.

To find out more about how you can improve your defenses against email and web-based threats, give the TitanHQ team a call today.

2-Year Phishing Attack Detected Targeting Canadian Bank Customers

Customers of Canadian banks have been targeted by cybercriminals in an extensive phishing campaign that has been ongoing for at least the past two years, according to Check Point Research which uncovered the campaign. As with many other financial phishing scams, the attackers spoof the website of a well-known bank and create a virtual carbon copy of the home page of the bank on a lookalike domain, which often only differs from the genuine domain name by a letter or two.

A link to the fraudulent site is then sent in a mass spamming campaign to email addresses on the specific country top level domain where the bank operates. The emails instruct users to visit the banks website and login, usually under the guise of a security alert. When the link in the email is clicked, the user is directed to the spoofed site and may not notice the domain name is not quite right. They then enter their login credentials which are captured by the scammers. The credentials are then used to make fraudulent wire transfers to accounts controlled by the attackers.

In this campaign, the emails include a PDF email attachment. PDF files tend to be trusted to a higher degree than Word documents and spreadsheets, which end users have usually been instructed to treat as suspicious. The PDF file includes a hyperlink, which the user is instructed to click. Since the hyperlink is in the document rather than the email body, it is less likely to be scanned by email security solutions and has a higher chance of being delivered.

The user is told that they are required to update their digital certificate to continue using the online banking service. The PDF file includes the bank logo and a security code, which the user is required to enter when logging in. The code is included in the PDF attachment rather than email body for security reasons. As with most phishing scams, there is urgency. The recipient is told that the code expires in 2 days and that they must register within that time frame to avoid being locked out of their account.

The landing pages on the websites are identical to those used by the banks as the attackers have simply taken a screen shot of the bank’s landing page. Text boxes have been added where the username, password, and token number must be entered. Users are then asked to confirm the details they entered while the attackers attempt to access their account in real-time and make a fraudulent transfer.

These tactics are nothing new. Scams such as this are commonplace. What is surprising is how long the campaign has been running undetected. The scammers have been able to operate undetected by registering many lookalike domains which are used for a short period of time. Hundreds of different domains have been registered and used in the scam. At least 14 leading banks in Canada have had their login pages spoofed including TD Canada Trust, Scotiabank, Royal Bank of Canada, and BMO Bank of Montreal.

All of the websites used in the scam have now been taken down, but it is all but guaranteed that other lookalike domains will be registered and further scams will be conducted.

Greta Thunberg Spam Emails Used to Spread Emotet Banking Trojan

A spamming campaign has been detected that is piggybacking on the popularity of Greta Thunberg and is using the climate change activist’s name to trick individuals into installing the Emotet Banking Trojan.

Emotet is one of the most active malware threats. Emotet was first detected in 2014 and was initially used to steal online banking credentials from Windows users by intercepting internet traffic. Over the years it has undergone several updates to add new functionality. It has had a malspam module added, which allows it to send copies of itself via email to a user’s contacts. Emotet also includes a malware downloader, allowing it to download a range of other malware variants such as other banking Trojans and ransomware.

The malware is used indiscriminately in attacks on individuals, businesses, and government agencies, with the latter two being the main targets. Emotet is primarily spread via spam email, and while exploits are not used to spread to other devices on the network – EternalBlue for instance – other malware variants downloaded by Emotet can. TrickBot for instance.

The Greta Thunberg spam campaign aims to get users to open a malicious Word attachment and enable content. If that happens, Emotet will be silently downloaded to the user’s device, sensitive banking information will be stolen, and further malware may be downloaded.

The campaign was active over the holiday period and used a variety of Christmas-themed lures to entice users into opening the email attachment. Some of the emails did not include an attachment and instead used a hyperlink to direct the user to a website where the malicious document could be downloaded.

One of the emails wished the recipient a Merry Christmas and urged them to consider the environment this Christmastime and join a demonstration in protest against the lack of action by governments to tackle the climate crisis. The email claimed details about the time and location of the protest were included in the Word document. The email also requested the recipient to send the email on to all their colleagues, friends, and relatives immediately to get their support as well. Several variations along that theme have been detected.

To increase the likelihood of the recipient enabling content, when opened the document displays a warning that appears to have been generated by Microsoft Office. The user is told that the document was created in OpenOffice and it is necessary to first enable editing first and then enable content. Doing the latter will enable macros which will start the infection process.

The emails are well written and have been crafted to get an emotional response, which increases the likelihood of the user taking the requested action. The emails have been sent in multiple languages in many different countries.

Whenever there is a major news event, popular sports tournament, or other event that attracts global interest, there will be cybercriminals taking advantage.  Regardless of the theme of any email, if it is unsolicited and asks you to click a link or open an email attachment, it is best to assume that it is malicious.

Businesses can protect their networks against threats such as these by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan will identify threats such as phishing attacks and will prevent the messages from reaching inboxes. SpamTitan also includes dual anti-virus engines to detect known malware and machine learning techniques and sandboxing to identify and block zero-day malware.

For further information on how SpamTitan can protect your business from email threats such as this, contact TitanHQ today.

New PayPal Phishing Scam Uses Unusual Activity Alerts to Obtain Credentials

A new PayPal phishing scam has been detected that uses unusual activity alerts as a lure to get users to login to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign is different as the attackers are after much more than just account credentials.

This PayPal phishing campaign attempts a clean sweep – PayPal credentials, credit card details, email addresses and passwords, and security questions and answers.

The PayPal phishing scam is one of the most dangerous to date in terms of the financial harm that could be caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can be then used for further phishing scams on the victim’s family members, friends, and contacts.

The PayPal phishing scam starts with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.

The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.

If the link is clicked, the user will be directed to a fake PayPal website where they are required to login to restore their account. In this first stage, PayPal account credentials are obtained.  The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.

The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.

The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.

All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.

Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. This PayPal scam shows that those warnings may not always be genuine and that you should always exercise caution.

The golden rule? Never click links in emails. Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials. This is important as there has been an increase in typosquatting attacks, where cybercriminals take advantage of careless typists who misspell domain names when entering them into the address bar of their browser.

Employees Frequently Respond to Phishing Emails and Business Phishing Protections are Coming Up Short

Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.

The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.

71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.

A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.

The Importance of Layered Phishing Defenses

To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.

With layered defenses, businesses are not replying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.

One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.

What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.

As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.

If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.

Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.

Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.