Reports of Internet users that have been caught out by email scams continue to increase. Whether it is drivers being told to pay speeding fines via a link on an email, or Facebook users being advised that they have violated the terms of their account, innocent victims continue to be ripped off by cybercriminals using email scams.
Business email compromise scams are also reported to have increased. These email scams involve the cybercriminal gaining access to a corporate email account – such as that of the CEO. An email is then sent apparently from the CEO to a member of the finance department requesting a bank transfer to the cybercriminal´s account. All too often the transfer is made without question.
Many email scams attempt to extract log-in credentials by asking the recipient of the email to log into an account to resolve an issue. The email contains a link to a bogus website, where the recipient keys in their username and password. In the case of the Facebook email scam, this gives the cybercriminal access to the recipient´s genuine account and all their social media contacts.
Many individuals use similar username and password combinations for multiple accounts and a cybercriminal could get the individual´s log-in credentials to all their online accounts (personal and work accounts) from just one scam email. Alternatively they could use the log-in credentials to infect the user´s accounts with malware.
To protect against email scams, security experts advise if you are contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual sender or company supposed to have sent the email to confirm its authenticity. Do not use the contact information supplied in the email. Perform an Internet search to independently obtain the sender´s genuine contact details.
Other measures that can be taken to protect yourself from email scams include:
Carefully check the sender’s email. Does it look like it is genuine?
Never open email attachments from someone you do not know
If you receive an email offering you a prize or refund, stay safe and delete the email
Ensure anti-virus software is installed on your computer and is up to date.
Virtually everyone uses email which makes it an attractive attack vector for cybercriminals who use phishing emails to steal credentials, deliver malware, and gain a foothold in corporate networks, but what is a common indicator of a phishing attempt? How can these malicious emails be identified and avoided?
In this post we will list some of the main signs of phishing emails that that all email users should be looking out for in their inboxes.
Phishing is the Number 1 Attack Vector!
In 2021, and for several years previously, phishing has been the main way that cybercriminals obtain login credentials to allow them to access sensitive business data and gain the foothold they need in business networks for more extensive compromises. Phishing emails are also used to deliver malware that provides persistent access to computers and the networks to which they connect. Malware downloaders are commonly delivered via email that download other malicious payloads such as ransomware. Most data breaches start with a phishing email!
Phishing emails were once easy to detect, but that is not always the case now. Many phishing attempts are extremely sophisticated. Emails may only be sent to a handful of people, and even individuals are targeted. The emails are convincing and can be almost impossible to distinguish from the genuine email messages that they spoof.
With an advanced email security solution in place, the majority of these messages will be blocked; however, no email security solution will block every malicious message without blocking an unacceptable number of genuine messages. That means all employees must have the necessary skills to identify a phishing email when it arrives in their inbox.
What is a Common Indicator of a Phishing Attempt?
In order to identify a phishing email, you need to know what to look for, so what is a common indicator of a phishing attempt? Listed below are some of the most common signs of phishing emails for you to look out for.
Unfortunately, there is no single common indicator of a phishing attempt. Tactics, techniques, and procedures are constantly changing, but if you identify any of these signs in an email in your inbox or spam folder, there is a reasonable chance that the message is not genuine and should be reported to your security team. Chances are, there will be other copies of the message in the email system that will need to be removed.
The message is in your spam folder
There is a reason why messages are classified as spam by email security solutions. Analysis of the message has highlighted telltale signs of spam or phishing, but not enough for the message to be blocked at the email gateway. If a message is sent to your spam folder you should exercise caution when opening the message.
It is an unsolicited message
Phishing emails are unsolicited – You certainly didn’t ask to be phished! There may be a seemingly valid reason why you have been sent the message, but if you didn’t request the email and are not on a marketing list for the company or individual sending the message it should be treated as suspect.
Important information is in an attachment
One of the ways that phishers attempt to conceal their malicious intent is to use email attachments. This could be a link in an attached file that you need to click (why not just add it to the message body?) or commonly, you must enable content in an Office file to view the content of the attachment. Doing so will allow macros to run that will download a malicious file. Zip files are also commonly used as they are hard for spam filters to access, or files may be password protected. The files must always be scanned with AV software prior to opening and, even then, treat them with extreme caution.
Urgent action is required and there is a threat in the email
Phishing emails often convey a sense of urgency to get people to respond quickly without thinking too much about the request. There may be a threat of bad consequences if no action is taken – your account will be closed – or some other sense of urgency, such as missing out on an amazing opportunity. Always take time to carefully consider what is being asked and check the email for other signs of phishing.
You are asked to click a link in an email
Spam filters scan messages for malware, so it is common for the malware to be hosted on a website. A link is included that users must click to obtain information or to download a file. The link may take you to a website where you are required to enter your login credentials, and that site may have an exact copy of your usual login prompt – for Google or Office 365 for example. You should carefully check the link to find out the true destination (hover your mouse arrow over it) and then double check the full URL on the destination site. You may have been redirected to a different site after clicking. Is the page on the genuine website used by that company?
The sender of the email is not known to you or the email address is suspect
Phishers spoof email addresses and change the display name to make it appear that the email has been sent from a contact or official source. Check that the actual email address is legitimate – it is the correct domain for the company or individual. Check against past messages received from that individual or company to make sure the email address is the same. Remember, the sender’s email account may have been compromised, so even if the email address is correct that doesn’t necessarily mean the account holder sent the message!
The message has grammatical and spelling errors
Grammatical and spelling errors are common in phishing emails. This could be because English is not the first language of the sender or be deliberate to only get people to respond who are likely to fall for the next stage of the scam. Business emails, especially official communications and marketing emails, do not contain spelling errors or have grammatical mistakes.
The request is unusual, or the tone seems odd
Often the language used in phishing emails is a little odd. Emails impersonating known contacts may be overly familiar or may seem rather formal and different to typical emails you receive from the sender. If the tone is off or you are addressed in a strange way, it could well be a phishing attempt. Phishing emails will also try to get you to take unusual actions, such as send data via email that you have not been asked to send before. A quick phone call using trusted contact information is always wise to verify the legitimacy of an unusual request.
How Businesses can Improve their Phishing Defenses
If you want to block more phishing emails and malware you will need an advanced email security solution. The email security gateway is the first line of defense against malicious emails, but it is not necessary to spend a fortune to have good protection. If you have a limited budget or simply want to save money on email security, TitanHQ is here to help.
SpamTitan is an award-winning advanced email security solution that blocks in excess of 99.97% of malicious messages and spam. The solution is easy to implement, configure, maintain and use, the pricing policy is transparent and extremely competitive, and with TitanHQ you will benefit from industry-leading customer support. You can even try SpamTitan for free to see for yourself how effective it is. Get in touch with us today to find out more via email or just pick up the phone and speak to our friendly and knowledgeable sales team.
A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.
Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.
The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.
The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.
The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.
Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.
In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them how to respond when a potential threat is detected.
How SpamTitan Can Protect Against Phishing and Malware Attacks
SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.
SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.
SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.
SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.
If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.
Threat actors are constantly changing their tactics, techniques, and procedures (TTP) to increase the chances of getting their malicious payloads delivered. Spam and phishing emails are still the most common methods used for delivering malware, with the malicious payloads often downloaded via the web via hyperlinks embedded in emails.
A new tactic that has been adopted by the threat group behind the IcedID banking Trojan cum malware downloader involves hijacking contact forms on company websites. Contact forms are used on most websites to allow individuals to register interest. These contact forms typically have CAPTCHA protections which limit their potential for use in malicious campaigns, as they block bots and require each contact request to be performed manually.
However, the threat actors behind the IcedID banking Trojan have found a way of bypassing CATCHA protections and have been using contact forms to deliver malicious emails. The emails generated by contact forms will usually be delivered to inboxes, as the contact forms are trusted and are often whitelisted, which means email security gateways will not block any malicious messages.
In this campaign, the contact forms are used to send messages threatening legal action over a copyright violation. The messages submitted claim the company has used images on its website that have been added without the image owner’s permission. The message threatens legal action if the images are not immediately removed from the website, and a hyperlink is provided in the message to Google Sites that contains details of the copyrighted images and proof they are the intellectual property of the sender of the message.
Clicking the hyperlink to review the supplied evidence will result in the download of zip file containing an obfuscated .js downloader that will deliver the IcedID payload. Once IcedID is installed, it will deliver secondary payloads such as TrickBot, Qakbot, and Ryuk ransomware.
IcedID distribution has increased in recent weeks, not only via this method but also via phishing emails. A large-scale phishing campaign is underway that uses a variety of business-themed lures in phishing emails with Excel attachments that have Excel 4 macros that deliver the banking Trojan.
The increase in IcedID malware distribution is likely part of a campaign to infect large numbers of devices to create a botnet that can be rented out to other threat groups under the malware-as-a-service model. Now that the Emotet botnet has been taken down, which was used to deliver different malware and ransomware variants, there is a gap in the market and IcedID could be the threat that takes over from Emotet. In many ways the IcedID Trojan is very similar to Emotet and could become the leading malware-as-a-service offering for delivering malware payloads.
To find out how you can protect your business against malware and phishing threats at a reasonable price, give the TitanHQ team a call today and discover for yourself why TitanHQ email and web security solutions consistently get 5-star ratings from users for protection, price, ease of use, and customer service and support.
During tax season, tax professionals and tax filers are targeted with a variety of IRS phishing scams that attempt to obtain sensitive information that can be used by the scammers to steal identities and file fraudulent tax returns in the names of their victims. The potential rewards for the attackers are significant, with the fake tax returns often resulting in refunds of thousands of dollars being issued by the U.S. Internal Revenue Service (IRS).
This year is certainly no exception. Several tax season phishing scams have been identified in 2021 with one of the latest scams using phishing lures related to tax refund payments. The phishing emails have subject lines such as “Tax Refund Payment” and “Recalculation of your tax refund payment” which are likely to attract the recipient’s attention and get them to open the emails.
The emails use the genuine IRS logo and inform recipients that they are eligible to receive an additional tax refund, but in order to receive the payment they must click a link and complete a form. The form appears to be an official IRS.gov form, with the page an exact match of the IRS website, although the website on which the form is hosted is not an official IRS domain.
The form asks for a range of highly sensitive personal information to be provided in order for the refund to be processed. The form asks for the individual’s name, date of birth, Social Security number, driver’s license number, current address, and electronic filing PIN. For added realism, the phishing page also displays a popup notification stating, “This US Government System is for Authorized Use Only”, which is the same warning message that is displayed on the genuine IRS website.
The attackers appear to be targeting universities and other educational institutions, both public and private, profit and nonprofit with many of the reported phishing emails from staff and students with .edu email addresses.
Educational institutions should take steps to reduce the risk off their staff and students being duped by these scams. Alerting all .edu account holders to warn them about the campaign is important, especially as these messages are bypassing Office 365 anti-phishing measures and are arriving in inboxes.
Any educational institution that is relying on Microsoft Exchange Online Protection (EOP) for blocking spam and phishing emails – EOP is the default protection provided free with Office 365 licenses – should strongly consider improving their anti-phishing defenses with a third-party spam filter.
SpamTitan has been developed to provide superior protection for Office 365 environments. The solution is layered on top of Office 365 and seamlessly integrates with Office 365 email. In addition to significantly improving spam and phishing email protection, dual antivirus engines and sandboxing provide excellent protection from malware.
For further information on SpamTitan anti-phishing protection for higher education, give the SpamTitan team a call today. You can start protecting your institution immediately, with installation and configuration of SpamTitan taking just a few minutes. The solution is also available on a free trial to allow you to assess SpamTitan in your own environment to see the difference it makes before deciding on a purchase.
A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.
In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.
The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.
In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages. That single compromised account could easily have led to a massive email account breach.
Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.
To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.
What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.
SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.
If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team who, will help you get the most out of your trial.
Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. In 2020, ransomware attacks ran amok. Security experts estimate the final cost to global businesses from ransomware in 2020 will be $20 billion. They also predict that the ransomware trend will continue to be the number one threat in the coming years. Why? Because ransomware makes money for cybercriminals.
Ransomware criminals know no boundaries in their rush to make money. Every social engineering trick in the book has played out over the years, from sextortion to phishing. Feeding the loop of social manipulation to generate a ransom demand is the proliferation of stolen data, including login credentials: credential stuffing attacks, for example, are often related to ransomware attacks, login to privileged accounts allowing malware installation. Cybersecurity defenses are being tested like never before.
Personal Data is Targeted
Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.
Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be preferable, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.
One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.
The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.
Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.
One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
SPF is a DNS-based filtering control that helps to identify spoofed messages. SPF sets authorized sender IP addresses on DNS servers. Recipient servers perform lookups on the SPF records to make sure that the sender IP matches one of the authorized vendors on the organization’s DNS servers. If there is a match the message is delivered. If the check fails, the message is rejected or quarantined.
DKIM involves the use of an encrypted signature to verify the sender’s identity. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check to make sure the genuine emails have not been flagged incorrectly.
Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.
DMARC seems complex, but with the right setup, it’s an invaluable security tool that defends against phishing and malicious email content. With phishing one of the most common ways attackers steal data, it’s important for organizations to implement the right solutions and rules that stop these messages before they can reach a user’s inbox.
While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan email security incorporates DMARC authentication to provide even greater protection against email spoofing attacks. DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.
Phishing, Impersonation attacks, ransomware – all must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat.
Endpoint protection is clearly not enough. A powerful anti-spam solution like SpamTitan can detect threats in real-time before they become an infection. Unlike traditional endpoint anti-malware, smart monitoring platforms perform real-time updates and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve, however, businesses can fight back, but to do so, they must take real-time action.
TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to stop email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered sandbox.
For further information securing email accounts and blocking email impersonation attacks, contact TitanHQ today.
A new PayPal phishing scam has been identified that attempts to obtain an extensive amount of personal information from victims under the guise of a PayPal security alert.
Fake PayPal Email Notifications
The emails appear to have been sent from PayPal’s Notifications Center and warn users that their account has been temporarily blocked due to an attempt to log into their account from a previously unknown browser or device.
The emails include a hyperlink that users are asked to click to log in to PayPal to verify their identity. A button is included in the email which users are requested to click to “Secure and update my account now !”. The hyperlink is a shortened bit.ly address, that directs the victim to a spoofed PayPal page on an attacker-controlled domain via a redirect mechanism.
If the link is clicked, the user is presented with a spoofed PayPal login. After entering PayPal account credentials, the victim is told to enter a range of sensitive information to verify their identity as part of a PayPal Security check. The information must be entered to unlock the account, with the list of steps detailed on the page along with the progress that has been made toward unlocking the account.
First of all, the attackers request the user’s full name, billing address, and phone number. Then they are required to confirm their credit/debit card details in full. The next page requests the user’s date of birth, social security number, ATM or Debit Card PIN number, and finally the user is required to upload a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo ID.
Request for Excessive Information
This PayPal phishing scam seeks an extensive amount of information, which should serve as a warning that all is not what it seems, especially the request to enter highly sensitive information such as a Social Security number and PIN.
There are also warning signs in the email that the request is not what it seems. The email is not sent from a domain associated with PayPal, the message starts with “Good Morning Customer” rather than the account holder’s name, and the notice included at the bottom of the email telling the user to mark whitelist the sender if the email was delivered to the spam folder is poorly written. However, the email has been written to encourage the recipient to act quickly to avoid financial loss. As with other PayPal phishing scams, many users are likely to be fooled into disclosing at least some of their personal information.
Consumers need to always exercise caution and should never respond immediately to any email that warns of a security breach, instead they should stop and think before acting and carefully check the sender of the email and should read the email very carefully. To check whether there is a genuine issue with the account, the PayPal website should be visited by typing in the correct URL into the address bar of the browser. URLs in emails should never be used.
To find out more about current phishing scams and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.
Do you use the same password across online accounts?
Make your password hard to guess – use a combination of upper and lower case letters, numbers, and special characters.
Change your password frequently.
Never use the same password with more than one account. If you do and you password is stolen you are exposed and hackers could potentially gain access to every single account that that email address is associated.
If you receive one of these Paypal texts, to delete it immediately. Always read your messages before you click, or even better – don’t click on the link and contact PayPal directly.
Phishing messages can come from a range of sources, including:
Social Media messages
SpamTitan provides phishing protection to prevent whaling and spear phishing by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content. SpamTitan also performs reputation analysis on all links (including shortened URLs) contained in emails and block malicious emails before being delivered to the end user. How SpamTitan protects from phishing attempts:
URL reputation analysis during scanning against multiple reputations.
Detect and block malicious spear-phishing emails with either existing or new malware.
Heuristic rules to detect phishing based on message headers. These are updated frequently to address new threats.
Easy synchronization with Active Directory and LDAP.
Spam Confidence Levels can be applied by user, user-group and domain.
Whitelisting or blacklisting senders/IP addresses.
Infinitely scalable and universally compatible.
SpamTitan checks every URL in an email against known blacklists – with 100% active web coverage. Protect your users from email links to malicious sites with SpamTitan. SpamTitan’s sandboxing feature protects against breaches and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files.
Our free trial gives you the opportunity to evaluate our industry-leading email security solution in your own environment, and your clients the opportunity to provide feedback on how effective SpamTitan is at preventing all types of malware, ransomware and phishing attacks from entering your network.
Phishing attacks are extremely complex and increasing. The best way to protect against phishing scams is with a modern, robust email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.
A PayPal phishing scam was first detected in 2019 – the scam used unusual activity alerts as a lure to get users to login to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign was different as the attackers are after much more than just account credentials. This PayPal phishing campaign stole credentials, credit card details, email addresses and passwords, and security questions and answers.
This PayPal phishing scam has mutated over the years and has proved to be one of the most dangerous to date in terms of the financial harm caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can be then used for further phishing scams on the victim’s family members, friends, and contacts.
The PayPal phishing scams usually start with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.
The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.
If the link is clicked, the user will be directed to a fake PayPal website where they are required to login to restore their account. In this first stage, PayPal account credentials are obtained. The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.
The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.
The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.
All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.
Security experts are still finding fake paypal websites that impersonate PayPal. Using advanced social engineering techniques they try to trick users into handing over sensitive data including log in credentials.
Read more on current phishing scams and how to prevent attacks.
IT professionals are seeing an enormous number of Covid-19 themed email phishing attacks. SpamTitan is blocking increasing levels of these phishing emails. What started out as dozens of Covid 19 phishing websites has morphed to tens of thousands – more are being identified and blocked daily. With a large percentage of the workforce working from home, cybercriminals are trying to capitalize on the heightened anxieties of the public during the current crisis.
COVID-19 phishing scams are the most sophisticated versions of phishing emails the industry has seen. Are your employees and customers aware and are they protected?
COVID-19 vaccine scams
Cybercriminals are now shifting their focus to phishing email around Covid-10 vaccines. These vaccine themed phishing emails use subject lines referencing vaccine registration, locations to receive the vaccine, how to reserve a vaccine, and vaccine requirements.
For your employees looking for vaccination information on company devices the consequences are obvious. If the user falls for the scam email they may divulge sensitive or financial information, open malicious links or attachments exposing the organization to attack. These phishing campaigns are sophisticated and may impersonate trusted entities, such as health or government agencies playing a central role in the COVID vaccination rollout.
Preventing Phishing Attacks
Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. These warnings may not always be genuine and that you should always exercise caution.
The golden rule? Never click links in emails.
Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials.
Without the right security tools in place, organizations are vulnerable to phishing attacks. SpamTitan provides phishing protection by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content and performs reputation analysis on all email links, ultimately blocking malicious emails before they reach the end-user.
SpamTitan checks every URL in an email against known blacklists – with 100% active web coverage. SpamTitan’s sandboxing feature protects against sophisticated email attacks by providing a powerful environment to run in-depth analysis of unknown or suspicious programs.
Phishing attacks are increasingly complex and growing in number. One of the most effective ways to protect against phishing scams is with a powerful email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.
To protect against advanced phishing threats you need advanced protection.
A round up of some of the phishing campaigns and phishing tactics identified over the past few days in campaigns targeting businesses in the banking and IT sectors, and individuals seeking unemployment benefits.
Fake Google ReCAPTCHA Used in Ongoing Phishing Campaigns
The use of CAPTCHA, an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”, is now common in phishing campaigns. CAPTCHA involves an image test, such as identifying all images in a group that contain cars, a test to identify characters in a slightly obfuscated image, or simply confirming that “I am not a robot.”
The Google reCAPTCHA is used on websites to distinguish human traffic from machines to protect against abusive activities by malicious code and software. ReCAPTCHA is a sign of security and the use of this system on a website helps to inspire trust. That trust is being abused by cybercriminals who have added fake Google ReCAPTCHAs to phishing sites. This tactic is becoming much more common.
One recently identified campaign uses emails with a message about a voicemail message that impersonate company communication tools. The attachment directs the user to a phishing website where they are presented with a CAPTCHA challenge. In this campaign, the user must complete the standard ‘I am not a robot’ challenge and will then be presented with a Microsoft 365 login prompt. In addition to using Microsoft logos, the corporate logo of the company being targeted is also included. When credentials are entered, the user is told they have successfully validated and will proceed to a generic voicemail message. The lures used in these campaigns change frequently, with requests to review documents also common.
This campaigns targets business executives in the banking and IT sectors, although the same tactic has been used throughout 2020 on targets in other industry sectors.
NFA Impersonated in Phishing Campaign Targeting Member Firms
A phishing campaign has been detected targeting the financial industry which impersonates the National Futures Association (NFA). The tactics used in this campaign are common in phishing scams – Impersonating a trusted entity and abusing that trust to get individuals to install malware.
The emails in this campaign have been sent from an email address on a domain that closely resembles the legitimate NFA domain. The official NFA domain is nfa.futures.org, whereas the phishing emails have been sent from the domain nfa-futures[.]org.
The emails appear to have been sent by legitimate NFA staff members, with the signature including their name, job title, and the correct address of the office, with fake phone numbers. The signature of the email lists two websites: The official domain and also the fake domain.
As with many phishing campaigns, the recipient is told urgent action must be taken. The message says the NFA has made many attempts to contact the recipient about a matter that requires an urgent response. These emails are being used to direct individuals to malicious website or convince them to open malicious attachments with the aim of delivering malware.
Phishing Campaign Impersonates State Workforce Agencies Offering Unemployment Benefits
Cybercriminals are creating fake websites that mimic genuine state workforce agencies (SWAs) in the United States in order to steal sensitive personal information that can be used for identity theft and fraud. The tactics are similar to the above campaign, although the aim is to obtain sensitive information rather than install malware on a business network.
The state workforce agency websites that the malicious sites impersonate are used by individuals to apply for unemployment benefits. In order to receive those benefits, individuals must provide personally identifiable information. Campaigns are being conducted to impersonate these sites and trick people into believing they are on the genuine website. After landing on the malicious page, a series of questions must be answered as part of a fake application for unemployment insurance benefits.
Traffic to the fake unemployment benefit websites is generated through phishing emails and text messages that impersonate an SWA, encouraging recipients to apply for benefits. These messages have been created to closely resemble official communications, using the official logos and color schemes of each SWA, with the domain linked in the email closely resembling the official SWA website.
Solutions to Improve Defenses Against Phishing Attacks
Phishing attacks are often sophisticated and highly targeted, and tactics, techniques, and procedures continually change to bypass technical and human defenses. To stay one step ahead of the scammers, businesses need to adopt a defense in depth approach to cybersecurity and implement multiple overlapping layers of security to block threats. If phishers and hackers manage to bypass one layer of security defenses, others will be in place to provide protection.
Human defenses, such as training the workforce how to identify phishing emails is important. When a threat is encountered, employees will know how to react. It is also possible to condition employees not to take risks, such as opening emails attachments in unsolicited messages from unknown senders. The sophistication of campaigns, spoofing of email addresses, lookalike domains, and email impersonation tactics make it difficult for some phishing emails to be distinguished from genuine email communications.
Technical defenses will ensure most threats are blocked and do not reach inboxes. An email security gateway solution is a must and should also be used on Office 365 environments. The standard Office 365 spam filter is simply not good enough at blocking threats. Spam filters with machine learning capabilities and greylisting will help to ensure more threats are blocked, and multiple malware detection methods should be used, including sandboxing to detect new malware threats. A web filter should also be considered for blocking the web-based component of phishing attacks. A web filter will provide time-of click protection and prevent individuals from visiting malicious sites and downloading potentially malicious files.
For more information on improving your phishing defenses and to register for a free trial of two award-winning anti-phishing solutions, contact the TitanHQ team today.
A new Adidas phishing scam has been detected that offers free shoes and money. The messages claim that Adidas is celebrating its 93rd anniversary and is giving 3000 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription.
“Adidas is giving away 3000 Free Pair of Shoes to celebrate its 93rd anniversary. Get your free shoes at <link>”
The very same scam was run in 2019 claiming to celebrate 69th anniversary and on that occasion was giving 2,500 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription. The scammer saw success previously and have clearly decided it’s worth trying again.
The Scam Adidas Email
There is also an email version of the scam. The fake Adidas email claims the recipient has won a large sum of money and all they need to do to claim the cash is send their personal details via email.
A successful breach can cost an organization millions but defending against this kind of attack requires powerful anti-spam and malware technology. To defend against this kind of phishing attack you need a cutting edge email security solution to stop scam emails, a security aware workforce to identify a scam email and spot a spoof email, and powerful web protection that blocks user from accessing dangerous websites
WhatsApp phishing scam
The WhatsApp phishing scam is targeting users on mobile devices in specific locations. If the user clicks the link in the message and is determined not to be using a mobile device, they will be directed to a webpage that displays a 404 error. The scam will also only run if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.
Provided the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The responses to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.
In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user does this, they will be directed to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.
There is another catch. In order to claim their free sneakers, the user must pay $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any point.
On the payment screen the user is told that the payment will be processed by organizejobs.net. Proceeding with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.
The campaign is being run on WhatsApp, although similar scams have been conducted via email and SMS messages. Several variations along the same theme have also been identified spoofing different shoe manufacturers.
The link supplied in the WhatsApp phishing message appears to be genuine, using the official domain for the country in which the user is located. While the domain looks correct, this is an example of a homoglyph attack. Instead of the domain adidas.de, the i is replaced with a vertical line – a homoglyph attack.
These types of scams are commonplace. Homoglyph scams take advantage of the ability to use non-ASCII characters in domain names. Similar scams use a technique called typosquatting – where domains closely matching real brand names are registered: Incorrect spellings for instance, such as “Addidas” instead of Adidas, or with an i replaced with a 1 or an L.
In this case, the attackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the information used to run up huge bills or drain bank accounts.
There are various warning signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will reveal it is incorrect. The need to share the message to contacts is atypical, being notified of a charge after being told the shoes are free, the failure to ask the user to choose a pair of shoes or even select their size, and an odd domain name is used to process payment. However, even with these tell-tale signs that the offer is not genuine, this adidas phishing scam is likely to fool many people.
Be warned. If you receive any unsolicited WhatsApp message offering you free goods, best to assume it is a phishing scam.
To find out more about some of the key protections you can put in place to improve your resilience against email scams and phishing attacks, contact the SpamTitan team today.
A new phishing campaign has been identified that abuses the Windows Finger command to download a malware variant called MineBridge.
The Finger command in Windows can be used by a local user to obtain a list of users on a remote machine or, alternatively, to obtain information about a specific remote user. The Finger utility originated in Linux and Unix operating systems but is also included in Windows. The utility allows commands to be executed to find out whether a particular user is logged on, although this is now rarely used.
There are also security concerns with the finger utility, and it has been abused in the past to find out basic information about users that can be targeted in social engineering attacks. Vulnerabilities in the finger protocol have also been exploited in the past by some malware variants.
Recently, security researchers discovered Finger can be used as a LOLBin to download malware from a remote server or to exfiltrate data without triggering alerts from security solutions. Finger is now being used in at least one phishing campaign to download malware.
MineBridge malware is a Windows backdoor written in C++ that has previously been used in attacks on South Korean companies. The malware was first identified in December 2020 by researchers at FireEye and in January 2020 several campaigns were identified distributing the malware via phishing emails with malicious Word attachments.
The latest campaign sees the attackers impersonate a recruitment company. The email is a recommendation of a candidate for consideration for a position at the targeted firm. The sender recommends even if there are no current openings, the CV should be checked, and the candidate considered. The email is well written and believeable.
As is common in phishing campaigns, if the document is opened a message will be displayed that tells the user the document has been created in an old version of Windows and to view the content the user needs to ‘enable editing’ and then ‘enable content’. Doing so will run the macro, which will fetch and download a Base64 encoded certificate using the Finger command. The certificate is a malware downloader that used DLL hijacking to sideload the MineBridge backdoor. Once installed, MineBridge will give the attacker control over an infected device and allow a range of malicious actions to be performed.
It is easiest to block attacks like this by installing an advanced spam filtering solution to block the malicious emails and prevent them from reaching inboxes. As an additional protection against this and other campaigns that abuse the Finger.exe utility in Windows, admins should consider disabling finger.exe if it is never used.
Phishing scams can be difficult for employees to identify. The emails provide a plausible reason for taking a certain action, such as clicking a link in an email. The websites that users are directed to are virtually indistinguishable from the genuine websites that the scammers spoof and credentials are commonly captured.
The pandemic has seen increasing numbers of employees working from home and accessing their company’s cloud applications remotely. Businesses are now much more reliant on email for communication than when employees were all office based. Cybercriminals have been taking advantage and have been targeting remote workers with phishing scams and many of these attacks have been successful.
Employees often receive training on cybersecurity and are told to be wary of emails that have been sent from unknown individuals, but many still open the emails and take the requested action. The emails often spoof an individual that is known to the recipient, which increases the likelihood of that email being opened. It is also common for well known brands to be impersonated in phishing attacks, with the attackers exploiting trust in that brand.
A recent analysis of phishing emails by Check Point revealed the most commonly impersonated brand in phishing attacks over the past 3 months is Microsoft, which is not surprising given the number of businesses using Office 365. The study revealed 43% of phishing attempts that mimic brands impersonate Microsoft.
Microsoft credentials are then captured in these attacks and are used to remotely access accounts. The data stored in a single email account can be substantial. There have been many healthcare phishing attacks that have seen a single account compromised that contained the sensitive data of tens of thousands or even hundreds of thousands of patients. These phishing emails are often only the first step in a multi-stage attack that gives the threat actors the foothold they need for a much more extensive attack on the organization, often resulting in the theft of large amounts of data and ending with the deployment of ransomware.
Microsoft is far from the only brand impersonated. The analysis revealed DHL to be the second most impersonated brand. DHL-based phishing attacks use failed delivery notifications and shipping notices as the lure to get individuals to either disclose sensitive information such as login credentials or open malicious email attachments that download malware. 18% of all brand impersonation phishing attacks involve the impersonation of DHL. This makes sense as the phishers target businesses and especially during a pandemic when there is increased reliance on courier companies.
Other well-known brands that are commonly impersonated include PayPal and Chase to obtain account credentials, LinkedIn to allow professional networking accounts to be compromised, and Google and Yahoo are commonly impersonated to obtain account credentials. Attacks spoofing Amazon, Rakuten, and IKEA also make the top 10 most spoofed brand list.
Phishers mostly target business users as their credentials are far more valuable. Businesses therefore need to ensure that their phishing defenses are up to scratch. Security awareness training for employees is important but given the realistic nature of phishing emails and the plausibility of the lures used, it is essential for more reliable measures to be implemented to block phishing attacks.
Top of the list of anti-phishing measures should be an advanced spam filter. Many businesses rely on the spam filtering capabilities of Office 365, but this only provides a level of protection. The default spam filter in Office 365 is not particularly effective at blocking sophisticated phishing attacks. Businesses that rely on Microsoft’s Exchange Online Protection (EOP) see many phishing emails delivered to inboxes where they can be opened by employees.
To better protect against phishing attacks, a third-party spam filter should be layered on top of Office 365. SpamTitan has been developed to provide enhanced protection for businesses that use Office 365. The solution implements seamlessly with Office 365 and the solution is easy to implement and maintain. The result will be far greater protection from phishing attacks and other malicious emails that employees struggle to identify.
For further information on SpamTitan, to register for a free trial, and for details of pricing, give the TitanHQ team a call today.
A Trump-themed phishing campaign has been detected that attempts to deliver the Qnode Remote Access Trojan (QRAT) under the guise of a video file that appears to be a Donald Trump sex tape.
QRAT is a Java-based RAT that was first detected in 2015 that has been used in several phishing campaigns over the years, with an uptick in distribution observed from August 2020. Interestingly, the malicious file attachment – named “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no relation to the phishing email body and subject line, which offers a loan as an investment for a dream project or business plan. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be provided if there is a good return on the investment and between $500,000 and $100 million can be provided. It is unclear whether an error has been made and the wrong file attachment was added to the email or if this was a deliberate mismatching of a malicious .jar file. While the emails are unlikely to fool many end users, there may be enough interest in the video to pique the interest of some recipients.
The phishing campaign does appear to be poorly constructed, but the same cannot be said of the malware the campaign attempts to deliver. The version of QRAT delivered in this campaign is more sophisticated than previously detected versions, with several improvements made to evade security solutions. For instance, the malicious code used as the QRAT downloader is obfuscated and split across several different buffers within the .jar file.
Phishing campaigns often take advantage of interest in popular new stories and the Presidential election, allegations of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is likely that this will not be the only Trump-themed phishing campaign to be conducted over the next few days and months.
This campaign appears to target businesses, where the potential returns from a malware infection is likely to be far higher than an attack on consumers. Blocking threats such as this is easiest with an advanced email security solution capable of detecting known and new malware variants.
SpamTitan is an advanced, cost-effective spam filtering for businesses and the leading cloud-based spam filter for managed service providers serving the SMB market. SpamTitan incorporates dual anti-virus engines to identify known malware threats, and a Bitdefender-powered sandbox to identify zero-day malware. The solution also supports the blocking of risky file types such as JARs and other executable files.
SpamTitan is also effective at blocking phishing emails without malicious attachments, such as emails with hyperlinks to malicious websites. The solution has multiple threat detection features that can identify and block spam and email impersonation attacks and machine learning technology and multiple threat intelligence feeds that provide protection against zero-minute phishing attacks.
One of the main reasons why the solution is such as popular choice with SMBs and MSPs is the ease of implementation, use, and maintenance. SpamTitan takes the complexity out of email security to allow IT teams to concentrate on other key tasks.
SpamTitan is the most and top-rated email security solution on Capterra, GetApp and Software Advice, is a top three solution in the three email security categories on Expert Insights and has been a leader in the G2 Email Security grids for 10 consecutive quarters.
If you want a spam filtering solution that is effective and easy to use, look no further than SpamTitan. For more information, give the TitanHQ team a call. SpamTitan is also available on a free trial to allow you to evaluate the solution in your own environment before deciding on a purchase.
The threat from phishing is ever present and phishing remains the leading cause of data breaches. All it takes is for one employee to fall for a phishing email for threat actors to gain the foothold they need to conduct more extensive attacks on the organization. But how common is phishing? In this post we provide some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing defenses.
2020 Phishing Statistics
Phishing is the easiest way for cybercriminals to gain access to sensitive data and distribute malware. Little skill or effort is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The latest figures show that in 2020, 22% of reported data breaches started with a phishing email and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc., and the massive Home Depot data breach in 2014 that saw the email addresses of 53 million individuals stolen.
Phishing can be conducted over the phone, via SMS, social media networks, or instant messaging platforms, but email is most commonly used. Around 96% of all phishing attacks occur via email. Successful phishing attacks result in the loss of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving the incidents and resultant data breaches is substantial. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security revealed the average cost of a data breach is around $150 per compromised record with a total cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to resolve.
Employees may believe they are able to spot phishing emails, but data from security awareness training companies show that in many cases, that confidence is misplaced. One study in 2020 revealed that 30% of end users opened phishing emails, 12% of users clicked a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing websites. Bear in mind that 78% of users claimed that they know they shouldn’t open email attachments from unknown senders or click links in unsolicited emails.
The 2020 phishing statistics show phishing and spear phishing are still incredibly common and that phishing attacks often succeed. Another study revealed 85% of companies have fallen victim to a phishing attack at least once. Phishing websites are constantly being created and used in these scams. Once a URL is confirmed as malicious and added to a blacklist, it has often already been abandoned by the threat actors. In 2020, around 1.5 million new phishing URLs were identified every month.
2020 has seem a massive increase in ransomware attacks. While manual ransomware attacks often see networks compromised by exploiting vulnerabilities in firewalls, VPNs, RDP, and networking equipment, ransomware is also delivered via email. Since 2016, the number of phishing emails containing ransomware has increased by more than 97%.
How to Detect and Block Phishing Threats
Tackling phishing and preventing successful attacks requires a defense in depth approach. An advanced spam filtering solution is a must to prevent phishing emails from reaching inboxes. Companies that use Office 365 often rely on the protections provided as standard with their licenses, but studies have shown that the basic level of protection provided by Microsoft’s Exchange Online Protection (EOP) is insufficient and average at best and phishing emails are often not detected. A third-party, solution is recommended to layer on top of Office 365 – One that incorporates machine learning to identify never before seen phishing threats. The solution should use email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks and outbound scanning to identify compromised mailboxes.
End user training is also important. In the event of a phishing email arriving in an inbox, employees should be trained to identify it as such and be conditioned into reporting the threat to their IT team to ensure action can be taken to remove all instances of the threat from the email system. Web filters are also important for blocking the web-based component of phishing attacks and preventing employees from visiting phishing URLs. Multi-factor authentication on email accounts is also essential. In the event of credentials being stolen, MFA will help to ensure that the credentials cannot be used to access email accounts.
Cybercriminals are leveraging interest in COVID-19 vaccination programs and are conducting a range of COVID-19 vaccine phishing scams with the goal of obtaining sensitive data such as login credentials or to distribute malware. Several government agencies in the United States have recently issued warnings to businesses and consumers about the scams including the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services, and law enforcement agencies such as the FBI.
COVID-19 vaccine scams can take many forms. Campaigns have already been detected that offer early access to COVID-19 vaccines. These scams require a payment to be made as a deposit or a fee to get to the top of the waiting list. Other scams offer the recipients a place on the waiting list if they apply and provide personal information.
COVID-19 vaccine phishing scams are being conducted via email; however, it is likely that fraudsters will advertise on websites, social media channels, or conduct scams over the telephone or via SMS messages and instant messaging platforms. While many of these scams target consumers, there is potential for businesses to be affected if employees access their personal emails at work or if the scam emails are sent to work email addresses.
Scam emails often include links to websites where information is harvested. These links may be hidden in email attachments to hide them from email security solutions. Office documents are also commonly used for delivering malware, via malicious macros.
The emails typically impersonate trusted entities or individuals. COVID-19 vaccine scam emails are likely to impersonate healthcare providers, health insurance companies, vaccine centers, and federal, state, or local public health authorities. During the pandemic there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in Covid-19 related phishing scams.
The U.S. Department of Justice recently announced that two domains have been seized that impersonated vaccine developers. The domains were virtual carbon copies of the legitimate websites of two biotechnology companies involved in vaccine development. The malicious content has been removed, but there are likely to be many more domains registered and used in COVID-19 vaccine phishing scams over the coming weeks.
Warnings have also been issued about the risk of ransomware attacks that take advantage of interest in COVID-19 vaccines and provide the attackers with the foothold in networks they need to conduct their attacks.
There are four important steps that businesses can take to reduce to risk of falling victim to these scams. Since email is extensively used, it is essential to have an effective spam filtering solution in place. Spam filters use blacklists of malicious email and IP addresses to block malicious emails, but since new IP addresses are constantly being used in these scams, it is important to choose a solution that incorporates machine learning. Machine learning helps to identify phishing threats from IP addresses that have not previously been used for malicious purposes and to identify and block zero-day phishing threats. Sandboxing is also important for identifying and blocking zero-day malware threats that have yet to have their signatures incorporated into the virus definition lists of antivirus engines.
While spam filters can identify and block emails that contain malicious links, a web filtering solution is also recommended. Web filters are used to control the websites that employees can access and prevent visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated via threat intelligence feeds to provide protection against recently discovered malicious URLs.
Businesses should not neglect end user training and should regularly provide refresher training to employees to help them identify phishing threats and malicious emails. Phishing simulation exercises are also beneficial for evaluating the effectiveness of security awareness training.
Multi-factor authentication should also be applied as a last line of defense. In the event of credentials being compromised, multi-factor authentication will help to ensure that stolen credentials cannot be used to remotely access accounts.
With these measures implemented, businesses will be well protected from malware, COVID-19 vaccine phishing scams, and other phishing threats.
For further information on spam filtering, web filtering, and protecting your business from malware and phishing attacks, give the TitanHQ team a call today.
Phishers are constantly changing their tactics to fool employees into clicking on links and disclosing their credentials. During the pandemic, many scammers switched from their tried and tested campaigns using standard business-themed lures such as fake invoices, purchase orders, and shipping notices to COVID-19 themed lures. These lures were topical and took advantage of people craving information about the coronavirus and COVID-19.
Phishers Use Fake Internal Memos About Changes to HR Work from Home Policies
Now a new phishing campaign has emerged that takes advantage of the changed business practices due to COVID-19. Many employees are still working remotely, even though their employers have started reopening their offices. During the pandemic, employees have got used to receiving regular internal company memos and updates.
The new phishing campaign spoofs the company’s HR department and appears to be an automated internal company email, similar to the messages employees are used to receiving. The emails claim to have voicemail attachments, which will also be familiar to many remote workers. The HTML attachments are personalized with the recipient’s name to add credibility to the message.
If the file attachment is opened, the user will be presented with a link they are required to click to receive the company information. In one campaign, this was a SharePoint link, although other cloud services could similarly be used. The link directs the user to SharePoint and provides an update on the company’s remote working policy. After reading the message, the worker is required to click a link that directs them to the actual phishing page where sensitive information is collected.
This campaign is very realistic. The fake remote working policy is well written and plausible and states that if employees wish to continue working from home after the pandemic, they are required to complete an HR form to provide notice in writing. The SharePoint-hosted Excel form where the user is directed is also plausible, but in addition to the request to continue to work from home, the user is required to supply their email credentials.
Phishing Campaign Offers Government Financial Aid to COVID-Affected Workers
A separate phishing campaign has been identified that is also linked to the pandemic, spoofing government agencies and offering pandemic-related financial assistance for individuals prevented from working due to COVID-19 restrictions or have otherwise been adversely affected. This campaign has targeted U.S. citizens, although similar campaigns could be conducted targeting individuals in other countries.
In this campaign, which has the subject message “US government to give citizens emergency financial aid,” the message states that the government begun issuing payments of cash compensation in October 2020. The message states that payment is only provided to USA residents and the maximum payout is $5,800.
A link is supplied in the email that the user is required to click to make a claim, which the email states will be reviewed by a support representative who will send a personal response within 24 hours. The link directs the user to a domain that spoofs the U.S. government. The user is required to enter their name and date of birth, followed by their address, contact information, Social Security number, and driver’s license number on a second form.
Phishing is the Most Common Type of Cybercrime
A recent Clario/Demos survey confirmed that phishing and email attacks are the most common types of cybercrime reported in both the United States and the United Kingdom.
The pandemic has made it easier for phishing attacks to succeed. Phishers are taking advantage of the uncertainty about changes to new ways of working caused by the pandemic, people working home alone without such a high level of support, and vulnerabilities that have been introduced as a result of the change to a fully remote workforce.
Businesses can better protect their employees by using cloud-based email and web filtering solutions. These solutions work in tandem to block the email and web-based component of phishing attacks and malware distribution campaigns. A cloud-based email filtering solution will filter out the majority of malicious messages and will keep inboxes free of threats. A web filter will prevent end users from visiting malicious links, downloading malicious attachments, or visiting malicious websites either through work-related or non-work-related Internet activity when working from the office or remotely.
TitanHQ has developed two easy to use, easy to implement, and highly effective email and web security solutions for protecting office-based and remote workers from the full range of web and email threats, including previously seen phishing emails and zero-minute attacks and new malware threats.
To better protect your business, your employees, and your networks from threats, give the TitanHQ team a call today to find out more. You will also have the opportunity to trial the SpamTitan Email Security and WebTitan Web Security solutions to see for yourself how easy they are to use and the protection they offer. You are also likely to be pleasantly surprised by how little this level of protection will cost.
The threat of phishing is ever present, especially for the healthcare industry which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, with many of the attacks having their roots in a successful phishing attack. One that delivers a ransomware downloader such as the Emotet and TrickBot Trojans, for example.
A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.
One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.
Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts. Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credential to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.
That does represent a considerable improvement from 2015 when the survey was last conducted, when just 37% had implemented MFA, but it shows there is still considerable for improvement, especially in an industry that suffers more than its fair share of phishing attacks.
In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.
These cyberattacks not only take up valuable resources and disrupt busines operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.
The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list – One that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.
One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.
Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.
TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.
Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.
If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and the potential regulatory fines that can follow, give the TitanHQ team today and inquire about SpamTitan Email Security and WebTitan Web Security.
Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.
Surge in Phishing Attacks in the Run Up to Black Friday
The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.
Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.
Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more busines to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.
Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.
With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.
How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats
This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.
The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.
SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.
If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.
A phishing campaign has been identified that spoofs the U.S. Internal Revenue Service (IRS) and advises recipients that they are facing imminent legal action to recover outstanding tax.
The emails are convincing and well written and are final demands for payment to prevent legal action to recover the outstanding funds. The emails warn the recipient that the IRS has made several attempts to make contact by telephone after no response was received to a written demand for payment that the emails claim was mailed 18 months previously in May 2019. The failure to respond has led to the IRS taking legal action, with charges due to be filed imminently to recover the outstanding tax.
In contrast to many scams that seek login credentials or attempt to get the user to open file attachments to trigger a malware download, this scam uses social engineering techniques to scare the recipient into making contact via email to resolve the fictitious issue. The purpose of the scam is to get the recipient to make a fraudulent payment or disclose their financial account information.
The lack of any hyperlinks or email attachments makes it more likely that the email will be delivered to inboxes and will not be identified as malicious by security solutions. Fortunately, SpamTitan users will be protected from this scam as multiple checks are performed which identify the scam for what it is.
The message body contains all the classic hallmarks of a phishing scam:
There is urgency to get prompt action taken – Immediate resolution of the issue is necessary
There is a threat of negative consequences if no action is taken – Legal action to recover funds
The request is plausible, but an atypical request is made – to only make contact via email
The emails include a case file number, detail the outstanding amount – $1450.61 in this case – and include a docket number and warrant ID for the impending legal action. The recipient is told that legal action will proceed in 4 days if payment is not made, and that the opportunity for voluntary action to rectify the issue is coming to an end.
In addition to the threat of legal action and a court case, the recipient is informed that credit reference bureaus may also be notified about the late/missed payment, which would negatively impact their credit score.
The emails have the subject line “Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST,” indicating this is not the first time that the message has been sent, helping to emphasize that this is a final warning.
Steps have been taken to make the email appear official, with the display text of the sender address indicating the message has been sent from support @ irs.gov – the legitimate domain used by the IRS. However, the reply to email address supplied is legal.cc @ outlook.com – Which is clearly not an official IRS domain and the message headers show that the email was not sent from the domain stated.
The email does include a postal address; however, no telephone number is supplied. Full contact information would be provided in official IRS communications, although the IRS would not initiate contact with individuals via email.
The phishing emails highlight the importance of stopping to think about what is being requested and to take time to check emails carefully before responding, no matter how pressing the threat may be. Any request for payment should be verified by phone, with contact information obtained from a trusted source, never the contact details supplied in the email. A call to the IRS would quickly reveal this to be a scam.
The reason these scams succeed is because they rely on individuals responding quickly without thinking. Fortunately, an effective spam filter will detect these scam emails and will quarantine or reject the messages.
Cybercriminals have taken advantage of the uncertainty over the U.S. presidential election result over the past few days and are using exploiting fear about voting fraud to infect users with malware. With so many postal votes being sent this year, which take much longer to count than in-person votes, there was always going to be a delay in determining the outcome of the presidential election. In such a close election a winner may not be declared for some time, certainly several days after election day, and possibly weeks given the likelihood of several legal challenges and recounts.
Spam campaigns exploiting the situation started to be sent soon after the polls had closed distributing the QBot banking Trojan. When a device is infected with the QBot Trojan, the user’s email account is hijacked and used to send copies of the malware to the user’s contacts. To increase the probability of emails being opened by the recipients, previous email threads are hijacked, and a response is sent with a malicious attachment containing a macro that downloads the malware.
In this campaign, a search is performed for emails containing the word “election” and replies are sent to the senders of those messages. A zip file is attached to the emails named “ElectionInterference,” with the zip file containing a malicious spreadsheet.
The messages encourage the recipient to open the attached spreadsheet to discover important information about interference in the election. With President Trump suggesting in press conferences that there is substantial evidence of election fraud, these messages may seem very credible and enticing to recipients.
The spreadsheet mimics a secure DocuSign file and the user is instructed to enable content to decrypt the file and view the contents; however, doing so will allow macros to run which will silently download the Qbot Trojan.
The QBot Trojan was first identified in 2008; however, it has received many updates over the years to add new functions and mechanisms to evade security solutions. The ability to hijack Outlook email threads is a fairly new feature. The same tactic is also used by the Emotet Trojan to increase the probability of messages and their malicious attachments being opened. The tactic has proven very effective for the operators of Emotet.
In addition to targeting customers of major financial institutions, the QBot Trojan steals sensitive information such as credit card information and passwords. Like Emotet and the TrickBot Trojan, QBot is also a malware dropper. The operators of QBot team up with other threat groups and deliver their malicious payloads, with ransomware often delivered to QBot victims.
Threat actors are quick to seize any opportunity to infect devices with malware, as was seen in the early days of the COVID-19 pandemic when threat groups switched their spamming infrastructure to send COVID-19 themed lures. Election-themed emails are likely to continue for some time with legal challenges to the result expected. Holiday season is also fast approaching, and like previous years, threat actors will send Black Friday, Cyber Monday, and other holiday period themed phishing lures to steal credentials and distribute malware.
Businesses can protect against these phishing and malspam campaigns using a combination of a spam filter, web filter, antivirus software, and end user training.
The healthcare industry is one of the main targets for hackers, and while ransomware attacks have increased considerably in recent months and vulnerabilities in VPNs, RDP, and software solutions are frequently exploited, healthcare phishing attacks are far more common.
Phishing attacks on healthcare organizations allow threat actors to steal credentials to gain access to email accounts and other systems and steal highly sensitive data. Phishing emails are also used to deliver malware loaders such as the Emotet Trojan, which delivers other malware payloads such as the TrickBot banking Trojan, which in turn delivers ransomware.
Most cyberattacks start with a phishing email, so it is essential for healthcare organizations to ensure they implement safeguards to block these attacks and by doing so, prevent costly data breaches and regulatory fines.
The HHS’ Office for Civil Rights has imposed substantial fines on HIPAA-covered entities for data breaches that have started with a phishing email, including the two largest ever HIPAA fines issued to date – the $16 million financial penalty for Anthem Inc. for its 78.8 million-record data breach and the $6,850,000 penalty for Premera Blue Cross for its breach of the protected health information 10,466,692 individuals.
Tips to Prevent Healthcare Phishing Attacks…
Unfortunately, as far as phishing goes, there is no silver bullet. No single solution will provide total protection against healthcare phishing attacks. What is required is layered defenses – technical solutions providing overlapping layers of security – and adherence to tried and tested cybersecurity best practices. Some of the most important anti-phishing measures you can implemented to stop healthcare phishing attacks are detailed below:
Implement an Advanced Spam Filter
A spam filter is one of the most important technical controls to block phishing attacks and prevent malicious emails from reaching the inboxes of your employees. Advanced spam filters use a combination of blacklists of known malicious IPs, email header and content scanning, link analysis, anti-virus scans, sandboxing, SPF, DKIM, and DMARC to detect and block email impersonation attacks, and AI and machine learning to identify zero-day phishing attacks.
You should implement an advanced spam filter and set rules to filter out all suspicious emails and reject malicious messages. Outbound scanning is also important to detect compromised email accounts that are being used to conduct further phishing attacks on your organization and vendors.
Use a Web Filter to Block the Web-Based Component of Phishing Attacks
Email filters are effective, but not infallible. New tactics, techniques, and procedures are commonly developed by threat actors to fool email security solutions. You may be able to block all malware and 99.9% or more of all malicious messages, but some messages are likely to sneak past your defenses.
A web filter provided additional protection by preventing your employees from visiting known malicious URLs that have been masked in phishing emails. Web filters block the web-based component of phishing attacks and malware downloads from the internet and work in tandem with spam filters to improve your security posture and block healthcare phishing attacks.
Implement Multi-Factor Authentication
A SANS Institute report suggests multi-factor authentication will block 99% of attempts by threat actors to use stolen credentials to remotely access email accounts, while Microsoft says MFA will stop more than 99.9% of email account attacks, yet many admins have not implemented multi-factor authentication. A recent survey by CoreView researchers suggests 78% of Microsoft 365 admins have not enabled MFA on their M365 accounts.
In the event of credentials being stolen – in a phishing attack or using brute force tactics – MFA should prevent those credentials from being used to remotely access your accounts.
Provide Regular Security Awareness Training
Technical measures are important for preventing healthcare phishing attacks but don’t forget the human element. Employees need to be trained how to recognize phishing emails and taught the correct response when a suspicious email is received. Security awareness training should also cover cybersecurity best practices.
To create a “security aware” culture in your organization, you need to provide regular security awareness training sessions, including an annual training session for all staff and more frequent shorter sessions or online CBT sessions throughout the year, making sure you keep the workforce aware of the latest threats. Not only will training help to prevent healthcare phishing attacks from succeeding, it is also a requirement for HIPAA compliance.
Conduct Phishing Simulation Exercises
Training is important, but so is testing. If you do not test your employees’ security knowledge, you will not know whether your training has been successful. There will always be employees that require more training than others, and through testing you will be able to identify the individuals that need more help.
Phishing simulation exercises are the best way to achieve this. You can find weak links in your workforce as well as your training program and ensure they are addressed.
Take Care with the Information You Make Available Online
In order to conduct a targeted phishing attacks on your organization, an attacker needs to know your email addresses. This information can often easily be found online in organizational charts and staff directories. Limiting the information you publish online will make it harder for email addresses to be harvested and used in attacks on your organization.
How to Reduce the Severity of Successful Healthcare Phishing Attacks
Healthcare phishing attacks are extremely common and often result in the exposure or theft of large amounts of protected health information. The Office for Civil Rights breach portal lists many email security breaches that have exposed the personal and health information of tens of thousands and even hundreds of thousands of patients and health plan members.
When conducting a risk analysis, consider what would happen in the event of a breach and take steps to reduce the severity of a breach should your defenses be penetrated. It is a good best practice to implement an email archiving solution to send all emails to a secure, cloud archive to ensure that no email data is lost and to implement policies requiring emails containing PHI to be deleted from your mail system. In the event of a breach, the PHI exposed will be greatly reduced and so too will the breach costs.
By using an email archive, you will still be able to remain compliant and retain al email data, but you will be able to significantly reduce risk while improving the performance of your mail server.
The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.
The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.
Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachments that the recipient is required to open to view further information.
Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.
Users are instructed in the documents to enable content using a variety of tricks, oftentimes the documents state that the Word document has been created on an IoS or mobile device, and content needs to be enabled to allow the content to be viewed or that the contents of the document have been protected and will not be displayed unless content is enabled.
Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.
The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.
The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few year to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.
As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.
It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employee’s inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.
Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.
To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.
A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.
Teleconferencing applications have been invaluable during the coronavirus pandemic. They have helped businesses continue to operate during extremely challenging times and have helped support a largely remote workforce.
Platforms such as Zoom, Skype, and Microsoft Teams saw user numbers skyrocket as national lockdowns were imposed and the high usage has continued as lockdowns have eased. The popularity of these platforms has not been missed by cybercriminals, who have devised many phishing campaigns targeting users of these platforms.
The platforms are used as instant messaging services by many workers who are keen to show that they are working hard while at home, so when a message arrives in an inbox informing them they have people trying to connect, they have missed a meeting, or there is a problem with their account, they are likely to reply quickly, often without thinking about the legitimacy of the request.
At first glance these emails appear to be genuine. The request is credible, the images and logos are legitimate, but closer inspection should reveal the messages are not what they seems.
Microsoft Teams Phishing Scams
One of the latest phishing campaigns to spoof a teleconferencing platform targets Office 365 users by spoofing Microsoft Teams. The messages advise the recipient that “There’s new activity in Teams,” and “Your teammates are trying to reach you in Microsoft Teams.” The email claims messages are waiting, and it is necessary to “Reply in Teams” to connect.
Clicking the link will direct the user to a web page that requires them to login to their Microsoft account. Everything on the page is how it should be, as the spoofed login page has been copied from Microsoft. However, close inspection of the URL will reveal a typo. The URL starts with microsftteams to make the web page appear genuine at first glance, but the full URL shows this is not a Microsoft domain. If the user enters their credentials they will be captured and used by the scammers to access the user’s account.
This is far from the only phishing scam to target Microsoft Teams users to obtain Microsoft Office credentials. Several Microsoft Teams phishing scams have attempted to obtain credentials using missed messages from teammates and other plausible lures.
Microsoft Office credentials are extremely valuable to scammers. Accounts can be used to gain access to email data, send further phishing emails, access intellectual property, and can be used as a launchpad for further attacks on the organization. The credentials can also be sold to other cybercriminals.
Similar scams have targeted users of other platforms such as Skype and Zoom. Users of the latter were targeted in one campaign that claimed a meeting was cancelled due to the pandemic, using subject lines such as “Meeting Canceled – Could we do a Zoom call.” A link is included in the email to initiate a call, with the destination site similarly harvesting credentials.
How to Avoid Teleconferencing Platform Phishing Scams
As with other forms of phishing scams, employees need to be vigilant. The emails create a sense of urgency and there is often a “threat” of bad consequences if no action is taken, but it is important to stop and think before responding to a message and to take time to check the email carefully.
You should not open any email attachments or click links in unsolicited emails, especially messages sent from unknown email addresses. Even if the email address appears genuine, take care. Access the teleconferencing platform using your normal login method, never using the links in the emails.
Businesses can protect their remote workers by implementing an advanced spam filtering solution such as SpamTitan to block these emails at source and ensure they are not delivered to their remote workers’ inboxes. A web filtering solution such as WebTitan is also advisable, as it will block attempts to visit malicious websites used to phish for credentials.
For further information on spam filtering and web filtering to protect your business, give the TitanHQ team a call today. Both solutions are available on a free trial – with full product support – to allow you to evaluate their effectiveness before making a decision.
Businesses in the United Kingdom are being targeted by scammers impersonating Her Majesty’s Revenue and Customs. There have been several campaigns identified over the past weeks that are taking advantage of the measures put in place by the UK government to help businesses through the COVID-19 pandemic and the forced lockdowns that have prevented businesses from operating or have forced them to massively scale back operations.
The HMRC scams have been numerous and diverse, targeting businesses, the self-employed, furloughed workers and others via email, telephone, and SMS messages. Some of the scams involve threats of arrest and jail time due to the underpayment of tax, demanding payment over the phone to avoid court action or arrest.
One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a third-party hacked email account. The email advised recipients that they were due a tax refund from HMRC. A link is supplied in the email that the recipient is required to click to receive their refund. In order to apply to receive the refund the user must enter sensitive information into the website, which is captured by the scammers.
Another campaign has been identified that spoofs HMRC and similarly seeks sensitive information such as bank account and email credentials. In response to the COVID-19 pandemic, the UK government launched a scheme to help businesses by allowing them to defer their VAT payments between March and June 2020, until June 2021 to help ease the financial burden of the nationwide lockdown. Many businesses took advantage of the scheme and applied to have their Value Added Tax (VAT) payments deferred.
The campaign uses emails that spoof HMRC and inform businesses that their application to have their VAT payments deferred has been rejected as the company is in arrears. The emails include an attachment with further information and a report on their application. The document is password protected and the password is supplied in the email to allow the file to be opened.
A hyperlink is supplied which must be clicked which directs the user to a website where they are asked to enter sensitive information such as their bank account details and email address and password, which are captured by the scammers.
COVID-19 has presented scammers with a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are credible, the messages are well written, and the scammers have gone to lengths to make their phishing websites look like the entities they spoof.
Businesses should be on high alert and be particularly vigilant for phishing scams. They should advise their employees to take extra care with any request that requires the disclosure of sensitive information.
Technical controls should also be considered to block phishing emails at source and prevent visits to malicious websites. That is an area where TitanHQ can help. TitanHQ offers two anti-phishing solutions for businesses and MSPs to help them block phishing attacks: SpamTitan and WebTitan.
SpamTitan is a powerful email security solution that blocks phishing emails at source, preventing malicious messages from reaching inboxes. WebTitan is a DNS filtering solution that is used to control the websites that can be accessed over wired and wireless networks, blocking access to web pages that are used for phishing and malware delivery.
Both solutions are available on a free trial to allow you to evaluate their effectiveness before deciding on a purchase. Further information on the solutions, their benefits, and pricing can be obtained by calling the TitanHQ team.
Even though there are easy ways to identify a phishing email, many employees are fooled by these scams. Phishing attacks involve the use of social engineering to convince the target to take a certain action, such as opening an email attachment that has a malicious script that downloads malware or visiting a website that requires sensitive information to be entered. These scams can be convincing, the reason supplied for taking a particular action is often credible, and any linked website can be difficult to distinguish from the site it impersonates.
Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.
How to Identify a Phishing Email
Phishing emails can take many forms and there is a myriad of lures that are used to fool the unwary, but there are tell-tale signs that an email may not be what it seems. By checking certain elements of an email, you will be able to identify all but the most sophisticated phishing attempts. It only takes a few seconds to perform these checks and that time will be well spent as they will help you identify a phishing email and prevent costly data breaches and malware infections.
Check the true sender of the email
This seems an obvious check but spoofing the sender of an email is one of the most common ways that phishers fool people into responding. The display name is spoofed to make it appear that the email has been sent from a trusted contact. The display name may be PayPal, Netflix, the name of your bank, or your boss or a colleague. However, the actual email address is likely to be from a free email service provider such as @gmail.com or @yahoo.co.uk.
Hover your mouse arrow over the display name or click reply and check the actual sender of the email. The domain name (the bit after @) should match the display name and that domain should be one that is used by the company that appears to have sent you the email. Beware of hyphenated domains such as support-netflix.com. These are unlikely to be genuine.
Check for grammatical errors and spelling mistakes
Read the email carefully. Are there spelling mistakes or grammatical errors? Does the wording seem odd, as if it has not been written by a native English speaker? Scammers are often from non-English speaking countries and may use Google translate to create their emails, which is why the wording may seem a little odd.
Before Google, Netflix, or your bank sends an email, it will be subject to proof checking. Mistakes will be made on occasion by they are exceedingly rare. Some phishing scams deliberately include spelling mistakes and poorly written emails to weed out people who are unlikely to fall for the next stage of the scam. If you fall for the email, it is likely that you can be fooled by the next stage of the attack.
Phishing emails are often addressed in a way that makes it clear that the sender does not know your name. “Dear customer” for example. Most companies will use your name in genuine email communications.
Phishers use urgency and a “threat” if no action is taken
Phishers want you to take action quickly rather than stop and think about the legitimacy of any request. It is common for a request to be made that needs immediate action to prevent something undesirable from happening.
For example, someone has tried to login to your account and you need to take immediate action to secure your account. Something has happened that will result in your account being closed. A payment has been made from your account for something that you have not purchased, and you need to take action to stop that payment from going through. Phishers use fear, urgency, and threats to get prompt action taken and count on people acting quickly without thinking or carefully checking the email. Spending an extra 30 seconds checking an email will not make any difference to the outcome, but it can prevent you from being fooled by a scam.
Check the true destination of any link in the email
Most phishing attacks seek sensitive information such as login credentials. For these to be obtained, you will most likely be directed to a website where you must enter login credentials, financial information, and personal details to verify your identity. Emails are often written in HTML and include a button to click that directs you to a website.
You should check the true URL before clicking. Hover your mouse arrow over any button to find out where you are being directed and make sure the URL matches the context of the message and uses an official domain name of the company referenced in the email. The same applies to the anchor text of a link – the text that is displayed in a clickable link. Make sure you perform the same check on any link before clicking.
On a mobile device this is even more important, as the small screen size means it is not always possible to display the full URL. The visible part of the URL may look like it is genuine, but when viewing the full URL you will see that it is not. Just press on the URL and keep pressing until the link is displayed.
Beware of email attachments
Email attachments are used in phishing scams for distributing malware and for hiding content from spam filters. Hyperlinks are put in an attachment rather than the message body to fool security solutions, and scripts are used in email attachments that may run automatically when the attachment is opened.
If you are sent an unsolicited email that includes an attachment, treat it as suspicious and try to verify the email is legitimate. If the email has been sent by a colleague, give them a quick call to make sure they actually sent the email, even if the sender check was passed. Someone may have compromised their account. Do not use any contact information supplied in the email, as it is likely to be incorrect.
Only open email attachments that you are confident are genuine, and then never “enable content” as this will grant a macro or other malicious script permission to run.
Anti-Phishing Solutions for Businesses
TitanHQ has developed two powerful anti-phishing solutions to help businesses block phishing and other email and web-based cyberattacks. SpamTitan is an advanced email security solution that has been independently verified as blocking 99.97% of spam and phishing emails and is used by thousands of businesses to keep their inboxes free of threats.
SpamTitan performs a myriad of checks to determine the likelihood of an email being malicious, including RBL checks, Bayesian analysis, heuristics, machine learning techniques to identify zero-day threats, and sender policy frameworks to block email impersonation attacks. Dual antivirus engines are used to detect known malware and sandboxing is used to analyze suspicious email attachments safely to check for malicious actions.
WebTitan is a DNS filtering solution that blocks the web-based component of phishing attacks by preventing employees visiting known malicious websites, suspicious sites. WebTitan also blocks malware downloads.
Both solutions are competitively priced, easy to implement and use, and provide protection against the full range of email and web-based threats. For further information on improving protection from phishing attacks and other cyber threats, give the TitanHQ team a call. Alternatively, you can register for a no obligation free trial of both solutions to evaluate them in your own environment.
Several SBA loan phishing scams identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.
Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.
Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.
Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.
Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.
Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.
The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.
In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails links to a cleverly spoofed SBA web page that indistinguishable from the genuine login page apart from the URL that attempts to steal credentials. The scam prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.
These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.
First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.
Dual antivirus engines detect 100% of known malware and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.
Prior to opening any downloaded document or file it should be scanned using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.
Care should be taken opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive information.
Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are genuine. Always carefully check the sender of the email – Genuine SBA accounts end with sba.gov. The display name can easily be spoofed so click reply and carefully check the email address is correct. Care should be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is the legitimate domain.
CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real-time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by employees.
For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.
A new phishing campaign has been identified that targets remote workers that will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that prior to returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.
This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training. The emails include the Office 365 logo and are short and to the point.
They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”
The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”
Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.
This campaign, like many others to have emerged over the past few weeks, closely follow world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, incorporation was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.
Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about Free school dinners over the summer, now that the UK government has said that it will be providing support to parents.
There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. This campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.
What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, that are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard and be alert to the threat from phishing and always take time to consider the legitimacy of any request and to perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.
Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.
A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.
iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.
Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.
As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.
If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.
The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.
There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website are suspect, the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.
These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.
As the COVID-19 pandemic has clearly shown, cybercriminals are quick to adapt their phishing and malware campaigns in response to global and local events. New lures are constantly developed to maximize the probability of success.
In the early stages of the pandemic, when very little was known about SARS-CoV-2 and COVID-19, there was huge public concern and cybercriminals took advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly change their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus started to spread globally and there was a huge craving for knowledge about the virus and local cases.
It is therefore no surprise to see the TrickBot operators adopt a new lure related to Black Lives Matter. There were huge protests in the United States following the death of George Floyd at the hands of a police officer, and those protests have spread globally. In several countries the headlines have been dominated by stories about Black Lives Matter protests and counter protests, and the public mood has presented another opportunity for the gang.
The latest TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been crafted to appeal to individuals both for and against the protests. The emails contain a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are likely.
The emails request the user open and complete the form in the document to submit their anonymous feedback. The Word document includes a macro which users are requested to enable to allow their feedback to be provided. Doing so will trigger the macro which will download a malicious DLL, which installs the TrickBot Trojan.
TrickBot is first and foremost a banking Trojan but is modular and frequently updated with new functions. The malware collects a range of sensitive information, can exfiltrate files, can move laterally, and also download other malware variants. TrickBot has been extensively used to download Ryuk ransomware as a secondary payload when the TrickBot gang has achieved their initial objective.
The lures used in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can help to improve resilience to phishing threats by conditioning employees how to respond to unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to identify threats that land in their inboxes.
Regardless of the ruse used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are identified as such and are blocked and never reach end users’ inboxes. That is an area where TitanHQ can help.
SpamTitan Cloud is a powerful email security solution that provides protection against all email threats. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing provides protection against zero-day malware and phishing threats. No matter what email system you use, SpamTitan adds an important extra layer of security to block threats before they reach inboxes.
For further information on how you can improve protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call today.
A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that has been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.
The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.
The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.
Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.
Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.
By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.
The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.
The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.
With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.
This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.
For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.
Two new phishing campaigns have been identified targeting remote workers. One campaign impersonates LogMeIn and the other exploits the COVID-19 pandemic to deliver a legitimate remote administration tool that allows attackers to take full control of a user’s device.
LogMeIn Spoofed to Steal Credentials
Remote workers are being targeted in a phishing campaign that spoofs LogMeIn, a popular cloud-based connectivity service used for remote IT management and collaboration. The emails claim a new update has been released for LogMeIn, with the messages appearing to have been sent by the legitimate LogMeIn Auto-Mailer. The emails include the LogMeIn logo and claim a new security update has been released to fix a new zero-day vulnerability that affects LogMeIn Central and LogMeIn Pro.
A link is supplied in the email that appears to direct the recipient to the accounts.logme.in website and a warning is provided to add urgency to get the user to take immediate action. The email threatens subscription of the service will be suspended if the update is not applied.
The anchor text used in the email masks the true site where the user will be directed. If clicked, the user will be directed to a convincing spoofed LogMeIn URL where credentials are harvested.
There has been an increase in phishing attacks spoofing remote working tools in recent weeks such as LogMeIn, Microsoft Teams, Zoom, GoToMeeting, and Google Meet. Any request sent by email to update security software or take other urgent actions should be treated as suspicious. Always visit the official website by entering the URL into the address bar or use your standard bookmarks. Never use information provided in the email. If the security update is genuine, you will be advised about it when you login.
NetSupport Remote Administration Tool Used to Take Control of Remote Workers’ Laptops
A large-scale phishing campaign has been detected that uses malicious Excel attachments to deliver a legitimate remote access tool that is used by the attackers to take control of a victim’s computer.
The emails used in this campaign appear to have been sent from the Johns Hopkins Center and claim to provide a daily update on COVID-19 deaths in the United States. The Excel file attached to the email – covid_usa_nyt_8072.xls – displays graph taken from the New York Times detailing COVID-19 cases and when opened the user is encouraged to enable content. The Excel file contains a malicious Excel 4.0 macro that downloads a NetSupport Manager client from a remote website if content is enabled, and the client will be automatically executed.
The NetSupport RAT delivered in this campaign drops additional components, including executable files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Once installed it will connect with its C2 server, allowing the attacker to send further commands.
Block Phishing Attacks and Malware with SpamTitan and WebTitan Cloud
The key to blocking phishing attacks is to implement layered anti-phishing defenses. SpamTitan serves as an additional layer of protection for email that works in tandem with the security anti-spam measures implemented by Google with G-Suite and Microsoft with Office 365 to provide a greater level of protection, especially against sophisticated attacks and zero-day threats. SpamTitan itself includes multiple layers of security to block threats, including dual anti-virus engines, sandboxing, DMARC, and predictive technologies to identify never-before-seen phishing and malware threats.
WebTitan Cloud serves as an additional layer of protection to protect against the web-based component of phishing attacks, with time-of-click protection to block attempts by employees to visit phishing websites linked in emails and redirects to malicious websites during general web browsing. WebTitan works in tandem with email security solutions to increase protection for employees regardless where they access the internet and allows different policies to be set when they are on and off the network.
For further information on these powerful cybersecurity solutions give the TitanHQ a team a call today to book a product demonstration and to receive assistance getting set up for a free trial of the full products.
Zoom has proven to be hugely popular during the COVID-19 pandemic. The teleconferencing platform has allowed businesses to keep in touch with their employees during lockdown and many consumers are using the platform to keep in touch with friends and family. The popularity of the platform has not been missed by cybercriminals who are now using a range of Zoom-themed lures to trick people into downloading malware.
Any software solution that has been widely adopted is an attractive target for cybercriminals. The large number of users of the platform mean there is a high likelihood of a Zoom phishing email reaching someone who has previously used the solution. In December, there were around 10 million Zoom users worldwide and by March 2020 that number had increased to more than 200 million.
According to research from Check Point, more than 2,449 domains have been registered in the past three weeks that contain the word Zoom, 320 (13%) of which were identified as suspicious and 32 (1.5%) were confirmed as malicious. Many of these domains are likely to be used in Zoom phishing scams.
The Zoom phishing emails mimic genuine notification messages from Zoom and contain hyperlinks that the user is asked to click. The lures mostly consist of fake meeting reminders and notifications about missed scheduled meetings. The hyperlinks used in the emails often include the word Zoom to make it appear that the user is being directed to a genuine Zoom website.
In April, a Zoom phishing campaign was identified that used fake meeting reminders to alert users that they are required to take part in a Zoom meeting with their HR department regarding the termination of their employment. The link supplied in the email directs the user to a spoofed Zoom website on an attacker-controlled domain where their credentials are harvested.
Another Zoom phishing campaign has been identified that uses the subject line “Zoom Account” with the emails welcoming the user to the Zoom platform. The emails include a link that the user is asked to click to login to activate their account. Doing so will result in Zoom credentials being stolen.
One of the most recent campaigns warns the recipient they have missed a meeting and must login to their account to obtain the recording. In this case, Zoom is spoofed but the attackers seek Microsoft credentials, which can be used to obtain a wealth of sensitive data. With those credentials the attackers can take full control of Office 365 email accounts, which are used to conduct further phishing attacks on the organization.
Zoom is not the only teleconferencing platform being spoofed to steal credentials and distribute malware. Campaigns have also been identified recently that spoof WebEx, Microsoft Teams, Google Meet, and other platforms.
Protecting against these Zoom phishing scams requires a combination of an advanced antispam solution such as SpamTitan and end user education to train employees how to recognize phishing emails.
A new report has been released that sheds light on the most common phishing lures that are currently in use that are providing effective against employees. KnowBe4 has revealed that in the first quarter of 2020, the most common phishing lure was a notification advising the recipient that they need to immediately perform a password check. This lure accounted for 45% of all reported phishing emails in the quarter. The lure is simple yet effective. A hyperlink is included in the email that directs the user to a spoofed webpage where they are required to enter their password for Office 365.
The COVID-19 crisis has provided phishers with new opportunities to steal passwords and distribute malware. At TitanHQ, we have seen a huge variety of COVID-19 themed phishing emails, many of which spoof authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). The emails claim to offer important information on the coronavirus and updates on cases. SpamTitan has been blocking increasing levels of these coronavirus emails over the past few weeks so it is no surprise to see a COVID-19 phishing lure in second place, which had the subject line: CDC Health Alert Network: Coronavirus Outbreak Cases.
Other common COVID-19 themed phishing emails include messages about rescheduled meetings due to the coronavirus, COVID-19 tax refunds, information from the IT department about working from home, and offers of confidential information about COVID-19. The report indicates there was a 600% increase in COVID-19 phishing lures in Q1, 2020.
COVID-19 had been embraced by cybercriminals and used in phishing campaigns because the emails commonly attract a click. People are naturally worried about the pandemic and crave information that they can use to protect themselves and their families. The campaigns prey on fears about the coronavirus and use urgency to get recipients to click without questioning the legitimacy of the email.
SpamTitan and WebTitan users are well protected against these phishing threats. Early in the year, just a handful of malicious COVID-19 phishing websites were being used for phishing and malware distribution. Now, SpamTitan and WebTitan are blocking tens of thousands of COVID-19 themed websites that are being used to spread malware and steal sensitive information.
SpamTitan incorporates dual antivirus engines to block known malware threats and sandboxing provides protection against malware variants that have yet to be identified. Suspicious email attachments that have not been detected as malicious by the antivirus engines are sent to the sandbox for in depth analysis. SpamTitan also incorporates SPF and DMARC to block email impersonation attacks, and a host of measures are used to assess the legitimacy of emails and embedded hyperlinks.
The key to good cybersecurity is to implement several layers of security. In addition to an advanced spam filtering solution such as SpamTitan you should consider implementing a DNS-based web filtering solution such as WebTitan to block the web-based component of phishing attacks. WebTitan provides comprehensive internet filtering to ensure that office-based employees and remote workers cannot navigate to websites used for phishing and malware distribution.
If you want to make sure that your workers, their devices, and your network are protected against malware, ransomware, and phishing attacks, give us a call today. SpamTitan and WebTitan can be implemented and configured in a matter of minutes and providing protection against email and web-based threats.
A new phishing campaign has been identified that uses the Microsoft Sway file sharing service as part of a three-stage attack with the goal of obtaining the Office 365 credentials of high-level executives.
Group IB researchers identified the campaign and named it PerSwaysion, although versions of the attack have been identified that have used OneNote and SharePoint. The campaign is highly targeted and has been conducted on high-level executives at more than 150 companies. The individuals behind the campaign are believed to operate out of Nigeria and South Africa, with the earliest traces of the attacks indicating the campaign has been running since around the middle of last year.
The PerSwaysion attack starts with a spear phishing email sent to an executive in the targeted organization. The phishing emails include a PDF file attachment with no malicious code embedded. The PDF file just includes a link that the user is required to click to view the content of the file. The link directs the user to file on a Microsoft Sway page, which also requires them to click a link to view the content. Microsoft Sway allows the previewing of the document and displays the content without the user having to open the document. The document states the name of the sender – a known contact – and that individual’s email address with the message that a file has been shared for review along with a hyperlink with the text ‘Read Now’. Clicking the link directs the user to a phishing page with an Office 365 Single Sign-on login prompt.
The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page are all branded with Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into disclosing their credentials.
Once credentials have been obtained, they are used the same day to access the Office 365 account, email data is copied from the account, and it is then used to send further spear phishing emails to individuals in the victim’s contact list. The sent emails are then deleted from the victim’s sent folder to ensure the attack is not detected by the victim.
The emails include the sender’s name in the subject line, and since they have come from the account of a known contact, they are more likely to be opened. The lure used is simple yet effective, asking the recipient to open and review the shared document.
Many of the attacks have been conducted on individuals at companies in the financial services sector, although law firms and real estate companies have also been attacked. The majority of attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.
It is possible that the attackers continue to access the compromised emails accounts to steal sensitive data. Since the campaign targets high level executives, the email accounts are likely to contain valuable intellectual property. They could also be used for BEC scams to trick employees into making fraudulent wire transfers.
The lockdown imposed due to COVID-19 has forced employees to abandon the office and work from home, with contact maintained using communications solutions such as Skype, Slack, and Zoom. Unsurprisingly the huge increase in use of these platforms has created an opportunity for cybercriminals, who are using fake notifications from these and other communication and teleconferencing platforms as lures in phishing campaigns on remote workers.
Several campaigns have been identified that take advantage of the popularity of these platforms. One campaign has recently been identified that uses Skype branding advising users that they have pending notifications. The emails are personalized and include the Skype username and have a review button for users to click to review their notifications. These emails very closely resemble the genuine emails sent to users by Skype. The emails also appear, at first glance, to have been sent from a genuine address.
The link supplied in the email directs the recipient to a hxxps website that has Skype in the domain name. Since the connection between the browser and the website is encrypted, it will display the green padlock to show that the connection is secure, as is the case on the genuine Skype domain. The webpage includes Skype branding and the logo of the company being targeted and states that the webpage has been set up for authorized use by employees of the company. The username of the victim is automatically added to the login page, so all that is required is for a password to be entered.
This campaign was identified by Cofense, which received multiple reports from business users about the emails, which bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.
A Zoom campaign has also been identified that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many businesses for use by employees to maintain contact during the lockdown. The platform has also proven popular with consumers and now has more than 300 million users.
In this campaign, Zoom meeting notifications are sent to targets. As is common with phishing campaigns, the attackers generate fear and urgency to get the targets to respond quickly without scrutinizing the messages. This campaign advises the recipients to login to a meeting with their HR department regarding their job termination. Clicking the link will similarly direct users to a fake login page where they are required to enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was identified by Abnormal Security, which reports that around 50,000 of these messages were delivered to Office 365 accounts and bypassed EOP.
The phishing emails are credible, the webpages that users are directed to look genuine, and many people will be fooled by the emails. Security awareness training will help to condition employees to question emails such as these, but given the number of messages that are bypassing Microsoft’s EOP, businesses should also consider adding an additional layer of email security to their Office 365 accounts.
This is an area where TitanHQ can help. SpamTitan Cloud does not replace EOP for Office 365, it allows businesses to add an extra layer of protection on top to provide extra protection from zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware laced emails that would otherwise be delivered to Office 365 inboxes.
SpamTitan Cloud is quick and easy to implement and can protect your Office 365 accounts in a matter of minutes. Since the solution is available on a free trial, you will be able to evaluate the difference it makes and see how many malicious messages it blocks before committing to a purchase.
For further information on improving your phishing defenses, give the TitanHQ team a call today.
Higher education institutions in the United States are being targeted in a phishing campaign that distributes a remote access trojan called Hupigon, a RAT that was first identified in 2010.
The Hupigon RAT has previously been used by advanced persistent threat groups (APT) from China, although this campaign is not believed to have been conducted by APT groups, instead the Hupigon RAT has been repurposed by cybercriminals. While several industries have been targeted in the campaign, almost half of attacks have been on colleges and universities.
The Hupigon RAT allows the operators to download other malware variants, steal passwords, and gain access to the microphone and webcam. Infection could see the attackers take full control of an infected device.
The campaign uses online dating lures to get users to install the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is asked to select the one they find the most attractive. When the user makes their choice, they are directed to a website where an executable file is downloaded, which installs the Hupigon RAT.
The choice of lure for the campaign is no doubt influenced by the huge rise in popularity of dating apps during the COVID-19 pandemic. While there are not many actual dates taking place due to lockdown and social distancing measures now in place around the globe, the lockdowns have seen many people with a lot of time on their hands. That, coupled with social isolation for many singles, has actually led to an uptick in the use of online dating apps, with many users of the apps turning to Zoom and FaceTime to have virtual dates. Several popular dating apps have reported an increase in use during the COVID-19 pandemic. For example, Tinder reports use has increased, with the platform having its busiest ever day, with more than 3 billion profiles swiped in a single day.
As we have already seen with COVID-19 lures in phishing attacks, which account for the majority of lures during the pandemic, when there is interest in a particular event or news story, cybercriminals will take advantage. With the popularity of dating apps soaring, we can expect to see an increase in the number of online dating -themed lures.
The advice for higher education institutions and businesses is to ensure that an advanced spam filtering solution is in place to block the malicious messages and ensure they do not reach end users’ inboxes. It is also important to ensure that security awareness training continues to be provided to staff, students, and remote employees to teach them how to recognize the signs of phishing and other email threats.
TitanHQ can help with the former. If you want to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call today. After signing up, you can be protecting your inboxes in a matter of minutes.
Healthcare providers are being targeted by cybercriminals using COVID-19 themed phishing emails, with the campaigns showing no sign of letting up. The volume of attacks has prompted the U.S. Federal Bureau of Investigation (FBI) to issue a further warning to healthcare providers urging them to take steps to protect their networks and block the attacks.
The first major COVID-19 themed phishing attacks targeting healthcare providers started to be detected by around March 18, 2020. The attacks have grown over the following weeks and the lures have diversified.
Campaigns have been conducted targeting at-home healthcare employees who are providing telehealth services to patients, and there has been an increase in business email compromise scams. The latter see vendors impersonated and requests sent for early or out-of-band payments due to difficulties that are being experienced due to COVID-19.
The phishing attacks are being conducted to obtain login credentials and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the exfiltration of sensitive data.
The malware being distributed in these campaigns is highly varied and includes information stealers such as Lokibot, backdoors, and Trojans such as Trickbot. Microsoft has recently reported that Trickbot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced documents. In addition to being a dangerous malware variant in its own right, Trickbot also downloads other malicious payloads, including RYUK ransomware.
While the number of COVID-19 themed phishing emails has been increasing, the overall volume of phishing emails has not increased by a major amount. What is happening is threat actors are changing their lures and are now using COVID-19 lures as they are more likely to be opened.
The campaigns can be highly convincing. The lures and requests are plausible, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization have been spoofed. Oftentimes the emails are sent from a known individual and trusted contact, which makes it more likely that the email attachment will be opened.
The advice offered from the FBI is to follow cybersecurity best practices such as never opening unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied promptly is also important, as is turning off automatic email attachment downloads. The FBI has also recommended filtering out certain types of attachments through email security software, something that is easy to do with SpamTitan.
The FBI has stressed the importance of not opening email attachments, even if antivirus software says that the file is clean. As the Trickbot campaign shows, new variants of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up. This is another area where SpamTitan can help. In addition to using dual antivirus engines to identify known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats that have yet to have their signatures added to antivirus software virus definitions lists.
Training is important to teach healthcare employees cybersecurity best practices to help them identify phishing emails, but it is also important to ensure that your technical controls are capable of blocking these threats.
Data obtained by the UK think tank Parliament Street has revealed the extent to which universities are being targeted by cybercriminals and the sheer number of spam and malicious emails that are sent to the inboxes of university staff and students.
Data on malicious and spam email volume was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.
Warwick University’s figures show that more than 7.6 million spam emails were sent to the email accounts of staff and students in the final quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails containing malware.
It was a similar story at Bristol University, which received more than 7 million spam emails over the same period, 76,300 of which contained malware. Data from the London School of Hygiene and Tropical Medicine revealed more than 6.3 million spam emails were received in 2019, which included almost 99,000 phishing emails and more than 73,500 malware attacks. 12,773,735 spam and malicious emails were received in total for 2018 and 2019.
Data from Lancaster University revealed more than 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as suspected spam. The figures from Imperial College London were also high, with almost 40 million emails blocked in 2019.
Like attacks on companies, cyberattacks on universities are often conducted for financial gain. These attacks attempt to deliver malware and obtain credentials to gain access to university networks to steal data to sell on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be used for identity theft and other types of fraud. Attacks are also conducted to deliver ransomware to extort money from universities.
Universities typically have high bandwidth to support tens of thousands of students and staff. Attacks are conducted to hijack devices and add them to botnets to conduct a range of cyberattacks on other targets. Email accounts are being hijacked and used to conduct spear phishing attacks on other targets.
Nation state sponsored advanced persistent threat (APT) groups are targeting universities to gain access to intellectual property and research data. Universities conduct cutting edge research and that information is extremely valuable to companies who can use the research data to develop products to gain a significant competitive advantage.
Universities are seen as relatively soft targets compared to organizations of a similar size. Cybersecurity defenses tend to be far less advanced, and the sprawling networks and number of devices used by staff and students make defending networks difficult.
With the number of cyberattacks on universities growing, leaders of higher education institutions need to take steps to improve cybersecurity and prevent the attacks from succeeding.
The majority of threats are delivered via email, so advanced email security defenses are essential, and that is an area where TitanHQ can help.
Independent test show SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan incorporates dual anti-virus engines to block known threats, machine learning to identify new types of phishing attacks, and sandboxing to detect and block zero-day malware and ransomware threats. When email attachments pass initial tests, suspicious attachments are sent to the sandbox for in depth analysis to identify command and control center callbacks and other malicious actions. SpamTitan also incorporates SPF and DMARC controls to block email impersonation attacks, data loss prevention controls for outbound messages and controls to detect potential email account compromises.
If you want to improve cybersecurity defenses, start with upgrading your email security defenses with SpamTitan. You may be surprised to discover the little investment is required to significantly improve your email security defenses. For more information, call the TitanHQ team today.
The City of Durham and the County of Durham in North Carolina have experienced a ransomware attack that has crippled both. The attack ‘started’ on March 6 in the late evening, which is common for ransomware attacks. Most take place in the evening and over the weekend, when there is less chance of the file encryption being detected.
Two separate attacks occurred simultaneously. Fast action by the IT department helped to contain the attack, but not in time to prevent approximately 80 servers from being infected. Those servers were encrypted and need to be rebuilt and approximately 1,000 computers had to be re-imaged.
There are many ways that cybercriminals gain access to business networks to deploy malware, but email is the most common attack vector. Most cyberattacks start with a phishing email and this attack was no different.
Ryuk ransomware was used to encrypt files on the network in order to extort money from the city and country. A ransom demand is issued which, depending on the extent of encryption, can range from several thousand dollars to several million. This phase of the attack is the most visible and causes the most disruption, but the attack actually started much earlier.
Ruyk ransomware is delivered by the TrickBot Trojan, an information stealer turned malware downloader. One installed on a networked device, the TrickBot Trojan performs reconnaissance, moves laterally, and installs itself on other computers on the network. Once all useful information has been found and exfiltrated, a reverse shell is opened and access to the system is given the ransomware operators. They will then move laterally and download their ransomware payload onto as many devices as possible on the network.
TrickBot downloaded by Emotet malware, a notorious botnet and Emotet is delivered via email. The Emotet campaigns used a combination of Office documents with malicious macros that download the malware payload and hyperlinks to websites where malware is downloaded. TrickBot may also be delivered directly through spam email. This Trio of malware variants can do a considerable amount of damage. Even if the ransom is not paid, losses can be considerable. The Trojans can steal a substantial amount of sensitive information including email credentials, banking credentials, tax information, and intellectual property.
In this case, seven computers appear to have been compromised in the first phase of the attack as a result of employees responding to phishing emails.
The key to blocking attacks such as this is to have layered defenses in place that are capable of blocking the initial attack. That means an advanced spam filtering solution is required to block the initial phishing emails and end users must receive regular security awareness training to help them identify any malicious emails that arrive in their inboxes. Multifactor authentication is needed to prevent stolen credentials from being used to access email accounts and endpoint security solutions are required to detect malware if it is downloaded.
To find out more about protecting your systems from phishing and malware attacks, and how a small per user cost per month can prevent a hugely expensive cyberattack, give the TitanHQ team a call today.
Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.
People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.
Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.
The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.
The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.
The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.
Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.
In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.
Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.
With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.