Email Scams

Reports of Internet users that have been caught out by email scams continue to increase. Whether it is drivers being told to pay speeding fines via a link on an email, or Facebook users being advised that they have violated the terms of their account, innocent victims continue to be ripped off by cybercriminals using email scams.

Business email compromise scams are also reported to have increased. These email scams involve the cybercriminal gaining access to a corporate email account – such as that of the CEO. An email is then sent apparently from the CEO to a member of the finance department requesting a bank transfer to the cybercriminal´s account. All too often the transfer is made without question.

Many email scams attempt to extract log-in credentials by asking the recipient of the email to log into an account to resolve an issue. The email contains a link to a bogus website, where the recipient keys in their username and password. In the case of the Facebook email scam, this gives the cybercriminal access to the recipient´s genuine account and all their social media contacts.

Many individuals use similar username and password combinations for multiple accounts and a cybercriminal could get the individual´s log-in credentials to all their online accounts (personal and work accounts) from just one scam email. Alternatively they could use the log-in credentials to infect the user´s accounts with malware.

To protect against email scams, security experts advise if you are contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual sender or company supposed to have sent the email to confirm its authenticity. Do not use the contact information supplied in the email. Perform an Internet search to independently obtain the sender´s genuine contact details.

Other measures that can be taken to protect yourself from email scams include:

  • Carefully check the sender’s email. Does it look like it is genuine?
  • Never open email attachments from someone you do not know
  • If you receive an email offering you a prize or refund, stay safe and delete the email
  • Ensure anti-virus software is installed on your computer and is up to date.

Phishing Attack Ends in Ryuk Ransomware Infection for City of Durham, NC


The City of Durham and the County of Durham in North Carolina have experienced a ransomware attack that has crippled both. The attack ‘started’ on March 6 in the late evening, which is common for ransomware attacks. Most take place in the evening and over the weekend, when there is less chance of the file encryption being detected.

Two separate attacks occurred simultaneously. Fast action by the IT department helped to contain the attack, but not in time to prevent approximately 80 servers from being infected. Those servers were encrypted and need to be rebuilt and approximately 1,000 computers had to be re-imaged.

There are many ways that cybercriminals gain access to business networks to deploy malware, but email is the most common attack vector. Most cyberattacks start with a phishing email and this attack was no different.

Ryuk ransomware was used to encrypt files on the network in order to extort money from the city and country. A ransom demand is issued which, depending on the extent of encryption, can range from several thousand dollars to several million. This phase of the attack is the most visible and causes the most disruption, but the attack actually started much earlier.

Ruyk ransomware is delivered by the TrickBot Trojan, an information stealer turned malware downloader. One installed on a networked device, the TrickBot Trojan performs reconnaissance, moves laterally, and installs itself on other computers on the network. Once all useful information has been found and exfiltrated, a reverse shell is opened and access to the system is given the ransomware operators. They will then move laterally and download their ransomware payload onto as many devices as possible on the network.

TrickBot downloaded by Emotet malware, a notorious botnet and Emotet is delivered via email. The Emotet campaigns used a combination of Office documents with malicious macros that download the malware payload and hyperlinks to websites where malware is downloaded. TrickBot may also be delivered directly through spam email. This Trio of malware variants can do a considerable amount of damage. Even if the ransom is not paid, losses can be considerable. The Trojans can steal a substantial amount of sensitive information including email credentials, banking credentials, tax information, and intellectual property.

In this case, seven computers appear to have been compromised in the first phase of the attack as a result of employees responding to phishing emails.

The key to blocking attacks such as this is to have layered defenses in place that are capable of blocking the initial attack. That means an advanced spam filtering solution is required to block the initial phishing emails and end users must receive regular security awareness training to help them identify any malicious emails that arrive in their inboxes. Multifactor authentication is needed to prevent stolen credentials from being used to access email accounts and endpoint security solutions are required to detect malware if it is downloaded.

To find out more about protecting your systems from phishing and malware attacks, and how a small per user cost per month can prevent a hugely expensive cyberattack, give the TitanHQ team a call today.

Beware of COVID-19 Phishing Emails

Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.

People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.

Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.

The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.

The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.

The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.

Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.

In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.

Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.

With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.

Emotet Phishing Campaigns Continue and New Wi-Fi Infection Method Identified

Emotet is the biggest malware threat faced by businesses and activity has increased considerably in recent weeks after a lull in December. Several new campaigns are now being identified each week, most of which are target businesses. One of the most recent campaigns uses a tried and tested technique to install the |Emotet Trojan. Malicious Word documents masquerading as invoices, estimates, renewals, and bank details.

The campaign mostly targets organizations in the United States and United Kingdom, although attacks have also been detected in India, Spain, and the Philippines. Approximately 90% of emails in this campaign target the financial services, with around 8% of attacks on companies in the food and drink industry.

The malicious Word documents are either attached to emails or hyperlinks are included in the emails that direct the user to a compromised website where the Word document is downloaded. The websites used are frequently changed and new Emotet variants are frequently released to prevent detection. Email security solutions that rely on AV engines to detect malware are unlikely to detect these zero-day threats as malicious.

Since Emotet is a massive botnet, emails spreading the Emotet Trojan come from many different sources. Email security solutions that rely on real-time blacklists are unlikely to detect these sources as malicious.

Emotet is primarily distributed via email from infected devices, but recently another distribution method has been identified. Emotet also spreads via Wi-Fi networks. This method has been used for almost two years, but it has only just been detected by security researchers at Binary Defense.

When Emotet is installed, a worm.exe binary is dropped that runs automatically. It attempts to connect to nearly Wi-Fi networks and brute forces weak passwords. Once connected to a Wi-Fi network, a search is conducted for non-hidden shares on the network. An attempt is made to enumerate all users connected to the Wi-Fi network, devices are brute forced, and the Emotet binary is dropped.

How to Block Emotet

The constantly changing tactics of the Emotet gang make detection difficult and no single solution will provide protection against all forms of attack. What is needed is a defense in depth approach and layered defenses.

The primary defense against a predominantly email-based threat such as Emotet is an advanced spam filtering solution. Many businesses have use Office 365 and rely on the protection provided by Exchange Online Protection (EOP), which is included as standard with Office 365 licenses. However, EOP alone will not provide enough protection against Emotet. EOP will block all known malware threats, but it struggles to identify zero-day attacks. To block zero-day attacks, more advanced detection methods are required.

SpamTitan has been developed to work seamlessly with EOP to protect Office 365 email from zero-day threats. SpamTitan uses a variety of techniques to identify Emotet, including dual antivirus engines to block known Emotet variants and sandboxing to block zero-day attacks. Suspicious or unknown attachments are sent to the sandbox where they are subjected to in depth analysis to identify command and control server call backs and other malicious actions. SpamTitan also scans outgoing emails to identify attempts to spread Emotet from an already-infected machine. SpamTitan also incorporates DMARC to identify email impersonation and domain spoofing, which are commonly used in emails spreading Emotet.

To provide protection against the web-based element of attacks, including Emotet emails that use malicious hyperlinks rather than email attachments, another layer needs to be added to cybersecurity defenses – a DNS filtering solution such as WebTitan.

WebTitan uses real-time URL threat detection powered by 650 million end users. The real-time database includes more than 3 million malicious URLs and IP addresses and each day around 100,000 new malicious URLs are detected and blocked. WebTitan also includes real-time categorization and detection of malicious domains, full-path URLs, and IPs, with up to the minute updates performed to block new malicious sources. As soon as a URL is identified as being used to distribute Emotet (or other malware) it is blocked by WebTitan. WebTitan also conducts link & content analysis, static, heuristic, & behavior anomaly analysis, and features in-house and 3rd party tools and feeds to keep users protected from web-based threats.

Other essential steps to take to tackle the threat from Emotet include:

  • Disable macros across the organization
  • Ensure operating systems are kept up to date and vulnerabilities are promptly patched.
  • Set strong passwords to thwart brute force attacks
  • Ensure endpoint protection solutions are deployed on all devices
  • Provide security awareness training to employees
  • Conduct phishing simulation exercises to identify employees that require further training

New PayPal Phishing Scam Seeks Extensive Amount of Personal Information

A new PayPal phishing scam has been identified that attempts to obtain an extensive amount of personal information from victims under the guise of a PayPal security alert.

The emails appear to have been sent from PayPal’s Notifications Center and warn users that their account has been temporarily blocked due to an attempt to log into their account from a previously unknown browser or device.

The emails include a hyperlink that users are asked to click to log in to PayPal to verify their identity. A button is included in the email which users are requested to click to “Secure and update my account now !”. The hyperlink is a shortened bit.ly address, that directs the victim to a spoofed PayPal page on an attacker-controlled domain via a redirect mechanism.

If the link is clicked, the user is presented with a spoofed PayPal login. After entering PayPal account credentials, the victim is told to enter a range of sensitive information to verify their identity as part of a PayPal Security check. The information must be entered to unlock the account, with the list of steps detailed on the page along with the progress that has been made toward unlocking the account.

First of all, the attackers request the user’s full name, billing address, and phone number. Then they are required to confirm their credit/debit card details in full. The next page requests the user’s date of birth, social security number, ATM or Debit Card PIN number, and finally the user is required to upload a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo ID.

This PayPal phishing scam seeks an extensive amount of information, which should serve as a warning that all is not what it seems, especially the request to enter highly sensitive information such as a Social Security number and PIN.

There are also warning signs in the email that the request is not what it seems. The email is not sent from a domain associated with PayPal, the message starts with “Good Morning Customer” rather than the account holder’s name, and the notice included at the bottom of the email telling the user to mark whitelist the sender if the email was delivered to the spam folder is poorly written. However, the email has been written to encourage the recipient to act quickly to avoid financial loss. As with other PayPal phishing scams, many users are likely to be fooled into disclosing at least some of their personal information.

Consumers need to always exercise caution and should never respond immediately to any email that warns of a security breach, instead they should stop and think before acting and carefully check the sender of the email and should read the email very carefully. To check whether there is a genuine issue with the account, the PayPal website should be visited by typing in the correct URL into the address bar of the browser. URLs in emails should never be used.

Tax Season Phishing Scams and Malspam Campaigns Start in Earnest

Tax season is now underway and business email compromise scammers have stepped up their efforts to obtain W-2 forms for tax fraud. These attacks often start with spear phishing emails targeting the CEO and the executive board. Once email credentials have been obtained, the accounts are then accessed, and emails are sent internally to payroll and the HR department requesting the W-2 forms of employees who have worked in the previous tax year.

Scammers targets businesses as there is much greater potential for profit than attacks on individual taxpayers, although consumers also need to be wary of IRS-related phishing scams. This time of year sees an increase in IRS phishing scams. Scammers impersonate the IRS and send emails informing taxpayers about a tax refund that is due and demands are sent for outstanding tax, with threats of dire consequences if prompt action is not taken to address issues.

Advances in email security have meant cybercriminals have had to get creative as it is harder to sneak phishing emails past email defenses. Phishing scams are now commonly initiated via text message, post, and over the telephone. There has already been one campaign identified where consumers are being targeted using robocalls warning that Social Security numbers have been suspended after suspicious activity was detected.

While many of these scams seek personal information, others are conducted to spread malware. One threat group that started its tax-related scams early this year is the Emotet gang. A campaign is currently being conducted that uses emails containing fake signed W-9 forms.

Signed W-9 forms are requested by companies from their contractors if they have been paid in excess of $600 during the tax year. Many companies will have requested signed W-9 forms from their contractors to confirm addresses and tax identification numbers, so they will be expecting copies of these forms in their inboxes.

The Emotet emails are short and to the point, saying “Thank you for your help. Pleased see attached file.” The emails include a Word document attachment named W-9.doc. When the document is opened, the Office 365 logo is displayed along with text stating the document was created in OpenOffice and requires the user to enable editing and enable content. Doing so triggers the silent download of the Emotet Trojan.

This is just one of the tax-related messages being used by the Emotet gang. There are likely to be many more variants sent over the next few weeks. Other cybercriminals gangs will similarly be conducting their own tax-themed phishing campaigns to spread different malware variants and ransomware.

Businesses, tax preparers, and consumers need to be on high alert during tax season for phishing scams and emails spreading malware.

Now is a good time for businesses to review their cybersecurity defenses and enhance protection against phishing and malware attacks. If you use Office 365 and rely on the anti-phishing protections built into Office 365 (EOP), you should consider enhancing your anti-phishing and anti-malware protection with a third-party spam filter – One that has superior malspam detection capabilities.

This is an area where TitanHQ can help. SpamTitan uses a variety of advanced techniques to detect and block phishing threats and zero-day malware, including a sandbox where unknown and suspicious email attachments are subject to in-depth analysis. Give the TitanHQ team a call to find out more about SpamTitan, improving office 365 malware and phishing protection, and to arrange a product demonstration and free trial of SpamTitan.

In the meantime, take steps to alert your workforce about tax-season phishing scams and prepare them in case a phishing email arrives in their inbox. An email alert sent to your employees about the threat of tax-season scams could prevent a costly phishing attack or malware infection.

Novel Coronavirus Phishing Scam Uses Scare Tactics to Spread Emotet Trojan

A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.

The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.

A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.

A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.

The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign is targeted on users in in different Japanese prefectures and warning of an increase in the number of local confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.

If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.

To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.

More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.

Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.

For further information on protecting your email system, contact TitanHQ today.

Emotet Botnet Springs Back to Life and Massive Phishing and Spamming Campaigns Resume

The Emotet botnet took a Christmas holiday but its now up and running again and the massive phishing and spamming campaigns have resumed. These campaigns, which involve millions of spam emails, use a variety of lures to trick people into opening an attachment and enabling content. The content in question includes a macro which runs a PowerShell command that downloads and executes the Emotet Trojan.

The Emotet Trojan is bad news. Emotet was once just a banking Trojan whose purpose was to steal online banking credentials. It still does that and much more besides. Emotet also steals credentials from installed applications and browsers. It is also self-propagating and will send copies of itself via email to the victim’s contacts. As if that was not bad enough, Emotet has another trick up its sleeve. It is also a downloader of other malware variants such as the TrickBot Trojan and Ryuk ransomware. These additional payloads allow data to be stolen and sold for profit and for files across the network to be encrypted and ransom demands issued. Emotet has also delivered cryptocurrency miners in the past and could deliver any number of other malware payloads.

The scale of the botnet is staggering. In the first quarter of 2019, Emotet was responsible for 6 out of 10 malicious payloads delivered via email. There are often breaks in activity, but even though the threat actors behind the botnet took almost half of 2019 off, Emotet still ranks as the top malware threat of the year.

Emotet sprung back to life on January 13, 2020 with targeted attacks on the pharmaceutical industry in North America, but it didn’t take long for the attacks to spread even further afield. Now more than 80 countries are being attacked and in addition to English, campaigns have been detected in Italian, Polish, German, Spanish, Japanese and Chinese.

The lures used to fool end users into opening email attachments are highly varied and often change. Tried and tested lures such as fake invoices, orders, statements, agreements, payment remittance notices, receipts, and delivery notifications are often used in attacks on businesses, which are the primary targets. Before the botnet shut down for a break in December, Greta Thunberg-themed emails were being used along with Christmas party invitations. A host no new lures can be expected in 2020.

The themes of the emails may change but the messages have one thing in common. They require an end user to take action. That is usually opening a document, spreadsheet or other file, but could be a click on a hyperlink in an email. Once that action is taken, Emotet will be silently downloaded.

There are two main ways of blocking attacks and both are necessary. The first is to ensure that the email system is secure, which means implementing an effective spam filter. Businesses that use Office 365 will have a modicum of protection through Exchange Online Protection (EOP), which is included with Office 365 subscriptions. However, businesses should not rely on EOP alone. Layered defenses are required.

SpamTitan is a powerful spam filter that will improve protection against malware threats such as Emotet. SpamTitan can be layered on top of Office 365 to provide greater protection and prevent the malware from being delivered to inboxes. Dual anti-virus engines are incorporated into the solution to detect known threats and SpamTitan includes a sandbox for identifying threats that signature-based detection mechanisms miss.

Many businesses deploy a variety of security solutions but fail to prepare their employees for an attack. If malicious emails make it past security solutions and are delivered to inboxes, all it takes is for one employee to fail to spot the threat and respond for Emotet to be installed (and potentially ransomware as well). It is therefore important to provide regular security awareness training to everyone in the company from the CEO down. If employees are not told how to identify malicious emails, they cannot be expected to spot threats and report the messages to the security team.

Fortunately, through a combination of email security solutions and security awareness training, the threat from Emotet can be neutralized. For more information on the former, give TitanHQ a call today.

Warnings Issued About Travelex Phishing Scams

Whenever there is a major event that attracts a lot of media attention cybercriminals will be poised to take advantage, so it is no surprise that warnings are being issued about Travelex phishing scams.

The Travelex ransomware attack that struck on New Year’s Eve involved a ransomware variant called Sodinokibi. The gang responsible is one of the most prolific threat groups using ransomware. The group’s attacks are highly targeted and seek to encrypt entire networks and the ransom demands reflect the scale of encryption. Travelex was initially issued with a demand for a payment of $3 million. That soon doubled to $6 million when payment was not made within the allocated timescale.

The fallout from the attack has been immense, which is unsurprising given that Travelex is the largest provider of currency exchange services worldwide. Many banks and retailers rely on Travelex to provide for their currency exchange services. Without access to those online services, currency exchange services came to a grinding halt. It has taken two weeks for Travelex to start bringing some of its services back online, but its website remains down and the disruption continues.

The attackers claimed to have stolen large quantities of customer data from Travelex. The attackers threatened to publish or sell the data if the ransom was not paid. This tactic is becoming increasingly common with ransomware gangs. In this case, the sodinokibi gang claimed to have gained access to Travelex systems 6 months previously and said they had stolen customer data including names, payment card information, and Social Security numbers and National Insurance numbers. The gang had also recently attacked the American IT company Artech Systems and had posted 337MB of data stolen in that attack, demonstrating to others that it was not an empty threat. Travelex maintained that no customer data had been stolen, but that has yet to be confirmed.

Warning Issued About Travelex Phishing Scams

Travelex customers should naturally err on the side of caution and monitor their accounts for signs of fraudulent use of their information but there are other risks from an attack such as this.

Travelex has issued a warning to its customers recommending they should be alert to the threat of phishing attacks via email and over the phone. Opportunistic scammers often take advantage of major events such as this and Travelex phishing scams are to be expected, as was the case following the TalkTalk data breach. These phishing scams are likely to be most effective on Travelex customers who have lost money as a result of the attack. Any offer of compensation or a refund is likely to attract a response.

For consumers, the advice is never to open email attachments or click on links in unsolicited emails. Businesses should also take steps to protect their networks from malware and phishing attacks.

Businesses should adopt a defense in depth strategy to protect against phishing scams and malware attacks. An advanced email security solution such as SpamTitan should be used to protect Office 365 accounts. SpamTitan improves protection against zero-day malware and phishing threats and blocks threats at the gateway.

A web filtering solution such as WebTitan should be used to block the web-based component of phishing and malspam campaigns and prevent end users from visiting malicious websites. End user training is also a must. It is important to teach employees how to identify phishing emails and malspam, and condition them how to respond when suspicious emails are received.

Ako Ransomware: A New Malware Threat Delivered via Spam Email

A new ransomware threat – Ako ransomware – has emerged which is targeting business networks and is being distributed via spam email. The ransomware is being offered to affiliates under the ransomware-as-a-service model and the aim of the attackers is clear. To maximize the probability of payment of the ransom by making recovery harder, and to steal data prior to encryption to ensure the attack is still profitable if the ransom is not paid. Having the data could also help convince the victims to pay up, as we have seen in recent attacks involving Maze and Sodinokibi ransomware, where threats are issued to publish stolen data if the ransom is not paid.

The developers of Ako ransomware appear to be going for large ransom payments, as they are not targeting individual workstations, rather the entire network. The ransomware scans local networks for other devices and will encrypt network shares. The ransomware deletes shadow copies and recent backups and disables Windows recovery to make recovery more difficult without paying the ransom.

Encrypted files are given a randomly generated file extension and retain the original file name. No ransom amount is stated in the ransom note. Victims are required to contact the attackers to find out how much they will need to pay for the keys to decrypt their files.

One of the intercepted emails being used to distribute the ransomware uses a password-protected zip file as an attachment. The email appears to be a business agreement which the recipient is asked to check. The password to open and extract the file is included in the message body. The zip file attachment – named agreement.zip – contains an executable file which will install Ako ransomware if it is run. The malicious file is called agreement.scr.

There is no free decryptor for Ako ransomware. Recovery without paying the ransom will depend on whether viable backups exist that have not also been encrypted. It is therefore important to make sure backups are regularly performed and at least one copy of the backup is stored on a non-networked device to prevent it also being encrypted by the ransomware. Backups should also be tested to make sure file recovery is possible.

Since Ako ransomware is being distributed via spam email, this gives businesses an opportunity to block an attack. An advanced spam filtering solution should be implemented that scans all inbound messages using a variety of detection mechanisms to identify malware and ransomware threats. A sandbox is an important feature as this will allow email attachments to be analyzed for malicious activity. This feature will improve detection rates of zero-day threats.

nd user training is important to ensure that employees do not open potentially malicious files. Training should condition employees never to open email attachments in unsolicited emails from unknown senders. As this campaign shows, any password protected file sent in an unsolicited email is a big red flag. This is a common way that ransomware and malware is delivered to avoid detection by antivirus solutions and spam filters.

Anti-spam solutions and antivirus software will not be able to detect the threat directly if malicious files are sent in password-protected archives, which can only be opened if the password is entered. Rules should therefore be set to quarantine password-protected files, which should only be released after they have been manually checked by an administrator. With SpamTitan, these rules are easy to set.

Ako ransomware is one of many new ransomware threats that have been released in recent months. High profile attacks on companies such as Travelex that see massive ransom demands issued, which in many cases are paid, show a huge payday is possible.

Ransomware developers will keep developing new threats for as long as attacks remain profitable, and there is not likely to be a shortage of affiliates willing to run spamming campaigns to get their slice of the ransom payments.

With the attacks increasing, it is essential for you to have strong defenses that can detect and block malware, ransomware, and phishing threats, and that is an area where TitanHQ can help.

To find out more about how you can improve your defenses against email and web-based threats, give the TitanHQ team a call today.

2-Year Phishing Attack Detected Targeting Canadian Bank Customers

Customers of Canadian banks have been targeted by cybercriminals in an extensive phishing campaign that has been ongoing for at least the past two years, according to Check Point Research which uncovered the campaign. As with many other financial phishing scams, the attackers spoof the website of a well-known bank and create a virtual carbon copy of the home page of the bank on a lookalike domain, which often only differs from the genuine domain name by a letter or two.

A link to the fraudulent site is then sent in a mass spamming campaign to email addresses on the specific country top level domain where the bank operates. The emails instruct users to visit the banks website and login, usually under the guise of a security alert. When the link in the email is clicked, the user is directed to the spoofed site and may not notice the domain name is not quite right. They then enter their login credentials which are captured by the scammers. The credentials are then used to make fraudulent wire transfers to accounts controlled by the attackers.

In this campaign, the emails include a PDF email attachment. PDF files tend to be trusted to a higher degree than Word documents and spreadsheets, which end users have usually been instructed to treat as suspicious. The PDF file includes a hyperlink, which the user is instructed to click. Since the hyperlink is in the document rather than the email body, it is less likely to be scanned by email security solutions and has a higher chance of being delivered.

The user is told that they are required to update their digital certificate to continue using the online banking service. The PDF file includes the bank logo and a security code, which the user is required to enter when logging in. The code is included in the PDF attachment rather than email body for security reasons. As with most phishing scams, there is urgency. The recipient is told that the code expires in 2 days and that they must register within that time frame to avoid being locked out of their account.

The landing pages on the websites are identical to those used by the banks as the attackers have simply taken a screen shot of the bank’s landing page. Text boxes have been added where the username, password, and token number must be entered. Users are then asked to confirm the details they entered while the attackers attempt to access their account in real-time and make a fraudulent transfer.

These tactics are nothing new. Scams such as this are commonplace. What is surprising is how long the campaign has been running undetected. The scammers have been able to operate undetected by registering many lookalike domains which are used for a short period of time. Hundreds of different domains have been registered and used in the scam. At least 14 leading banks in Canada have had their login pages spoofed including TD Canada Trust, Scotiabank, Royal Bank of Canada, and BMO Bank of Montreal.

All of the websites used in the scam have now been taken down, but it is all but guaranteed that other lookalike domains will be registered and further scams will be conducted.

Greta Thunberg Spam Emails Used to Spread Emotet Banking Trojan

A spamming campaign has been detected that is piggybacking on the popularity of Greta Thunberg and is using the climate change activist’s name to trick individuals into installing the Emotet Banking Trojan.

Emotet is one of the most active malware threats. Emotet was first detected in 2014 and was initially used to steal online banking credentials from Windows users by intercepting internet traffic. Over the years it has undergone several updates to add new functionality. It has had a malspam module added, which allows it to send copies of itself via email to a user’s contacts. Emotet also includes a malware downloader, allowing it to download a range of other malware variants such as other banking Trojans and ransomware.

The malware is used indiscriminately in attacks on individuals, businesses, and government agencies, with the latter two being the main targets. Emotet is primarily spread via spam email, and while exploits are not used to spread to other devices on the network – EternalBlue for instance – other malware variants downloaded by Emotet can. TrickBot for instance.

The Greta Thunberg spam campaign aims to get users to open a malicious Word attachment and enable content. If that happens, Emotet will be silently downloaded to the user’s device, sensitive banking information will be stolen, and further malware may be downloaded.

The campaign was active over the holiday period and used a variety of Christmas-themed lures to entice users into opening the email attachment. Some of the emails did not include an attachment and instead used a hyperlink to direct the user to a website where the malicious document could be downloaded.

One of the emails wished the recipient a Merry Christmas and urged them to consider the environment this Christmastime and join a demonstration in protest against the lack of action by governments to tackle the climate crisis. The email claimed details about the time and location of the protest were included in the Word document. The email also requested the recipient to send the email on to all their colleagues, friends, and relatives immediately to get their support as well. Several variations along that theme have been detected.

To increase the likelihood of the recipient enabling content, when opened the document displays a warning that appears to have been generated by Microsoft Office. The user is told that the document was created in OpenOffice and it is necessary to first enable editing first and then enable content. Doing the latter will enable macros which will start the infection process.

The emails are well written and have been crafted to get an emotional response, which increases the likelihood of the user taking the requested action. The emails have been sent in multiple languages in many different countries.

Whenever there is a major news event, popular sports tournament, or other event that attracts global interest, there will be cybercriminals taking advantage.  Regardless of the theme of any email, if it is unsolicited and asks you to click a link or open an email attachment, it is best to assume that it is malicious.

Businesses can protect their networks against threats such as these by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan will identify threats such as phishing attacks and will prevent the messages from reaching inboxes. SpamTitan also includes dual anti-virus engines to detect known malware and machine learning techniques and sandboxing to identify and block zero-day malware.

For further information on how SpamTitan can protect your business from email threats such as this, contact TitanHQ today.

New PayPal Phishing Scam Uses Unusual Activity Alerts to Obtain Credentials

A new PayPal phishing scam has been detected that uses unusual activity alerts as a lure to get users to login to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign is different as the attackers are after much more than just account credentials.

This PayPal phishing campaign attempts a clean sweep – PayPal credentials, credit card details, email addresses and passwords, and security questions and answers.

The PayPal phishing scam is one of the most dangerous to date in terms of the financial harm that could be caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can be then used for further phishing scams on the victim’s family members, friends, and contacts.

The PayPal phishing scam starts with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.

The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.

If the link is clicked, the user will be directed to a fake PayPal website where they are required to login to restore their account. In this first stage, PayPal account credentials are obtained.  The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.

The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.

The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.

All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.

Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. This PayPal scam shows that those warnings may not always be genuine and that you should always exercise caution.

The golden rule? Never click links in emails. Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials. This is important as there has been an increase in typosquatting attacks, where cybercriminals take advantage of careless typists who misspell domain names when entering them into the address bar of their browser.

Employees Frequently Respond to Phishing Emails and Business Phishing Protections are Coming Up Short

Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.

The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.

71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.

A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.

The Importance of Layered Phishing Defenses

To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.

With layered defenses, businesses are not replying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.

One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.

What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.

As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.

If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.

Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.

Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.

8 Essential Email Security Best Practices for SMBs

The aim of this post is to provide you with some easy to adopt email security best practices that will greatly improve your organization’s security posture.

Email is the Most Common Attack Vector!

It is a certainty that business email systems will be attacked so email security measures must be implemented. The best form of email security is to do away with email altogether, but since businesses rely on email to communicate with customers, partners, and suppliers, that simply isn’t an option.

Email not only makes it easy to communicate with the people you need to for your business to operate, it also allows cybercriminals to easily communicate with your employees and conduct phishing attacks, spread malware and, if a corporate email account is compromised, communicate with your customers, partners and suppliers.

Email security is therefore essential, but there is no single solution that will protect the email channel. A spam filtering solution will stop the majority of spam and malicious email from reaching inboxes, but it will not block 100% of unwanted emails, no matter what solution you implement. The key to robust email security is layered defenses. If one defensive measure fails, others are in place that will provide protection.

You need a combination of technical, physical, and administrative safeguards to secure your email. Unfortunately, there is no one-size-fits-all approach that can be adopted to secure the email channel but there are email security best practices that you can adopt that will improve your security posture and make it much harder for cybercriminals to succeed.

With this in mind, we have outlined some of the most important email security best practices for your business and your employees to adopt.

Email Security Best Practices to Implement Immediately

Cybercriminals will attempt to send malware and ransomware via email, and phishing tactics will be used to steal sensitive information such as login credentials, so it is important to be prepared. Listed below are 8 email security best practices that will help you keep your email system secure. If you have not yet implemented any of these best practices, or have only done so partially, now is the time to make some changes.

Develop a Cybersecurity Plan for Your Business

We have included this as the first best practice because it is so important. It is essential for you to develop a comprehensive cybersecurity plan for your entire organization as not all threats arrive via email. Attacks come from all angles and improving email security is only one of the steps you need to take to improve your overall cybersecurity posture.

There are many resources available to help you develop a cybersecurity plan that addresses all cyber risks. The Federal Communications Commission has developed a Cyberplanner to help with the creation of a custom cybersecurity plan and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a Cyber Essentials Guide for Small Businesses and Governments. Take advantage of these and other resources to develop an effective cybersecurity plan.

Implement an Advanced Spam Filtering Solution

A spam filter serves as a semi-permeable membrane that prevents email threats from being delivered to inboxes and lets genuine emails pass through unimpeded. This is the single most important security measure to implement to protect against email threats and productivity-draining spam.

If you use Office 365 you will already have some protection, as Office 365 includes a spam filter and anti-virus software, but it falls short on phishing protection and will not block zero-day malware threats. You need layered defenses to secure email which means a third-party spam filter should be used on top of Office 365. Research from Avanan showed 25% of phishing emails bypass Office 365 defenses.

There are many spam filtering services for SMBs, but for all round protection against known and zero-day threats, ease of implementation, ease of use, and price, SpamTitan is the best choice for SMBs.

Ensure Your Anti-Virus Solution Scans Incoming Emails

You will no doubt have anti-virus software in place, but does it scan incoming emails? Email is one of the main ways that malware is delivered, so anti-virus software for email is a must. This does not necessarily mean you need a different antivirus solution. Your existing solution may have that functionality. Your spam filter is also likely to include AV protection. For example, SpamTitan incorporates dual anti-virus engines for greater protection and a sandbox where email attachments are analyzed for malicious actions. The sandbox his used to detect and block zero-day malware – New, never-before seen malware variants that have yet to have their signatures incorporated into AV engines.

Create and Enforce Password Policies

Another obvious email security best practice is to create a password policy that requires strong passwords to be set. There is no point creating a password policy if it is not enforced. Make sure you implement a control measure to prevent weak passwords from being set. Weak passwords (password, 123456, or dictionary words for example) are easy to remember but also easy to guess. Consider that cybercriminals are not sitting at a computer guessing passwords one at a time. Automation tools are used that make thousands of password guesses a minute. It doesn’t take long to guess a weak password! You should also make sure rate limiting is applied to block an IP from logging in after a set number of failed login attempts.

It is a good best practice to require a password of at least 8 characters to be set, with a combination of upper- and lower-case letters, numbers, and symbols and to block the use of dictionary words. Consider allowing long passphrases to be used as these are easier for employees to remember. Check National Institute of Science and Technology (NIST) advice on secure password practices if you are unsure about creating a password policy.

Implement DMARC to Stop Email Impersonation Attacks and Domain Abuse

DMARC, or Domain-based Message Authentication, Reporting & Conformance to give it its full name, is an email protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine whether an email is authentic.

By creating a DMARC record you are preventing unauthorized individuals from sending messages from your domain. DMARC also lets you know who is sending messages from your domain, and it lets you set a policy to determine what happens to messages that are not authenticated, I.e. quarantine them or reject them. Some email security solutions, such as SpamTitan, incorporate DMARC authentication.

Not only DMARC help you block email impersonation attacks, it also prevents abuse of your domain. Your DMARC record tells receiving email servers not to accept messages sent from authenticated users, thus helping protect your brand.

Implement Multi-Factor Authentication

Multi-factor authentication is yet another layer you can add to your anti-phishing defenses. Multi-factor authentication, as the name suggests, means more than one method is used to authenticate a user. The first factor is usually a password. A second factor is also required, which is something a person knows or possesses. This could be a mobile phone, to which a one-time PIN code is sent, or a token on a trusted device.

This safeguard is vital. If a password is obtained, in a phishing attack for example, the password alone will not grant access to the email account without an additional factor being provided. A combination of a password, token, and one-time PIN is a good combination.

Train Your Employees and Train Them Again

No matter how tech savvy your employees appear to be, assume they known nothing about cybersecurity. They will certainly not routinely stick to email security best practices unless you train them to do so and then hammer the message home.

Before letting any employee have access to email, you should provide security awareness training. Your training should cover email security best practices such as never opening email attachments from unknown senders, never enabling content in documents unless the document has been verified as legitimate, and never to click hyperlinks in emails or send highly sensitive information such as passwords via email.

You must also train your employees how to recognize phishing emails and other malicious messages and tell them what to do when suspicious emails are received. Anyone with access to email or a computer must be provided with security awareness training, from the CEO down.

One training session is not enough. Even an annual training session is no longer sufficient. You should be providing regular training, be sending cybersecurity newsletters warning about the latest threats, and using other tools to help create a security culture in your organization.

Conduct Phishing Awareness Simulation Exercises

You have provided training, but how do you know if it has been effective? The only way to tell is to conduct tests and that is easiest with phishing simulation exercises. These are dummy phishing emails that are sent to employees when they are not expecting them to see how they respond. You maybe surprised at how many employees respond and disclose sensitive information, open attachments, or click links in the emails.

The aim of these emails is to identify people that have not taken their training on board. The idea is not to punish those employees, but to tell you who needs further training. There are several companies that can assist you with these exercises. Some even offer free phishing simulation emails for SMBs.

TitanHQ is Here to Help!

TitanHQ has developed SpamTitan to be easy for SMBs to implement, use, and maintain. It requires no hardware, no software, and all filtering takes place in the cloud. Not only does SpamTitan offer excellent protection against the full range of email-based threats, it is also one of the lowest cost solutions for SMBs to implement.

Give the TitanHQ team a call today for more information on SpamTitan and to find out about how you can also protect your business from web-based threats and meet your compliance requirements for email.

Fake Court Subpoenas Used as Phishing Lure for Malware Distribution

Phishers are constantly changing tactics and coming up with new ways to fool people into handing over their credentials or installing malware. New campaigns are being launched on a daily basis, with tried and tested lures such as fake package delivery notices, fake invoices and purchase orders, and collaboration requests all very common.

In a departure from these common phishing lures, one threat group has opted for a rarely seen lure, but one that has potential to be very effective: Fake court subpoenas. The emails use fear and urgency and are designed to get users to panic and click quickly.

This campaign has been running for a few weeks and is targeting users in the United Kingdom, although this scam could easily be adapted and used in attacks on users in other countries.

Many phishing scams have the goal of stealing credentials to allow email accounts or Office 365 accounts to be accessed. In this case, the aim of the attack is to spread information stealing malware called Predator the Thief.

The phishing emails appear to have been sent by the Ministry of Justice in the UK. The sender field has Ministry of Justice as the display name and the emails have the Ministry of Justice crest, although the actual email address suggests the email has come from the Department of Justice (DOJ).

The emails warn the user that they have been subpoenaed. They are supplied with a case number along with a date when they have been ordered to attend court.

The emails include a hyperlink which the user must click to find out details of the charge and the documents they will need to bring with them to court. Urgency is added by warning the recipient they only have 14 days to respond to provide notice, and that the court case will proceed without them if they do not respond.

The URL in the email is seemingly benign, as it links to Google Docs – a trusted website. Clicking the link will see the user first directed to Google Docs, then redirected to OneDrive. When the user arrives on the OneDrive site, a document is downloaded. That document contains a malicious macro that launches a PowerShell command that downloads Predator the Thief malware.

Predator the Thief is an information stealer that can take screenshots and steals email and FTP credentials, along with cryptocurrency wallets and browser information. In contrast to many browser information stealers, this malware variant doesn’t just target the main browsers, but a host of less popular browsers. Once information has been stolen, the malware cleans up and exits, which makes it harder for the infection to be detected.

Phishing scams such as this highlight the need for layered security. Naturally, an advanced anti-spam solution such as SpamTitan should be implemented to block these threats and ensure and ensure messages are not delivered to end users’ inboxes.  SpamTitan also includes DMARC email authentication to block mail impersonation attempts and a sandbox where email attachments are analyzed for malicious actions.

SpamTItan blocks in excess of 99.9% of all malicious emails, but it is not possible to block 100% of threats no matter what email security solution you use. This is where another layer is required. WebTitan is a DNS filtering solution that blocks threats such as this at the point where a DNS lookup is performed. This allows malicious websites to be blocked before any content is downloaded. WebTitan can also be configured to block downloads of certain file types.

With these two solutions in place, your business will be well protected against phishing emails and web-based malware downloads.

New Stripe Phishing Campaign Masks URL to Get Credentials and Bank Account information

A new Stripe phishing campaign has been detected that uses fake warnings advising users about an invalid account to lure people into divulging their credentials and bank account information.

Stripe is an online payment processor used by many online firms on their e-commerce websites to accept payments from their customers. As such, the company is perfect for spoofing as many people will be aware that the company processes payments and will think it reasonable that they need to provide credentials and bank account information to ensure payments are processed.

The scam starts with a phishing email supposedly from the Stripe Support department. The email advises the customer that the information associated with their account is currently invalid. The message is sent as a courtesy notice warning the user that their account will be placed on hold until the matter is corrected. The user is asked to review their details to correct the issue. A button is included in the email for users to click to do this.

The emails contain spelling mistakes and questionable grammar, so are likely to be identified as suspect by vigilant individuals. Security awareness training often teaches employees to hover their mouse arrow over a hyperlink to find out the true URL, but in this campaign it will not work. The attackers have added a title to the HTML tag of the embedded hyperlink so when the mouse arrow is hovered over the “Review your Details” button, that text will be displayed instead of the URL.

If that button is clicked, the user will be directed to a seemingly legitimate Stripe login page. The login box is a clone of the real login page and a series of boxes will be displayed, each requiring different information to be entered, including bank account and contact information.

When the user is required to enter their password, regardless of what is typed, the user will be advised that they have entered an incorrect password and will be asked to enter the password again. The user is then directed to the legitimate Stripe login page to make it appear they have been on the correct Stripe website all along.

Similar tactics are used in countless other phishing campaigns targeting other well-known companies. The presence of spelling mistakes and grammatical errors in messages should tip off end users that the email is a phishing attempt, but all too often end users fail to notice these errors and click and divulge sensitive information.

One issue is a lack of cybersecurity training in the workplace. If employees are not trained how to identify phishing emails, it is inevitable that some will end up falling for these scams and will divulge their credentials. Those credentials can be used to gain access to bank accounts or email accounts, with the latter often used to conduct further phishing attacks on the organization. One email account breach can easily lead to dozens of breached accounts.

For example, a phishing attack on a U.S. healthcare provider started with a single phishing email and led to 73 email accounts being compromised. As for cybersecurity awareness training, this is often nonexistent. One recent study on 2,000 employees in the United Kingdom revealed three quarters had received no workplace cybersecurity training whatsoever.

Protected by Microsoft Office 365 Anti-Phishing Controls? Are You Sure?

One in every 99 emails is a phishing email, so it is important to ensure your defenses are capable of blocking those messages. Many businesses mistakenly believe they are protected against these emails by Microsoft’s Office 365 anti-phishing controls. While those measures do block spam email and some phishing messages, one recent study by Avanan has shown 25% of phishing attacks sneak past Office 365 defenses and are delivered to inboxes. For an average firm that means several phishing emails will reach end users’ inboxes every day. To ensure your business is protected against phishing attacks, additional anti-phishing controls are required on top of Office 365.

Businesses can protect their Office 365 accounts against phishing by layering SpamTitan on top of Office 365. SpamTitan is an advanced anti-phishing and anti-malware solution that provides superior protection against phishing, malware, spear phishing, and zero-day attacks.

Heuristics rules are used to analyze message headers and these rules are constantly updated to include the latest threats. Bayesian analysis and heuristics are used to check message content, and along with machine learning techniques, new threats are blocked and prevented from reaching inboxes. Sandboxing is also used to assess email attachments for malicious code used to install malware in addition to dual-AV engines that scan for known malware.

These advanced measures ensure that Office 365 inboxes are kept free from malware and phishing emails. These advanced capabilities along with the ease of implementation and use and industry-leading customer support are why SpamTitan is the leading provider of anti-spam and anti-phishing solutions for SMBs and managed service providers that serve the SMB market.

For further information on SpamTitan, to book a product demonstration or set up a free trial, contact the TitanHQ team today.

Beware of Thomas Cook Phishing Scams

The collapse of the package holiday operator Thomas Cook left thousands of holidaymakers stranded, hundreds of thousands of holiday bookings have been cancelled, and more than 9,000 staff have lost their jobs. The company and other UK firms in its group have been forced into compulsory liquidation and cybercriminals have been quick to take advantage. Dozens of Thomas Cook-related domains were registered following the collapse of the firm and several Thomas Cook phishing scams have been detected.

Customer that have incurred out-of-pocket expenses as a result of the collapse of the company and anyone who has paid for a package holiday that has been cancelled may be entitled to a refund or compensation. That has given scammers the perfect opportunity to launch phishing attacks seeking bank account an credit card information.

Customers who have booked Thomas Cook holidays are protected under the ATOL scheme and refunds are being processed by the Civil Aviation Authority, which has set up a subdomain on its website – thomascook.caa.co.uk – where customers can submit claims for refunds. More than 360,000 holidays have been booked for more than 800,000 holidaymakers, who are entitled to refunds. More than 60,000 customers submitted refund forms on the first day that the website was set up and claims for out-of-pocket expenses are being processed by travel insurance firms. The CAA has stated that it will take 60 days for the refunds to be issued.

Anyone who has yet to submit their claim should exercise caution as there are multiple phishing scams being conducted offering money back on canceled holidays, reimbursement of out-of-pocket expenses, compensation, and fake updates on the status of refund claims. Any email received in relation to Thomas Cook should be treated as a potential scam.

Scams may be conducted with the aim of spreading malware or ransomware. Malicious code is contained in file attachments that trigger a malware download when the attachment is opened. However, far more common in situations when people are demanding refunds is to send phishing emails containing hyperlinks to malicious websites. Those websites require sensitive information such as credit card information and bank account details to be entered. Scammers are well aware that in order for refunds to be processed, bank account information would be required and phishing forms have been set up on fake Thomas Cook domains to do just that.

While there may be some giveaways that emails are not genuine – spelling mistakes and grammatical errors – some Thomas Cook phishing scams are virtually impossible to distinguish from genuine communications. Banks have also been notifying customers by email, which has presented scammers with even more opportunities to hoodwink Thomas Cook customers. There have also been reports of former employees being targeted by scammers offering compensation.

The golden rule to avoid becoming a victim of Thomas Cook phishing scams is never to respond to a request in an unsolicited email. Attachments should not be opened, hyperlinks in emails should not be followed, and contact information included in the message body should not be used. Only use official channels such as the CAA website, and contact banks and travel insurance firms directly using verified contact information.

Free Copy of Edward Snowden’s Book Used as Lure in New Emotet Malspam Campaign

The Emotet botnet sprung back to life following a 4-month period of dormancy over the summer. The first campaigns, which involved hundreds of thousands of messages, used lures such as fake invoices, payment remittance advice notices, and statements to lure recipients into opening a malicious Word document, enabling content, and inadvertently launching a string of actions that result in the downloading of Emotet: One of the most dangerous malware variants currently being distributed via email.

It has only been a few days since those campaigns were detected, but now a new campaign has been detected. The latest malspam campaign also delivers Emotet but this time the lure is a free copy of Edward Snowden’s book – Permanent Record. The book is an account of Edward Snowden’s life that led up to his whistleblowing actions in 2013.

The campaign includes English, Italian, Spanish, and German language versions which claim to offer a free scanned copy of the former CIA staffer’s book. The English language version of the book is being distributed via email, so the attackers claim, because it is “Time to organize collective readings of Snowden book everywhere.” The email tells the recipient to “Go buy the book now, read it, share it, discuss it,” but conveniently a scanned copy is attached called Scan.doc.

As with the previous campaign, opening the attachment will display a Microsoft Product Notice – with appropriate logo – informing the user that Word has not been activated. The user is required to enable content to continue using Word and view the content of the document. At this point, all it takes is a single click to silently install Emotet. Once installed, Emotet will download other malware variants, including the TrickBot Trojan. Emotet is also being used to distribute ransomware payloads.

While the lures in the Emotet campaigns are regularly changed, they have all used malicious scripts in Word documents which download Emotet. The emails may be sent from unknown individuals or email addresses may be spoofed to make the emails appear to have come from a contact or work colleague.

The lures are convincing and are likely to fool may end users into opening the attachments and enabling content. For businesses, that can lead to a costly malware infection, theft of credentials, fraudulent bank transfers, and ransomware attacks.

Businesses can reduce risk by ensuring employees are told never to open email attachments in unsolicited emails from unknown senders, but also to verify the authenticity of any email attachment by phone before taking any action. It is also important to condition employees never to enable content in any document sent via email.

While end user security awareness training is essential, advanced anti-malware solutions are also required to prevent those messages from ever reaching inboxes.

SpamTitan includes DMARC authentication to block email impersonation phishing attacks and a Bitdefender-powered sandbox where suspicious email attachments can be safely executed and studied for malicious actions.

Along with a wide range of other content checks, including Bayesian analysis and greylisting, emails such as these can be blocked and prevented from being delivered to end users.

Businesses Beware! The Emotet Botnet is Back With a Vengeance

After a quiet summer, the Emotet botnet is back in action. The threat actors behind Emotet are sending hundreds of thousands of malicious spam emails spreading the Emotet Trojan via malicious Word documents.

Emotet first appeared in 2014 and was initially a banking Trojan used to obtain credentials to online bank accounts. The stolen credentials are used to make fraudulent wire transfers and empty business accounts. Over the years the Trojan has evolved considerably, with new modules being added to give the malware a host of new features. Emotet is also polymorphic, which means it can change itself each time it is downloaded to avoid being detected by signature-based anti-malware solutions. Up until the start of 2019, more than 750 variants of Emotet had been detected.

The latest iteration of Emotet is capable of stealing banking credentials and other types of information. It is also capable of downloading other malware variants, which has led to security researchers naming it ‘triple-threat malware,’ as it has been used recently to download the TrickBot Trojan and Ryuk ransomware. These three malware threats along with the scale of the operation make Emotet one of the most dangerous threats faced by businesses. It is arguably the costliest and most destructive botnet ever seen.

Last summer, Emotet activity was so high and the threat so severe that the Department of Homeland Security issued an alert to all businesses in July 2018 warning them of the threat. That warning was mirrored by the UK National Cyber Security Center which published its own warning about the malware in September 2018. Activity remained high well into 2019, but suddenly stopped at the start of June when command and control server activity fell to next to nothing.

The hiatus in activity was only brief. Researchers at Cofense Labs discovered its command and control servers had been activated again in late August and a massive spamming campaign commenced on September 16 using bots in Germany. The campaign was initially focused on businesses in the United States, Germany, and United Kingdom but the campaign has now spread to Austria, Italy, Poland, Spain, and Switzerland.

After being downloaded, Emotet spreads laterally and infects as many devices as possible on the network. Email accounts on infected machines are hijacked and used to send further spam emails to all contacts in the account. Finally the malware downloader module is used to a secondary and often tertiary malware variant.

The latest campaign uses Word documents containing malicious macros, which launch PowerShell scripts that fetch the Emotet Trojan from a variety of different compromised websites, many of which are running the WordPress CMS.

The campaign uses a variety of lures including invoices, payment remittance advice, and statements, the details of which are contained in Word documents that require content to be enabled to view the document content.

Upon opening the document, the user is requested to accept the Office 365 license agreement. Failure to enable content, so the document claims, will result in Microsoft Word features being disabled.

This campaign includes personalized subject lines including the recipients name to increase the likelihood of a user taking the requested action. Genuine email thread are also hijacked to make it appear that the user has already been communicating with the sender of the email. Around a quarter of attacks use hijacked email threads. Data from Cofense indicates emails are being sent from 3,362 hijacked email accounts from 1,875 domains.

It is currently unclear whether Ryuk ransomware is being distributed in this campaign. Several researchers have confirmed that TrickBot is being downloaded as a secondary payload.

The key to blocking attacks with polymorphic malware is to implement layered defenses, including an advanced spam filtering solution, anti-virus software, and web filter. It is also important to ensure that the staff is made aware of the threat of attack and the types of email that are being used to spread the Trojan.

How to Block Google Calendar Phishing Scams

Google has acknowledged a vulnerability in the Google Calendar app is being exploited by cybercriminals to inject fake and malicious items into Google Calendar.

Several Google Calendar phishing campaigns were detected over the summer of 2019 which were exploiting this flaw. The campaigns saw Google Calendar spam sent to large numbers of users, including invites to events and other requests and special offers that popped up on unsuspecting users’ screens.

These notifications contained links to webpages where users could find out more information about the events and special offers. If events were accepted, they would be inserted into users’ calendars and would trigger automatic notifications. The offers and invites would keep on appearing until the users’ clicked the link. Those links directed users to phishing pages where credentials were harvested.

Some of the scams required credit card information to be entered, others required the user to login using their Office 365 credentials. Links could also direct users to webpages where drive-by malware downloads take place.

Most people are aware of the threat of phishing emails, malicious text messages, and social media posts that harvest sensitive information, but attacks on calendar services are relatively unheard of. Consequently, many users will fail to recognize these notifications and calendar items as malicious, especially when they appear in a trusted app such as Google Calendar.

Unfortunately, these attacks are possible because in the default setting, anyone can send a calendar event to a user. That event will be inserted into the user’s calendar and will automatically trigger notifications, as is the case with legitimate events.

In addition to events, messages can include special offers, notifications of cash prizes, alerts about money transfers, and all manner of other messages to entice the user to click a malicious link and disclose sensitive information or download malware.

Google Calendar is not the only calendar service that is prone to these attacks. Apple users have also been targeted, as have users of other calendar apps.

How to Block Google Calendar Phishing Attacks

Recently, a Google employee acknowledged the increase in ‘calendar spam’ and confirmed action was being taken by Google to address the problem.

In the meantime, users can prevent these spam and phishing messages from appearing by making a change to the app settings. Users should navigate to Event Settings > Automatically Add Invitations, and select the option “No, only show invitations to which I’ve responded” and uncheck the “show declined events” option in View Options.

Businesses should also consider including Google Calendar phishing scams in their security awareness training programs to ensure employees are aware that phishing attacks are not limited to email, text message, telephone calls, and social media posts.

Business Email Compromise Scams Now the Leading Cause of Losses to Cybercrime

Business email compromise scams are now the leading cause of cyberattack-related losses. Billion are being lost each year and there are no signs of the attacks abating. In fact, it has been predicted that the number of attacks and losses will continue to increase.

Around 1% of global GDP is lost to cybercrime each year and that figure is increasing rapidly. Currently, around $600 billion is lost each year to cybercrime. A FinCEN report from July 2018 shows that suspicious activity report (SAR) filings have increased from $110 million per month in 2016 to $301 million per month in 2018 and Cybersecurity Ventures predicts losses will increase to $6 trillion globally by 2021. According to the FBI, more than $1.2 billion was lost to business email compromise scams in the United States alone in 2018.

Business email compromise (BEC) scams involve the impersonation of an executive or other individual, whose compromise email account is used to send fraudulent wire transfer requests. A variation sees a business associate of the company spoofed and requests sent demanding outstanding involves be paid.  The latter is now more common than attacks spoofing the CEO.

BEC attacks usually start with a spear phishing attack to obtain email account credentials. Once email credentials are compromised, the account is used to send messages to other individuals in the organization, such as employees in the payroll, HR, or finance department. Since the emails come from a trusted source within the organization and the wire transfer requests are not unusual, payment is often made.

A successful attack can see sizable wire transfers made to accounts controlled by the attackers. Payments are often for tens of thousands of dollars or, in some cases, millions of dollars. A recent attack on a subsidiary of the car manufacturer Toyota Boshoku Corporation saw a fraudulent transfer of $37 million made to the attackers.

While that incident stands out due to the scale of the loss, fraudulent transfers of millions of dollars are far from unusual. In many cases, only a small percentage of the transferred funds are recovered. Since these attacks can be extremely profitable, it is no surprise that the so many cybercriminal gangs are getting in on the act and are conducting campaigns.

A new report from the insurer AIG shows BEC attacks are now the leading reason for cybersecurity-related insurance claims, having overtaken ransomware attacks for the first time. 23% of all cyberattack-related claims are due to BEC scams.

In the most part, these BEC attacks can be prevented with basic cybersecurity measures. AIG attributes the rise in claims to poor security measures at the targeted organizations. Investigations have uncovered numerous basic cybersecurity failures such as not providing security awareness training to employees, the failure to enforce the use of strong passwords, no multi-factor authentication, and poor email security controls.

If businesses fail to implement these basic cybersecurity measures, attacks are inevitable. Cyber-insurance policies may cover some of the losses, but many SMBs will not be in a position to make a claim. For them, BEC attacks can be catastrophic.

If you run a business and are concerned about your defenses against phishing, spear phishing, and BEC attacks, contact TitanHQ to find out more about effective cybersecurity solutions that can block BEC attacks.

Office 365 Phishing Campaign Uses Scraped Branded Office 365 Tenant Login Pages

An innovative phishing campaign has been discovered that uses branded Microsoft Office 365 login pages to trick victims into believing they are logging into their genuine Office 365 account.

The phishing emails warn the user that a message synchronization failure has blocked the delivery of emails to the user’s account. A link is supplied with the anchor text “Read Message” which directs the user to a fake Office 365 login page where they can review the messages and decide what to do with them.

If the user clicks on the link, their email address will be checked and validated, and the user will be directed to the phishing page. What makes this campaign unique is the check allows the attackers to scrape the branded tenant Office 365 login page used by the company via HTTP GET requests. The company’s custom background and logo are added dynamically to the phishing page. If a company does not have a custom login page, the standard Office 365 background is used.

The login pages are clones of the tenant pages, so they are unlikely to be recognized as fake by users. The phishing pages are also hosted on legitimate cloud storage infrastructure. The domains include either the blob.core.windows.net or azurewebsites.net domains, which have valid Microsoft SSL certificates. The result is a highly convincing campaign that is likely to fool many employees into divulging their login credentials.

Microsoft Office 365 Users are Under Attack!

Microsoft Office 365 is the most widely adopted cloud service by user count and has more than 155 million active users. 1 in 5 U.S. employees use at least one Office 365 service and half of businesses that use cloud services use Office 365. With such high numbers it is no surprise that Office 365 users are being targeted.

What is of major concern is the number of phishing emails that are bypassing standard Office 365 phishing defenses. A study by Avanan this year showed 25% of phishing emails bypass Office 365 defenses and arrive in employees’ inboxes.

When access is gained to one email account, it can be used for lateral phishing attacks on other employees in the organization. The goal of the attackers is to compromise as many accounts as possible and, ideally, an administrator account. Compromised accounts can also be used for BEC attacks, credentials can be used to access other Office 365 resources, and email accounts can be plundered for sensitive data.

How to Protect Your Business and Block Office 365 Phishing Attacks

There are three key measures to take to improve your defenses against Office 365 phishing attacks. The most important step is to improve anti-phishing protections with a third-party anti-spam and anti-phishing solution.

SpamTitan can be implemented in minutes and will provide superior protection against phishing attacks on Office 365 accounts. The solution has been independently tested and shown to block more than 99.9% of spam emails and 100% of known malware. A sandboxing feature allows suspicious attachments to be detonated in a safe and secure environment where all actions are analyzed for malicious activity and DMARC authentication of emails provides protection from email impersonation attacks that usually bypass Office 365 filters.

No anti-phishing solution will provide total protection against phishing attacks, so it is important to ensure that employees receive security awareness training. The workforce should be taught about the risks of email attacks and how to identify phishing emails. With training, you can turn your employees into strong last line of defense.

Even the most security-conscious employee could be fooled into disclosing their Office 365 credentials by a sophisticated phishing email. It is therefore important to implement 2-factor authentication.

2-factor authentication requires a second method of authenticating users, other than a password, when they attempt to login from an unfamiliar location or new device. In the event of credentials being compromised, account access can be blocked by -factor authentication. However, 2-factor authentication is not infallible, so businesses should not rely on this measure alone to protect their Office 365 accounts.

If you want to find out more about improving Office 365 defenses, give the TitanHQ team a call today and book a product demonstration. SpamTitan is also available on a free trial to let you see the difference the solution makes before you make a purchase decision.

New CAPTCHA Phishing Scam Targets Android Users and Steals SMS Security Codes

A new CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.

When a visitor lands on the phishing page, a check is performed to determine what device is being used. If the user is on an Android device, a malicious APK file is downloaded to their device. Any other platform will receive a zip file containing malware.

A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is housed on a PHP webpage and any clicks on the images are submitted to the PHP page, which triggers the download of the malicious file. This campaign appears to be focused on mobile users.

On an Android device, the malicious APK intercepts PIN codes from two-factor authentication messages, which allow the attackers to gain access to the user’s bank account.  With these PIN codes, an email account can also be compromised, which would allow further accounts to be compromised by requesting password resets.

A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.

This method of delivering malware is nothing new and has been around since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign was run in 2016.

A method of attack is adopted for a while then dropped. While it is possible to prepare the workforce for phishing attacks such as this through training, security awareness training alone is not enough as tactics frequently change, and new methods of attack are frequently developed.

As this attack shows, two-factor authentication is far from infallible. In addition to this method of obtaining 2FA codes, the SS7 protocol used to send SMS messages has flaws that can be exploited to intercept messages.

Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.

It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that incorporates Domain-based Message Authentication, Reporting & Conformance (DMARC) will help to ensure that the sender of the message is genuine, by performing checks to make sure that the sender of the message is authorized to send messages from that domain.

Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals are using sophisticated methods to evade detection by AV solutions. Files may include malicious code that is hard to detect. A sandbox is therefore required to execute suspicious attachments in a safe environment where they can be monitored for malicious activity. By testing attachments in the sandbox, malicious files can be identified and more genuine emails and attachments will arrive in inboxes.

SpamTitan incorporates these features and more. Together they help to ensure a catch rate in excess of 99.9%, with a low false positive rate of 0.03%. With SpamTitan in place, you will be well protected against phishing attacks such as the latest CAPTCHA scam.

Equifax Phishing Scams Offer Victims Compensation But Steal Bank Credentials

Equifax phishing scams have been detected which are attempting to take advantage of individuals who were affected by the 143-million record data breach and want to make a claim to recover their out-of-pocket expenses.

Several lawsuits have been filed against Equifax over the breach. One of those lawsuits, filed by the Federal Trade Commission, has recently been settled for $700 million. That figure includes a fund of $425 million to cover claims from victims of the breach.

Anyone who was affected by the breach is entitled to submit a claim, and with so many people affected, scammers have a more than reasonable chance of landing an email in the inbox of an individual who was affected by the breach. More than half the population of the United States had their information exposed.

In order to make a claim, victims of the breach must visit a website set up by Equifax where claims can be processed. The name of the correct domain reflects its purpose – equifaxbreachsettlement.com – which does have a hint of phishiness about it.

Cybercriminals have set up a plethora of fake sites that closely resemble the genuine website, with similarly phishy but realistic names. Those sites similarly allow victims of the breach to submit a claim.

When submitting a claim on the genuine website, the claimant must enter their contact information and make their claim. They can choose to have the payment sent on a pre-paid card or by check in the mail. At no point must a Social Security number, bank account information, or credit card information be entered.

Large-scale spam campaigns are being conducted inviting victims of the breach to submit their claim and receive their share of the settlement amount.  Hyperlinks are embedded in the messages which link to fake Equifax claim webpages.

After landing on these phishing webpages, users are guided through making a claim. Contact information is requested along with other sensitive information to confirm identity. Bank account information is also requested to process direct deposit refunds.

After entering in all that information, the claim is submitted, and the user is likely to be unaware that their sensitive information has been stolen.

Any email received in relation to the Equifax data breach settlement should be treated as potentially suspicious. Anyone wanting to make a claim should visit equifaxbreachsettlement.com

New Tactics Identified in Ongoing Office 365 Phishing Scams

Microsoft Office 365 is being adopted by businesses at a staggering rate. Office 365 is now the most widely used cloud service in terms of number of users. One in 5 corporate employees use an Office 365 cloud service and, according to Gartner, 56% of businesses using cloud services use Office 365.

Any platform that attracts such high numbers of business users is a major target for cybercriminals. Hackers are developing innovative ways of attacking businesses and bypassing Office 365 protections to get their phishing emails delivered to inboxes.

Campaigns are tested on genuine Office 365 accounts to ensure Office 365 defenses are bypassed, before targeted campaigns are conducted on business users. Microsoft’s standard Exchange Online Protection (EOP) is not sufficient to block these threats. At a minimum, users need to pay for Advanced Threat Protection (APT) to provide the level of protection required to block the types of sophisticated phishing attacks that are fast becoming the norm.

Four campaigns that have recently been identified use novel tactics to evade detection and fool end users into disclosing their login credentials.

Custom 404 Error Pages Used to Host Office 365 Phishing Forms

Microsoft researchers identified a novel tactic being used in a phishing campaign targeting office 365 users – 404 error pages to host phishing forms. 404 error pages are displayed when a website visitor attempts to visit a page that does not exist. By customizing the 404 page and using it to host a phishing form, the attackers have a virtually unlimited supply of phishing URLs to use. Any random URL would bring up the 404 page and the phishing form. Many email security solutions would not detect the link as malicious.

Voicemail Notifications Used as Lure in Office 365 Phishing Campaign

Avanan researchers recently identified a phishing campaign that uses voicemail notifications as a lure to obtain Office 365 credentials.  The emails include Microsoft Office 365 logos and notification of the time of a call, the caller number, and the length of the voicemail message.

The text and logos are combined into three images in the email and an HTML file is attached which the email claims is the voicemail message. If opened, the HTML attachment uses meta refresh to redirect a user from the locally stored HTML page to an Internet-hosted page where they are presented with an Office 365 login box. Credentials are required to listen to the message through the spoofed voicemail management system.

Office 365 Admin Credentials Targeted

Office 365 credentials are valuable, but none more so than administrator credentials. A typical employee may have an email account containing sensitive data and their credentials may allow a limited number of cloud resources to be accessed. A set of administrator credentials would give an attacker the ability to create new accounts, access other users’ accounts, send messages from their email accounts, and access a much greater range of resources.

Office 365 admins are being targeted in a campaign that uses Office admin alerts about time-sensitive issues to lure them into disclosing their credentials. Two common lures are a critical problem with the mail service and the discovery of an unauthorized access incident.

Attacks Use Credentials in Real Time

A phishing campaign has been detected in which the attackers use the data captured from fake Office 365 login forms to access the genuine Office 365 account in real-time. If the login fails, a warning is displayed requesting the user re-enter their credentials.  When the correct credentials have been entered, the user is redirected to their real Office 365 inbox, most likely totally unaware that their credentials have been stolen.

These are just four new tactics being used by cybercriminals to gain access to the Office 365 credentials of business users. Without advanced anti-phishing defenses in place, many of these sophisticated phishing emails will be delivered to end users’ inboxes. Security awareness training for employees will go a long way toward strengthening your last line of defense, but unless the majority of email threats are blocked, data breaches will occur.

Businesses using Office 365 need to ensure their email security defenses are up to scratch and can detect and block advanced phishing threats. That means paying for Office 365 ATP or using a third-party anti-spam and anti-phishing solution.

With SpamTitan layered over Office 365, businesses will be protected from the full range of email-based threats. Advanced phishing techniques such as those detailed above are detected and neutralized by SpamTItan.

TitanHQ’s DNS filtering solution, WebTitan, adds another layer of security to protect against phishing attacks. WebTitan blocks all known malicious web pages and scans new websites for malicious content. Threats are detected and webpages are blocked before any content can be downloaded.

For further information on securing Office 365 accounts and improving your anti-phishing defenses, contact the TitanHQ team today.

U.S Hotels Targeted In Malspam Campaign Spreading NetWiredRC RAT

Hotels in America are being targeted by cybercriminals in a campaign spreading a remote access Trojan (RAT) called NetWiredRC. The RAT is delivered via malicious emails targeting financial staff in hotels in North America.

The campaign uses a typical lure to get recipients to open the attached file. The message claims there are invoices outstanding and the recipient is asked to validate payment. The invoices are included in a zip file attached to the email.

If the file is extracted and the executable is launched, the Trojan will be downloaded by a PowerShell script. The Trojan achieves persistence by loading itself into the startup folder and will run each time the computer boots.  The malware gives the attacker full control over an infected computer. Files can be uploaded and downloaded, further malware variants can be installed, keystrokes can be logged, and credentials can be stolen.

The ultimate aim of the threat actors behind this campaign is not known, although most cyberattacks on hotels are conducted to gain access to guest databases and payment systems. If malware can be loaded onto POS systems, card details can be skimmed when guests pay for their rooms. It can be months before hotels discover their systems have been breached, by which time the card details of tens of thousands of guests may have been stolen. Hutton Hotel in Nashville, TN, discovered in 2016 that its POS system had been infected with malware for three years.

There have been several recent cases of cyberattacks on hotels resulting in guest databases being stolen and sold on darknet marketplaces. The data breach at Marriott resulted in the theft of 339 million records and Huazhu Hotels Group in China experienced a breach of 130 million records.

Data breaches can prove incredibly costly. The cost of the data breach at Marriott could well reach $200 million, but even smaller data breaches can prove costly to resolve and can cause serious damage to a hotel’s reputation.

The latest spam campaign shows just how easy it is to gain a foothold in a network that ultimately leads to a 3-year data breach or the theft of more than 300 records: The opening of an attachment by a busy employee.

Hotels can improve their defenses by implementing cybersecurity solutions that block the threats at source.  SpamTitan protects businesses by securing the email system and preventing malicious messages from reaching end users’ inboxes. WebTitan is an advanced web filtering solution that allows hotels to block malware downloads and carefully control the websites that can be accessed by staff and guests.

For further information on TitanHQ’s cybersecurity solutions for hotels, contact the sale team today.

North Carolina County Loses $1.7 Million to BEC Scam

Cabarrus County in North Carolina is the latest victim of a major Business Email Compromise attack. The scammers impersonated a building contractor that was constructing a new high school in the County and succeeded in redirecting a $2.5 million payment to their account.

One of the contractor’s email accounts was compromised and an email was sent to a contact at the County requesting a change to the usual bank account.

Any request for such a change naturally needed to pass checks, but since the scammers had sent through all the appropriate documentation, the banking information was changed. The scammers then waited until the next regular payment was made. That payment was for $2,504,601.

The missing payment was queried by the contractor, Branch and Associates, and an investigation uncovered the scam. The relevant banks were informed to freeze the accounts to prevent the money from being withdrawn, but despite the quick response, the banks were only able to recover $776,518.40. The scammers had managed to divert $1,728,082.60 to a variety of accounts and had pocketed the funds.

The County was protected by an insurance policy, but it only provided $75,000 of coverage. $1,653,082.60 of the funds had to be covered by the County, in addition to the costs of investigating the attack, implementing additional security measures, and the cost increase of its insurance premiums after making such a large claim.

In this case the transfer was substantially larger than the average fraudulent BEC wire transfer, but transfers of this magnitude are far from unusual. Figures released by the U.S. Financial Crimes Enforcement Network (FinCEN) show there has been a 172% increase in losses to BEC attacks since 2016. Attacks are also increasing in frequency. In 2018, 1,100 BEC attacks were reported by businesses and $310 million per month was lost to BEC attacks.

FinCEN’s report shows businesses in the manufacturing and construction industries are the most commonly targeted and face the greatest risk of attack, although all businesses need to be aware of the threat and should take steps to reduce risk.

Defending against BEC attacks requires a variety of technical and administrative safeguards. There is no single solution that can be implemented which will detect and block all BEC attacks.

BEC scams usually start with a phishing email, so steps should be taken to improve email security. Advanced email security solutions such as SpamTitan can identify and block these BEC threats. SpamTitan also provides protection against the second stage of the attack. In addition to scanning all incoming emails, SpamTitan also scans outbound email for potential threats coming from within the organization.

Not all threats can be blocked, even with highly advanced email security defenses, so it is essential for the workforce to be trained how to identify potential email threats. Policies and procedures should also be developed covering amendments to banking credentials and email requests for bank transfers over a certain size.

Companies that fail to take action to reduce risk could well find their losses included in next year’s FinCEN BEC financial losses report.

If you have not implemented an anti-spam solution, if you are unhappy with your current provider, or if you use Office 365 for email, contact the TitanHQ team today to find out more about improving your security posture and increasing your defenses against BEC attacks.

Business Email Compromise Attacks Cost $310 Million a Month in 2018

New figures have been released by the U.S. Financial Crimes Enforcement Network (FinCEN) on 2018 Business Email Compromise attacks. The latest FinCEN report highlighted the pervasiveness of the threat and potential for the attacks to result in serious financial harm.

Business Email Compromise (BEC) attacks are concerned with gaining access to a business email account and using that account to send messages to other individuals in an organization and business contacts. While compromised email accounts can be used for a variety of purposes, with BEC the primary goal is usually to convince an employee to make a fraudulent wire transfer or send sensitive information such as employee W-2 Forms.

Social engineering techniques are used to obtain the credentials of a high-level executive and convince an employee to make a fraudulent transfer. While at face value these scams are simplistic – they involve sending an email that requests a bank transfer be made – the scams are often highly sophisticated.

More than $300 Million a Month Was Lost to 2018 Business Email Compromise Attacks

The FinCEN report shows why these attacks are worth the effort. The average fraudulent transaction value in 2018 was $125,439 and $310 million per month was lost to BEC scams in 2018.

FinCEN received approximately 1,100 suspicious activity reports in 2018 that were attributed to BEC scams. It should be taken into consideration that many businesses are not obliged to report security breaches such as BEC scams, so the total losses will be considerably higher.

BEC attacks are also being conducted far more frequently and losses to the scams have skyrocketed. The 2016 FinCEN report indicates at least $110 million was lost to BEC scams. Losses to BEC scams have increased by 172% increase in just two years.

There has been a marked change in BEC scam tactics over the last two years, which has helped to increase the dollar amount of each fraudulent transaction.

As previously mentioned, the scams involve compromising an email account, which was commonly the email account of the CEO or CFO. The email accounts were used to send wire transfer requests and the average transaction value was $50,272. The 2018 figures show that there has been a shift from attacks that impersonate the CEO to attacks impersonating contractors and other vendors.

If a vendor’s email account is compromised, fake invoices can be sent to all companies that the vendor works for. Further, the typical amount of a vendor invoice is substantially higher than the transfer amounts typically requested by CEOs.

FinCEN’s figures show the average fake invoice transaction value was $125,439 for fake invoices from contractors, which is $75,167 more than the typical CEO email request.

FinCEN’s 2017 figures indicate 33% of BEC attacks involved impersonation of the CEO, but the percentage had fallen to just 12% in 2018. 39% of all BEC attacks in 2018 involved the impersonation of an outside entity such as a business associate, contractor, or vendor.

How to Improve Defenses Against BEC Attacks

With attacks increasing and losses spiraling, businesses need to take steps to reduce risk by improving email security and providing further training to employees. Employees should be made aware of the risk of BEC attacks, told about the latest threats, and should be taught how to identify a scam email. Policies should also be developed and implemented which require verification of all emailed transfer requests and bank account changes.

Training and policies will help to create a strong last line of defense, but the primary goal should be blocking the scam emails at the email gateway to ensure end users are not tested. That requires a powerful anti-spam and anti-phishing solution such as SpamTitan. SpamTitan blocks more than 99.97% of all spam and malicious emails to keep business inboxes threat free.

For further information on SpamTitan and other cybersecurity protections to reduce the risk of phishing and BEC attacks, contact TitanHQ today.

New Office 365 Phishing Scams Detected

Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.

The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.

A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.

If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.

The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants and a module also been developed for propagation which includes the EternalBlue exploit.

Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.

This is a professional campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.

Office 365 Admins Targeted

A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.

Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.

The emails contain a link for the admin to use to login to their Office 365 account to address the problem. The user will be directed to a webpage on the windows.net domain which has a valid certificate from Microsoft. The Microsoft login box is identical to that used on the Microsoft site.

Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.

Admin credentials are highly valuable as they allow an attacker to create new office 365 accounts, access other user’s mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common due to the high value of the accounts and the range of attacks they allow a hacker to perform.

There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.

However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.

WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.

Contact TitanHQ today to find out more about SpamTitan and WebTitan for SMBs and MSPs, the different deployment options, pricing information, and to book a product demonstration.

An Easy Way to Block Email Impersonation Attacks on Businesses

Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. Cybersecurity defenses are being tested like never before.

Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.

Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be preferable, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.

One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.

The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.

Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.

One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF is a DNS-based filtering control that helps to identify spoofed messages. SPF sets authorized sender IP addresses on DNS servers. Recipient servers perform lookups on the SPF records to make sure that the sender IP matches one of the authorized vendors on the organization’s DNS servers. If there is a match the message is delivered. If the check fails, the message is rejected or quarantined.

DKIM involves the use of an encrypted signature to verify the sender’s identity. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check to make sure the genuine emails have not been flagged incorrectly.

Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.

DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.

TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to protect against email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered sandbox.

For further information securing your email channel and blocking email-based threats, contact TitanHQ today.

Increase in Cyberattacks on Ships Prompts U.S. Coast Guard Warning

The past few months have seen an increase in reported cyberattacks on ships. The rise in cyberattacks on the commercial shipping network has prompted the U.S. Coast Guard to issue a warning.

This is the second such warning to be issued by the U.S. Coast Guard in the past three months. Together with a recent shipping industry report, they confirm that shipping companies and commercial vessels are being targeted by hackers and many of those attacks are succeeding.

Ships are now largely controlled by computers and mouse clicks and there is increasing reliance on electronic navigation systems. It is now common for operational technology and information technology to be linked together via onboard networks and certain systems are now connected to the internet. When devices are networked and connect to the Internet, hackers are given the opportunity to attack.

The cyberattack that prompted the latest warning occurred in February 2019. A ship bound for the Port of New York started experiencing severe disruption to its shipboard network. Vessel control systems were not affected, although the functionality of the network was severely degraded. The U.S. Coast Guard led a forensic investigation which revealed malware had been installed on the network.

The ship was known to be vulnerable to attack so the crew did not typically use the network for personal matters such as email. The network was only used for business purposes, which involved contact with third parties to maintain charts, manage cargo data, and communicate with shore-side facilities. It is currently unclear how the malware was installed, but what is clear is that cybersecurity defenses were nowhere near sufficient.

The advice from the Coast Guard is to implement network segmentation to limit the harm that can be caused in the event of an attack. Network profiles should be created for each user, and the rule of least privilege should be applied. Anti-virus software should be installed, all software should be kept up to date, and care should be taken connecting any external device to a networked computer due to the risk of malware.

If hackers can gain access to the network, they can steal sensitive data, cause serious disruption to internal networks, and systems could even be rendered inoperable. An extortion attack involving ransomware, for instance, could leave shipping firms with no alternative other than to pay up.

These attacks are the latest in a string of cyberattacks on commercial vessels. In December 2018, 21 shipping associations and industry groups produced a set of guidelines on cybersecurity onboard ships to help commercial vessel operators improve security, secure their networks, and make it difficult for hackers.

The report details recent USB-based attacks, RDP-based attacks, phishing attacks, ransomware attacks, and attacks involving malware, viruses, and worms. The attacks have caused major delays to shipping firms, financial losses, and in some cases have jeopardized safety.

Just as captains must make sure that access to the engine room is restricted, the same should be the case for computer systems. If systems are not secured, cyberattacks are inevitable.

TitanHQ can help shipping firms protect against email and web-based attacks and block the two main vectors that are used to attack commercial vessels.

Contact the team today to ask about SpamTitan and WebTitan: TitanHQ’s award winning antispam and DNS filtering solutions.

U.S. Cybersecurity Agency Warns of Wiper Malware Attacks

Tension is rising between the United States and Iran following the downing of a U.S. Global Hawk surveillance drone close to the Strait of Hormuz and the recent mine attacks.

Less visual are the attacks on IT systems. The Washington post recently reported that the United States had conducted a successful cyberattack on the Islamic Revolutionary Guard Corps, part of the Iranian military, which is believed to have been involved in the mine attacks.

Iranian-affiliated hacking groups have conducted cyberattacks on U.S. industries and government agencies and those attacks are increasing in frequency. So much so that the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, sent out a warning on Twitter about the increased risk of attack.

“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” said Krebs.

Threat actors affiliated with Iran have been using wiper malware in targeted attacks on businesses, government agencies, industries, and infrastructure. Whereas ransomware encrypts files with the aim of receiving a ransom payment, the purpose of wiper malware is to permanently destroy data and wipe systems clean.

Wiper malware has previously been used in major attacks, some targeted, others less so. In 2012, Saudi Aramco, a Saudi Arabian oil firm, was attacked with a wiper malware variant called Shamoon. The malware wiped tens of thousands of computers.

More recently were the NotPetya attacks. While initially thought to be ransomware, it was later discovered there was no mechanism for file recovery and the malware was a wiper. Some companies were hit hard.  The shipping firm Maersk suffered losses of around $300 million due to NotPetya. Global losses are estimated to be between $4-8 billion.

Hackers working for the Iranian regime commonly gain access to computers and servers through the use of phishing, spear phishing, credential stuffing, and password spraying.

“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” warned Krebs.

As with ransomware, recovery from a wiper malware attack is reliant on backups, except there is no safety net as a ransom cannot be paid to recover data. It is therefore essential that a working copy of all data is maintained, with one copy stored securely off-site on a non-networked, non-internet exposed device.

Even with a working copy of data, recovery can be time consuming and costly. It is therefore important to ensure that solutions are in place to block the main attack vectors.

A spam filtering solution with advanced anti-malware capabilities is therefore required to block email-based attacks. A web filtering solution can prevent users from visiting malicious websites or inadvertently downloading malware and employees should be provided with security awareness training to help them recognize potential threats.

Standard cybersecurity best practices should be adopted such as ensuring strong password policies are implemented and enforced, multi-factor authentication is implemented, all software is kept up to date and patched are applied promptly. IT departments should also ensure permissions are set to the rule of least privilege.

U.S Universities Targeted in Widespread Phishing Campaign

A phishing campaign targeting university employees has already claimed several victims and has seen many email accounts compromised.

Emails are tailored to the institution and use a range of social engineering tricks to convince employees to click a link in the email and enter their Office 365 login credentials to access online content. The credentials are captured and used to gain access to university email accounts.

Once credentials have been obtained, a treasure trove of sensitive data can be plundered. Emails and email attachments contain personally identifiable information of staff, students, and parents, which can be used to commit identity theft and other fraudulent acts. Proprietary information can be obtained, along with details of contacts. The compromised accounts can also be used to conduct further phishing attacks on the university and externally on business contacts and other educational institutions.

Campaigns convincing users to install malware can give the attackers full control of university computers and a foothold to move laterally throughout the network. Access to university email accounts and backdoors in university computers are sold on the dark web, along with a range of stolen and forged university documents.

The healthcare industry is heavily targeted by cybercriminals due to the high value of health data. Health data is versatile and can be used for a multitude of fraudulent purposes. It also has a long-life span and can be used for much longer than financial information.  Cybercriminals are also now realizing the potential rewards from attacks on universities. Student data is similarly versatile, and the wealth of data stored in university email accounts provides plenty of opportunities for profit.

Oregon State University is the latest university to announce it is the victim of a phishing attack. The Office 365 email account of an employee was compromised, through which the attacker had access to the records of 636 students. The account was used to send phishing emails to other entities throughout the United States.

Graceland University in Iowa and Southern Missouri State University recently announced that several email accounts had been compromised in recent phishing attacks, which would have allowed access to be gained to sensitive information.

It is unclear whether this is a single campaign or part of a wave of separate attacks on universities. What is clear is the attacks are increasing, so universities should take steps to improve email and web security.

Employees are being targeted so it is important to ensure that staff members are taught email security best practices and are shown how to identify phishing emails.

Technological defenses can also be improved to prevent malicious messages from arriving in Office 365 inboxes. As an additional protection, a DNS filter can be used to prevent users from accessing phishing websites and other known malicious web pages.

TitanHQ has developed powerful anti-phishing and anti-malware solutions for universities that help them protect against email and web-based attacks.

SpamTitan is a powerful anti-spam solution that incorporates DMARC authentication and sandboxing to provide superior protection against impersonation and malware attacks for Office 365 users.

WebTitan is a DNS filtering solution that prevents users from accessing known malicious websites, such as those used for phishing and distributing malware.

To improve Office 365 phishing defenses and better protect your email accounts and networks from malware attacks, contact TitanHQ for further information on these two powerful cybersecurity solutions for educational institutions.

Ransomware Attacks on the Rise Once More and Cities are in Attackers’ Crosshairs

The use of ransomware to attack businesses continued to decline throughout 2018 after extensive use of the file-encrypting malware by cybercriminals in 2016 and 2017. In 2018, ransomware fell out of favor with cybercriminals, who turned to other forms of cybercrime to make money.

However, ransomware is seeing something of a resurgence in 2019. The latest Breach Insights Report from Beazley Breach Response Services shows ransomware attacks are increasing once again. In the first quarter of 2019, ransomware attack notifications from its clients increased by 105% from Q1, 2018. Ransom demands are also increasing.

The rise in attacks has continued in Q2. Attacks using MegaCortex ransomware surged in late April. The ransomware variant was first identified in January and was only used in a handful of attacks in the following three months, but in the last week in April, 47 confirmed attacks were reported.

Dharma ransomware attacks have similarly increased. According to Malwarebytes, the past two months have seen a 148% increase in attacks. The threat actors behind Dharma ransomware are now using a variety of methods to distribute their ransomware payload.

The most common method of distribution is phishing emails. Emails contain embedded hyperlinks that direct users to a malicious website where the ransomware payload is downloaded. Email attachments containing malicious scripts are also used to download the ransomware payload.

Attacks are also taking place via remote desktop protocol over TCP port 3389. Brute force attacks are conducted to gain access to a device then ransomware is deployed. Dharma ransomware has also been identified in fake antivirus software programs which are pushed via a variety of websites. Users are tricked into downloading fake AV software after receiving a fake alert about a malware infection that has been detected on the user’s device.

Ransomware has also been used in conjunction with other malware such as Emotet. Emotet was once a banking Trojan but has since morphed into a botnet, capable of stealing login credentials, propagating itself via email on an infected device, and is capable of downloading other malware payloads. Emotet has been used to distribute Ryuk ransomware.

There have been upticks in attacks using other ransomware variants and the popularity of ransomware continues to grow, with some industries targeted more than others. Healthcare organizations are an attractive target as access to patient data is critical for providing medical services. There is a higher probability of ransom demands being paid due to reliance on patient data.

A recent report from Recorded Future has confirmed that attacks on towns, cities, and local government systems are soaring. Its study confirmed that there were 169 attacks on county, city, or state government systems and police and sheriffs’ offices since 2013. There were 38 ransomware attacks in 2017, 53 in 2018, and 22 attacks have already occurred in 2019 and the year is not yet halfway through.

Akron, OH; Albany, NY; Jackson County and Cartersville, GA; and Lynn, MA, have all been attacked this year and the city of Baltimore, MA, has been struggling to recover from its attack for the past two weeks with many city services still disrupted.

The rise in attacks is understandable. The potential rewards from a successful attack are high, many victims have no alternative but to pay, and thanks to ransomware-as-a-service, attacks are easy to pull off and require little in the way of skill.

As long as the attacks continue to be profitable, they will continue. What businesses need to do is to make it much harder for the attacks to succeed and to ensure that if disaster does strike, recovery is possible without having to pay a ransom.

Recovery depends on viable backups of all critical files being available. That means regular backups must be made, those backups need to be tested to make sure files can be restored, and copies need to be stored securely where they cannot also be encrypted.

Remote Desktop Protocol is a weak point that is commonly exploited. If RDP is not required, it should be disabled. If disabling RDP is not an option, strong, complex passwords should be used and access should only be possible using a VPN.

To block web-based attacks, consider implementing a web filtering solution such as WebTitan which prevents users from visiting known malicious websites and downloading executable files types.

One of the primary methods of delivering ransomware is spam and phishing emails. An advanced spam filtering solution should be implemented to block malicious emails and ensure they are not delivered to end users’ inboxes. SpamTitan now incorporates a sandbox, which allows suspicious files to be executed in a secure environment where activities of the files can be safely analyzed for malicious actions. SpamTitan also scans outgoing mail for signs of infection with Emotet.

While these technical controls are important, you should not forget end users. By providing security awareness training and teaching end users how to recognize potential threats, they can be turned into a strong last line of defense.

Fortunately, with layered defenses you can make it much harder for ransomware attacks to succeed and can avoid becoming yet another ransomware statistic.

United States Businesses Targeted in Shade Ransomware Attacks

Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.

Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.

The downloaded files use JavaScript or other scripts to download the Shade ransomware payload. Shade ransomware encrypts a wide range of files and changes the background on the infected computer to alert the user that their files have been encrypted. Ransom notes are also saved to the Desktop with the filename of README1.txt through to README10.txt. Those text files advise the victim to email a code to an email address to receive instructions on how the ransom payment must be made.

An analysis of the latest campaigns was recently conducted by Palo Alto Networks Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions and the threat actors behind the campaigns have been highly active in 2019.

Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.

SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.

The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachments commonly used to deliver malware, such as zip files and executable files such as .exe and .js.

These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.

If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.

Business Email Compromise Losses Doubled to $1.2 Billion in 2018

Malware and ransomware attacks are causing major problems for businesses, but the biggest threat in terms of losses are business email compromise scams.

The 2018 Internet Crime Report from the FBI clearly shows how serious the threat of BEC attacks has become. In 2017, reported losses from BEC attacks reached $675 million. In 2018, losses to BEC scams doubled to reach a staggering $1.2 billion.

It is no surprised that so many cybercriminal gangs are conducting BEC attacks. In contrast to many other forms of cybercrime, BEC scams can be extremely profitable and they require little in the way of technical skill to perform. As with phishing attacks, they often involve an attacker sending an email to trick an individual into making a wire transfer.

The scams often start with a spear phishing email targeting an executive in a company. The aim of the initial phase of the attack is to gain access to that individual’s email account. Once the email account is compromised, emails are then sent to finance department employees or payroll staff requesting a wire transfer be made.

Highly convincing emails are sent, and since they come from a genuine internal email account, the recipient is less likely to question the request.

Large enterprises often make large wire transfers, so a sizable transfer request for tens or hundreds of thousands of dollars may be authorized without question. There have even been cases where much more substantial wire transfers have been made. A town in New Jersey discovered that, as a result of a BEC attack, a transfer of $1 million had been made to a criminal’s account. In that case, the FBI was able to freeze the funds in time, but with many scams, funds are withdrawn before the scam is identified.

In many cases, the first step in the attack is skipped and emails are simply spoofed to make them appear to have been sent from within the organization, from a contractor, or another individual with a relationship with the targeted entity.

The tactics and techniques being used are constantly changing. In addition to requests for wire transfers, cybercriminals often request tax (W2) forms of employees. This year has also seen an increase in gift card related BEC attacks. Instead of requesting wire transfers, requests are made to send gift cards for iTunes and online retailers. Cybercriminals then exchange the gift cards for Bitcoin online.

Confidence fraud and romance scams were the second main cause of losses. $362 million was lost to those scams and investment-related scams resulted in losses of over $252 million.

The real estate sector was extensively targeted in 2018. Criminals have attempted to get deposits and payments for house purchases diverted, often posing as the buyer, seller, real estate agents, or lawyers.

Phishing attacks are also on the rise. In 2018, the FBI’s Internet Crimes Complaint Center (IC3) received 26,379 complaints about phishing, smishing, and vishing, More than $48 million was lost to those scams in 2018.

Many of these scams are either conducted over email or start with a phishing email. It is therefore important for businesses to implement solutions that protect the email gateway and block these attacks at source to prevent malicious messages from reaching end users. It is also essential to provide training to staff to ensure they if they do encounter a phishing email or other scam, they have the skills to identify it as such.

 

Email Campaign Uses CDC Flu Pandemic Warning to Fool Users into Installing GandCrab Ransomware

Cybercriminals are constantly coming up with new scams to convince people to part with their login credentials or install botnets, viruses, malware, or ransomware.

Email is one of the easiest ways to get these scams out to the masses, accompanied with a good hook to get the user to open the message. Various tactics are used to achieve the latter, one of the most common being fear. Scaring people into taking action is very effective. A recently identified campaign is a good example. It uses fear of a flu pandemic to get users to take action.

According to the U.S. Centers for Disease Control and Prevention, flu killed about 80,000 in the 2017 to 2018 season, which was a record year for flu deaths. The previous record in the past three decades was beaten by 24,000.

For any phishing email to stand a good chance of fooling large numbers of people, the emails must be credible. This campaign provides that credibility by spoofing the CDC. The subject lines used in the campaign warn of a flu pandemic, and the email addresses used and the logos in the message body make the messages appear to have genuinely been sent by the CDC.

The message included an attachment – named Flu Pandemic Warning – provides important information that users need to know to prevent infection and stop the disease from spreading. The fear of contracting flu combined with the realistic looking emails make it likely that this campaign will fool many individuals.

That document contains malicious code that downloads and runs GandCrab ransomware v5.2, for which there is currently no free decryptor. Once downloaded, GandCrab ransomware will encrypt files on the infected computer preventing them from being accessed. The average ransom demand is $800 per infected computer.

In order for the malicious code to download the ransomware, the content must be enabled. In the message body, recipients are told that in order to view all the information in the document they must enable content. This prior instruction is intended to get the user to click ‘enable content’ quickly when the document is opened, rather than to stop and think.

All users should be alert to these kind of email scams. Caution should be exercised before opening any email attachment, no matter how urgent the message appears to be. Any unsolicited email should be carefully checked as there will usually be signs that indicates all is not what it seems.

Businesses are particularly at risk and can suffer major losses as a result of ransomware attacks, especially when several employees are fooled by these email scams.

Signature-based email defenses were once effective at blocking malware, but malware developers are constantly releasing new versions that have never before been seen. Signature-based AV software struggles to maintain pace and is not effective against zero-day malware variants and malicious code that downloads the malware.

End user training certainly goes a long way and can help to prevent mass infections, but what is really needed is an advanced anti-phishing solution that blocks phishing emails and email scams at source before they are delivered to inboxes. That is an area where TitanHQ can help.

To protect against email-based attacks, TitanHQ developed SpamTitan – A highly effective anti-phishing and anti-spam solution with advanced features that provide superior protection against phishing and malware attacks.

In addition to dual anti-virus engines, SpamTitan incorporates a wide range of checks to distinguish malicious emails from genuine messages. Recently, Spamtitan has had two new features incorporated: DMARC email authentication and sandboxing. DMARC helps to ensure that spoofed email messages, such as those that appear to have been sent by the CDC, are identified as scams and are blocked. Sandboxing is important for protecting against zero-day malware threats and malicious downloaders.

Potentially malicious attachments are executed and analyzed in a Bitdefender-powered sandbox, where the actions performed by malware and malicious code can be assessed without causing harm. When malicious code is detected it is blocked across all users’ inboxes.

With SpamTitan in place, businesses will be well protected against campaigns such as this. For further information on TitanHQ’s award-winning anti-spam solution, for a product demonstration, or to register for a free trial, contact the TitanHQ team today and take the first step toward making your email channel much more secure.

Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates

Emotet malware was first identified in 2014 and its original purpose was to obtain banking credentials and other sensitive information; however, the malware is regularly updated and new functionality is added. Emotet malware is now one of the most prevalent and dangerous malware threats faced by businesses.

The malware can detect whether it is running in a virtual environment and will generate false indicators in such cases. The malware is polymorphic, which means it changes every time it is downloaded. That makes it difficult to detect using the signature-based detection methods employed by standard anti-virus software.

The malware also has worm-like features which allows it to rapidly spread to other networked computers. Emotet is also capable of spamming and forwarding itself to email contacts. As if infection with Emotet is not bad enough, it can also download other malware variants onto infected devices.

Emotet malware is one of the most destructive malware variants currently in use and cleaning up Emotet attacks can be incredibly costly. The Department of Homeland Security has reported that some attacks on state, local, tribal, and territorial governments have cost more than $1 million to resolve.

Emotet malware is primarily distributed via spam email, either through malicious attachments or hyperlinks to websites where the malware is silently downloaded. The lures used in the messages are highly varied and include most of the commonly used phishing lures such as shipping notifications, fake invoices, payment requests, PayPal receipts.

Now the threat actors behind the malware have adopted a new tactic to increase infection rates. Once installed on a device, the malware accesses email conversation threads and forwards the message to individuals named in the thread.

The original email conversation is unaltered, but a hyperlink is added to the top of the message. The link directs the recipient to a webpage where a file download is triggered. Opening the document and enabling macros will see Emotet downloaded. Email attachments may also be added to previous conversation threads in place of hyperlinks.

Since the messages come from a known individual with whom an email conversation has taken place in the past, the probability of the document being opened is greater than if messages come out of the blue or are sent from an unknown individual.

Several cybersecurity firms have identified a campaign using this tactic, including phishing intelligence provider Cofense and security researcher Marcus Hutchins (MalwareTech).

The current campaign uses revived conversations from before November 2018, although more recent conversations may be revived in further campaigns. Any revived old email conversation that contains a link or an attachment could indicate a user has been targeted and that at least one member of the email exchange has been infected with Emotet.

The current campaign is not only extensive, it is also proving to be extremely successful. Spamhaus reports that there have been 47,000 new infections in the past two months alone, while Cofense reports that it has identified more than 700,000 infections in the past 12 months.

Protecting against this dangerous malware requires a powerful anti-spam solution and good security awareness training for staff. SpamTitan’s new features can help to detect malicious emails spreading Emotet malware to better protect businesses from attack.

To find out more about SpamTitan and how the solution can protect your business, give TitanHQ a call today.

Tax-Related Phishing Scams Delivering TrickBot Trojan

Monday April 15 is Tax Day in the United States – the deadline for submitting 2018 tax returns. Each year in the run up to Tax Day, cybercriminals step up their efforts to obtain users’ tax credentials. In the past few weeks, many tax-related phishing scams have been detected which attempt to install information stealing malware.

One of the main aims of these campaigns is to obtain tax credentials. These are subsequently used to file fraudulent tax returns with the IRS. Tax is refunded to accounts controlled by the attackers, checks are redirected, and a range of other methods are used to obtain the payments.

Attacks on tax professionals are commonplace. If access can be gained to a tax professional’s computer, the tax credentials of clients can be stolen, and fraudulent tax returns can be filed in their names. A single successful attack on a tax professional can see the attacker obtain many thousands of dollars in tax rebates.

There has been the usual high level of tax-related phishing scams during the 2019 tax season and businesses of all types have been targeted. It is not only tax credentials that cybercriminals are after. Many tax-themed phishing scams have been conducted which attempt to install malware and ransomware such as the TrickBot banking Trojan.

The TrickBot banking Trojan is a powerful malware variant which, once installed, can give an attacker full control of an infected computer. The malware is primarily an information stealer. A successful installation on one business computer can allow the attackers to move laterally and spread the malware across the whole network.

The primary purpose of the TrickBot trojan is to steal banking credentials which can be used to make fraudulent wire transfers: however, TrickBot is regularly updated with new features. In addition to stealing banking credentials, the malware can steal VNC. RDP, and PuTTY credentials.

The threat actors behind TrickBot are highly organized and well resourced. More than 2,400 command and control servers are used by the cybercriminal gang and that number continues to grow.

The three new TrickBot malware campaigns were detected since late January by IBM X-Force researchers. Spam email messages are carefully crafted to appear legitimate and look innocuous to business users and appear to have been sent by well-known accounting and payroll firms such as ADP and Paychex.

Spoofed email addresses are commonly used, although in these campaigns, the attackers have used domain squatting. They have registered domains that are very similar to those used by the accounting firms. The domains have transposed letters and slight misspellings to make the email appear to have been sent from a legitimate source. The domains can be highly convincing and, in some cases, are extremely difficult to identify as fake.

The emails are well written and claim to include tax billing records, which are included as attached spreadsheets. The spreadsheets contain malicious macros which, if allowed to run, will download the TrickBot Trojan.

To prevent attacks, several steps should be taken. Macros should be disabled by default on all devices. Prompt patching is required to keep all software and operating systems up to date to prevent vulnerabilities from being exploited.

End users should receive security awareness training and should be taught cybersecurity best practices and how to identify phishing emails. An advanced spam and anti-phishing solution should also be implemented to ensure phishing emails are identified and prevented from reaching end users inboxes. Further, all IoCs and IPs known to be associated with the threat actors should be blocked through spam filtering solutions, firewalls, and web gateways.

The latter is made easy with SpamTitan and WebTitan – TitanHQ’s anti-phishing and web filtering solutions for SMBs.

 

Webinar: Discover the Exciting New Features of SpamTitan

Current users of the SpamTitan email security solution and SMBs and MSPs that are considering implementing SpamTitan or offering it to their clients are invited to join a webinar in which TitanHQ will explains the exciting new features that have recently been incorporated into the anti-phishing and anti-spam solution.

SpamTitan has recently received a major update that has seen the incorporation of DMARC email authentication to better protect users from email impersonation attacks and the addition of a new Bitdefender-powered sandbox. The sandbox allows users to safely assess email attachments for malicious actions, to better protect them against zero-day malware and other malicious software delivered via email.

The webinar will explain these and other features of SpamTitan in detail and the benefits they offer to customers, including how they better protect SMBs and SMEs from phishing, spear phishing, spoofing, ransomware, malware, and zero-day attacks.

The webinar will also explain why SpamTitan is the leading email security solution for managed service providers serving the SMB and SME market and how the solution can help to enhance security for their clients and can easily be slotted into their service stacks.

The webinar will be taking place on Thursday April 4, 2019 at 12pm, EST and will last approximately 30 minutes.

Advance registration is necessary. You can sign up for the webinar on this link.