Reports of Internet users that have been caught out by email scams continue to increase. Whether it is drivers being told to pay speeding fines via a link on an email, or Facebook users being advised that they have violated the terms of their account, innocent victims continue to be ripped off by cybercriminals using email scams.
Business email compromise scams are also reported to have increased. These email scams involve the cybercriminal gaining access to a corporate email account – such as that of the CEO. An email is then sent apparently from the CEO to a member of the finance department requesting a bank transfer to the cybercriminal´s account. All too often the transfer is made without question.
Many email scams attempt to extract log-in credentials by asking the recipient of the email to log into an account to resolve an issue. The email contains a link to a bogus website, where the recipient keys in their username and password. In the case of the Facebook email scam, this gives the cybercriminal access to the recipient´s genuine account and all their social media contacts.
Many individuals use similar username and password combinations for multiple accounts and a cybercriminal could get the individual´s log-in credentials to all their online accounts (personal and work accounts) from just one scam email. Alternatively they could use the log-in credentials to infect the user´s accounts with malware.
To protect against email scams, security experts advise if you are contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual sender or company supposed to have sent the email to confirm its authenticity. Do not use the contact information supplied in the email. Perform an Internet search to independently obtain the sender´s genuine contact details.
Other measures that can be taken to protect yourself from email scams include:
- Carefully check the sender’s email. Does it look like it is genuine?
- Never open email attachments from someone you do not know
- If you receive an email offering you a prize or refund, stay safe and delete the email
- Ensure anti-virus software is installed on your computer and is up to date.
Ordinypt malware is currently being used in targeted attacks on companies in Germany. While Ordinypt malware appears to victims to be ransomware, the malware is actually a wiper.
Infection sees files made inaccessible, and as with ransomware, a ransom demand is issued. The attackers ask for 0.12 Bitcoin – around $836 – to restore files.
Ordinypt malware does not encrypt files – it simply deletes the original file name and replaces it with a random string of letters and numbers. The contents of files are also replaced with random letters and numbers.
Even if the ransom demand is paid, the attackers do not have a mechanism to allow victims to recover their original files. The only sure-fire way to recover files is to restore them from a backup. In contrast to many ransomware variants that make it difficult to recover files by deleting Windows Shadow Volume copies, those are left intact, so it may be possible for users to recover some of their files.
Ordinypt malware – or HSDFSDCrypt as it was originally known – was discovered by Michael Gillespie. A sample of the malware was obtained and analyzed by German security researcher Karsten Hahn from G Data Security. G Data Security renamed the malware Ordinypt.
Hahn notes that Ordinypt malware is poorly written with a bad coding style, indicating this is not the work of a skilled hacker. Hahn said, this is “A stupid malware that destroy information of enterprises and innocent people and try steal money.”
The attackers are using a common technique to maximize the number of infections. The malware is disguised as PDF files which are distributed via spam email. The messages claim to be applications in reply to job adverts. Two files are included in a zip file attachment, which appear to be a resume and a CV.
While the files appear to be PDFs, and are displayed as such, they actually have a double extension. If the user’s computer has file extensions hidden, all that will be displayed is filename.pdf, when in actual fact the file is filename.pdf.exe. Clicking on either of the files will run the executable and launch Ordinypt malware.
In recent months there have been several wiper malware variants detected that pretend to be ransomware. The attackers are taking advantage of the publicity surrounding ransomware attacks, and are fooling end users into paying a ransom, when there is no way of recovering files. It is not clear whether the reason for the attacks is to make money. It is possible that these attacks are simply intended to cause disruption to businesses, as was the case with the NotPetya wiper attacks.
Regardless of how poorly written this malware is, it is still effective and can cause significant disruption to businesses. Protecting against this, and other email-based malware threats, requires a combination of end user training and technology.
End users should be informed of the risks of opening attachments from unknown senders and should assume that all such emails could be malicious. In this case, the malware is poorly written but the emails are not. They use perfect German and are highly believable. HR employees could be easily fooled by a ruse such as this.
The best protection against threats such as these is an advanced spam filter such as SpamTitan. Preventing these emails from reaching inboxes is the best defense.
By configuring the spam filter to block executable files, the messages will be rerouted to a quarantine folder rather than being delivered, mitigating the threat.
For further information on how a spam filter can help to block email-based threats and to register for a free trial of SpamTitan for your business, contact the TitanHQ team today.
A new variant of the Ursnif banking Trojan has been detected and the actors behind the latest campaign have adopted a new tactic to spread the malware more rapidly.
Ransomware attacks may make the headlines, but banking Trojans can cause considerably more damage. The $60 million heist from a Taiwanese bank last month shows just how serious infection with banking Trojans can be. The Dridex Trojan raked in more than $40 million in 2015.
The Ursnif banking Trojan is one of the most commonly used Trojans. As with other banking Trojans, the purpose of the Ursnif Trojan is to steal credentials such as logins to banking websites, corporate bank details, and credit card numbers. The stolen credentials are then used for financial transactions. It is not uncommon for accounts to be emptied before the transactions are discovered, by which time the funds have cleared, have been withdrawn, and the criminal’s account has been closed. Recovering the stolen funds can be impossible.
Infection will see the malware record a wide range of sensitive data, capturing credentials as they are entered through the browser. The Ursnif banking Trojan also takes screenshots of the infected device and logs keystrokes. All of that information is silently transmitted to the attacker’s C2 server.
Banking Trojans can be installed in a number of ways. They are often loaded onto websites where they are downloaded in drive-by attacks. Traffic is generated to the malicious websites via malvertising campaigns or spam emails contacting hyperlinks. Legitimate websites are compromised using brute force tactics, and kits loaded to the sites that prey on individuals who have failed to keep their software up to date. Oftentimes, downloads are sent via spam email, hidden in attachments.
Spam email has previously been used to spread the Ursnif banking Trojan, and the latest campaign is no different in that respect. However, the latest campaign uses a new tactic to maximize the chance of infection and spread infections more rapidly and widely. Financial institutions have been the primary target of this banking Trojan, but with this latest attack method they are far more widespread.
Infection will see the user’s contact list abused and spear phishing emails sent to each of the user’s contacts. Since the spear phishing emails arrive from a trusted email account, the likelihood of the emails being opened is significantly increased. Simply opening the email will not result in infection. For that to occur, the recipient must open the email attachment. Again, since it has come from a trusted sender, that is more likely.
The actors behind this latest Ursnif banking Trojan campaign have another trick to increase trust and ensure their payload is delivered. The spear phishing emails contain message threads from past conversations. The email appears to be a response to a previous email, and include details of past conversations.
A short line of text is included as a prompt to get the recipient to open the email attachment – A Word document containing a malicious macro. That macro needs to be authorized to run – if macros have not been set to run automatically, but it will not until the Word document is closed. When the macro runs, it launches PowerShell commands that download the Ursnif Trojan, which then starts logging activity on the infected device and sends further spear phishing emails to the new victim’s contact list.
This is not a brand-new tactic, but it is new to Ursnif – and it is likely to see infections spread much more quickly. Further, the malware incorporates a number of additional tactics to hamper detection, allowing information to be stolen and bank accounts emptied before infection is detected – the Trojan even deletes itself once it has run.
Malware is constantly evolving, and new tactics are constantly developed to increase the likelihood of infection. The latest campaign shows just how important it is to block email threats before they reach end users’ inboxes.
With an advanced spam filter such as SpamTitan in place, malicious emails can be blocked to stop them from reaching end user’s inboxes, greatly reducing the risk of malware infections.
A new wave of cyberattacks on financial institutions using malware called the Silence Trojan has been detected. In contrast to many attacks on banks that target the bank customers, this attack targets the bank itself. The attack method bears a number of similarities to the attacks conducted by the Eastern European hacking group, Carbanak.
The Silence Trojan is being used to target banks and other financial institutions in several countries, although so far, the majority of victims are in Russia. The similarity of the Silence Trojan attacks to Carbanak suggests these attacks could be conducted by Carbanak, or a spinoff of that group, although that has yet to be established.
The attacks start with the malicious actors behind the campaign gaining access to banks’ networks using spear phishing campaigns. Spear phishing emails are sent to bank employees requesting they open an account. The emails are well written, and the premise is believable, especially since in many cases the emails are sent from within using email addresses that have previously been compromised in other attacks. When emails are sent from within, the requests seem perfectly credible.
Some of these emails were intercepted by Kaspersky Lab. Researchers report that the emails contain a Microsoft Compiled HTML Help file with the extension .chm.
The attackers gain persistent access to an infected computer and spend a considerable amount of time gathering data. Screen activity is recorded and transmitted to the C2, with the bitmaps combined to form a stream of activity from the infected device, allowing the attackers to monitor day to day activities on the bank network.
This is not a quick smash and grab raid, but one that takes place over an extended period. The aim of the attack is to gather as much information as possible to maximize the opportunity to steal money from the bank.
Since the attackers are using legitimate administration tools to gather intelligence, detecting the attacks in progress is complicated. Implementing solutions to detect and block phishing attacks can help to keep banks protected.
Since security vulnerabilities are often exploited, organizations should ensure that all vulnerabilities are identified and corrected. Kaspersky Lab recommends conducting penetration tests to identify vulnerabilities before they are exploited by hackers.
Kaspersky Lab notes that when an organization has already been compromised, the use of .chm attachments in combination with spear phishing emails from within the organization has proved to be a highly effective attack method for conducting cyberattacks on financial institutions.
2017 has seen a major rise in malicious spam email volume. As the year has progressed, the volume of malicious messages sent each month has grown. A new report from Proofpoint shows malicious spam email volume rose by 85% in Q3, 2017.
A deeper dive into the content of those messages shows cybercriminals’ tactics have changed. In 2017, there has been a notable rise in the use of malicious URLs sent via email compared to malicious attachments containing malware. URL links to sites hosting malware have jumped by an astonishing 600% in Q3, which represents a 2,200% increase since this time last year. This level of malicious URLs has not been seen since 2014.
The links direct users to malicious websites that have been registered by cybercriminals, and legitimate sites that have been hijacked and loaded hacking toolkits. In many cases, simply clicking on the links is all that is required to infect the user’s computer with malware.
While there is a myriad of malware types now in use, the biggest threat category in Q3 was ransomware, which accounted for 64% of all email-based malware attacks. There are many ransomware variants in use, but the undisputed king in Q3 was Locky, accounting for 55% of total message volume and 86% of all ransomware attacks. There was also a rising trend in destructive ransomware – ransomware that encrypts files but does not include the option of letting victims’ recover their files.
The second biggest malware threat category was banking Trojans, which accounted for 24% of malicious spam email volume. Dridex has long been a major threat, although in Q3 it was a Trojan called The Trick that become the top banking Trojan threat. The Trick Trojan was used in 70% of all banking Trojan attacks.
Unsurprisingly, with such as substantial rise in malicious spam email volume, email fraud has also risen, up 12% quarter over quarter and up 32% from this time last year.
Cybercriminals are constantly changing tactics and frequently switch malware variants and attack methods, but for the time being at least, exploit kits are still not favored. Exploit kit attacks are at just 10% of the level of last year’s high, with spam email now the main method of malware delivery.
With malicious spam email volume having increased once again, and a plethora of new threats and highly damaging malware attacks posing a very real risk, it is essential that businesses double down on their defenses. The best way to defend against email threats is to improve spam defenses. An advanced spam filtering solution is essential for blocking email threats. The more malicious emails that are captured and prevented from being delivered, the lower the chance of end users clicking on malicious links and downloading malware.
SpamTitan blocks more than 99.9% of spam emails, helping to keep inboxes free from malware threats. No single solution can block all email threats, so a spam filtering solution should be accompanied with endpoint security solutions, web filters to block malicious links from being visited, antimalware and antivirus solutions, and email authentication technology.
While it is easy to concentrate on technology to protect against email threats, it is important not to forget to train employees to be more security aware. Regular training sessions, cybersecurity newsletters and bulletins about the latest threats, and phishing simulation exercises can help employees improve their threat detection skills and raise cybersecurity awareness.
On Friday, the U.S. Department of Homeland Security’s (DHS) computer emergency readiness team (US-CERT) issued a new warning about phishing attacks on energy companies and other critical infrastructure sectors.
Advanced persistent threat (APT) actors are conducting widespread attacks on organizations in the energy, aviation, nuclear, water, and critical manufacturing sectors. Those attacks, some of which have been successful, have been occurring with increasing frequency since at least May 2017. The group behind the attack has been called Dragonfly by AV firm Symantec, which reported on the attacks in September.
DHS believes the Dragonfly group is a nation-state sponsored hacking group whose intentions are espionage, open source reconnaissance and cyberattacks designed to disrupt energy systems.
These cyberattacks are not opportunistic like most phishing campaigns. They are targeted attacks on specific firms within the critical infrastructure sectors. While some firms have been attacked directly, in many cases the attacks occur through a ‘staging’ company that has previously been compromised. These staging companies are trusted vendors of the targeted organization. By conducting attacks through those companies, the probability of an attack on the target firm succeeding is increased.
DHS warns that the attackers are using several methods to install malware and obtain login credentials. The phishing attacks on energy companies have included spear phishing emails designed to get end users to reveal their login credentials and malicious attachments that install malware.
In the case of the former, emails direct users to malicious websites where they are required to enter in their credentials to confirm their identity and view content. While some websites have been created by the attackers, watering hole attacks are also occurring on legitimate websites that have been compromised with malicious code. DHS warns that approximately half of the attacks have occurred through sites used by trade publications and informational websites “related to process control, ICS, or critical infrastructure.”
Phishing emails containing malicious attachments are used to directly install malware or the files contain hyperlinks that direct the user to websites where a drive-by malware download occurs. The links are often shortened URLS creating using the bit.ly and tinyurl URL shortening services. The attackers are also using email attachments to leverage Windows functions such as Server Message Block (SMB) protocol to retrieve malicious files. A similar SMB technique is also used to harvest login credentials.
The malicious attachments are often PDF files which claim to be policy documents, invitations, or resumés. Some of the phishing attacks on energy companies have used a PDF file attachment with the name “AGREEMENT & Confidential.” In this case, the PDF file does not include any malicious code, only a hyperlink to a website where the user is prompted to download the malicious payload.
US-CERT has advised companies in the targeted sectors that the attacks are ongoing, and action should be taken to minimize risk. Those actions include implementing standard defenses to prevent web and email-based phishing attacks such as spam filtering solutions and web filters.
Since it is possible that systems may have already been breached, firms should be regularly checking for signs of an intrusion, such as event and application logs, file deletions, file changes, and the creation of new user accounts.
The U.S. Department of Homeland Security (DHS) has made the use of email authentication technology mandatory for all federal agencies.
There have been numerous email security incidents affecting government agencies in recent years. Federal agencies are a major target for spammers, scammers, and phishers and the email security defenses of federal agencies are constantly tested.
One of the latest incidents involved the spoofing of an email account used by Jared Kushner, causing considerable embarrassment for White House officials. Homeland Security Adviser Tom Bosser was one of the individuals who was fooled into believing the emails were genuine. In his case, the emails were not part of a phishing campaign but were just ‘a bit of fun’ by a UK prankster. However, there are plenty of individuals and groups that have much more sinister motives.
When those cybercriminals succeed, not only is it a major embarrassment for government agencies, it can pose a major threat to national security. When national security is at stake, it pays to have excellent email defenses. However, in the United States (and elsewhere) they are often found to be lacking.
Action clearly needs to be taken to prevent phishing attacks, reduce the potential for government domains to be spoofed, and to make it much harder for phishing emails to be delivered to federal employees’ inboxes. Agari has reported that 90% of 400 government agencies’ protected domains have been targeted with deceptive emails and 25% of all federal agency emails are fraudulent. Even so, email authentication technology is often not used. That is, until now.
DHS Makes DMARC Mandatory for Federal Agencies
Now the DHS has taken action and has made it mandatory for all federal agencies to adopt DMARC. While some federal agencies have already implemented DMARC – the Social Security Administration and the Federal Trade Commission for example – they number in the few. Only 9% of domains have implemented DMARC and use it to block unauthenticated emails, while 82% of federal domains do not use the DMARC email authentication standard at all. Now all federal agencies have been given just 30 days to submit a plan of action and 90 days to implement DMARC. DHS has also made it mandatory for all federal websites to be switched to a secure connection (HTTPS) and for STARTTLS to be implemented for email.
DMARC is an email authentication technology that can be adopted to help authenticate emails, block spam, and reduce the volume of phishing emails that are delivered to inboxes. DMARC is not infallible, but it does offer an additional layer of protection for email, reducing the volume of email threats by around 77%. DMARC also restricts use of domains to legitimate senders. By adopting DMARC, when consumers receive an email from a federal agency such as the IRS, FEMA, or DHHS, they should be able to trust that email, at least once DMARC is implemented.
Many Businesses Struggle with DMARC
While some large enterprises have already adopted DMARC, two thirds of Fortune 500 companies do not use DMARC at all. Implementing the email authentication control is not without its problems. For small to medium sized businesses, implementing DMARC can be problematic. Part of the problem is many businesses need to secure their own internal email systems, but also cloud-based email, and third-party mailing services such as MailChimp or Salesforce. The task of implementing DMARC is often seen as too complex, and even when DMARC is used, it often fails and rarely are the full benefits gained. Consider that even when DMARC is adopted, 23% of phishing emails still make it past defenses, and it is easy to see why it is often not implemented. That said, email authentication technology is required to keep businesses protected from phishing threats.
SpamTitan Protects Businesses from Email Threats
Office 365 uses DMARC to help filter out phishing emails, but on its own it is not sufficient to block all threats. Businesses that use Office 365 can greatly improve their defenses against malicious emails by also adopting a third-party spam filtering solution such as SpamTitan.
SpamTitan incorporates many of the control mechanisms used by Microsoft, but also adds greylisting to greatly improve spam detection rates. Greylisting involves rejecting all emails and requesting they are resent. Since genuine emails are resent quickly, and spam emails are typically not resent as spam servers are busy conducting huge spamming campaigns, this additional control helps to identify far more malicious and unwanted emails. This additional control, along with the hundreds of checks performed by SpamTitan helps to keep spam detection rates well above 99.9%.
If you want to secure your email and block more phishing threats, contact the TitanHQ team today for more information on how SpamTitan can help to keep your inboxes spam free and your networks protected from malware and ransomware.
Microsoft Office documents containing malicious macros are commonly used to spread malware and ransomware. However, security researchers have now identified Microsoft Office attacks without macros, and the technique is harder to block.
Microsoft Office Attacks Without Macros
While it is possible to disable macros so they do not run automatically, and even disable macros entirely, that will not protect you from this new attack method, which leverages a feature of MS Office called Dynamic Data Exchange or DDE, according to researchers at SensePost. This in-built feature of Windows allows two applications to share the same data, for example MS Word and MS Excel. DDE allows a one- time exchange of data between two applications or continuous sharing of data.
Cybercriminals can use this feature of MS Office to get a document to execute an application without the use of macros as part of a multi-stage attack on the victim. In contrast to macros which flash a security warning before being allowed to run, this attack method does not present the user with a security warning as such.
Opening the MS Office file will present the user with a message saying “This document contains links that may refer to other files. Do you want to open this document with the data from the linked files?” Users who regularly use files that use the DDE protocol may automatically click on yes.
A second dialog box is then displayed asking the user to confirm that they wish to execute the file specified in the command, but the researchers explain that it is possible to suppress that warning.
This technique has already been used by at least one group of hackers in spear phishing campaigns, with the emails and documents appearing to have been sent from the Securities and Exchange Commission (SEC). In this case, the hackers were using the technique to infect users with DNSMessenger fileless malware.
Unlike macros, disabling DDE is problematic. While it is possible to monitor for these types of attacks, the best defense is blocking the emails that deliver these malicious messages using a spam filter, and to train staff to be more security aware and to verify the source of the email before opening any attachments.
Locky Ransomware Updated Again (..and again)
If you have rules set to detect ransomware attacks by scanning for specific file extensions, you will need to update your rules with two new extensions to detect two new Locky ransomware variants. The authors of Locky ransomware have updated their code again, marking four new changes now in a little over a month.
In August and September, Locky was using the .lukitus and .diablo extensions. Then the authors switched to the .ykcol extension. In the past week, a further campaign has been detected using the .asasin extension.
The good news regarding the latter file extension, is it is being distributed in a spam email campaign that will not result in infection. An error was made adding the attachment. However, that is likely to be corrected soon.
The authors of Locky are constantly changing tactics. They use highly varied spam campaigns, a variety of social engineering techniques, and various attachments and malicious URLs to deliver their malicious payload.
For this reason, it is essential to implement a spam filtering solution to prevent these emails from being delivered to end users’ inboxes. You should also ensure you have multiple copies of backups stored in different locations, and be sure to test those backups to make sure file recovery is possible.
To find out more about how you can protect your networks from malicious email messages – those containing macros as well as non-macro attacks – contact the TitanHQ team today.
FormBook malware is being used in targeted attacks on the manufacturing and aerospace sectors according to researchers at FireEye, although attacks are not confined to these industries.
So far, the attacks appear to have been concentrated on organizations in the United States and South Korea, although it is highly likely that attacks will spread to other areas due to the low cost of this malware-as-a-service, the ease of using the malware, and its extensive functionality.
FormBook malware is being sold on underground forms and can be rented cheaply for as little as $29 a month. Executables can be generated using an online control panel, a process that requires next to no skill. This malware-as-a-service is therefore likely to be used by many cybercriminals.
FormBook malware is an information stealer that can log keystrokes, extract data from HTTP sessions and steal clipboard content. Via the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants discovered to have already been downloaded by FormBook include the NanoCore RAT.
FireEye researchers also point out that the malware can steal passwords and cookies, start and stop Windows processes, and force a reboot of an infected device.
FormBook malware is being spread via spam email campaigns using compressed file attachments (.zip, .rar), .iso and .ace files in South Korea, while the attacks in the United States have mostly involved .doc, .xls and .pdf files. Large scale spam campaigns have been conducted to spread the malware in both countries.
The U.S campaigns detected by FireEye used spam emails related to shipments sent via DHL and FedEx – a common choice for cybercriminals. The shipment labels, which the emails say must be printed in order to collect the packages, are in PDF form. Hidden in the document is a tny.im URL that directs victims to a staging server that downloads the malware. The campaigns using Office documents deliver the malware via malicious macros. The campaigns conducted in South Korea typically include the executables in the attachments.
While the manufacturing industry and aerospace/defense contractors are being targeted, attacks have been conducted on a wide range of industries, including education, services/consulting, energy and utility companies, and the financial services. All organizations, regardless of their sector, should be alert to this threat.
Organizations can protect against this new threat by adopting good cybersecurity best practices such as implementing a spam filtering solution to block malicious messages and stop files such as ISOs and ACE files from being delivered to end users. Organizations should also alert their employees to the threat of attack and provide training to help employees recognize this spam email campaign. Macros should also be disabled on all devices if they are not necessary for general work duties, and at the very least, should be set to be run manually.
A warning has been issued to digital civil liberties activists by the Electronic Frontier Foundation about the risk of targeted spear phishing attacks. The phishing warning comes after spate of phishing attacks on digital civil liberties groups over the summer, at least one of which resulted in the disclosure of login credentials.
The attacks were directed at two NGOs – Free Press and Fight for Future – both of which are advocates of net neutrality. The campaign appears to have been conducted by the same individual and included at least 70 phishing attempts between July and August. The attacks started on July 12, which is Save Net Neutrality Day of Action – a day of protest against the FCC’s proposed rollback of net neutrality protections.
While phishing emails are often sent with the purpose of installing malware, in this case the aim was to obtain login credentials to LinkedIn, Google, and Dropbox accounts.
Spear phishing emails were sent using a variety of themes from standard phishing emails to sophisticated and highly creative scams. While most of the attempts failed, the scammer was able to obtain the credentials of at least one account. The compromised Google account was used to send further spear phishing emails to other individuals in the organization. It is unclear what other goals the attacker had, and what the purpose of gaining access to the accounts was.
The phishing campaign was analysed by Eva Galperin and Cooper Quintin at the Electronic Frontier Foundation. They said some of the phishing emails were simple phishing attempts, where the attacker attempted to direct end users to a fake Google document. Clicking the link would direct the user to a site where they were required to enter their Google account details to view the document. Similar phishing emails were sent in an attempt to obtain LinkedIn credentials, using fake LinkedIn notifications. Others contained links to news stories that appeared to have been shared by contacts.
As the campaign progressed, the attacker got more inventive and the attacker started researching the targets and using personal information in the emails. One email was sent in which the scammer pretended to be the target’s husband, signing the email with his name. Another email was sent masquerading as a hateful comment on a video the target had uploaded to YouTube.
A pornography-related phishing scam was one of the most inventive attempts to gain access to login credentials. Emails were sent to targets masquerading as confirmations from well-known pornographic websites such as Pornhub and RedTube. The emails claimed the recipient had subscribed to the portals.
The initial email was then followed up with a further email containing a sexually explicit subject line. The sender name was spoofed to make it appear that the email was sent from Pornhub. The unsubscribe link on the email directed the user to a Google login page where they were asked for their credentials.
It is not clear whether the two NGOs were the only organizations targeted. Since these attacks may be part of a wider campaign, EFF is alerting all digital civil liberties activists to be aware of the threat. Indicators of compromise have been made available here.
A new malware threat named RedBoot has been discovered that bears some similarities to NotPetya. Like NotPetya, RedBoot malware appears to be a form of ransomware, when in actual fact it is a wiper at least in its current form.
RedBoot malware is capable of encrypting files, rendering them inaccessible. Encrypted and given the .locked extension. Once the encryption process is completed, a ‘ransom’ note is shown to the user, providing an email address to use to find out how to unlock the encrypted files. Like NotPetya, RedBoot malware also makes changes to the master boot record.
RedBoot includes a module that overwrites the current master boot record and it also appears that changes are made to the partition table, but there is currently no mechanism for restoring those changes. There is also no command and control server and even though an email address is provided, no ransom demand appears to be issued. RedBoot is therefore a wiper, not ransomware.
According to Lawrence Abrams at BeepingComputer who has obtained a sample of the malware and performed an analysis, RedBoot is most likely a poorly designed ransomware variant in the early stages of development. Abrams said he has been contacted by the developer of the malware who claimed the version that was studied is a development version of the malware. He was told an updated version will be released in October. How that new version will be spread is unknown at this stage.
Even if it is the intention of the developer to use this malware to extort money from victims, at present the malware causes permanent damage. That may change, although this malware variant may remain a wiper and be used simply to sabotage computers.
It is peculiar that an incomplete version of the malware has been released and advance notice has been issued about a new version that is about to be released, but it does give businesses time to prepare.
The attack vector is not yet known, so it is not possible to give specific instructions on how to prevent RedBoot malware attacks. The protections that should be put in place are therefore the same as for blocking any malware variant.
A spam filtering solution should be implemented to block malicious emails, users should be alerted to the threat of phishing emails and should be training how to identify malicious emails and told never to open attachments or click on hyperlinks sent from unknown individuals.
IT teams should ensure all computers and servers are fully patched and that SMBv1 has been disabled or SMBv1 vulnerabilities have been addressed and antivirus software should be installed on all computers.
It is also essential to back up all systems to ensure that in the event of an attack, systems can be restored and data recovered.
Ransomware developers have leveraged the EternalBlue exploit, now the criminals behind the Retefe banking Trojan have added the NSA exploit to their arsenal.
The EternalBlue exploit was released in April by the hacking group Shadow Brokers and was used in the global WannaCry ransomware attacks. The exploit was also used, along with other attack vectors, to deliver the NotPetya wiper and more recently, has been incorporated into the TrickBot banking Trojan.
The Retefe banking Trojan is distributed via malicious Microsoft Office documents sent via spam email. In order for the Trojan to be installed, the emails and the attachments must be opened and code must be run. The attackers typically use Office documents with embedded objects which run malicious PowerShell code if clicked. Macros have also been used in some campaigns to deliver the malicious payload.
Researchers at Proofpoint have now obtained a sample of the Retefe banking Trojan that includes the EternalBlue SMBv1 exploit. The EternalBlue module downloads a PowerShell script and an executable. The script runs the executable, which installs the Trojan.
The researchers noted the module used in the WannaCry attacks that allowed rapid propagation within networks – Pseb – was lacking in Retefe, although that may be added at a later date. It would appear that the criminals behind the campaign are just starting to experiment with EternalBlue.
Other banking Trojans such as Zeus have been used in widespread attacks, although so far attacks using the Retefe banking Trojan have largely been confined to a limited number of countries – Austria, Sweden, Switzerland, Japan, and the United Kingdom.
Businesses in these countries will be vulnerable to Retefe, although due to the number of malware variants that are now using EternalBlue, all businesses should ensure they mitigate the threat. Other malware variants will almost certainly be upgraded to include EternalBlue.
Mitigating the threat from EternalBlue (CVE-2017-0144) includes applying the MS17-010 patch and also blocking traffic associated with the threat through your IDS system and firewall. Even if systems have been patched, a scan for vulnerable systems should still be conducted to ensure no devices have been missed.
Since the Retefe Trojan is primarily being spread via spam email, a spam filter should be implemented to prevent malicious messages from reaching end users. By implementing SpamTitan, businesses can protect their networks against this and other malware threats delivered via spam email.
A new spam email ransomware campaign has been launched that has potential to infect users twice, with both Locky and FakeGlobe ransomware.
The campaign, which was launched earlier this month, sees the attackers alternate the payload between Locky and FakeGlobe ransomware. The researchers that discovered the campaign suggest the payload alternates each hour.
This method of distribution cpould result in victims being infected twice, first having their files encrypted by Locky ransomware, and then re-encrypted by FakeGlobe ransomware or vice versa. In such cases, two ransom payments would have to be paid if files could not be recovered from backups.
While the use of two malware variants for spam email campaigns is not new, it is much more typical for different forms of malware to be used, such as pairing a keylogger with ransomware. In such cases, if the ransom is paid to unlock data, the keylogger would likely remain and allow data to be stolen for use in further attacks.
As with previous attacks involving Locky, this double ransomware campaign involves fake invoices – one of the most effective ways of getting business users to open infected email attachments. In this campaign, the attachment claims to be the latest invoice which takes the form of a zip file. Opening that zip file and clicking to open the extracted file launches a script that downloads the malicious payload.
The emails also contain a hyperlink with the text “View Your Bill Online,” which will download a PDF file containing the same script as the attachment, although it connects to different URLs.
This campaign is widespread, being distributed in more than 70 countries with the large-scale spam campaign involving hundreds of thousands of messages.
Infections with Locky and FakeGlobe ransomware see a wide range of file types encrypted and there is no free decryptor to unlock the infections. Victims must either restore their files from backups or pay the ransom to recover their data.
If businesses are targeted, they can easily see multiple users fall for the campaigns, requiring multiple computers to be decrypted. However, since ransomware can spread across networks, all it takes is for one user to be fooled into downloading the ransomware for entire systems to be taken out of action. If data cannot be recovered from backups, multiple ransom payments will need to be made.
Good backup policies will help protect businesses against file loss and prevent them from having to pay ransoms; although, even if backups exist, organizations can experience considerable downtime while the malware is removed, files are restored, and networks are analyzed for other malware infections and backdoors.
Spam email remains the vector of choice for distributing ransomware. Organizations can reduce the risk of ransomware attacks by implementing an advanced spam filter such as SpamTitan. SpamTitan blocks more than 99.9% of spam emails, preventing malicious emails from reaching end users’ inboxes.
While most organizations are now using spam filtering software to prevent attacks, a recent study conducted by PhishMe suggests 15% of businesses are still not using email gateway filtering, leaving them at a high risk of ransomware attacks. Given the volume of phishing and ransomware emails now being sent, email filtering solutions are a necessity.
Consumers should be wary of Equifax phishing scams in the wake of the massive data breach announced earlier this month. The 143 million records potentially stolen in the breach will be monetized, which means many will likely be sold to scammers.
Trend Micro has suggested a batch of data of this scale could easily be sold for $27 million on underground marketplaces and there would be no shortage of individuals happy to pay for the data. The records include the exact types of information that is sought by identity thieves, phishers, and scammers.
However, it is not necessary to have access to the stolen records to pull of scams. Many opportunistic cybercriminals are taking advantage of consumer interest in the breach and are preparing phishing websites to fool the unwary into revealing their sensitive information. Equifax’s response to the breach has also made it easier for phishers to ply their trade.
Equifax has taken the decision not to inform all breach victims by mail. Only the 209,000 individuals whose credit card numbers were exposed will be receiving a breach notification letter in the mail. All the remaining breach victims will have to check the Equifax website to find out if their information was compromised in the breach. With almost half the population affected, and next to no one being directly informed, virtually the entire population of the United States will need to head online to find out if they have been affected by the breach.
Equifax has set up a new domain where information is provided to consumers on the steps they can take to secure their accounts and minimize the risk of financial harm. The official website is equifaxsecurity2017.com. Via this website, U.S consumers can get regular updates and enroll in the free credit monitoring services being offered.
To obtain the free credit monitoring services, consumers will be routed to a website with the domain trustedidpremier.com and will need to enter their name and the last six digits of their social security number to start the process. Cybercriminals have been quick to take advantage and have registered swathes of websites and are using them to phish for sensitive information.
Consumers Should Be Wary of Equifax Phishing Scams
USA Today reports that 194 domains closely resembling the site used by Equifax have already been registered in the past few days. Those domains closely mimic the site used by Equifax, with transposed letters and common typos likely to be made by careless typists. Many of the sites have already been shut down, but more are likely to be registered.
The purpose of these sites is simple. To obtain sensitive information such as names, addresses, Social Security numbers and dates of birth.
The technique is called typosquatting. It is extremely common and very effective. The websites use the same logos and layouts as the genuine sites and they fool many visitors into revealing their sensitive information. Links to the websites are sneaked into malicious adverts displayed via third-party ad networks and are emailed out in large scale phishing campaigns. Consumers should therefore exercise extreme caution and be alert to Equifax phishing scams sent via email and text message.
Consumers should also be careful about revealing sensitive information online and should treat all email attachments and emailed hyperlinks as potentially malicious. Consumers should look for the warning signs of phishing attacks in any email received, especially if it appears to have been sent from Equifax or another credit monitoring bureau, a credit card company, bank or credit union. Email, text messages and telephone scams are likely to be rife following an attack on this scale.
Additionally, all U.S. citizens should closely monitor their credit and bank accounts, Explanation of Benefits Statements, and check their credit reports carefully. Criminals already have access to a large amount of data and will be using that information for identity theft and fraud over the coming days, weeks, months and years.
Cyberattacks on Office 365 users are increasing and Office 365 email security controls are not preventing account compromises at many businesses. If you want to block phishing and malware attacks and prevent costly data breaches, there is no better time than the present to improve Office 365 email security.
Microsoft Office 365 – An Attractive Target for Cybercriminals
Microsoft’s figures suggest there are now more than 70 million active users of Office 365 making it the most widely adopted enterprise cloud service by some distance. 78% of IT decision makers say they have already signed up to Office 365 or plan to do so in 2017 and Microsoft says it is now signing up a further 50,000 small businesses to Office 365 every month. 70% of Fortune 500 companies are already using Office 365 and the number of enterprises transitioning to Office 365 is likely to significantly increase.
Office 365 offers many advantages for businesses but as the number of users grows, the platform becomes and even bigger target for hackers. Hackers are actively seeking flaws in Office 365 and users of the service are increasingly coming under attack. The more users an operating system or service has, the more likely hackers are to concentrate their resources on developing new methods to attack that system.
Cyberattacks on Office 365 are Soaring
Microsoft is well aware of the problem. Its figures show that malware attacks on Office 365 users increased by a staggering 600% last year and a recent survey conducted by Skyhigh Networks showed 71.4% of Office 365 business users have to deal with at least one compromised email account every month. Surveys often overestimate security problems due to having a limited sample size. That is unlikely to be the case here. The survey was conducted on 27 million users of Office 365 and 600 enterprises.
The majority of new malware targets Windows systems simply because there are substantially more users of Windows than Macs. As Apple increases its market share, it becomes more profitable to develop malware to attack MacOS. Consequently, MacOS malware is becoming more common. The same is true for Office 365. More users means successful attacks are much more profitable. If a flaw is found and a new attack method developed, it can be used on millions of users, making searching for flaws and developing exploits well worth the time and effort.
Phishers and hackers are also studying how the security functions of O365 work and are searching for flaws and developing exploits to take advantage. For a few dollars a month, hackers can sign up for accounts to study Office 365. Hackers are also taking advantage of poor password choices to gain access to other users’ accounts to trial their phishing campaigns to ensure they bypass Office 365 email security controls.
Office 365 Email Security Controls are Often Lacking
Given the resources available to Microsoft and its frequent updates you would expect the Office 355 email security to be pretty good. While Office 365 email security is not terrible, for standard users it is not great. Standard subscriptions include scant security features. To get enhanced security, the enterprise subscription must be purchased or extra email security add-ons must be purchased separately at a not insignificant cost.
Pay for the enterprise subscription and you will get a host of extra security features provided through the Advanced Threat Protection (ATP) security package. This includes message sandboxing, phishing protection, URL tracking and reporting, and link reputation checking. Even when Advanced Threat Protection is used, getting the settings right to maximize protection is not always straightforward.
APT will certainly improve email security, but it is worth bearing in mind that hackers can also sign up for those features and have access to the sandbox. That makes it easier for them to develop campaigns that bypass Office 365 security protections.
The Cost of Mitigating an Cybersecurity Incident is Considerable
The cost of mitigating a cyberattack can be considerable, and certainly substantially more than the cost of prevention. The Ponemon Institute/IBM Security 2017 Cost of a Data Breach study shows the average cost of mitigating a cyberattack is $3.62 million.
The recent NotPetya and WannaCry attacks also highlighted the high cost of breach mitigation. The NotPetya attack on Maersk, for example, has been estimated to cost the company up to $300 million, the vast majority of which could have been saved if the patches released by Microsoft in March had been applied promptly.
These large companies can absorb the cost of mitigating cyberattacks to a certain extent, although smaller businesses simply do not have the funds. It is no therefore no surprise that 60% of SMBs end up permanently closing their doors within 6 months of experiencing a cyberattack. Even cash-strapped businesses should be able to afford to improve security to prevent email-based attacks – The most common vector used by cybercriminals to gain access to systems and data.
Increase Office Email 365 Security with a Specialist Email Security Solution
No system can be made totally impervious to hackers and remain usable, but it is possible to improve Office 365 email security and reduce the potential for attacks to an minimal level. To do that, many enterprises are turning to third-party solution providers – specialists in email security – to increase Office 365 email security instead of paying extra for the protection offered by APT.
According to figures from Gartner, an estimated 40% of Microsoft Office 365 deployments will incorporate third-party tools by the end of 2018 with the figure predicted to rise to half of all deployments by 2020.
One of the best ways of improving Office 365 email security is to use an advanced, comprehensive email spam filtering solution developed by a specialist in email security, TitanHQ.
TitanHQ’s SpamTitan offers excellent protection against email-based attacks. The solution has also been developed to perfectly compliment Office 365 to block more attacks and keep inboxes spam and malware free. SpamTitan filters out more than 99.9% of spam and malicious emails giving businesses the extra level of protection they need. Furthermore, it is also one of the most cost-effective enterprise email security solutions for Office 365 on the market.
To find out more about SpamTitan and how it can improve Microsoft Office 365 email security at your business, contact TitanHQ today.
MSPs Can Profit from Providing Additional Office 365 Email Security
The days when MSPs could offer email box services to clients and make big bucks are sadly gone. MSPs can sell Office 365 subscriptions to their clients, but the margins are small and there is little money to be made. However, there are good opportunities for selling support services for MS products and also for providing enhanced email security for Office 365 users.
SpamTitan can be sold as an add-on service to enhance security for clients subscribing to Office 365, and since the solution is easy to implement and has a very low management overhead, it allows MSPs to easily boost monthly revenues.
SpamTitan can also be provided in white label form; ready to accept MSPs branding and the solution can even be hosted within an MSPs infrastructure. On top of that, there are generous margins for MSPs.
With SpamTitan it is easy for MSPs to provide valued added service, enhance Office 365 email services, and improve Microsoft Office 365 email security for all customers.
To find out more about how you can partner with SpamTitan and improve Office 365 email security for your customers, contact the MSP Sales team at TitanHQ today.
Dropbox phishing attacks are relatively common and frequently fool employees into revealing their sensitive information or downloading malware.
Dropbox is a popular platform for sharing files and employees are used to receiving links advising them that files have been shared with them by their colleagues and contacts and phishers are taking advantage of familiarity with the platform.
There are two main types of Dropbox phishing attacks. One involves sending a link that asks users to verify their email address. Clicking the link directs them to a spoofed Dropbox website that closely resembles the official website. They are then asked to enter in their login credentials as part of the confirmation process.
Dropbox phishing attacks are also used to deliver malware such as banking Trojans and ransomware. A link is sent to users relating to a shared file. Instead of accessing a document, clicking the link will result in malware being downloaded.
Over the past few days, there has been a massive campaign using both of these attack methods involving millions of spam email messages. Last week, more than 23 million messages were sent in a single day.
Most of the emails were distributing Locky ransomware, with a smaller percentage used to spread Shade ransomware. There is no free decryptor available to unlock files encrypted by Locky and Shade ransomware. If files cannot be recovered from backups, victioms will have to dig deep.
Due to the rise in value of Bitcoin of late the cost of recovery is considerable. The malicious actors behind these attacks are demanding 0.5 Bitcoin per infected device – Around $2,400. For a business with multiple devices infected, recovery will cost tens if not hundreds of thousands of dollars.
According to F-Secure, the majority of malware-related spam messages detected recently – 90% – are being used to distribute Locky. Other security researchers have issued similar reports of a surge in Locky infections and spam email campaigns.
To prevent Locky ransomware attacks, businesses should install an advanced spam filtering solution to prevent malicious emails from being delivered to end users’ inboxes. Occasional emails are likely to make it past spam filtering defenses so it is important that all users receive security awareness training to help them identify malicious emails.
A web filter can be highly effective at blocking attempts to visit malicious websites where malware is downloaded, while up to date antivirus and anti-malware solutions can detect and quarantine malicious files before they are opened.
Backups should also be made of all data and systems and those backups should be stored on an air-gapped device. Ransomware variants such as Locky can delete Windows Shadow Volume Copies and if a backup device remains connected, it is probable that backup files will also be encrypted.
Best practices for backing up data involve three backup files being created, on two different media, with one copy stored offsite and offline. Backups should also be tested to make sure files can be recovered in the event of disaster.
The increase in ransomware attacks has prompted the National Institute of Standards and Technology (NIST) to develop new guidance (NIST SPECIAL PUBLICATION 1800-11) on recovering from ransomware attacks and other disasters. The draft guidance can be downloaded on this link.
Defray ransomware is being used in targeted attacks on organizations in the healthcare and education sectors. The new ransomware variant is being distributed via email; however, in contrast to many ransomware campaigns, the emails are not being sent out in the millions. Rather than use the spray and pay method of distribution, small campaigns are being conducted consisting of just a few emails.
To increase the likelihood of infection, the criminals behind Defray ransomware are carefully crafting messages to appeal to specific victims in an organization. Researchers at Proofpoint have captured emails from two small campaigns, one of which incorporates hospital logos in the emails and claims to have been sent by the Director of Information Management & Technology at the targeted hospital.
The emails contain an Microsoft Word attachment that appears to be a report for patients, relatives and carers. The patient report includes an embedded OLE packager shell object. If clicked, this executable downloads and installs Defray ransomware, naming it after a legitimate Windows file.
The ransom demand is considerable. Victims are asked to pay $5,000 per infected machine for the keys to unlock the encryption, although the ransom note does suggest the attackers are prepared to negotiate on price. The attackers suggest victims should backup their files to avoid having to pay ransoms in the future.
There is no known decryptor for defray ransomware. Files are encrypted using AES-256 with RAS-2048 used to encrypt the AES-256 encrypted password while SHA-2 is used to maintain file integrity. In addition to encrypting files, the ransomware variant can cause other disruption and will delete volume shadow copies to prevent the restoration of files without paying the ransom.
The developers of the ransomware have not given their malicious code a name and in contrast to most ransomware variants, the extensions of encrypted files are not changed. Proofpoint named the variant Defray ransomware from the C2 server used by the attackers.
A second campaign has been identified targeting the manufacturing and technology sector. In this case, the email appears to have been sent by a UK aquarium (Sea Life) with facilities around the world. The emails and attachments differ, although the same OLE packager shell object is used to infect end users.
The attackers have been sending these malicious emails to individuals, user groups and distribution lists. Attacks have occurred in both the United States and United Kingdom and are likely to continue.
Protecting against these targeted attacks requires a combination of spam filtering technology and end user training. Organizations in the healthcare, education, technology and manufacturing sectors should consider sending an email alert to end users warning of the risk of ransomware attacks, instructing end users to exercise caution and not to open email attachments from unknown senders and never to click to enable content on email attachments.
Scenes of the devastation caused by Hurricane Harvey are all over the newsstands and Internet. Videos of the devastation are being broadcast around the globe. The hurricane hit the Texas coast two days ago, forcing tens of thousands of Texas residents to flee their homes. While the hurricane has now been downgraded to a tropical storm, meteorologists are predicting the heavy rainfall will continue at lease for a couple more days and flood waters are continuing to rise.
Following any natural disaster, email scams are rife and extra care must be taken. Hurricane Harvey is no exception. While homeowners were preparing for the worst, cybercriminals were developing Hurricane Harvey phishing scams to fool the unwary into revealing their sensitive information or downloading malware.
Just as looters take advantage of abandoned homes, scammers take advantage of interest in the disaster and send malicious emails that direct users to phishing websites and exploit kits that silently download malware. Scammers capitalize on interest in disasters to conduct malicious activities.
The expected deluge of malicious emails has prompted US-CERT to issue a warning about Hurricane Harvey phishing scams, urging Americans to be extra vigilant. Similar warnings have also been issued by the Better Business Bureau and Federal Trade Commission (FTC).
Hurricane Harvey phishing scams are likely to have eye-catching subject lines offering updates on Hurricane Harvey and stories relating to the disaster or relief efforts. The scam emails contain malicious hyperlinks that will direct users to phishing websites and sites where malware is downloaded. Malicious email attachments are also used to install malware and ransomware.
Users should be extremely wary about opening any emails relating to Hurricane Harvey, especially emails sent from unknown senders. The best advice is not to click on any hyperlink in an email relating to Hurricane Harvey and not to open email attachments sent in those messages.
While email is favored by many scammers, Hurricane Harvey phishing scams can be found on social media sites. Facebook posts and tweets may direct users to phishing websites where credit card details can be obtained or to fake charity websites where donations can be made.
How to Give to Charity to Support the Victims and Avoid Being Scammed
A natural disaster such as this causes devastation for tens of thousands of families. Homes and businesses are lost and families are forced to take refuge in shelters. Displaced families need support and many charities are accepting donations to help the victims.
However, all may not be as it seems. Scammers spoof legitimate charities and set up bogus websites where donations can be made. Oftentimes, legitimate charities are spoofed and donations never make it to the victims.
The advice offered by the Federal Trade Commission is to be wary of any request for donations to support the victims of Hurricane Harvey. Rather than respond directly to email and social media requests for donations, visit the charity webpage directly and independently verify the charity is legitimate.
The Better Business Bureau is maintaining a list of BBB-accredited charities that are accepting donations to support the victims of Hurricane Harvey, as is Guidestar. By checking the legitimacy of the charity, users can make sure their donations reach the victims of the hurricane and do not end up lining criminals’ pockets.
If you are considering donating to a charity that is not on either list, before making a donation, check that the charity is registered by contacting the National Association of State Charity Officials.
What is biggest cybersecurity threat currently faced by organizations? According to a recent survey of government IT professionals, the biggest cybersecurity threat is employees. 100% of respondents to the survey said employees were the biggest cybersecurity threat faced by their organziation.
The survey, conducted by Netwrix, explored IT security and compliance risks at a wide range of organizations around the globe, including government agencies.
Government agencies are an attractive target for cybercriminals. They store vast quantities of sensitive data on consumers and cybersecurity protections are often inferior to private sector organizations. Consequently, cyberattacks are easier to pull off. In addition to a treasure trove of consumer data, government agencies hold highly sensitive information critical to national security. With access to that information, hackers can take out critical infrastructure.
There are plenty of hackers attempting to gain access to government networks and oftentimes attacks are successful. The Office of Personnel Management breach in 2015 resulted in the Social Security numbers of 21.5 million individuals being compromised. In 2015, there was also a 6.2 million record breach at the Georgia Secretary of State Office and 191 million individuals were affected by a hack of the U.S. voter database.
The survey revealed 72% of government entities around the world had experienced at least one data breach in 2016 and only 14% of respondents felt their department was well protected against cyberattacks.
Employees Are the Biggest Cybersecurity Threat
Last year, 57% of data breaches at government entities were caused by insider error, while 43% of respondents from government agencies said they had investigated instances of insider misuse. Given the high percentage of security incidents caused by insiders – deliberate and accidental – it is no surprise that insiders are perceived to be the biggest cybersecurity threat.
How Can Employees be Turned from Liabilities into Security Titans?
Employees may be widely regarded as liabilities when it comes to information security, but that need not be the case. With training, employees can be turned into security titans. For that to happen, a onetime security awareness training program is not going to cut it. Creating a security culture requires considerable effort, resources and investment.
Security awareness training needs to be a continuous process with training sessions for employees scheduled at least twice a year, with monthly updates and weekly security bulletins distributed to highlight the latest threats. Training must also be backed up with testing – both to determine how effective training has been and to provide employees with the opportunity to test their skills. Phishing simulations are highly effective in this regard. If an employee fails a simulation it can be turned into a training opportunity. Studies by security training companies have shown susceptibility to phishing attacks can be reduced by more than 90% with effective training and phishing simulation exercises.
However, fail to invest in an effective security awareness program and employees will remain the biggest cybersecurity threat and will continue to cause costly data breaches.
How to Reduce Exposure to Phishing and Malware Threats
With the workforce trained to respond correctly to phishing emails, employees can be turned into a formidable last line of defense. The defensive line should be tested with simulated phishing emails, but technological solutions should be introduced to prevent real phishing emails from being delivered to end users’ inboxes.
The majority of malware and ransomware attacks start with a phishing email, so it is essential that these malicious messages are filtered out. An advanced spam filtering solution should therefore be at the heart of an organization’s email defenses.
SpamTitan is a highly effective enterprise-class spam filtering solution that blocks malicious messages and more than 99.9% of spam email, helping organizations to mount an impressive defense against email-based attacks. Dual anti-virus engines are used to identity and block malware and ransomware, with each email subjected to deep analysis using Sender Policy Framework (SPF), SURBL’s, RBL’s and Bayesian analysis to block threats.
If you want to improve your defenses against phishing and email-based malware attacks, SpamTitan should be at the heart of your email defenses. To find out more about SpamTitan and how it can prevent your employees having their phishing email identification skills frequently put to the test, contact the TitanHQ team today.
The busiest day of the week for email spam is Tuesday and spammers concentrate on sending messages during working hours, Monday to Friday, according to a 2017 spam study conducted by IBM X-Force.
The study was conducted over a 6-month period from December 2016 to June 2017. The study analyzed more than 20 million spam messages and 27 billion webpages and images a day. The researchers also incorporated data provided by several anti-spam organizations, making the 2017 spam study one of the largest ever conducted.
The 2017 spam study showed the majority of spam emails – 83% – were sent to arrive in inboxes during office hours with Tuesday, Wednesday, and Thursday the spammiest days. Spam volume was much lower on Mondays and Fridays.
While spam is sent 24/7, the busiest times are between 1am and 4pm ET. If an email arrives at an inbox when a worker is at his/her desk, it is more likely to be opened. Spammers therefore concentrate their messages during office hours.
Malicious spam messages increase around the holidays and during tax season when email scams are rife. The increase in numbers of individuals heading online to shop for goods means rich pickings for spammers. Spam volume also increases during sporting events such as the Olympics, the Super Bowl and the Football World Cup, with sports-themed spam messages capitalizing on interest in the events.
Malicious messages aim to get email recipients to reveal their banking credentials, logins and passwords and install malware. The researchers found 44% of spam emails contained malicious code, and out of those emails, 85% were used to spread ransomware.
While the majority of spam messages are automated, the IBM researchers point out that spammers work at their campaigns. There is also considerable manual work required to control botnets and spam mailers. The process is not entirely automated. Considerable work is put into malicious messages that spread ransomware and malware, with these campaigns requiring the highest level of manual control. These campaigns also involve extensive planning to maximize the number of victims.
Spam is sent from countries all around the world, although the biggest percentage hails from India, which sends 30% of all spam emails. South America and China also send a high percentage of global spam. Only 7% of spam emails are sent from the United States and Canada.
Companies are getting better at filtering out spam emails and preventing the messages from reaching inboxes. Spam filtering technology has improved enormously in recent years, meaning fewer messages are being delivered; however, spam is still the main method of distributing malware and phishing scams are rife. Spammers are also getting much better at masking their malicious messages and they frequently change delivery vehicles develop new methods of hiding malicious code to avoid detection.
The researchers say spam email volume has increased fourfold over the past 12 months and malicious messages are now being increasingly targeted at organizations and individuals, rather than being sent randomly in huge spamming campaigns. Targeting allows the attackers to send carefully crafted campaigns which are more likely to result in the recipients taking the desired action.
Two new Locky ransomware spam campaigns have been detected this month, each being used to spread a new variant of the cryptoransomware. The campaigns have been launched after a relatively quiet period for ransomware attacks, although the latest campaigns show that the threat of ransomware attacks in never far away.
Previously, Locky ransomware spam campaigns have been conducted using the Necurs botnet – one of the largest botnets currently in use. One of the campaigns, spreading the Locky variant Lukitus is being conducted via Necurs. The other campaign, which is spreading the Diablo Locky variant, is being sent via a new botnet consisting of more than 11,000 infected devices. Those devices are located in 133 countries according to Comodo Threat Research Labs. The botnet appears to have been built quickly and is understood to be growing, with most infected devices in Vietnam, India, Mexico, Turkey and Indonesia.
The failure to backup files is likely to prove costly. The ransom demand issued by the attackers ranges between 0.5 and 1 Bitcoin per infected device – approximately $2,150 to $4,300 per machine. There is still no decryptor for Locky ransomware. Victims face file loss if they do not have a viable backup to restore files. Locky ransomware variants remove Shadow Volume Copies to hamper recovery without paying the ransom.
The Diablo Locky variant renames encrypted files with a unique 16-character file name and adds the diablo6 extension, while the Lukitus variant adds the .lukitus extension.
The two new Locky ransomware spam campaigns differ in their method of delivery of the ransomware, although both involve spam email. The Diablo campaign, which started on August 9, uses various attachments including pdf, doc, and docx files, although infection occurs via malicious macros.
Opening the infected documents will present the user with indecipherable data and a prompt to enable macros to view the content of the document. Enabling macro saves a binary to the device, runs it, and downloads the Locky payload.
The email subjects in this campaign are varied, although in many of the emails the attackers claim the attachment is a missed invoice or purchase order.
The Lukitus campaign was first detected on August 16 and has been mostly used in attacks in the United States, UK, and Austria, although there have also been successful attacks in Italy, Sweden, China, Russia, Botswana, Netherlands and Latvia.
As with all ransomware attacks via spam email, the best defense is an advanced spam filter to block the emails and prevent them from being delivered to end users. Employees should already have been trained on the threat from ransomware. Now would be a good time to issue a reminder via email to all employees of the current threat.
Recovery without paying the ransom depends on viable backup copies existing. Since Locky can encrypt backup files, backup devices should be disconnected after a backup has been made. Organizations should also ensure three copies of backups exist, on two different media, with one copy stored off site – the 3-2-1 approach to backing up.
The retail industry is under attack with cybercriminals increasing their efforts to gain access to PoS systems. Retail industry data breaches are now being reported twice as frequently as last year, according to a recent report from UK law firm RPC.
Retailers are an attractive target. They process many thousands of credit card transactions each week and store huge volumes of personal information of consumers. If cybercriminals can gain access to Point of Sale systems, they can siphon off credit and debit card information and stolen consumer data can be used for a multitude of nefarious purposes.
Many retailers lack robust cybersecurity defenses and run complex systems on aging platforms, making attacks relatively easy.
While cyberattacks are common, the increase in data breaches does not necessarily mean hacks are on the rise. RPC points out that there are many possible causes of data breaches, including theft of data by insiders. Retailers need to improve they defenses against attacks by third parties, although it is important not to forget that systems need to be protected from internal threats.
Preventing retail industry data breaches requires a range of cybersecurity protections, but technology isn’t always the answer. Errors made by staff can easily result in cybercriminals gaining easy access to systems, such as when employees respond to phishing emails.
Employees are the last line of defense and that defensive line is frequently tested. It is therefore essential to improve security awareness. Security awareness training should be provided to all employees to raise awareness of the threat from phishing, malware and web-based attacks.
Phishing emails are the primary method of spreading malware and ransomware. Training staff how to identify phishing emails – and take the correct actions when email-based threats are received – will go a long way toward preventing retail industry data breaches. Employees should be taught the security basics such as never opening email attachments or clicking hyperlinks in emails from unknown individuals and never divulging login credentials online in response to email requests.
Employees can be trained to recognize email-based threats, although it is important to take steps to prevent threats from reaching inboxes. An advanced spam filtering solution is therefore a good investment. Spam filters can block the vast majority of spam and malicious emails, ensuring employees security awareness is not frequently put to the test. SpamTitan blocks more than 99.9% of spam and malicious emails, ensuring threats never reach inboxes.
Web-based attacks can be blocked with a web filtering solution. By carefully controlling the types of websites employees can access, retailers can greatly reduce the risk of malware downloads.
As the recent WannaCry and NotPetya malware attacks have shown, user interaction is not always required to install malware. Both of those global attacks were conducted remotely without any input from employees. Vulnerabilities in operating systems were exploited to download malware.
In both cases, patches had been released prior to the attacks that would have protected organizations from the threat. Keeping software up to date is therefore essential. Patches must be applied promptly and regular checks conducted to ensure all software is kept 100% up to date.
This is not only important for preventing retail industry data breaches. Next year, the General Data Protection Regulation (GDPR) comes into force and heavy fines await retailers that fail to do enough to improve data security. Ahead of the May 25, 2018 deadline for compliance, retailers need to improve security to prevent breaches and ensure systems are in place to detect breaches rapidly when they do occur.
Several domain spoofing spam campaigns have been detected that are targeting customers of popular UK banks. The spam email campaigns include credible messages and realistic spoofed domains and pose a threat to consumers and businesses alike. The domain spoofing email campaigns are targeting customers of HSBC, Lloyds Bank, Nationwide, NatWest and Santander.
Domain spoofing is the use of a domain similar to that used by a legitimate entity with the aim of fooling email recipients into believing the email and domain is genuine. Domain spoofing is commonly used in phishing attacks, with email recipients fooled into divulging their login credentials or downloading malware. In addition to a similarly named domain, the malicious websites often include the targeted brand’s logos, layouts and color schemes.
According to a warning issued by the SANS Institute’s Internet Storm Center, the latest domain spoofing spam campaigns involve the name of the bank and one of the following additional words: docs; documents; secure; communication; securemessage.
Customers of a targeted back who receive an email and a link from the domain ‘securenatwest.co.uk’ or ‘santandersecuremessage.com’ could easily be fooled into thinking the email is genuine. Other domains being used are hsbcdocs.co.uk, hmrccommunication.co.uk, lloydsbacs.co.uk, nationwidesecure.co.uk, natwestdocuments6.ml, and santanderdocs.co.uk. Further, many consumers still believe a website starting with HTTPS is secure. Yet all of these spoofed domains are all encrypted and have SSL certificates.
The domain spoofing spam campaigns involve messages claiming there is a new secure message from the bank along with an attached HTML file. That file downloads a malicious MS Office document containing macros. If those macros are enabled, the malicious payload is delivered. These campaigns are being used to distribute Trickbot malware – a banking Trojan used for man-in-the-middle attacks to steal banking credentials.
HTML documents are used as they download malicious MS documents via an HTTPS connection to reduce the risk of the documents being detected by antivirus software. SANS Institute researcher Brad Duncan pointed out that this method, while not new, can be effective. He also explained that “poorly managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.”
The domain spoofing spam campaigns were detected by My Online Security, which notes that “A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.”
Businesses can reduce risk by employing a spam filtering solution to prevent the malicious messages from being delivered to end users, ensuring Windows hosts are correctly configured, and ensuring employees are alert to the threat. Macros should be disabled on all devices and employees instructed never to enable macros or enable content on emailed documents.
Security researchers have discovered a wave of cyberattacks on hotel WiFi networks that leverage an NSA exploit – EternalBlue – for a vulnerability that was fixed by Microsoft in March.
The same exploit was used in the WannaCry ransomware attacks in May and the NotPetya wiper attacks in June. Even though the malware campaigns affected hundreds of companies and caused millions (if not billions) of dollars of losses, there are still companies that have yet to apply the update.
The recent cyberattacks on hotel WiFi networks have affected establishments in the Middle East and Europe. Once access is gained to hotel networks, the attackers spy on guests via hotel WiFi networks and steal their login credentials.
Researchers at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is believed to receive backing from the Russian government and has performed many high profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.
In contrast to the WannaCry and NotPetya attacks that were conducted remotely without any user involvement, the latest campaign is being conducted via a spear phishing campaign. The hacking group sends malicious emails to hotel employees and uses email attachments to download their backdoor – Gamefish. In this case, the attachment appears to be a reservation form for a hotel booking. Gamefish is installed if hotel employees run the macros in the document.
Once the backdoor is installed, the hackers search for internal and guest WiFi networks using EternalBlue and spread to other devices. Once embedded in computers that control the WiFi networks, the attackers can launch attacks on devices that attempt to connect to the hotel WiFi network.
The hackers use the open-source Responder tool to listen for MBT-NS (UDP/137) broadcasts from devices that are attempting to connect to WiFi network resources. Instead of connecting, they connect to Responder which obtains usernames and hashed passwords. That information is transferred to a computer controlled by the attackers. Once the hashed passwords have been cracked they can be used to attack hotel guests.
The names of the affected hotels have not been disclosed, although FireEye has confirmed that at least one Middle Eastern hotel and seven in Europe have been attacked. The hotels were well respected establishments likely to be frequented by high-net worth guests and business travellers.
The advice for travellers is to exercise caution when connecting to hotel WiFi networks, such as avoiding accessing online bank accounts or better still, avoiding connecting to hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a good idea, in this case the attack can occur before a secure VPN connection is made.
FireEye reports that this type of attack is difficult to detect and block. The attackers passively collect data and leave virtually no traces. Once login credentials have been obtained, guests are vulnerable and not just while they are at the hotel. FireEye believes the credentials are then used to attack individuals when they return home and connect to their home networks.
The best way for hotels to prevent cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to installation of the malware. Hotels should ensure all employees are provided with security awareness training and a spam filtering solution such as SpamTitan is deployed to stop malicious emails from being delivered to employees’ inboxes.
Global spam email levels have been rising, with spam volume in July soaring to levels not seen since March 2015.
The figures come from the Symantec monthly threat report, which uses data from the Global Intelligence Network (GIN). Last month, global spam email levels increased by 0.6 percentage points to 54.9% of total email volume. The industry that received the most spam emails was the mining sector, with 59.1% of emails categorized as spam.
Spam emails include unsolicited marketing emails, offers of cut price medications and notices about women who have been trawling the internet for a man like you. While many of these emails are simply junk, the volume of malicious messages has been rising. In particular, spam messages containing malware.
Symantec reports that email malware has increased to levels not seen since December 2016. Last month, one in every 359 spam emails was used to deliver malware. The previous month, one in every 451 emails contained malware. The industry that received the most email malware levels was the agriculture, forestry and fishing sector, with one in every 152 emails containing malware.
Malware and Phishing Emails at The Highest Level Seen This Year
Malicious emails are being sent in campaigns targeting medium sized businesses, which registered the highest percentage of malware emails. Businesses with between 251 and 500 employees had the highest volume of malware in their inboxes, according to Symantec’s analysis. Large businesses – organizations with between 1,001 and 1,500 employees – had the highest rate of spam delivery as a whole.
While malware emails increased, the number of malware variants used in those emails dropped to 58.7 million variants from 66.3 million the previous month. Symantec notes that several malware families have now started being spread via email, which has contributed to the malware email volume.
In the past month, malware variants have been detected that are capable of generating their own spam emails from the infected device and sending malware copies to the victims’ entire address books. The Emotet banking Trojan now has this functionality and Reyptson malware also, with the latter sending itself to Thunderbird contacts.
This month, Microsoft has discovered a new tech support scam that is being distributed via spam email. Spam emails spoofing brands are being sent in large campaigns with links to websites that generate popups warning of suspicious activity and malware infections.
Symantec notes the volume of phishing emails has also increased with levels now at a 12-month high. One in 1,968 emails are used for phishing. Phishing attacks on the mining industry sector were the most common with one in 1,263 emails used for phishing, indicating targeted attacks are occurring.
Increase in Global Spam Email Levels Highlights Need for Effective Spam Filtering
The rise in global spam email levels highlights the need for an advanced email spam filter. Spam is a major drain on productivity and malware and phishing attacks are costly to mitigate. Employee security awareness programs are effective at preventing employees from falling for phishing scams, although a technological solution should be implemented to prevent spam emails from reaching inboxes. SpamTitan blocks more than 99.9% of spam and dual antivirus engines prevent the delivery of known malware.
If you want to protect your business, boost productivity and improve your malware defenses, contact the TitanHQ team today.
A new survey from CSO shows ransomware and phishing attacks in 2017 have increased, although companies have reported a decline in the number of cyber incidents experienced over the past year. While it is certainly good news that organizations are experiencing fewer cyberattacks, the report suggests that the severity of the attacks has increased and more organizations have reported suffering losses as a result of security incidents.
CSO conducted the annual U.S State of Cybercrime survey on 510 respondents, 70% of whom were at the vice president level or higher. Companies had an average IT security budget of $11 million.
This year’s report suggests organizations are struggling to keep up with the number of patches and software upgrades now being issued, although the consequences of the delays have been clearly shown this year with the NotPetya and WannaCry attacks. The failure to patch promptly has seen many organizations attacked, with some companies still struggling to recover. Nuance Communications was badly affected by NotPetya, and a month after the attacks, only 75% of its customers have regained access to its services. TNT also suffered extensive disruption to services in the weeks following the attacks, although these are just two companies out of many to experience extended disruption.
IT security budgets have increased by an average of 7.5% year over year with 10% of companies saying they have increased IT security spending by 20% or more in the past 12 months. While new technologies are taking up the bulk of the new budgets, organizations are also investing in audits and knowledge assessments, information sharing, redeveloping their cybersecurity strategy, policies and processes and are adding new skills. 67% of respondents said they have now expanded their security capabilities in include mobile devices, the cloud and IoT.
Even though the threat of attack is severe, many companies still believe a cyber response plan should not be part of their cybersecurity strategy, although acceptance that cyberattacks will occur has seen 19% of respondents plan to implement a response strategy in the next 12 months.
Even though there was a fall in the number of security incidents, losses experienced as a result of those attacks have remained constant or have increased over the past 12 months for 68% of respondents. Only 30% of companies said they had experienced no losses as a result of security incidents, down 6 percentage points from last year.
More CSOs and CISOs are now reporting directly to the board on a monthly basis, up 17% since last year. However, as was also confirmed by a recent survey conducted by KPMG, many boards still view cybersecurity as an IT issue – The CSO survey suggests 61% of boards believe cybersecurity is a concern of the IT department not a matter for the board, a drop of just two percentage points since last year.
Phishing attacks in 2017 have increased significantly, with 36% of companies reporting attacks – up from 26% last year. 17% of companies experienced ransomware attacks – up from 14% – and financial fraud increased from 7% to 12%. Business email compromise scams are also increasing, up from 5% to 9% in the past 12 months.
The increase in ransomware and phishing attacks in 2017 highlights the need for security awareness training for employees and an improvement to spam filtering controls. Organizations need to ensure they have sufficient staffing levels to ensure patches are applied promptly, while investment in people must improve to ensure they have the skills, resources and training to respond to the latest threats. Boards must also appreciate that cybersecurity is not just a matter for IT departments, and the CSO survey shows that too much faith is being placed in cybersecurity protections. Currently only 53% of companies are testing the effectiveness of their security programs.
Reyptson ransomware is a new threat that has been discovered in the past few days. The new ransomware variant is currently being used in attacks in Spain, with detected activity rising considerably in the days since its discovery.
There is no free decryptor for Reyptson ransomware at this stage. The ransomware variant encrypts a wide range of file types, including MS Office files and images using AES-128 encryption. Encrypted files will have the file extension .Reyptson appended to the file.
Infection will require files to be recovered from backups or the ransom demand must be paid if no backup exists and victims do not want permanent file loss. Users are told they must pay a ransom of €200 to unlock the encryption, although the payment will increase to €500 after 72 hours.
New cryptoransomware variants are being released on an almost daily basis with the majority spread via spam email. What makes this variant unique is its ability to spread itself following infection. Reyptson is capable of conducting its own email campaigns and spreading itself to a victim’s contacts.
The spam email campaigns are conducted via the Thunderbird email client. Reyptson ransomware searches for contacts and creates new spam email messages and sends them to all contacts using the victim’s credentials.
The emails claim to be invoices and include a link for the recipient to download the invoice. Clicking the link will download a compressed .rar file which contains an executable file that appears to be a PDF file. If that executable file is opened; the user will be infected with the ransomware and the process will repeat. According to an analysis by MalwareHunterTeam, the emails have the subject line Folcan S.L. Facturación.
Recently, global ransomware campaigns have been conducted using exploits stolen from the NSA. Those exploits take advantage of vulnerabilities in software that have not been addressed. Even though patches have been released to correct those vulnerabilities, many companies have yet to update their operating systems. A free scanner called Eternal Blues has been developed that has revealed more than 50,000 computers around the world are still vulnerable and have not been patched.
Patching promptly has always been important, but now even more so. Delaying the updating of software can see organizations infected and the damage can be considerable. In the case of NotPetya, computers are rendered useless and even payment of a ransom cannot undo the damage.
However, spam email remains the most common vector for spreading ransomware. Preventing Reyptson ransomware attacks and other cryptoransomware variants requires an advanced spam filter. A spam filter such as SpamTitan can block these messages and prevent them from being delivered to end users. If the spam emails are not delivered, they cannot be opened by end users.
Prompt patching, user awareness training, spam and web filtering can help organizations reduce the risk of attack. However, it is also essential to ensure multiple backups of data are made to ensure recovery in case of infection. Organizations should adopt the 3-2-1 approach to backups. Ensure there are three copies of data, on 2 different media with one copy stored off site.
One backup copy can be stored locally – on a removable device that is unplugged when backups are completed or are not being used. One copy should be stored in the cloud and one on a backup drive/tape that is stored in a secure location off site that can be used in the event of a disaster.
Law firms in Eire and Northern Ireland are being targeted with a new Supreme Court phishing campaign that is being used to fool recipients into visiting a malicious website.
The email appears to have been sent from the Supreme Court and refers to a new/updated Statutory Instrument. The emails that have been detected so far include a PDF file containing further details, although the attachment will divert the recipient to a malicious domain.
The Supreme Court phishing emails add a sense of urgency, as is common in phishing campaigns, telling the recipient to read the information in the attached document by this Friday.
The emails that have been reported have the subject line – Supreme Court (S.I. No691/2017) – although it is possible there are other variations along the same theme. The Courts Service has confirmed that the emails are not genuine and should be deleted without being opened. The phishing scam has been reported to the Gardaí and the Courts Service IT team is also investigating and a warning has been issued.
Supreme Court phishing scams are common. In February this year, the UK Supreme Court also issued a warning after numerous emails were received claiming to be subpoenas for court appearances in relation to a crime that the recipient had committed. In that case, a link was included to provide the court with all of the necessary information about the case. Receipents of the email were told to submit the information within 12 days or the case would proceed in their absence.
As the UK Supreme Court pointed out, it does not issue subpoenas to appear in court for criminal cases, although many law-abiding citizens would be aware of typical procedures associated with criminal cases. The fear generated by a potential court appearance for an unknown crime would likely see many email recipients open the message, click on the link and reveal their personal information.
The purpose of Supreme Court phishing emails is usually to obtain sensitive information under the guise of confirming the recipient’s identity. The information gathered by the phishing emails can be used for identity theft or other forms of fraud. Emails such as this are also used to spread malware or ransomware.
The emails are designed to scare people into responding and they can be highly effective. However, there are usually a variety of telltale signs that the email is not genuine. Before clicking or taking any requested action, it is important to stop, think and not to panic. Check the email for misspellings, grammatical errors and anything out of the ordinary.
If a link is included in the email, hover the mouse arrow over it to find out the true URL to see if it will direct you to a genuine domain. If the email contains an attachment, do not open it. If you are worried about the email, contact the organization that claims to have sent the message by obtaining the correct contact details from the Internet and verify the authenticity of the request.
In the most part, any serious matter such as a subpoena or important change to legislation would be unlikely to be communicated via email, and certainly not in an email attachment or via a link to a domain.
A U.S senator is urging the Department of Homeland Security and other federal agencies to adopt DMARC to prevent impersonation attacks via email. Over the past few months, several government agencies have been targeted by phishers who have used government domains to send huge numbers of spam emails.
The emails appear legitimate as they have been sent from government-owned domains, and while the text in the emails often contains clues to suggest the emails are not genuine, the official domain adds sufficient authenticity to see many email recipients fooled.
The use of official domains by phishers is nothing new of course, but government-owned domains should be protected to prevent them being used in phishing campaigns. The problem is that in the vast majority of cases, insufficient controls have been implemented to prevent impersonation attacks.
Sen. Ron Wyden (D-Oregon) wrote to the Department of Homeland Security voicing his concerns about the problem, and specifically, the failure of federal agencies – including DHS – to use the Domain-based Message Authentication Reporting and Conformance (DMARC) standard.
DMARC is a proven tool that can help to prevent impersonation attacks via email by allowing email recipients to verify the sender of an email. If DMARC is used, it is possible to determine whether the emails have genuinely been sent from federal agencies or if they have been sent by a third party unauthorized to use the domain. In short, it will prevent impersonation attacks and protect consumers. If DMARC was used, it would make it much harder for government agencies to be impersonated.
The standard is recommended by the National Institute of Standards & Technology (NIST) as well as the Federal Trade Commission (FTC). DMARC has also recently been adopted in the UK by the British government with hugely positive results. Since DMARC has been implemented, the UK Tax agency alone has reduced impersonation attacks to the tune of 300 million messages in a single year.
The UK’s National Cyber Security Center (NCSC) has also created a central system where it processes all of the DMARC reports from all government agencies to monitor impersonation attacks across all government departments
Currently the Department of Homeland Security does not use DMARC and it is not used on the majority of government owned domains. The U.S. government owns approximately 1,300 domains, yet DMARC is only used on an estimated 2% of those domains.
Impersonation attacks are on the rise and numerous government agencies have been impersonated in recent months including the Department of Health and Human Services, the IRS and even the Defense Security Service – part of the U.S. Department of Defense.
Sen. Wyden suggests the Department of Homeland Security should immediately adopt DMARC and mandate its use across all federal agencies. DHS already scans other federal agencies for vulnerabilities under the Cyber Hygiene program. Sen. Wyden says DMARC scanning should be incorporated into that program. As in the UK, Sen. Wyden suggests a central repository should be created for all DMARC reports by the General Services Administration (GSA) to give DHA visibility into impersonation attacks across all federal agencies.
Phishing attacks on tax professionals are soaring. Tax professionals across the United States have been extensively targeted by cybercriminals this tax season who fool them into disclosing sensitive information such as login credentials and tax information.
The IRS has received 177 reports from tax professionals that have fallen for the scams this year and have disclosed sensitive information, although the victim count is likely to be much higher since not all phishing attacks are reported. Currently, the IRS is receiving between three and five new reports of successful phishing scams each week.
Many of the victims have reported large data losses as a result of the phishing scams. Tax information is used by cybercriminals to file fraudulent tax returns in the victims’ names. The data can also be used for identity theft.
The IRS says tax professionals are being extensively targeted by highly organized criminal gangs in the United States, as well as international crime rings. The IRS points out that the criminals conducting phishing attacks on tax professionals “are well funded, knowledgeable and creative.”
Targets are researched and information is often included in the emails that is relevant to the recipient. The name and address of the target are often used in the emails and the requests are highly credible. Emails may request data or provide a hyperlink for the recipient to click. Clicking the link results in malware being downloaded that gives the attacker access to the computer. Keyloggers are often downloaded that record and transmit passwords.
The Anti Phishing Working Group tracked 1.2 million unique phishing attacks last year, representing a 65% rise from 2015. Those scams often involve millions of emails. Currently, APWG is tracking an average of 92,564 unique phishing attacks each month.
Phishing attacks on tax professionals can be highly sophisticated, but in the majority of cases it is possible to block attacks by employing basic security measures. Unfortunately, many organizations overlook these steps.
The IRS is working closely with the tax industry and state tax agencies as the ‘Security Summit’. The Security Summit has recently launched a new campaign to help tackle the problem of phishing by raising awareness of the threat via a new “Don’t Take the Bait” campaign.
Over the next 10 weeks, the Security Summit will send weekly emails to raise awareness of the different types of phishing scams and other threats. The Security Summit has kicked off the campaign with spear phishing, which will be followed by education efforts to raise awareness of CEO fraud/BEC scams, ransomware attacks, remote account takeovers, EFIN thefts and business identity theft.
Blocking phishing attacks on tax professionals requires layered defenses, one of the most important being the use of software solutions to prevent phishing emails from being delivered to end users’ inboxes. SpamTitan blocks more than 99.9% of email spam and keeps inboxes free from malicious messages. If emails are not delivered, employees will not be tested.
Even with software solutions in place it is important for all employees to be aware of the threat from phishing. Security training should be provided to teach employees how to recognize the tell-tale signs of phishing emails and organizations should try to develop a culture of security awareness.
IRS Commissioner John Koskinen said “Doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”
The IRS recommends several measures to reduce risk:
- Educate all employees on the risk from spear phishing and phishing in general
- Ensure strong passwords are used
- Always question emails – Never take them at face value
- Never click a link without first checking the destination URL – Hover the mouse arrow over a masked link to find the true URL
- Use two-factor authentication for all email requests to send sensitive data – Confirm with the sender via the telephone
- Use security software to block phishing emails and malware and ensure the software is updated automatically
- Use the security settings in tax preparation software
- Report suspicious emails to the IRS
NotPetya ransomware attacks have spread globally, with the latest figures from Microsoft suggesting there are now more than 12,500 reported victims spread across 65 countries. The attacks first started to be reported on Tuesday morning with companies in the Ukraine hit particularly hard.
At first it appeared that the attacks involved Petya ransomware, although it has since been confirmed that this is a new ransomware variant. The ransomware has already attracted a variety of names such as GoldenEye, SortaPetya, ExPetr, and NotPetya. We shall use the latter.
Security researchers believe the NotPetya ransomware attacks started in Ukraine. The first attacks occurred the day before a national holiday – a common time to launch an attack. IT staff were unlikely to be working, so the probability of the attacks being halted before the ransomware was allowed to run would be increased.
The NotPetya ransomware attacks have been discovered to have occurred via a variety of vectors. Ukraine was hit particularly hard, which suggested a country-specific attack vector. Some security researchers have suggested the first attacks occurred via a Ukrainian accounting package called M.E. Doc, with the attackers managing to compromise a software update. M.E.Doc hinted that this may be the case initially, but later denied they were the cause of the attack. If it is true that a software update was involved, it would not be the first time M.E.Doc was attacked. A similar ransomware attack occurred via M.E.Doc software updates in May.
However, that is only one potential attack vector used in the NotPetya ransomware attacks. It has been confirmed that the attackers are also using two NSA exploits that were released by Shadow Brokers in April. As was the case with the WannaCry ransomware attacks, the EternalBlue exploit is being used. The latest attacks are also using another exploit released at the same time called EternalRomance.
In contrast to the WannaCry ransomware attacks last month, the exploits used in the NotPetya ransomware attacks only scan for vulnerable devices on local networks, not via the Internet.
Both exploits will not work if computers have already been patched with MS17-010 released by Microsoft in March. Following the WannaCry attacks, Microsoft also issued a patch for older, unsupported Windows versions to prevent further ransomware attacks.
However, patching would not necessarily have prevented infection. In contrast to WannaCry, NotPetya ransomware attacks have been reported by companies that have patched their computers. Security researchers have confirmed that all it takes for infection to occur is for one computer to have been missed when applying the patches. That allows the attackers to attack that machine, and also any other machines connected to the local network, even if the patch has been applied.
The attacks also appear to be occurring via phishing emails containing malicious Microsoft Office documents. As has been the case with many other ransomware attacks, the failure to implement spam defenses can result in infection. The use of an advanced spam filter such as SpamTitan offers excellent protection against email-based ransomware attacks, preventing those emails from reaching end users’ inboxes.
Upon infection, the ransomware waits one hour before executing and forcing a reboot. When the computer restarts, the ransom note appears. The ransom demand is for $300 per infected machine. In contrast to the majority of ransomware variants, NotPetya does not encrypt files. Instead it replaces the Master File Table (MFT). Since the MFT shows the computer where files are located on the hard drive, without it files cannot be found. Files are not encrypted, but they still cannot be accessed.
Preventing ransomware attacks such as this requires regular patching to address vulnerabilities and anti-spam solutions to prevent malicious emails from being delivered.
Fortunately, NotPetya ransomware attacks can be blocked. Cybereason security researcher Amit Serber has found a way to vaccinate computers against this specific ransomware variant. He suggests IT teams “Create a file called perfc in the C:\Windows folder and make it read only.” This method has been confirmed as effective by other security researchers, although it will not work if infection has already occurred.
Unfortunately, recovery following an attack may not be possible if infected computers cannot be restored from backups. Kaspersky Lab reports there is a flaw in the ransomware saying, “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” Further, the email account used by the attacker to verify ransom payments has been shut down by a German email provider.
The WannaCry ransomware attacks may have attracted a lot of press, but Locky ransomware poses a bigger threat to organizations with a new Locky ransomware campaign now a regular event. The ransomware was first seen in February last year and rapidly became the biggest ransomware threat. In recent months, Cerber has been extensively distributed, but Locky is still being used in widespread attacks on organizations.
The actors behind Locky ransomware are constantly changing tactics to fool end users into downloading the malware and encrypting their files.
The Necurs botnet has recently been used to distribute Jaff ransomware, although now that a decryptor has been developed for that ransomware variant, the actors behind Necurs have switched back to Locky. The new Locky ransomware campaign involves millions of spam messages sent via the Necurs botnet, with some reports suggesting approximately 7% of global email volume at the start of the campaign came from the Necurs botnet and was spreading Locky.
The new Locky ransomware campaign uses a new variant of the ransomware which does not encrypt files on Windows operating systems later than XP. This appears to be an error, with new, updated version of the ransomware is expected to be launched soon. As with past campaigns, the latest batch of emails uses fake invoices to fool end users into installing the ransomware.
Fake invoices are commonly used to spread ransomware because they are highly effective. Even though these campaigns often include scant information in the email body, many end users open the attachments and enable macros. Doing so results in Locky being downloaded. There is still no free decryptor available to unlock Locky-encrypted files. Infections can only be resolved by paying a sizeable ransom payment or restoring files from backups.
Training end users to be more security aware will help organizations to reduce susceptibility to ransomware attacks, although the best defense against email-based ransomware attacks is to use an advanced spam filtering solution to prevent the messages from reaching end users’ inboxes. If emails are blocked, there is no chance of end users opening malicious attachments and installing the ransomware.
SpamTitan is an email security solution that can block these ransomware emails. SpamTitan blocks more than 99.9% of spam messages and dual anti-virus engines ensure malicious emails do not reach inboxes. While some anti-spam solutions have a high false positive rate and block genuine emails, SpamTitan’s false positive rate is extremely low at just 0.003%.
SpamTitan requires no additional hardware purchases, no staff training and the solution can be installed in a matter of minutes.
If you are unhappy with your current anti-spam solution or have yet to start protecting your inboxes from malicious messages, contact the TitanHQ team today for further information on how SpamTitan can benefit your business. TitanHQ also offers SpamTitan on a 30-day no-obligation free trial to allow you to see the benefits of the solution for yourself before committing to a purchase.
A new Facebook phishing scam has been detected that attempts to fools end users into believing they are on the genuine Facebook site using a technique called URL padding. The attack method is being used in targeted attacks on users of the mobile Facebook website.
As with other Facebook phishing scams, the aim of the attackers is to get end users to reveal their Facebook login credentials. The scam takes advantage of poor security awareness and a lack of attentiveness.
URL padding – as the name suggests – involves padding the URL with hyphens to mask the real website that is being visited. The URLs being used by the attackers start with m.facebook.com, which is the correct domain for the genuine Facebook website. In a small URL bar on mobile phones, this part of the URL will be clearly visible.
What follows that apparent domain is a series of hyphens: m.facebook.com————-. That takes the latter part of the domain outside the viewable area of the address bar. End users may therefore be fooled into thinking they are on the genuine website as they will not see the last part of the URL. If they were to check, they would see that m.facebook.com————- is actually a subdomain of the site they are visiting.
The hyphens would be a giveaway that the site is not genuine, but the attackers add in an additional word into the URL such as ‘validate’ or ‘secure’ or ‘login’ to add authenticity.
The attackers have lifted the login box and branding from Facebook, so the login page that is presented appears to be the same as is used on the genuine site.
One telltale sign that all is not as it appears is the use of hxxp:// instead of https:// at the start of the URL, a sure sign that the site is not genuine. Even so, many Facebook users would be fooled by such a scam. URL padding is also being used to target users of other online services such as Apple iCloud and Comcast.
Facebook accounts contain a wealth of information that can be used in future spear phishing campaigns or attacks on the victims’ contacts. PhishLabs, which discovered the new scam, says the attackers are currently using this phishing scam for the latter and are using the account access to spam end users’ contacts and conduct further phishing campaigns.
While the scam has been detected, it is currently unclear how links to the phishing website are being distributed. While it is possible that they are arriving via spam email, Phishlabs suggests SMS messages or messenger services are being used.
A recent Southern Oregon University phishing attack has clearly demonstrated why so many cybercriminals have chosen phishing as their main source of income.
Hacking an organization takes considerable planning and effort, typically requiring many hours of hard work and a considerable amount of skill. Phishing on the other hand is easy by comparison, requiring little work. Furthermore, the potential profits from phishing can be considerable.
The Southern Oregon University Phishing Attack Required a Single Email
The Southern Oregon University phishing attack involved a single phishing email. The attackers impersonated a construction company – Andersen Construction – that was building a pavilion and student recreation center at the University.
The attackers spoofed the email address of the construction firm and requested all future payments be directed to a different bank account. The university then wired the next payment to the new account in April. The payment was for $1.9 million.
The university discovered the construction firm had not received the funds three days later. The FBI was contacted as soon as the fraud was discovered and efforts are continuing to recover the funds. The university reports that the attackers have not withdrawn all of the funds from their account, although a sizeable chunk is missing. Joe Mosley, a spokesperson for SOU said, “It’s certainly not all of the money that was transferred, but it’s not just nickels and dimes, either.”
In order to pull off a scam such as this, the attackers would need to know that the construction project was taking place and the name of the firm. Such information is not hard to find and universities often have construction projects taking place.
These attacks are known as Business Email Compromise (BEC) scams. They typically involve a contractor’s email account being hacked and used to send an email to a vendor. It is not clear whether the vendors email account had been hacked, but that step may not be required to pull off a phishing attack such as this.
Rise in BEC Attacks Prompts FBI Warning to Universities
In this case, the payment was substantial but it is far from an isolated incident. Last month, the FBI released a public service announcement warning universities of attacks such as this.
The FBI warned that access to a construction firm’s email account is not necessary. All that is required is for the scammer to purchase a similar domain to the one used by the firm. Accounts department employees may check the email address and not notice that there is a letter different.
By the time the university discovered a payment has not been received, the funds have already been cleared from the scammer’s account and cannot be recovered. Payments are commonly of the order of several hundred thousand dollars.
The FBI informed SOU that there have been 78 such attacks in the past year, some of which have been conducted on universities. However, all organizations are at risk from these BEC scams.
The Southern Oregon University phishing attack shows just how easy it can be for scammers to pull off a BEC attack. Protecting against this time of scam requires employees to be vigilant and to exercise extreme caution when requests are made to change bank accounts. Such a request should always be verified by a means other than email. A telephone call to the construction firm could easily have stopped this scam before any transfer was made.
Cybercriminals have been conducting fileless malware phishing attacks and restaurants are in the firing line. Restaurants are being singled out as they tend to have relatively poor cybersecurity defenses and criminals can easily gain access to the credit card details of thousands of customers.
The phishing attacks are used to install fileless malware – malware that remains in the memory and does not involve any files being written to the hard drive. Consequently, fileless malware is particularly difficult to detect. By switching to fileless malware, which most static antivirus solutions do not detect, the criminals can operate undetected.
While fileless malware can be short-lived, only existing in the memory until the computer is rebooted, the latest variants are also persistent. The purpose of the malware is to allow the attackers to install a backdoor that provides access to restaurants’ computer systems. They can then steal the financial information of customers undetected.
The latest fileless malware phishing attacks involve RTF files. Researchers at Morphisec detected the campaign, which has been attributed to the hacking group FIN7; a group that has close associations with the Carbanak group.
The attacks start with a well-crafted phishing email, with social engineering methods used to encourage end users to open the attached RTF file. RTF files have been discovered that are restaurant themed, named menu.rtf and relating to orders. Some emails appear to have been written to target specific restaurant chains.
One intercepted phishing email claimed to be a catering order, with the attachment containing a list of the items required. In the email, brief instructions explaining when the order is needed and how to view the list of ordered items. The email was brief, but it was particularly convincing. Many restaurants are likely to be fooled by these fileless malware phishing attacks, with access to systems granted for long periods before detection.
FIN7 has recently been conducting attacks on financial institutions, but Morphisec reports that the methodology has changed for the malware attacks on restaurants. DNS queries are used to deliver the shellcode stage of infection, but in contrast to past attacks, the DNS queries are launched from the memory, rather than using PowerShell commands. Since the attack does not involve files being written to the hard drive, it is difficult to detect.
Further, the researchers checked the RTF file against VirusTotal and discovered none of the 56 AV vendors are currently detecting the file as malicious.
Corporate phishing emails are one of the biggest cybersecurity risks faced by organizations. Cybercriminals are well aware that even companies with robust cybersecurity defenses are vulnerable to phishing attacks.
Phishing email volume is higher than at any other time in history. Employees are being targeted with threat actors now using sophisticated social engineering techniques to maximize the probability of employees clicking on links, opening infected email attachments or disclosing their login credentials. If corporate phishing emails are delivered to end users’ inboxes, there is a high chance that at least one employee will be fooled. All it takes is for one employee to click on a malicious link or open an infected attachment for malware to be installed or access to sensitive data be provided.
The threat from phishing attacks has been steadily increasing in recent years, although this year has seen phishing attacks soar. A recent study conducted by Mimecast has shown that cybercriminals have been stepping up their efforts in recent months. Last quarter, there was a 400% increase in corporate phishing emails according to the study.
A phishing trends & intelligence report for Q1, 2017 from the security awareness training firm PhishLabs showed that in the first quarter of 2017, overall phishing email volume increased by 20% compared to the previous quarter. 88% of phishing attacks were concentrated on five industries: payment services, financial institutions, cloud storage/file hosting firms, webmail/online services and e-commerce companies.
The anti-phishing training and phishing simulation platform provider PhishMe also noted a major increase in phishing emails in Q1, 2017. The firm’s Q1, 2017 malware review also showed there had been a 69.2% increase in botnet malware usage in the first quarter of this year.
Business email compromise attacks are also on the rise. Proofpoint’s annual Human Factor report showed BEC email attacks rose from 1% of message volume to 42% of message volume relative to emails bearing Trojans. Those attacks have cost businesses $5 billion worldwide.
These studies clearly show that corporate phishing emails are on the rise, highlighting the need for organizations to improve their defenses. The best defense against phishing emails and ransomware attacks is to ensure messages are intercepted and blocked. It is therefore essential for organizations to implement a robust spam filtering solution to prevent malicious messages from reaching end users’ inboxes.
SpamTitan conducts more than 100 checks of incoming emails, ensuring more than 99.98% of spam and malicious emails are blocked. Dual anti-virus engines are used to ensure 100% of known malware and ransomware is intercepted and prevented from being delivered to end users’ inboxes.
If you have yet to implement an advanced spam filtering solution or you are unhappy with your current provider, contact TitanHQ today to find out more about SpamTitan and how it can be used to protect your business from email attacks. SpamTitan is also available on a no obligation, 30-day free trial, allowing you to try the solution for yourself before committing to a purchase.
Mac users are better protected from ransomware than Windows users, although they now face a new threat: MacRansom. The new ransomware variant may not be particularly advanced, although it is capable of encrypting files.
MacRansom is being offered under a ransomware-as-a-service (RaaS) model with the RaaS advertised to cybercriminals on a Tor network portal. In contrast to many RaaS offerings that require payment to be made before the RaaS can be used, the threat actors behind MacRansom are offering the RaaS free of charge.
Any would-be cybercriminal looking to conduct ransomware attacks can email the creators of the ransomware via a secure Protonmail email address and a version of MacRansom will be created according to the user’s specifications.
The authors of MacRansom claim they are professional engineers and security researchers with extensive experience in software development and a thorough understanding of the MacOS. They claim they have previously worked at Yahoo and Facebook.
The authors claim that MacRansom can be installed and will remain invisible to the victim until the scheduled execution time, when it will complete its encryption routine in under a minute. The ransomware variant uses a 128-bit industrial standard encryption algorithm that cannot be beaten unless the ransom is paid. The authors claim the ransomware leaves no digital traces and that it can be scheduled to run at a specific time set by the user. It can even be triggered when an individual plugs in an external drive into an infected machine to maximize the number of files that are encrypted. However, the ransomware is only capable of encrypting a maximum of 128 files.
The Ransomware is capable of checking if it is in a virtual environment, whether it is being debugged or if it has been installed in a non-Mac environment, in which case it will exit.
Security researchers at Fortinet – Rommel Joven and Wayne Chin Low – signed up for the RaaS and obtained a sample, but noted that under some circumstances it may not be possible to decrypt encrypted files even if the ransom is paid. They said, “A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated.” However, to find out, victims will be required to pay a ransom payment of 0.25 Bitcoin – around $700.
Fortunately, infection requires the victim to run a file with an unidentified developer. They will therefore need to confirm they wish to do that before the file is run. This warning should be sufficient to prevent many end users from proceeding.
A University of Alaska phishing attack has potentially resulted in attackers gaining access to the sensitive information of 25,000 staff, students and faculty staff.
The University of Alaska phishing attack occurred in December last year, although affected individuals have only just been notified. The phishing emails were sent to university employees. One or more individuals responded and were fooled into following the threat actors’ instructions.
Details of the exact nature of the phishing emails were not disclosed; however, as with other phishing scams, the emails appeared genuine and looked professional. By responding to the emails, the employees accidentally disclosed their usernames and passwords to the attackers. The attack resulted in ‘several’ email accounts being compromised.
The emails in the compromised accounts contained a range of sensitive information including names and Social Security numbers. In total, around 25,000 staff, students and faculty members had their information exposed.
The investigation into the University of Alaska phishing attack could not confirm whether any of the emails in the accounts were accessed or if information was copied by the attackers, although it remains a distinct possibility.
Due to the sensitive nature of data in the accounts, the University of Alaska had to inform all affected individuals by mail and offer credit monitoring and identity theft protection services. Victims will also be protected by a $1 million identity theft insurance policy.
A forensic analysis had to be conducted to determine the exact nature of the attack and which individuals had been affected – A process that took around 5 months. Staff had to be provided with additional training to improve awareness of credential phishing scams and were retrained correct handling of sensitive information. The notifications and mitigations came at a considerable cost.
The University of Alaska phishing attack was just one of many phishing attacks that have taken place in the United States over the past few months. The phishing attacks all have a common denominator. Employees were targeted, phishing emails reached inboxes, and end users followed the instructions in the emails.
Training staff to be aware of the threat of phishing can reduce susceptibility, although training did not prevent the University of Alaska phishing attack.
Even after receiving security awareness training, employees can make mistakes. A technology solution should therefore be implemented to stop phishing emails from being delivered to end users’ inboxes.
SpamTitan from TitanHQ offers excellent protection against phishing attacks, blocking more than 99.9% of spam, phishing emails and other malicious messages. SpamTitan is quick and easy to install, cost effective to implement and easy to maintain.
With SpamTitan installed, organizations can protect themselves against phishing attacks and avoid the considerable cost of data breaches.
For more information on SpamTitan and other TitanHQ security products, contact the sales team today and take the first step toward improving your defences against phishing attacks.
The Texas-based online hotel booking website Hotels.com is notifying customers that some of their sensitive information has been exposed. The Hotels.com breach potentially involved usernames and passwords, email addresses, and the last four digits of site users’ credit card numbers.
Users’ accounts were hacked between May 22 and May 29, although at this stage it is unclear exactly how many individuals have been affected. While full credit card numbers were not obtained, the Hotels.com breach will see users face an elevated risk of phishing attacks.
Phishing emails come in many guises, although it is common for users of a site that has experienced a data breach or security incident to receive warning emails about the attack. The emails rightly claim that a user’s sensitive information has been compromised; however, the emails do not come from the company that experienced the breach. Instead, it is the cybercriminals who conducted the attack, or individuals who have bought stolen data from the attackers, that send the emails.
A typical phishing scenario sees individuals informed that their usernames and passwords have been compromised. A link is included in the emails to allow the user to reset their password or activate additional security controls on their account.
That link will direct the user to a phishing website where further information is obtained – the missing digits from their credit card number for example – or other personal information. Alternatively, the link could direct the user to a malicious website containing an exploit kit that downloads malware onto their computer.
Hotels.com customers were targeted in a 2015 phishing campaign which resulted in many site users divulging information such as names, phone numbers, email addresses and travel details. That information could be used in further scams or even for robberies when victims are known to be on vacation.
The Hotels.com breach is the latest in a number of attacks on online companies. While it is currently unclear how access to customers’ accounts was gained, a letter emailed to affected users suggests the attacks could be linked to breaches at other websites. The letter suggests access to online accounts could have resulted from password reuse.
Reusing passwords on multiple online platforms is a bad idea. While it is easier to remember one password, a breach at any online website means the attackers will be able to access accounts on multiple sites.
To prevent this, strong, unique passwords should be used for each online account. While these can be difficult to remember, a password manager can be used to store those passwords. Many password managers also help users generate strong, unique passwords. Users should also take advantage of two-factor authentication controls on sites whenever possible to improve security.
Since many businesses use hotel booking websites such as Hotels.com, they should be particularly vigilant for phishing emails over the coming weeks, especially any related to hotels.com. To protect against phishing attacks, we recommend using SpamTitan. SpamTitan blocks more than 99.9% of phishing and other spam emails, reducing the risk of those messages being delivered to end users. Along with security awareness training and phishing simulation exercises, businesses can successfully defend against phishing attacks.
In the United States, the healthcare industry is being targeted by cybercriminals, with phishing attacks on healthcare organizations one of the easiest and most common methods of gaining access to email accounts and protected health information.
A phishing email is sent to a healthcare employee along with a seemingly legitimate reason for revealing their login credentials. Doing so will give the attackers access to an email account and the protected health information of patients in those emails.
Emails accounts contain a wealth of information that can be used for further attacks. A compromised email account can be used to send further phishing emails within a company. One response to a phishing email can see many email accounts compromised. A single phishing email can result in a major security incident and costly data breach.
There have been many phishing attacks on healthcare organizations this year and the past 12 months has seen numerous phishing-related data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal.
Any breach of protected health information that results in more than 500 records being exposed is investigated by OCR. During investigations of phishing attacks on healthcare organizations, OCR often finds that Health Insurance Portability and Accountability Act Rules have been violated. Healthcare organizations are discovered not to have performed risk assessments – as is required by the HIPAA Security Rule – and have failed to identify the risk of phishing and take appropriate steps to reduce risk to an acceptable level.
When organizations are found to have violated HIPAA Rules, heavy fines may follow. Recently, OCR has investigated several healthcare phishing attacks and has taken some cases forward to settlement. The HIPAA fines can be considerable.
In 2015, OCR announced its first HIPAA settlement for a phishing attack. University of Washington Medicine was fined $750,000 as a result of a malware installation that occurred when an employee responded to a phishing email. In that case, 90,000 patients had their information revealed to the attackers.
A HIPAA penalty for a phishing attack was also announced last month, with the Colorado based Metro Community Provider Network (MCPN) having to pay OCR $400,000 to resolve HIPAA violations discovered during the investigation of the phishing attack. The phishing attack resulted in an email account being compromised, and along with it, the protected health information of 3,200 patients.
The employee did not reveal their email credentials in that case, at least not directly. Instead, the response to the email resulted in a malware installation that gave the attacker access to the email account.
Phishing attacks on healthcare organizations are to be expected. OCR is aware that it may not be possible to prevent 100% of phishing attacks, 100% of the time. Not all phishing attacks on healthcare organizations will therefore result in a HIPAA fine. However, failing to reduce risk to an acceptable level is another matter. If healthcare organizations do not do enough to prevent phishing attacks, fines are likely to result.
So, how can phishing attacks on healthcare organizations be prevented and what can healthcare organizations do to reduce risk to a level that will be deemed acceptable by OCR?
The HIPAA Security Rule requires protections to be put in place to safeguard the confidentiality, integrity, and availability of PHI. While the Security Rule does not specify exactly which security solutions should be used, there are two essential anti-phishing controls that should be employed.
A spam filtering solution should be used to prevent phishing and other malicious emails from being delivered to end users’ inboxes. It would be hard to argue that the threat from phishing has been reduced to an acceptable level if no controls are in place to block phishing emails from being delivered.
Healthcare employees must also receive security awareness training. All employees should be informed of the risk of phishing and the methods used by cybercriminals to gain access to computers and data. They should be taught best practices and shown how to identify phishing emails and other malicious email threats. By blocking phishing emails and training end users, the risk from phishing can be significantly reduced.
Cybercriminals have started sending WannaCry phishing emails, taking advantage of the fear surrounding the global network worm attacks.
An email campaign has been identified in the United Kingdom, with BT customers being targeted. The attackers have spoofed BT domains and made their WannaCry phishing emails look extremely realistic. BT branding is used, the emails are well written and they claim to have been sent from Libby Barr, Managing Director, Customer Care at BT. A quick check of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are convincing, cleverly put together, and are likely to fool many customers.
The emails claim that BT is working on improving its security in the wake of the massive ransomware campaign that affected more than 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were affected by the incident and had data encrypted and services majorly disrupted by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have caused.
The WannaCry phishing emails provide a very good reason for taking prompt action. BT is offering a security upgrade to prevent its customers from being affected by the attacks. The emails claim that in order to keep customers’ sensitive information secure, access to certain features have been disabled on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by clicking on the upgrade box contained in the email.
Of course, clicking on the link will not result in a security upgrade being applied. Customers are required to disclose their login credentials to the attackers.
Other WannaCry phishing emails are likely to be sent claiming to be from other broadband service providers. Similar campaigns could be used to silently download malware or ransomware.
Cybercriminals often take advantage of global news events that are attracting a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also rife during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news event.
The golden rule is never to click on links sent in email from individuals you do not know, be extremely careful about clicking links from people you do know, and assume that any email you receive could be a phishing email or other malicious message.
A single phishing email sent to an employee can result in a data breach, email or network compromise. It is therefore important for employers to take precautions. Employees should be provided with phishing awareness training and taught the tell-tale signs that emails are not genuine. It is also essential that an advanced spam filtering solution is employed to prevent the vast majority of phishing emails from reaching end users inboxes.
On that front, TitanHQ is here to help. Contact the team today to find out how SpamTitan can protect your business from phishing, malware and ransomware attacks.