Email Scams

Reports of Internet users that have been caught out by email scams continue to increase. Whether it is drivers being told to pay speeding fines via a link on an email, or Facebook users being advised that they have violated the terms of their account, innocent victims continue to be ripped off by cybercriminals using email scams.

Business email compromise scams are also reported to have increased. These email scams involve the cybercriminal gaining access to a corporate email account – such as that of the CEO. An email is then sent apparently from the CEO to a member of the finance department requesting a bank transfer to the cybercriminal´s account. All too often the transfer is made without question.

Many email scams attempt to extract log-in credentials by asking the recipient of the email to log into an account to resolve an issue. The email contains a link to a bogus website, where the recipient keys in their username and password. In the case of the Facebook email scam, this gives the cybercriminal access to the recipient´s genuine account and all their social media contacts.

Many individuals use similar username and password combinations for multiple accounts and a cybercriminal could get the individual´s log-in credentials to all their online accounts (personal and work accounts) from just one scam email. Alternatively they could use the log-in credentials to infect the user´s accounts with malware.

To protect against email scams, security experts advise if you are contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual sender or company supposed to have sent the email to confirm its authenticity. Do not use the contact information supplied in the email. Perform an Internet search to independently obtain the sender´s genuine contact details.

Other measures that can be taken to protect yourself from email scams include:

  • Carefully check the sender’s email. Does it look like it is genuine?
  • Never open email attachments from someone you do not know
  • If you receive an email offering you a prize or refund, stay safe and delete the email
  • Ensure anti-virus software is installed on your computer and is up to date.

Office 365 Phishing Scam Uses SharePoint Lure

A new Office 365 phishing scam has been detected that attempts to get users to part with their Office 365 credentials with a request for collaboration via SharePoint.

The campaign was first detected in the summer of 2018 by researchers at cybersecurity firm Avanan. The Office 365 phishing scam is ongoing and has proven to be highly effective. According to Kaspersky Lab, the phishing campaign has been used in targeted attacks on at least 10% of companies that use Office 365.

This Office 365 phishing scam abuses trust in SharePoint services that are often used by employees. An email is sent to an Office 365 user that contains a link to a document stored in OneDrive for Business. In contrast to many phishing campaigns that spoof links and fool users into visiting a website other than the one indicated by the link text, this link actually does direct the user to an access request document on OneDrive.

A link in the document then directs users to a third-party website where they are presented with a Microsoft Office 365 login page that is a perfect copy of the official Office 365 login page. If login credentials are entered, they are given to the scammers. Once obtained, it is possible for the scammers to gain access to the Office 365 account of the user, including email and cloud storage.

The email accounts can be used for further phishing campaigns on the user’s contacts. Since those messages come from within the organization, they are more likely to be trusted. Email accounts can also contain a wealth of sensitive information which is of great value to competitors. In healthcare, email accounts can contain patient information, including data that can be used to steal identities. The attackers can also use the compromised credentials to spread malware. Employees may know not to open attachments from unknown individuals, but when they are sent from a colleague, they are more likely to be opened.

Businesses that use Microsoft’s Advanced Threat Protection (APT) service may mistakenly believe they are protected from phishing attacks such as this. However, since the links in the email are genuine OneDrive links, they are not identified as malicious. It is only the link in those documents that is malicious, but once the document is opened, Microsoft’s APT protection has already been bypassed.

Finding Office 365 users is not difficult. According to a 2017 Spiceworks survey, 83% of enterprises use Office 365 and figures from 2018 suggest 56% of organizations globally have adopted Office 365. However, a basic check can easily identify Office 365 users as it is broadcast on public DNS MX records. If one user can be found in an organization, it is highly likely that every other user will be using Office 365.

Businesses can take steps to avoid Office 365 phishing scams such as this.

  1. Ensure that all employees are made aware of the threat from phishing, and specifically this Office 365 phishing scam. They should be told to exercise caution with offers to collaborate that have not been preceded by a conversation.
  2. Conduct phishing email simulations to test defenses against phishing and identify individuals that require further security awareness training.
  3. Activate multifactor authentication to prevent stolen credentials from being used to access Office 365 accounts from unknown locations/devices.
  4. Change from APT anti-phishing controls to a third-party spam filter such as SpamTitan. This will not only improve catch rates, it will also not broadcast that the organization uses Office 365.
  5. Use an endpoint protection solution that is capable of detecting phishing attacks.
  6. Implement a web filter to prevent users from visiting known phishing websites and other malicious web pages.

Allscripts EHR Breach Highlights Need for Improved Ransomware Protections for Healthcare Organizations

The massive Allscripts EHR breach in January 2018 resulted in massive disruption for the company and its clients. Clients were locked out of their electronic health records for several days while the company battled to recover from the attack. Around 1,500 of the company’s clients were affected.

The cost of mitigating the ransomware attack was considerable, and in addition to those costs, the Allscripts EHR breach prompted many clients to take legal action. The costs continue to mount.

The Allscripts EHR breach involved SamSam ransomware, which has plagued the healthcare industry over the past couple of years. The threat actors behind the attacks typically gain access to healthcare networks through RDP vulnerabilities and deploy the ransomware manually after scouting the network. This way, maximum damage can be inflicted, which increases the probability of the ransom being paid.

The Allscripts EHR breach certain stands out as one of the most damaging ransomware attacks of 2018, although it was just one of many healthcare ransomware attacks in 2018 involving many ransomware variants.

According to Beazley Breach Response Services, ransomware attacks more than doubled in September. Many cybercriminals have switched to cryptocurrency mining malware, but the ransomware attacks on healthcare organizations are continuing and show no sign of slowing.

In recent months, there has been a growing trend of combining malware variants to maximize the profitability of attacks. Ransomware is a quick and easy way for cybercriminals to earn money but combining ransomware with other malware variants is much more profitable. Further, if files are recovered from backups and no ransom is paid, cybercriminals can still profit from the attacks.

Several campaigns have been detected recently that combine Trojans such as AZORult, Emotet and Trickbot with ransomware. Attacks with these Trojans have increased by 132% since 2017 according to Malwarebytes. The Trojans steal sensitive information through keylogging, are capable lateral movement within a network, and also serve as downloaders for other malware such as Ryuk and GandCrab ransomware. Once information has been stolen, the ransomware payload is deployed.

The Allscripts EHR breach was somewhat atypical. It is far more common for ransomware to be delivered via email than brute force attacks on RDP. The campaigns combining Emotet, Trickbot, and AZORult with ransomware are primarily delivered by email.

In addition to ransomware attacks, phishing attacks are rife in healthcare. Email was the most common location of exposed protected health information in 2018. Email security is a weak point in healthcare defenses.

The number of successful ransomware and phishing attacks in healthcare make it clear that email security needs to improve. An advanced spam filter to block malicious emails, improved end user training is required to teach employees how to recognize email threats, intrusion detection systems need to be deployed, along with powerful anti-virus solutions. Only by implementing layered defenses to block email attacks and other attack vectors will healthcare organizations be able to reduce the risk of ransomware attacks.

Latest Ursnif Trojan Campaign Highlights Need to Improve Anti-Phishing Defenses

A new Ursnif Trojan campaign has been detected that uses a new variant of the malware which uses fileless techniques to avoid detection. In addition to the banking Trojan, GandCrab ransomware is also downloaded.

Increase in Banking Trojan and Ransomware Combination Attacks

Ransomware attacks can cause considerable disruption to businesses, although a good backup strategy can allow businesses to recover quickly in the event of a successful attack without having to pay the ransom demand.

However, there has been a significant increase in phishing attacks that deliver not one but two malware variants – ransomware to extort money from companies but also an information stealer to obtain sensitive information such as login and banking credentials. Malware variants used in these attacks also have the capability to download other malware variants and gather system data and process information for use in further attacks.

These phishing campaigns allow hackers to maximize the profitability of attacks and make the attack profitable even if the business does not pay the ransom.

There have been several examples of these attacks in recent months. Earlier in January, warnings were issued about the combination of Ryuk ransomware with the Trickbot and Emotet Trojans – Two malware variants that are used in wire fraud attacks. Ryuk ransomware has been extensively used in attacks on U.S. healthcare providers. The combination with the banking Trojans makes the attacks far more damaging.

Now another campaign has been detected using different malware variants – The Ursnif Trojan and the latest version of GandCrab ransomware.

What Does the Ursnif Trojan Do?

The Ursnif Trojan is one of the most active banking Trojans currently in use. The main functions of the malware is to steal system information and bank account credentials from browsers. The latest variants of the Ursnif Trojan have also been used to deploy other malware variants such as GandCrab ransomware.

According to security researchers at Carbon Black, who identified the latest campaign, the Ursnif Trojan now uses fileless execution mechanisms to make detection more difficult. Instead of downloading and writing files to the hard drive – which can be detected – a PowerShell script downloads a payload and executes it in the memory. That payload then downloads a further file and injects it into the PowerShell process, ultimately resulting in the downloading of the ransomware.

When code is loaded in the memory, it often does not survive a reboot, although the latest variant of Ursnif has persistence. This is achieved by storing an encoded PowerShell command inside a registry key and subsequently launching the command via the Windows Management Instrumentation Command-line (WMIC).

Once information has been collected from an infected system, it is packaged inside a CAB file and sent back to the attackers C2 via encrypted HTTPS. This makes data exfiltration difficult to detect.

The Ursnif Trojan campaign uses email as the attack vector with infection occurring via a Word document attachment that contains a VBA macro. If the attachment is opened and macros are enabled (automatically or manually), the infection process will be triggered.

How Businesses can Protect Against Attacks

Due to the difficulty detecting the malware attack once it has started, the best way to protect against this attack is by improving anti-phishing defenses. It is important to prevent the malicious emails from being delivered to inboxes and to ensure that employees are trained how to identify the messages if they make it past email defenses. The former can be achieved with a powerful spam filtering solution such as SpamTitan.

Along with security awareness training for employees to condition them not to open emails from unknown senders or open attachments and enable macros, businesses can mount an effective defense against the attack.

How Does Business Email Get Hacked?

Barely a day goes by without an announcement being made about an email account compromise, especially in the healthcare industry, but how does business email get hacked? What are the main ways that email account access is gained by unauthorized individuals?

Four Ways Business Email Gets Hacked

There four main ways that business email gets hacked, although fortunately there are simple steps that can be taken to improve email security and reduce the risk of an email account compromise at your business.

Phishing Attacks

The easiest way for a hacker to gain access to a business email account is to ask the account holder for their password. This method is incredibly simple, costs next to nothing, and is very effective. Phishing, like fishing, uses a lure to achieve its aim. An attacker only needs to craft an email with a plausible reason for divulging a password.

The attack could be as simple as spoofing an email from the IT department that requests the user change his or her password for security reasons. A link is supplied in the email that directs the user to a site where they have to enter their password and a replacement. Office 365 phishing scams are now common. A user is directed to a spoofed website where they are presented with a standard Office 365 login box, which they need to enter to open a shared file for example.

The lures are diverse, although there is usually a valid reason for providing login credentials, urgency, and often a threat – The failure to take action will result in harm or loss.

Brute Force Attacks

An alternative method of hacking a business email account is for the attacker to attempt to guess a user’s password. This is a much more long-winded approach that can require thousands of attempts before the password is guessed. This technique is automated and made easier by poor password choices and the failure to change default passwords. Passwords obtained in previous breaches can be used, which will catch out people who use the same passwords for multiple platforms. Information about a person can also be found on social media – A partner’s name, child’s name, pet name, or dates of birth – Information that is commonly used to create passwords.

Man-In-The-Middle Attacks

A man-in-the-middle attack involves an attacker intercepting information such as a password when it is sent between two parties. Information can be intercepted in unencrypted emails or when a user logs into a web-based platform via their browser. Man-in-the-middle attacks are common on unsecured public Wi-Fi networks and evil twin Wi-Fi hotspots – Hotspots that mimic a genuine hotspot provider, such as a coffee shop or hotel. Any information transmitted via that hotspot can be easily intercepted.

Writing Down Passwords

Many businesses have implemented password polices that require the use of strong and difficult to remember passwords. As a result, some employees write their passwords down on post-it notes, tape a password to their computer, or keep a note under their keyboard where any visitor to an office could discover it.

How to Stop Business Email Getting Hacked

These methods of gaining access to business email accounts are easy and inexpensive to block through low-cost cybersecurity solutions, policies and procedures, and staff training.

For businesses, the most important control to implement to protect against phishing is an advanced spam filter. A spam filter inspects all incoming emails for common spam signatures and malicious links and blocks messages before they are delivered to end users. Some spam filters also inspect outgoing email, which helps to prevent a breached email account from being used for further phishing attacks on contacts.

Even the best spam filters will not block every single phishing email so security awareness training for staff is essential. Regular training sessions should be provided – at least twice annually – and these should be augmented with more regular reminders about security and newsletters about the latest threats. Phishing simulations are useful for testing the effectiveness of training and to condition employees how to respond to email threats.

Brute force attacks are best prevented with good password policies that prevent weak passwords from being set. To prevent employees from writing passwords down, consider paying for a password manager or allowing the use of long passphrases, which are easy to remember but difficult to guess. Ensure two-factor authentication is enabled and rate limiting is applied to block login attempts after a set number of failed password guesses.

Man-in-the-middle attacks can be prevented in a number of ways. Remote workers should be provided with a VPN to access work networks and email. Some web filters, WebTitan for instance, can be used to protect remote workers online and prevent man-in-the-middle attacks and can also to prevent users from visiting malicious websites, such as those used for phishing.

If you want to improve email security, TitanHQ can help. Contact the team today for information on spam filters to block phishing attacks and to find out more about the benefits of web filtering.

Love Letter Email Scam Delivers Cocktail of Malware

A new email campaign is being conducted in the run up to Valentine’s Day which attempts to get users to open email attachments by fooling them into thinking they are love letters. The love letter email scam includes enticing subject lines such as ‘Love Letter’, ‘I Love You’, ‘This is my love letter to you’, ‘Always thinking about you’, and other love and love letter themes.

These types of scams are common in the run up to Valentine’s Day, and as the day draws closer, the likelihood of the scams succeeding grows.

The emails contain a zip file containing a JavaScript file with a variety of names, all of which start with Love_You. Extracting and running the file will result in the download of ransomware and other malware variants.

If the JavaScript file is run, it launches a PowerShell command that downloads and runs a malware variant named krablin.exe. Krablin.exe is also copied to USB thumb drives that are plugged into the computer.

A further four malware variants are subsequently downloaded to the victim’s device: The Phorpiex spambot, a Monero cryptocurrency miner (XMRig), a further malware downloader, and the latest version of GandCrab ransomware: A particularly nasty combination of malware.

The malspam campaign was detected by SANS ISC researcher Brad Duncan who determined the campaign has been running since at least November 2018. Several different subject lines and attachments have been identified and multiple spoofed sending addresses are used in this campaign.

Word documents and Excel spreadsheets containing malicious macros are more commonly used to spread malware, although JavaScript based malspam is nothing new. Most individuals are not familiar with .js files so may choose not to open them, although the theme of this love letter email scam may tempt people into making an exception. JavaScript malware may also be executed by Windows, without the user having to open the file. Simply saving a JavaScript file may be all that is required to trigger the infection process.

To prevent email scams such as this from succeeding, businesses should ensure that their employees receive ongoing security awareness training. Regular email security alerts should be sent to the workforce to keep them abreast of the latest techniques that are being used by scammers to install malware and phish for sensitive information.

It is also essential for an advanced spam filter to be implemented. This will ensure the majority of malicious messages are blocked and not delivered to end users. SpamTitan scans all incoming and outgoing messages and uses a variety of techniques to identify spam and malicious messages. Those controls ensure a block rate in excess of 99.9%, while dual antivirus engines provide total protection against all known malware variants.

SpamTitan is available on a free trial with options to suit all businesses and managed service providers. For further information, to register for the no-obligation free trial, or to book a product demonstration, contact TitanHQ today.

Easy to Implement Anti-Phishing Solutions for MSPs

To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.

Phishing is the Number One Cyber Threat Faced by SMBs

Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.

Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised.  Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.

The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.

Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.

Easy to Implement Anti-Phishing Solutions for MSPs

There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.

MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?

Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.

Advanced Spam Filtering

Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.

SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and release of messages from quarantine. Reports can be generated per domain and those reports can be automatically sent to clients. The solution can be fully rebranded to take MSP logos and color schemes, and the solution can be hosted in a private cloud.

Security Awareness Training and Testing

While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.

DNS-Based Web Filtering

Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.

A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.

WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.

For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanHQ MSP Alliance program.

Novel Phishing Scam Uses Custom Web Fonts to Evade Detection

A new phishing scam has been detected that uses a novel method to evade detection – The use of custom fonts to implement a substitution cipher that makes the source code of the phishing kit appear normal.

When users visit the phishing website they are presented with the logos and standard login page of their bank. To the user, apart from the domain name, there is nothing to indicate that the site is not genuine. As with similar phishing scams, if the user enters their credentials they will be harvested by the scammer and used to gain access to the users’ bank account.

These types of phishing scams are now commonplace, although the latest campaign has an interesting twist – one that make it much harder to detect the site as malicious.

Many phishing kits obfuscate their source code to make it harder to determine what it does. One method that has been used in the past is the use of substitution functions to make the sites harder to detect. This technique substitutes individual letters such as abcd with alternate letters jehr for example. While the page is rendered correctly for the user, when a program reads the source code it is presented with jumbled, gibberish letters.

Substitution ciphers are often implemented in JavaScript, which can be detected fairly easily. The latest campaign achieves this using custom fonts – termed woff files – which are present on the page and hidden through base64 encoding.  These custom fonts are used to implement the cipher and make the source code appear to be plaintext, while the actual source code is encrypted and remains hidden.  The substitution is performed by code in CSS on the landing page, rather than JavaScript. This technique has not been used before.

The result is users see a standard banking login page as does software than scans the site. Further, as an additional measure to avoid detection, the branding that has been stolen from the targeted bank is also obfuscated. It is common for bank logos to be stolen and included on phishing pages to convince visitors they are on the genuine site, but the use of the logos can be detected. By rendering the graphics using scalable vector graphics files, the logos and their source do not appear in the source code of the page.

These tactics could easily be used to target finance department employees and fool them into disclosing their corporate banking credentials, allowing business accounts to be plundered.

These new techniques show just how important it is to block phishing emails at source before they are delivered to end users’ inboxes and the need for comprehensive cybersecurity training to be provided to employees to help them identify potentially malicious emails.

Does 2-Factor Authentication Stop Phishing Attacks?

2-factor authentication is an important safeguard to prevent unauthorized account access, but does 2-factor authentication stop phishing attacks?

What is 2-Factor Authentication?

2-Factor authentication is commonly used as an additional protection measure to prevent accounts from being accessed by unauthorized individuals in the event that a password is compromised.

If a password is disclosed in a phishing attack or has otherwise been obtained or guessed, a second authentication method is required before the account can be accessed.

Two-factor authentication uses a combination of two different methods of authentication, commonly something a person owns (device/bank card), something a person knows knows (a password or PIN), and/or something a person has (fingerprint, iris scan, voice pattern, or a token).

The second factor control is triggered if an individual, authorized or otherwise, attempts to login from an unfamiliar location or from a device that has not previously been used to access the account.

For instance, a person uses their laptop to connect from a known network and enters their password. No second factor is required. The same person uses the same device and password from an unfamiliar location and a second factor must be supplied. If the login credentials are used from an unfamiliar device, by a hacker for instance that has obtained a username and password in a phishing attack, the second factor is also required.

A token or code is often used to verify identity, which is sent to a mobile phone. In such cases, in addition to a password, an attacker would also need to have the user’s phone.

Does 2-Factor Authentication Stop Phishing Attacks?

So, does 2-factor authentication stop phishing attacks from succeeding? In many cases, it does, but 2-factor authentication is not infallible. While it was once thought to be highly effective at stopping unauthorized account access, opinion is now changing. It is certainly an important additional, low-cost layer of security that is worthwhile implementing, but 2-factor authentication alone will not prevent all phishing attacks from succeeding.

There are various methods that can be used to bypass 2-factor authentication, for instance, if a user is directed to a phishing page and enters their credentials, the hacker can then use those details in real-time to login to the legitimate site. A 2FA code is sent to the user’s device, the user then enters that code into the phishing page. The attacker then uses the code on the legitimate site.

This 2-factor authentication bypass is somewhat cumbersome, but this week a phishing tool has been released that automates this process. The penetration testing tool was created by a Polish researcher named Piotr Duszynski, and it allows 2FA to be bypassed with ease.

The tool, named Modlishka, is a reverse proxy that has been modified for handling login page traffic. The tool sits between the user and the target website on a phishing domain. When the user connects to the phishing page hosting this tool, the tool serves content from the legitimate site – Gmail for instance – but all traffic passes through the tool and is recorded, including the 2FA code.

The user supplies their credentials, a 2-factor code is sent to their phone, and that code is entered, giving the attacker account access.

It is an automated version of the above bypass that only requires a hacker to have a domain to use, a valid TLS certificate for the domain, and a copy of the tool. No website phishing templates need to be created as they are served from the genuine site. Since the tool has been made available on Github, the 2FA bypass could easily be used by hackers.

Additional Controls to Stop Phishing Attacks

To protect against phishing, a variety of methods must be used. First, an advanced spam filter is required to prevent phishing emails from reaching inboxes. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails.

Fewer than 0.1% of emails may make it past the spam filter, but any one could result in an account compromise. Security awareness training should therefore be provided to employees to help them identify suspicious emails.

Unfortunately, people do make mistakes and phishing emails can be highly realistic, so it is wise to also implement a web filter.

A web filter will block attempts to connect to known phishing sites and can assess sites in real time to help determine their authenticity. If the checks fail, the user will be prevented from accessing the site.

These anti-phishing controls are now essential cybersecurity measures for businesses to protect against phishing attacks, and are all the more important since 2FA cannot be relied upon to protect against unauthorized access once a password has been compromised.

You can find out more about SpamTitan and WebTitan by contacting TitanHQ.

New Netflix Phishing Scam Prompts FTC to Issue Warning

A new Netflix phishing scam has been detected that attempts to fool Netflix subscribers into disclosing their login credentials and other sensitive information such as Social Security numbers and bank account numbers.

This Netflix phishing scam is similar to others that have been intercepted over the past few months. A major campaign was detected in October and another in November. The latest Netflix phishing scam confirms that the threat actors are now launching large-scale phishing attacks on a monthly basis.

The number of recent Netflix scams and the scale of the campaigns has prompted the U.S. Federal Trade Commission (FTC) to issue a warning to raise awareness of the threat.

The latest campaign was detected by an officer in the Ohio Police Department. As with past campaigns, the attackers use a tried and tested method to get users to click on the link in the email – The threat of account closure due to issues with the user’s billing information.

In order to prevent closure of the user’s Netflix account a link in the email must be clicked. That will direct the user to the Netflix site where login credentials and banking information must be entered. While the web page looks genuine, it is hosted on a domain controlled by the attackers. Any information entered on that web page will be obtained by the threat actors behind the scam.

The emails appear genuine and contain the correct logos and color schemes and are almost identical to the official emails sent to users by Netflix. Netflix also includes links in its emails, so unwary users may click without first checking the authenticity of the email.

Netflix Phishing Scam

Image Source: FTC via Ohio Police Department

There are signs that the email is not what it seems. The email is incorrectly addressed “Hi Dear”; British English is used, even though the email is sent to U.S. citizens; the email is sent from a domain that is not used by Netflix; and the domain to which the email directs users is similarly suspect. However, the scam is sure to fool many users who fail to carefully check emails before taking any action.

Consumers need to exercise caution with email and should carefully check messages before responding, no matter how urgent the call for action is. It is a good best practice to always visit a website directly by entering in the domain into the address bar of a web browser, rather than clicking a link in an email.

If the email is determined to be a scam, it should be reported to the appropriate authorities in the country in which you reside and also to the company the scammers are impersonating. In the case of Netflix phishing scams, emails should be sent to phishing@netflix.com.

While this Netflix phishing scam targets consumers, businesses are also at risk. Many similar scams attempt to get users to part with business login credentials and bank account information. Businesses can reduce the risk of data and financial losses to phishing scams by ensuring all members of the company, from the CEO down, are given regular security awareness training and are taught cybersecurity best practices and are made aware of the latest threats.

An advanced spam filtering solution is also strongly recommended to ensure the vast majority of these scam emails are blocked and do not reach inboxes. SpamTitan for instance, blocks more than 99.9% of spam and phishing emails and 100% of known malware.

For further information on anti-phishing solutions for businesses, contact the TitanHQ team today.

Major San Diego School District Phishing Attack Discovered

A major San Diego School District phishing attack has been discovered. The phishing attack stands out from the many similar phishing attacks on schools due to the extent of accounts that were compromised, the amount of data that was potentially obtained, and the length of time it took for the data breach to be detected.

According to a recent breach announcement, the login credentials of around 50 district employees were obtained by the attacker. It is not unusual for multiple accounts to be breached in school phishing attacks. Once access is gained to one account, it can be used to send internal phishing emails to other staff members. Since those emails come from within, they are more likely to be trusted and less likely to be detected. Investigations into similar phishing attacks often reveal many more email accounts have been compromised than was initially thought, although 50 sets of compromised credentials is particularly high.

Those accounts were compromised over a period of 11 months. The San Diego School District phishing attack was first detected in October 2018 after staff alerted the district’s IT department to phishing emails that had been received. Multiple reports tipped off the IT department that an ongoing cyberattack was occurring and there may have been a data breach.

The investigation revealed the credentials obtained by the attacker provided access to the district’s network services, which included access to the district’s database of staff and student records. The school district is the second largest in California and serves over 121,000 students each year. The database contained records going back to the 2008/2009 school year. In total, the records of more than 500,000 individuals were potentially obtained by the hacker. Given the length of time that the hacker had access to the network, data theft is highly probable.

The data potentially obtained was considerable. Student information compromised included names, addresses, dates of birth, telephone numbers, email addresses, enrollment and attendance information, discipline incident information, health data, legal notices on file, state student ID numbers, emergency contact information, and Social Security numbers. Compromised staff information also included salary information, health benefits data, paychecks and pay advices, tax data, and details of bank accounts used for direct deposits.

Data could be accessed from January 2018 to November 2018. While it is typical for unauthorized access to be immediately blocked upon discovery of a breach, in this case the investigation into the breach was conducted prior to shutting down access. This allowed the identity of the suspected hacker to be determined without tipping off the hacker that the breach had been detected. The investigation into the breach is ongoing, although access has now been blocked and affected individuals have been notified. Additional cybersecurity controls have now been implemented to block future attacks.

School district phishing attacks are commonplace. School districts often lack the resources of large businesses to devote to cybersecurity. Consequently, cyberattacks on school districts are much easier to pull off. Schools also store large volumes of sensitive data of staff and students, which can be used for a wide range of malicious purposes. The relative ease of attacks and a potential big payday for hackers and phishers make schools an attractive target.

The San Diego School District phishing attack is just one of many such attacks that have been reported this year. During tax season at the start of 2018, many school districts were targeted by phishers seeking the W-2 forms of employees. It is a similar story every year, although the threat actors behind these W-2 phishing attacks have been more active in the past two years.

In December this year, Cape Cod Community College suffered a different type of phishing attack. The aim of that attack was to convince staff to make fraudulent wire transfers. At least $800,000 was transferred to the attackers’ accounts in that attack.

These attacks clearly demonstrate the seriousness of the threat of phishing attacks on school districts and highlights the importance of implementing robust cybersecurity protections to protect against phishing.

If you want to improve your defenses against phishing, contact the TitanHQ team today for further information on anti-phishing solutions for schools.

Office 365 Phishing Emails Masquerade as Non-Delivery Notifications

campaign is to obtain users’ Office 365 passwords.

The phishing campaign was detected by ISC Handler Xavier Mertens and the campaign appears to still be active.

The phishing emails closely resemble legitimate Office 365 non-delivery notifications and include Office 365 branding. As is the case with official non-delivery notifications, the user is alerted that messages have not been delivered and told that action is required.

The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attributes the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users click the Send Again button, they will be directed to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is entered, a JavaScript function sends both the email address and password to the scammer. The user will then be redirected to the genuine outlook.office365.com website where they will be presented with a real Office 365 login box.

While the Office 365 phishing emails and the website look legitimate, there are signs that all is not what it seems. The emails are well written and the sender’s email – postmaster@us.ibm.com – looks official but there is irregular capitalization of the warning message: Something that would not occur on an official Microsoft notification.

The clearest sign that this is a phishing scam is the domain to which users are directed if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the error in the email may be overlooked, users should notice the domain, although some users may proceed and enter passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how important it is to carefully check every message before taking any action and to always check the domain before disclosing any sensitive information.

Scammers use Office 365 phishing emails because so many businesses have signed up to use Office 365. Mass email campaigns therefore have a high probability of reaching an Outlook inbox. That said, it is easy to target office 365 users. A business that is using Office 365 broadcasts it through their public DNS MX records.

Businesses can improve their resilience to phishing attacks through mandatory security awareness training for all employees. Employees should be told to always check messages carefully and should be taught how to identify phishing emails.

Businesses should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (APT) offering, businesses should consider using a third-party spam filtering solution with Office 365.

SpamTitan provides superior protection against phishing and zero-day attacks, an area where APT struggles.

Irish Phishing Study Shows Millennials’ Confidence in Security Awareness is Misplaced

According to a recent Irish phishing study, as many as 185,000 office workers in the country have fallen victim to phishing scams.

Phishing is a method used by cybercriminals to obtain sensitive information such as login credentials, financial information, and other sensitive data. While phishing can take place over the phone, via messaging platforms or by text message, email is most commonly used.

Messages are sent in bulk in the hope that some individuals will respond, or campaigns can be much more targeted. The latter is referred to as spear phishing. With spear phishing attacks, cybercriminals often research their victims and tailor messages to maximize the probability of them eliciting a response.

A successful phishing attack on employees can see them disclose their email credentials which allows their accounts to be accessed. Then the attackers can search emails accounts for sensitive information or use the accounts to conduct further phishing attacks on other employees. When financial information is disclosed, business bank accounts can be emptied.

Businesses can suffer major financial losses as a result of employees responding to phishing emails, the reputation of the business can be damaged, customers can be lost, and there is also a risk of major regulatory fines.

Irish Phishing Study Findings

The Irish phishing study was conducted on 500 Irish office workers by the survey consultancy firm Censuswide. Respondents to the Irish phishing study were asked questions about phishing, whether they had fallen for a phishing scam in the past, and how they rated their ability to identify phishing attacks.

In line with findings from surveys conducted in other countries, 14% of respondents said they had been a victim of a phishing attack. There were also marked differences between different age groups.  Censuswide analyzed three age groups: Millennials, Gen X, and baby boomers. The latter two age groups were fairly resistant to phishing attempts. Gen X were the most phishing-savvy, with just 6% of respondents in the age group admitting to having been fooled by phishing emails in the past, closely followed by the baby boomer generation on 7%. However, 17% of millennials admitted having fallen for a phishing scam – The generation that should, in theory, be the most tech-savvy.

Interestingly, millennials were also the most confident in their ability to recognize phishing attempts. 14% of millennials said they would not be certain that they could detect fraud, compared to 17% of Gen X, and 26% of baby boomers.

It is easy to be confident about one’s ability to spot standard phishing attempts, but phishing attacks are becoming much more sophisticated and very realistic. Complacency can be very dangerous.

Phishing Protection for Businesses

The results of the Irish phishing study make it clear that businesses need to do more to protect themselves from phishing attacks. Naturally, an advanced spam filtering solution is required to ensure that employees do not have their phishing email identification skills put to the test constantly. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails, thus reducing reliance on employees’ ability to identify scam emails.

The Irish phishing study also highlights the importance of providing security awareness training to employees. The study revealed 44% of the over 54 age group had opened an attachment or clicked on a link in an email from an unknown sender, as had 34% of millennials and 26% of the Gen X age group. Alarmingly, one in five respondents said that their employer had not provided any security awareness training whatsoever.

Employees need to learn how to identify scams, so security awareness training must be provided. Since cybercriminals’ tactics are constantly evolving, training needs to be continuous. Annual or biannual training sessions should be provided, along with shorter refresher training sessions. Businesses should also consider conducting phishing email simulations to test resilience to phishing attacks and highlight weak links.

To be effective, anti-phishing training needs to be provided to all employees and requires buy-in from all departments. Unless that happens, it will be difficult to develop a culture of security awareness.

How to Improve Office 365 Security

In this post we offer four simple steps to take to improve Office 365 security and make it harder for hackers and phishers to gain access to users’ accounts.

Hackers are Targeting Office 365 Accounts

It should come as no surprise to hear that hackers are targeting Office 365 accounts. Any software package that has 155 million global users is going to be a target for hackers, and with the number of users growing by an astonishing 3 million a month, Office 365 accounts are likely to be attacked even more frequently.

One study this year has confirmed that to be the case. There has been a 13% increase in attempts to hack into Office 365 email accounts this year, and many of those attacks succeed. You should therefore take steps to improve Office 365 security.

Hackers themselves are paying for Office 365 and are probing its security protections to find vulnerabilities that can be exploited. They also test their phishing emails on real office 365 accounts to find out which ones bypass Microsoft’s anti-phishing protections.

When emails have been developed that bypass Microsoft’s anti-phishing protections, mass email campaigns are launched on Office 365 users. Businesses using Office 365 can easily be found and targeted because it is made clear that they use Office 365 through public DNS MX records.

So how can you improve office 365 security and make it harder for hackers? If you take the four steps below, you will be able to greatly improve Office 365 security and thwart more attacks.

Enforce the Use of Strong Passwords

Hackers often conduct brute force attacks on Office 365 email accounts so you need to develop a strong password policy and prevent users from setting passwords that are easy to brute force. You should not allow dictionary words or any commonly used weak passwords, that otherwise meet your password policy requirements – Password1! for instance.

The minimum length for a password should be 8 characters but consider increasing that minimum. A password of between 12 and 15 characters is recommended. Make sure you do not set a too restrictive maximum number of characters to encourage the use of longer passphrases. Passphrases are harder to crack than 8-digit passwords and easier for users to remember. To make it even easier for your users, consider using a password manager.

Implement Multi-Factor Authentication

Even with strong passwords, some users’ passwords may be guessed, or users may respond to phishing emails and disclose their password to a scammer. An additional login control is therefore required to prevent compromised passwords from being used to access Office 365 accounts.

Multi-factor authentication is not infallible, but it will help you improve Office 365 security. With MFA, in addition to a password, another method of authentication is required such as a token or a code sent to a mobile phone. If a password is obtained by a hacker, and an attempt is made to login from a new location or device, further authentication will be required to access the account.

Enable Mailbox Auditing in Office 365

Mailbox auditing in Office 365 is not turned on by default so it needs to be enabled. You can set various parameters for logging activity including successful login attempts and various mailbox activities. This can help you identify whether a mailbox has been compromised. You can also logs failed login attempts to help you identify when you are being attacked.

Improve Office 365 Security with a Third-Party Spam Filter

As previously mentioned, hackers can test their phishing emails to find out if they bypass Office 365 anti-phishing controls and your organization can be identified as using Office 365. To improve Office 365 security and reduce the number of phishing emails that are delivered to end users’ inboxes, consider implementing a third-party spam filter rather than relying on Microsoft’s anti-phishing controls. Dedicated email security vendors, such as TitanHQ, offer more effective and more flexible anti-spam and anti-phishing solutions than Microsoft Advanced Threat Protection at a lower cost.

Office 365 Spam Filtering Controls Failed to Prevent Costly Malware Infection

A U.S. school system had Office 365 spam filtering controls in place and other cybersecurity solutions installed, but still experienced a costly 6-week malware infection. In this post we explore what went wrong and how you can improve security in your organization.

Multi-Layered Defenses Breached

If you want to mount a solid defense and prevent hackers from gaining access to your networks and data, multi-layered cybersecurity defenses are required, but for one Georgia school district that was not enough. On paper, their defenses looked sound. Office 365 spam filtering controls had been applied to protect the email system, the school district had a firewall appliance protecting the network, and a web filter had been installed to control what users could do online. Endpoint security had also been installed.

The school district was also updating its desktops to Windows 10 and its servers to Windows Server 2012 or later. Everything looked nice and secure.

However, the transportation department delayed the upgrades. The department was still sharing files on a local Windows 2003 server and some of the desktops were still running Windows XP, even though support for the OS had long since ended. The outdated software and lack of patching was exploited by the attackers.

How Was the Malware Installed?

The investigation has not yet determined exactly how the attack was initiated, but it is believed that it all started with an email. As a result of the actions of an end user, a chain of events was triggered that resulted in a 6-week struggle to mitigate the attack, the cost of which – in terms of time and resources – was considerable.

The attack is believed to have started on a Windows XP machine with SMBv1 enabled. That device had drives mapped to the Windows 2003 server. The malware that was installed was the Emotet Trojan, which used the EternalBlue exploit to spread across the network to other vulnerable devices. The attackers were able to gain control of those devices and installed cryptocurrency mining malware.

The cryptocurrency mining slowed the devices to such an extent that they were virtually unusable, causing many to continually crash and reboot. The network also slowed to a snail’s pace due to the streams of malicious traffic. While the upgraded Windows 10 machines were not affected initially, the attackers subsequently downloaded keyloggers onto the compromised devices and obtained the credentials of an IT support technician who had domain administration rights. The attackers then used those privileges to disable Windows Defender updates on desktops, servers, and domain controllers.

Over the course of a week, further Trojan modules were downloaded by creating scheduled tasks using the credentials of the IT support worker. A spam module was used to send malicious messages throughout the school district and several email accounts were compromised as a result and had malware downloaded. Other devices were infected through network shares. The TrickBot banking Trojan was downloaded and was used to attack the systems used by the finance department, although that Trojan was detected and blocked.

Remediation Took 6 Weeks

Remediating the attack was complicated. First the IT department disabled SMBv1 on all devices as it was not known what devices were vulnerable. Via a Windows Group Policy, the IT team then blocked the creation of scheduled tasks. Every device on the network had Windows Defender updates downloaded manually, and via autoruns for Windows, all processes and files run by the Trojan were deleted. The whole process of identifying, containing, and disabling the malware took 6 weeks.

The attack was made possible through an attack on a single user, although it was the continued use of unsupported operating systems and software that made the malware attack so severe.

The attack shows why it is crucial to ensure that IT best practices are followed and why patching is so important. For that to happen, the IT department needs to have a complete inventory of all devices and needs to make sure that each one is updated.

While Microsoft released a patch to correct the flaw in SMBv1 that was exploited through EternalBlue, the vulnerable Windows XP devices were not updated, even though Microsoft had released an update for the unsupported operating system in the spring of 2017.

Additional Protection is Required for Office 365 Inboxes

The attack also shows how the actions of a single user can have grave repercussions. By blocking malicious emails at source, attacks such as this will be much harder to pull off. While Office 365 spam filtering controls block many email-based threats, even with Microsoft’s Advanced Threat Protection many emails slip through and are delivered to inboxes.

Hackers can also see whether Office 365 is being used as it is broadcast through DNS MX records, which allows them to target Office 365 users and launch attacks.

Due to the additional cost of APT, the lack of flexibility, and the volume of malicious emails that are still delivered to inboxes, many businesses have chosen to implement a more powerful spam filtering solution on top of Office 365.

One such solution that has been developed to work seamlessly with Office 365 to improve protection against email threats is SpamTitan.

You can find out more about how SpamTitan improves protection for Office 365 in this article – Protecting Office 365 from Attack.

Sextortion Scams Now Combine Threat of Exposure with Multiple Malware Infections

Sextortion scams have proven popular with cybercriminals this year. A well written email and an email list are all that is required. The latter can easily be purchased for next to nothing via darknet marketplaces and hacking forums. Next to no technical skill is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are effective.

Many sextortion scams use the tried and tested technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made. Some of the recent sextortion scams have added credibility by claiming to have users’ passwords. However, new sextortion scams have been detected in the past few days that are using a different tactic to get users to pay up.

The email template used in this scam is similar to other recent sextortion scams. The scammers claim to have a video of the victim viewing adult content. The footage was recorded through the victim’s webcam and has been spliced with screenshots of the content that was being viewed at the time.

In the new campaign the email contains the user’s email account in the body of the email, a password (Most likely an old password compromised in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see exactly what will soon be distributed via email and social media networks.

Clicking the link in the video will trigger the downloading of a zip file. The compressed file contains a document including the text of the email along with the supposed video file. That video file is actually an information stealer – The Azorult Trojan.

This form of the scam is even more likely to work than past campaigns. Many individuals who receive a sextortion scam email will see it for what it really is: A mass email containing an empty threat. However, the inclusion of a link to download a video is likely to see many individuals download the file to find out if the threat is real.

If the zip file is opened and the Azorult Trojan executed, it will silently collect information from the user’s computer – Similar information to what the attacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank credentials.

However, it doesn’t end there. The Azorult Trojan will also download a secondary payload: GandCrab ransomware. Once information has been collected, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up and not also encrypted by the ransomware. Aside from permanent file loss, the only other alternative will be to pay a sizeable ransom for the key to decrypt the files.

If the email was sent to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. Since a record of the original email will have been extracted on the device, the reason why the malware was installed will be made clear to the IT department.

The key to not being scammed is to ignore any threats sent via email and never click links in the emails nor open email attachments.

Businesses can counter the threat by using cybersecurity solutions such as spam filters and web filters. The former prevents the emails from being delivered while the latter blocks access to sites that host malware.

Warning About Uptick in Holiday Season Gift Card Scams

The search for Christmas gifts can be a difficult process. All too often that search proves to be unfruitful and consumers opt to buy gift cards instead. At least with a gift card you can be sure that your friends and family members will be able to buy a gift that they want; however, beware of holiday season gift card scams. Many threat actors are using gift cards as the lure to fool end users into installing malware or parting with sensitive information.

Holiday Season Sees Marked Increase Gift Card Phishing Scams

Holiday season gift card scams are commonplace, and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

Everyone loves a bargain and the offer of something for nothing may be too hard to resist. Many people fall for these scams which is why threat actors switch to gift card scams around this time of year.

Consumers can be convinced to part with credit card details, but businesses too are at risk. Many of these campaigns are conducted to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will likely pay the price.

This year has seen many businesses targeted with gift card scams. Figures from Proofpoint suggest that out of the organizations that have been targeted with email fraud attacks, almost 16% had experienced a gif card-themed attack: Up from 11% in Q2, 2018.

This year has also seen an increase in business email compromise (BEC) style tactics, with emails appearing to have been sent from within a company. The emails claim to have been sent from the CEO (or another executive) requesting accounts and administration staff purchase gift cards for clients or ask for gift cards be purchased to be used for charitable donations.

To reduce the risk from gift card scams and other holiday-themed phishing emails, businesses need to ensure they have powerful spam filtering technology in place to block the emails at source and prevent them from being delivered to inboxes.

Advanced Anti-Phishing protection for Office 365

Many businesses use Office 365, but even Microsoft’s anti-phishing protections see many phishing emails slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing controls, emails still make it past Microsoft’s filters.

To block these malicious messages, an advanced third-party spam filter is required. SpamTitan has been developed to work seamlessly with Office 365 to improved protection against malware, phishing emails, and more sophisticated phishing attacks.

SpamTitan blocks more than 99.9% of spam email, while dual anti-virus engines block 100% of known malware. What really sets SpamTitan in a different class is the level of protection it offers against new threats. A combination of Bayesian analysis, greylisting, machine learning, and heuristics help to identify zero-day attacks, which often slip past Office 365 defenses.

If you want to improve protection from email-based attacks and reduce the volume of spam and malicious messages that are being delivered to Office 365 inboxes, give TitanHQ a call today and book a product demonstration to see SpamTitan in action. You can sign up for a free trial of SpamTitan to test the solution in your own environment and see for yourself the difference it makes.

Phishing Attacks on Retailers and Food Industry Install Remote Access Trojans

There has been an increase in phishing attacks on retailers, supermarket chains, and restaurants in recent weeks. The aim of the phishing attacks is to deliver remote access Trojans and remote manipulator software to gain persistent access to computers and, ultimately, obtain banking credentials and sensitive customer data on POS systems.

Several new campaigns have been detected in recent weeks targeting retail and food sector companies, both of which are well into the busiest time of the year. With employees working hard, it is likely that less care will be taken opening emails which gives cybercriminals an opportunity.

PUB Files Used in Phishing Attacks on Retailers

Over the past few weeks, security researchers have noted an uptick in phishing attacks on retailers, with one threat group switching to using.pub files to install malware. Many phishing attacks use Word documents containing malicious macros. The use of macros with .pub files is relatively uncommon. The change to this new attachment type may fool employees, as they will be less likely to associate these files with cyberattacks.

Social engineering techniques are used to fool end users into opening the files, with the .pub files masquerading as invoices. Many emails have been intercepted that appear to have been sent from within a company, which helps to make the files appear genuine.

If opened, the .pub files, via malicious macros, run Microsoft Installer (MSI) files that deliver a remote access Trojan. Since these installers will most likely be familiar to end users, they may not realize the installers are malicious. Further, the MSI files are time delayed so they do not run immediately when the .pub files are opened, increasing the probability that the RAT downloads will go unnoticed.

The TA505 threat group is using this tactic to install the FlawedAmmy remote access Trojan and other malicious payloads such as Remote Manipulator System (RMS) clients.

The phishing emails used to deliver these malicious files are targeted and tailored to a specific business to increase the likelihood of success. These targeted spear phishing attacks are now becoming the norm, as threat actors move away from the spray and pray tactics of old.

Cape Cod Community College Phishing Attack Results in Theft of More Than $800,000

Phishing attacks on retailers have increased, but other industries are also at risk. Educational institutions are also prime targets, as has been highlighted by a recent phishing attack on Cape Cod Community College.

The Cape Cod Community College phishing attack involved sophisticated messages that delivered malware capable of evading the college’s anti-virus software. The malware was used to obtain the banking credentials of the college, and once those credentials had been obtained, the hackers proceeded to make fraudulent transfers and empty bank accounts. Transfers totaling $807,130 were made, and so far, the college and its bank have only been able to recover $278,887.

All too often, fraudulent transfers are not detected quickly enough to recover any funds. Once the transfers have cleared the attacker-controlled bank accounts are emptied, after which the probability of recovering funds falls to near zero.

Defense in Depth the Key to Phishing Protection

Email is the primary vector used to phish for sensitive information and deliver malware to businesses. Regardless of whether businesses use local email systems or cloud-based email services such as Office 365, advanced spam filtering controls are required to block threats. For instance, SpamTitan blocks more than 99.9% of spam email and 100% of known malware. SpamTitan also uses heuristics, machine learning, and Bayesian analysis to identify previously unseen threats – One of the areas of weakness of Office 365’s anti-phishing defenses.

Network segmentation is also essential. Critical services must be separated to ensure that the installation of malware or ransomware on one device will not allow the attackers to gain access to the entire network. This is especially important for retailers and other businesses with POS systems. Network segmentation will help to keep POS systems and the financial data of customers secure.

Advanced endpoint protection solutions offer far greater protection than standard antivirus solutions and are less reliant on malware signatures. Standard AV solutions will only block known malware. With standard AV solutions, new malware variants can easily slip through the net.

End user security awareness training should be mandatory for all employees and training needs to be a continuous process. A once a year training session is no longer sufficient. Regular training throughout the year is required to ensure employees are made aware of the latest threats and tactics being used to gain access to login credentials and install malware.

For further information on improving email security to improve protection against phishing attacks, contact the TitanHQ team today.

TrickBot Malware Updated with POS Data Stealing Capabilities

A new module has been added to TrickBot malware that adds point-of-sale (POS) data collection capabilities.

TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: Businesses that process large volumes of card payments.

The new module was identified by security researchers at Trend Micro who note that, at present, the module is not being used to record POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only collecting data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The researchers have not yet determined how the POS information will be used, but it is highly likely that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.

The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’

The timing of the update, so close to the holiday period, suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much information as possible before the module is used to harvest POS data.

The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) which is targeting businesses in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.

Protecting against TrickBot and other information stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to prevent malicious messages from being delivered to end users’ inboxes. End user training is also essential to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.

Antivirus solutions and endpoint security controls should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.

Beware of this California Wildfire Scam

A California wildfire scam is circulating that requests donations to help the victims of the recent wildfires. The emails appear to come from the CEO of a company and are directed at its employees in the accounts and finance department.

It should come as no surprise that cybercriminals are taking advantage of yet another natural disaster and are attempting to con people into giving donations. Scammers often take advantage of natural disasters to pull on the heart strings and defraud businesses. Similar scams were conducted in the wake of the recent hurricanes that hit the United States and caused widespread damage.

The California wildfire scam, identified by Agari, is a form of business email compromise (BEC) attack. The emails appear to have been sent by the CEO of a company, with his/her email address used to send messages to company employees. This is often achieved by spoofing the email address although in some cases the CEO’s email account has been compromised and is used to send the messages.

The California wildfire scam contains one major red flag. Instead of asking for a monetary donation, the scammers request money in the form of Google play gift cards. The messages request the redemption codes be sent back to the CEO by return.

The emails are sent to employees in the accounts and finance departments and the emails request that the money be sent in 4 x $500 denomination gift cards. If these are sent back to the CEO, he/she will then forward them on to company clients that have been affected by the California wildfires.

The reason Google play gift cards are requested is because they can easily be exchanged on darknet forums for other currencies. The gift cards are virtually impossible to trace back to the scammer.

The messages are full of grammatical errors and spelling mistakes. Even so, it is another sign that the messages are not genuine. However, scams such as this are sent because they work. Many people have been fooled by similar scams in the past.

Protecting against scams such as this requires a combination of technical controls, end user training, and company policies. An advanced spam filtering solution should be used – SpamTitan for instance – to prevent messages such as these from reaching inboxes. SpamTitan checks all incoming emails for spam signatures and uses advanced techniques such as heuristics, machine learning, and Bayesian analysis to identify advanced and never-before-seen phishing attacks.

End user training is essential for all employees, especially those with access to corporate bank accounts. Those individuals are often targeted by scammers. Policies should be introduced that require all requests for changes to bank accounts, atypical payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are authorized.

A combination of these measures will help to protect businesses from BEC attacks and other email scams.

Stealthy Cannon Trojan Being Distributed Through Lion Air Spear Phishing Campaign

A previously unseen malware variant, dubbed the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. The new malware threat has been strongly linked to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednet, Strontium – that has links to the Russian government.

The Cannon Trojan is being used to gather information on potential targets, collecting system information and taking screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of installing further malware variants onto a compromised system.

The new malware threat is stealthy and uses a variety of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates via email over SMTPs and POP3S.

Once installed, an email is sent over SMTPS through port 465 and a further two email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively rare. One advantage offered by this method of communication is it is more difficult to identify and block that HTTP/HTTPS.

The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being distributed via spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.

The Lion Air spear phishing campaign appears to provide information on the victims of the crash, which the email claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to view the contents of the document. It is claimed that the document was created in an earlier version of Word and content must be enabled for the file to be displayed. Opening the email and enabling content would trigger the macro to run, which would then silently download the Cannon Trojan.

Rather than the macro running and downloading the payload straightaway, as an anti-analysis mechanism, the attackers use the Windows AutoClose tool to delay completion of the macro routine until the document is closed. Only then is the Trojan downloaded. Any sandbox that analyzes the document and exits before closing the document would be unlikely to identify it as malicious. Further, the macro will only run if a connection with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The techniques used by the attackers to obfuscate the macro and hide communications make this threat difficult to detect. The key to preventing infection is blocking the threat at source and preventing it from reaching inboxes. The provision of end user training to help employees identify threats such as emails with attachments from unknown senders is also important.

Enhance Protection Against Zero-Day Malware and Spear Phishing

TitanHQ has developed a powerful anti-phishing and anti-spam solution that is effective at blocking advanced persistent threats and zero-day malware, which does not rely on signature-based detection methods. While dual anti-virus engines offer protection against 100% of known malware, unlike many other spam filtering solutions, SpamTitan uses a variant of predictive techniques to identify previously unseen threats and spear phishing attacks.

Greylisting is used to identify domains used for spamming that have yet to be blacklisted. All incoming emails are subjected to Bayesian analysis, and heuristics are used to identify new threats.

To further protect against phishing attacks, URIBL and SURBL protocols are used to scan embedded hyperlinks. SpamTitan also scans outbound mail to prevent abuse and identify attempted data theft.

For further information on SpamTitan, to book a product demonstration, or to sign up for a free trial of the full product, contact the TitanHQ team today.

Thanksgiving Themed Spam Emails Used to Spread Emotet Malware

There has been an increase in malspam campaigns spreading Emotet malware in recent weeks, with several new campaigns launched that spoof financial institutions – the modus operandi of the threat group behind the campaigns.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is downloaded. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website where the Word document is downloaded.

Various social engineering tricks have been used in these campaigns. One new tactic that was identified by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email appear benign.

According to Cofense, the campaign delivers Emotet malware, although Emotet in turn downloads a secondary payload. In past campaigns, Emotet has been delivered along with ransomware. First, Emotet steals credentials, then the ransomware is used to extort money from victims. In the latest campaign, the secondary malware is the banking Trojan named IcedID.

A further campaign has been detected that uses Thanksgiving themed spam emails. The messages appear to be Thanksgiving greetings for employees, and similarly contain a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to aid the deception and include the user’s name. In this campaign, while the document downloaded appears to be a Word file, it is actually an XML file.

Emotet malware has been updated recently. In addition to stealing credentials, a new module has been added that harvests emails from an infected user. The previous 6 months’ emails – which include subjects, senders, and message content – are stolen. This new module is believed to have been added to improve the effectiveness of future phishing campaigns, for corporate espionage, and data theft.

The recent increase in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind these campaigns, highlight the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide protection against email attacks.

Phishing campaigns target a weak link in security defenses: Employees. It is therefore important to ensure that all employees with corporate email accounts are taught how to recognize phishing threats. Training needs to be ongoing and should cover the latest tactics used by cybercriminals to spread malware and steal credentials. Employees are the last line of defense. Through security awareness training, the defensive line can be significantly strengthened.

As a frontline defense, all businesses and organizations should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is required to provide protection against more sophisticated email attacks.

SpamTitan is an advanced email filtering solution that uses predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

In addition to scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to identify emerging threats. Greylisting is used to identify and block large scale spam campaigns, such as those typically conducted by the threat actors spreading banking Trojans and Emotet malware.

How SpamTitan Spam Filtering Works

How SpamTitan Protects Businesses from Email Threats

A web filter – such as WebTitan – adds an additional layer of protection against web-based attacks by preventing end users from visiting malicious websites where malware is downloaded. A web filter assesses all attempts to access web content, checks sites against blacklists, assesses the domain, scans web content, and blocks access to sites that violate its policies.

For further information on how you can improve your defenses against web-based and email-based attacks and block malware, ransomware, botnets, viruses, phishing, and spear phishing attacks, contact TitanHQ today.

New Dharma Ransomware Variant Detected

A new Dharma ransomware variant has been developed that is currently evading detection by the majority of antivirus engines. According to Heimdal Security, the latest Dharma ransomware variant captured by its researchers was only detected as malware by one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) first appeared in 2006 and is still being developed. This year, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been detected.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been developed, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete.  Infection with the latest variants of the ransomware threat only give victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The latter is not an option given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can delete shadow copies. Payment of a ransom is not advised as there is no guarantee that files can or will be decrypted.

Protecting against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly conducted via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and via email malspam campaigns.

The latest Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections occur via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is obtained, the malicious payload is deployed.

While it is not exactly clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To protect against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block login attempts after a set number of failures.

Naturally, good backup policies are essential. They will ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy stored securely off site.

To protect against email-based attacks, an advanced spam filter is required. Spam filters that rely on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are essential.

SpamTitan can improve protection for businesses through combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been uploaded to AV engines.

For further information on SpamTitan and protecting your email gateway from ransomware attacks and other threats, speak to TitanHQ’s security experts today.

What are the Top Phishing Lures of 2018?

Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such as serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments and click on hyperlinks and visit phishing websites.

Phishing is the Biggest Security Threat Faced by Businesses

Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.

Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.

Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.

Top Phishing Lures of 2018

Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.

Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.

In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.

Top Phishing Lures on the Cofense Platform

Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.

Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned invoice in the subject line. The other three were also finance related: Payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.

The list of the top phishing lures from phishing simulations were also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.

Rank Phishing Subject/Theme Number of Reported Emails
1 Attached Invoice 4,796
2 Payment Notification 2,267
3 New Message in Mailbox 2,088
4 Online Order (Attachment) 679
5 Fax Message 629
6 Secure Message (MS Office Macro) 408
7 Online Order (Hyperlink) 399
8 Confidential Scanned document (Attachment) 330
9 Conversational Wire transfer (BEC Scam) 278
10 Bill Copy 251

 

Top Phishing Lures on the KnowBe4 Platform

KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing attempted on businesses that were reported to IT security departments.

The most common real-world phishing attacks in Q3 were:

Rank Subject
1 You have a new encrypted message
2 IT: Syncing Error – Returned incoming messages
3 HR: Contact information
4 FedEx: Sorry we missed you.
5 Microsoft: Multiple log in attempts
6 IT: IMPORTANT – NEW SERVER BACKUP
7 Wells Fargo: Irregular Activities Detected on Your Credit Card
8 LinkedIn: Your account is at risk!
9 Microsoft/Office 365: [Reminder]: your secured message
10 Coinbase: Your cryptocurrency wallet: Two-factor settings changed

 

The most commonly clicked phishing lures in Q3 were:

Rank Subject % of Emails Clicked
1 Password Check Required Immediately 34%
2 You Have a New Voicemail 13%
3 Your order is on the way 11%
4 Change of Password Required Immediately 9%
5 De-activation of [[email]] in Process 8%
6 UPS Label Delivery 1ZBE312TNY00015011 6%
7 Revised Vacation & Sick Time Policy 6%
8 You’ve received a Document for Signature 5%
9 Spam Notification: 1 New Messages 4%
10 [ACTION REQUIRED] – Potential Acceptable Use Violation 4%

 

The Importance of Blocking Phishing Attacks at their Source

If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.

Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.

SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.

SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to end spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.

Improve Office 365 Email Security with SpamTitan

There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.

Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.

To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.

New Office 365 Threat Uses Windows Components to Install Banking Trojans

A new Office 365 threat has been detected that stealthily installs malware by hiding communications and downloads by abusing legitimate Windows components.

New Office 365 Threat Uses Legitimate Windows Files to Hide Malicious Activity

The attack starts with malspam containing a malicious link embedded in an email. Various themes could be used to entice users into clicking the link, although one recent campaign masquerades as emails from the national postal service in Brazil.

The emails claim the postal service attempted to deliver a package, but the delivery failed as there was no one in. The tracking code for the package is included in the email and the user is requested to click the link in the email to receive the tracking information.

In this case, clicking the link will trigger a popup asking the user to confirm the download of a zip file, which it is alleged contains the tracking information. If the zip file is extracted, the user is required to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes a Windows Management Instrumentation (WMI) file: wmic.exe. This legitimate Windows file will be used to communicate with the attacker’s C2 server and will create a copy of another Windows file – certutil.exe in the %temp% folder with the name certis.exe. A script then runs which instructs the certis.exe file to connect to a different C2 server to download malicious files.

The aim of this attack is to use legitimate Windows files to download the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload undetected.

These Windows files have the capability to download other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users as other threat actors have also adopted this tactic to install malware.

Due to the difficultly distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an office 365 threat such as this is easiest at the initial point of attack: Preventing the malicious email from being delivered to an inbox and providing security awareness training to employees to help them identify this Office 365 threat. The latter is essential for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will prevent the last line of defense from being tested.

How to Block this Office 365 Threat with SpamTitan and Improve Email Security

Microsoft uses several techniques to identify malspam and prevent malicious messages from reaching users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still delivered.

To improve Office 365 security, a third-party spam filtering solution should be used. SpamTitan has been developed to allow easy integration into Office 365 and provides superior protection against a wide range of email threats.

SpamTitan uses a variety of methods to prevent malspam from being delivered to end users’ inboxes, including predictive techniques to identify threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and prevent malicious emails from reaching inboxes.

How SpamTitan Spam Filtering Works

How SpamTitan Protects Businesses from Email Threats

Security Solutions for MSPs to Block Office 365 Threats

Many MSPs resell Office 365 licenses to their customers. Office 365 allows MSPs to capture new business, but the margins are small. By offering additional services to enhance Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while improving the profitability of Office 365.

TitanHQ has been developing innovative email and web security solutions for more than 25 years. Those solutions have been developed from the ground up with MSPs for MSPs. Three solutions are ideal for use with Office 365 for compliance ad to improve security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.

By incorporating these solutions into Office 365 packages, MSPs can provide clients with much greater value as well as significantly boosting the profitability of offering Office 365.

To find out more about each of these solutions, speak to TitanHQ. The MSP team will be happy to explain how the products work, how they can be implemented, and how they can boost margins on Office 365.

Warning Issued After Increase in Phishing Attacks on Publishers and Literary Scouting Agencies

Financial institutions, healthcare organizations and universities have seen an increase in cyberattack in recent months, but there has also been an increase in phishing attacks on publishers and literary scouting agencies.

Any business that stores sensitive information that can be monetized is at risk of cyberattacks, and publishers and literary scouting agencies are no exception. Like any employer, scouting agencies and publishers store sensitive information such as bank account numbers, credit card details, Social Security numbers, contract information, and W-2 Tax forms, all of which carry a high value on the black market. The companies also regularly make wire transfers and are therefore targets for BEC scammers.

However, in a somewhat new development, there have been several reports of phishing attacks on publishers and literary scouting agencies that attempt to gain access to unpublished manuscripts and typescripts. These are naturally extremely valuable. If an advance copy of an eagerly awaited book can be obtained before it is published, there will be no shortage of fans willing to pay top dollar for a copy. Theft of manuscripts can result in extortion attempts with ransoms demanded to prevent their publication online.

2018 has seen a significant increase in phishing attacks on publishers and literary scouting agencies. Currently, campaigns are being conducted by scammers that appear to have a good understanding of the industry. Highly realistic and plausible emails are being to publishing houses and agencies which use the correct industry terminology, which suggests they are the work of an industry insider.

One current campaign is spoofing the email account of Catherine Eccles, owner of the international literary scouting agency Eccles Fisher.  Emails are being sent using Catherine Eccles’ name, and include her signature and contact information. The messages come from what appears to be her genuine email account, although the email address has been spoofed and replies are directed to an alternative account controlled by the scammer. The messages attempt to get other literary agencies to send manuscripts via email or disclose their website passwords.

An increase in phishing attacks on publishers on both sides of the Atlantic have been reported, with the threat already having prompted Penguin Random House North America to send out warnings to employees to alert them to the threat.  According to a recent report in The Bookseller, several publishers have been targeted with similar phishing schemes, including Penguin Random House UK and Pan Macmillan.

Protecting against phishing attacks requires a combination of technical solutions, policies and procedures, and employee training.

Publishers and scouting agencies should deploy software solutions that can block phishing attacks and prevent malicious emails from being delivered to their employees’ inboxes.

SpamTitan is a powerful anti-phishing tool that blocks 99.97% of spam emails and 100% of known malware. DMARC email-validation is incorporated to detect email spoofing and prevent malicious emails from reaching employees’ inboxes.

End user training is also essential to raise awareness of the risks of phishing. All staff should be trained how to recognize phishing emails and other email threats to ensure they do not fall for these email scams.

If you run a publishing house or literary scouting agency and are interested in improving your cyber defenses, contact the TitanHQ team today for further information on cybersecurity solutions that can improve your security posture against phishing and other email and web-based threats.

Cyberattacks on Universities Rise as Hackers Search for Valuable Research Data

Hackers have been going back to school and entering higher education. Quite literally in fact, although not through conventional channels. Entry is gained through cyberattacks on universities, which have increased over the course of the past 12 months, according to figures recently released by Kaspersky Lab.

Cyberattacks on Universities on the Rise

Credit cards information can be sold for a few bucks, but universities have much more valuable information. As research organizations they have valuable proprietary data. The results of research studies are particularly valuable. It may not be possible to sell data as quickly as credit cards and Social Security numbers, but there are certainly buyers willing to pay top dollar for valuable research. Nation state sponsored hacking groups are targeting universities and independent hacking groups are getting in on the act and conducting cyberattacks on universities.

There are many potential attack vectors that can be used to gain access to university systems. Software vulnerabilities that have yet to be patched can be exploited, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be conducted to guess passwords. However, phishing attacks on universities are commonplace.

Phishing is often associated with scams to obtain credit card information or login credentials to Office 365 accounts, with businesses and healthcare organizations often targeted. Universities are also in the firing line and are being attacked.

The reason phishing is so popular is because it is often the easiest way to gain access to networks, or at least gain a foothold for further attacks. Universities are naturally careful about guarding their research and security controls are usually deployed accordingly. Phishing allows those controls to be bypassed relatively easily.

A successful phishing attack on a student may not prove to be particularly profitable, at least initially. However, once access to their email account is gained, it can be used for further phishing attacks on lecturers for example.

Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to valuable research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide range of secondary attacks.

Email-based attacks can involve malicious attachments that deliver information stealing malware such as keyloggers, although many of the recent attacks have used links to fake university login pages. The login pages are exact copies of the genuine login pages used by universities, the only difference being the URL on which the page is located.

More than 1,000 Phishing Attacks on Universities Detected in a Year

According to Kaspersky Lab, more than 1,000 phishing attacks on universities have been detected in the past 12 months and 131 universities have been targeted. Those universities are spread across 16 countries, although 83/131 universities were in the United States.

Preventing phishing attacks on universities, staff, and students requires a multi layered approach. Technical controls must be implemented to reduce risk, such as an advanced spam filter to block the vast majority of phishing emails and stop them being delivered to end users. A web filtering solution is important for blocking access to phishing websites and web pages hosting malware. Multi-factor authentication is also essential to ensure that if account information is compromised or passwords are guessed, an additional form of authentication is required to access accounts.

As a last line of defense, staff and students should be made aware of the risk from phishing. Training should be made available to all students and cybersecurity awareness training for researchers, lecturers, and other staff should be mandatory.

Spear Phishing Attack Results in $16 Million Anthem Data Breach Settlement

In 2015, Anthem Inc., experienced a colossal data breach. 78.8 million health plan records were stolen. This year, the health insurer settled a class action data breach for $115 million and OCR has now agreed a $16 million Anthem data breach settlement.

It Started with a Spear Phishing Email…

The Anthem data breach came as a huge shock back in February 2015, due to the sheer scale of the breach. Healthcare data breaches were common, but the Anthem data breach in a different league.

Prior to the announcement, the unenviable record was held by Science Applications International Corporation, a vendor used by healthcare organizations, that experienced a 4.9 million record breach in 2011. The Anthem data breach was on an entirely different scale.

The hacking group behind the Anthem data breach was clearly skilled. Mandiant, the cybersecurity firm that assisted with the investigation, suspected the attack was a nation-state sponsored cyberattack. The hackers managed to gain access to Anthem’s data warehouse and exfiltrated a huge volume of data undetected. The time of the initial attack to discovery was almost a year.

While the attack was sophisticated, a foothold in the network was not gained through an elaborate hack or zero-day exploit but through phishing emails.

At least one employee responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the attackers the entry point they needed to launch a further attack and gain access to Anthem’s health plan member database.

The Anthem Data Breach Settlement is the Largest Ever Penalty for a Healthcare Data Breach

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates healthcare data breaches that result in the exposure or theft of 500 or more records. An in-depth investigation of the Anthem breach was therefore a certainty given its scale. A penalty for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare organizations to safeguard health data. The scale of the breach also made it likely that it would result in the largest ever penalty for a healthcare data breach.

Before the Anthem data breach settlement, the largest penalty for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that amount, which reflected the seriousness of the breach, the number of people impacted, and the extent to which HIPAA Rules were alleged to have been violated.

OCR alleged that Anthem Inc., had violated five provisions of HIPAA Rules, and by doing so failed to prevent the breach and limit its severity. The Anthem data breach settlement was however agreed with no admission of liability.

The regulatory fine represents a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple lawsuits in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.

The class action settlement document indicated Anthem had already paid $2.5 to consultants in the wake of the breach, $31 million was spent mailing notification letters, $115 million went on improvements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan members.

With the $115 million class action settlement and the $16 million OCR settlement, that brings the total cost of the Anthem data breach to $391.5 million.

At $391.5 million, that makes this the most expensive healthcare phishing attack by some distance and the cost clearly highlights just how important it is to adopt a defense-in-depth strategy to protect against phishing attacks.

Iceland Police Spoofed in Sophisticated Phishing Scam

Police in Iceland have said a highly sophisticated phishing attack is the largest ever cyberattack the country has ever experienced. The campaign saw thousands of messages sent that attempted to get Icelanders to install a remote access tool that would give the attackers full access to their computers.

The software used in this campaign is a legitimate remote access tool called Remcos. Remcos is used to allow remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptop computers. However, while it was developed for legitimate use, because it gives the administrator full control over the computer once installed, it has significant potential to be used for malicious purposes. Unsurprisingly, Remcos has been used by cybercriminals in several malware campaigns in the past, often conducted via spear phishing campaigns. One notable attack involved the spoofing of the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT installed to provide access to victim’s computers.

The use of Remcos for malicious purposes violates the terms and conditions of use. If discovered, the developer can block the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive information, installation of malicious software, and file encryption with ransomware to name but a few.

As was the case in Turkey, the phishing campaign in Iceland attempted to fool end users into installing the program through deception. In this case, the emails claimed to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and download the remote access tool.

The emails informed the recipients that they were required to visit the police for questioning. Urgency was added by informing the recipient of the message that an arrest warrant would be issued if they failed to respond. Clicking the link in the email directed the user to what appeared to be the correct website of the Icelandic police. The website was a carbon copy of the legitimate website and required the visitor to enter their Social Security number along with an authentication code sent in the email to find out more information about the police case.

In Iceland, Social Security numbers are often required on websites to access official services, so the request would not appear unusual. On official websites, Social Security numbers are checked against a database and are rejected if they are not genuine. In this case, the attacker was also able to check the validity of the SSN, which means access to a database had been gained, most likely an old database that had been previously leaked or the attacker may have had legitimate access and misused the database.

After entering the information, a password protected archive was downloaded which allegedly contained documents with details of the case. The webpage provided the password to unlock the password protected archive, which contained a .scr file disguised as a Word document.

In this case, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password stealing capabilities and was used to steal banking credentials. After gaining access to banking credentials, the information was sent back to command and control servers in Germany and the Netherlands.

While the campaign looked entirely legitimate, a common trick was used to fool recipients of the email, which number in the thousands. The domain used in the attack closely resembled the official police website, logreglan.is but contained a lower case i instead of the second l – logregian.is.  A casual glance at the sender of the email or the domain name in the address bar would unlikely reveal the domain was not genuine. Further, the link in the email replaced the lower case i with a capital I, which is almost impossible to distinguish from a lower-case L.

The Icelandic police responded quickly to the attack and the malicious domain was taken down the following day. It is unknown how may people fell for the scam.

New Sextortion Scam: Emails Appear to Have Been Sent from User’s Email Account

A new sextortion scam has been detected that attempts to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of the attacker.

The scammers spoof the user’s email address so that it appears that the message has been sent from the user’s email account – The sender and the recipient names are identical.

A quick and easy check that can be performed to determine whether the sender name displayed is the actual account that has been used to send the email is to click forward. When this is done, the display name is shown, but so too is the actual email address that the message has been sent from. In this case, that check fails making it seem that the user’s email account has actually been compromised.

The messages used in this campaign attempt to extort money by suggesting the hacker has gained access to the user’s computer by means of a computer virus. It is claimed that the virus gives the attacker the ability to monitor the user’s internet activities in real time and use the computer’s webcam to record the user.

The attacker claims that the virus was downloaded to the computer as a result of the user visiting an adult website and that while viewing internet pornography the webcam was active and recording. “Your tastes are so weird,” states the scammer in the email.

The scammer claims that they will synch the webcam footage with the content that the user was viewing and send a copy of the video to all the user’s partner, friends, and relatives. It is claimed that all the user’s accounts have been compromised. The message also includes an example of one of the user’s passwords.

While it is extremely unlikely that the password supplied in the email is valid for any of the user’s account, the message itself will still be chilling for some individuals and will be enough to get them to make the requested payment of $800 to have the footage deleted.

However, this is a sextortion scam where the attackers have no leverage as there is no virus and no webcam footage. However, it is clear that at least some recipients were not willing to take a chance.

According to security researcher SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the scammer had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the campaign.  Now 7 days after the first payment was made, the earnings have risen to 1.1203 Bitcoin – $6,418 – with 15 individuals having paid.

This scam will no doubt be familiar to viewers of Black Mirror, a recent episode of which covered a very similar sextortion scam.

This tactic is nothing new. Many similar scams have been conducted in the past and many more will be in the future. What makes this campaign more chilling is the apparent hijacking of the email account and the highly effective spoofing.

A similar sextortion scam was conducted in the summer which also had an interesting twist. It used an old password for the account that had been obtained from a data dump. In that case, the password was real, at least at some point in the past, which made the scam seem genuine.

Office 365 Phishing Attacks Are Abusing Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are commonplace, highly convincing, and Office 365 spam filtering controls are easily being bypassed by cybercriminals to ensure messages reach inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SLL certificates to convince users the websites are genuine.

Office 365 Phishing Attacks Can Be Difficult to Identify

In the event of a phishing email making it past perimeter defenses and arriving in an inbox, there are several tell-tale signs that the email is not genuine.

There are often spelling mistakes, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails and they are often virtually indistinguishable from genuine communications from the brand they are spoofing. In terms of formatting, they are carbon copies of genuine emails complete with the branding, contact information, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is requested to take are perfectly plausible.

Hyperlinks are contained in emails that direct users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually further signs that all is not as it seems. A warning may flash up that the website may not be genuine, the website may start with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.

Even these tell-tale signs are not always there, as has been shown is several recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Microsoft Azure Blog Storage Phishing Scam

One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use HTTP and HTTPS, the phishing campaign uses the latter, which will show a signed SSL certificate from Microsoft.

In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted document. In this case, the document appears to be from a Denver law firm. Clicking the button directs the user to an HTML page hosted on Azure blog storage that requires Office 365 credentials to be entered to view the document. Since the document is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft adding legitimacy to the scam.

Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.

CloudFlare IPFS Gateway Abused

A similar campaign has been detected that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser. When connecting to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this case, the login requires information to be entered including username, password, and recovery email address and phone number – which will be forwarded to the attacker, while the user will be directed to a PDF file unaware that their credentials have been stolen.

Office 365 Phishing Protections are Insufficient

Office 365 users are being targeted by cybercriminals as they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for protection. With only the basic Exchange Online Protection, the protection was worse still.

Whether you run an SMB or a large enterprise, you are likely to receive high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be fooled. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater protection.

How to Make Office 365 More Secure

While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats such as spear phishing.

Office 365 does not have the same level of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.

To greatly improve protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to ensure malicious messages are blocked or quarantined rather than being delivered to end users’ inboxes. Some of the additional protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:

To find out more about making Office 365 more secure and how SpamTitan can benefit your company, contact TitanHQ. Our highly experienced sales consultants will be able to advise you on the full range of benefits of SpamTitan, the best deployment option, and can offer you a free trial to allow you to personally evaluate the solution before committing to a purchase.

Python-Based PyLocky Ransomware Distributed in Spam Email Campaigns in Europe

A new Python-based form of ransomware has been detected that masquerades as Locky, one of the most widely used ransomware variants in 2016. The new ransomware variant has been named PyLocky ransomware by security researchers at Trend Micro who have observed it being used in attacks in Europe, particularly France, throughout July and August.

The spam email campaigns were initially sent in relatively small batches, although over time the volume of emails distributing PyLocky ransomware has increased significantly.

Various social engineering tactics are being used by the attackers to get the ransomware installed, including fake invoices. The emails intercepted by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware which has been compiled using the PyInstaller tool, which allows Python applications to be converted to standalone executable files.

If installed, PyLocky ransomware will encrypt approximately 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files stored on all logical drives will be encrypted and the original copies will be overwritten. A ransom note is then dropped on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are unrelated. Ransom notes are written in French, English, Korean, and Italian so it is probable that the attacks will become more widespread over the coming weeks.

While Python is not typically used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been created. Pyl33t was used in several attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant stand out is its anti-machine learning capabilities, which help to prevent analysis using standard static analysis methods.

The ransomware abuses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is installed. If the total visible memory of a system is 4GB or greater, the ransomware will execute immediately. If it is lower than 4GB, the ransomware will sleep for 11.5 days – an attempt to determine if it is in a sandbox environment.

Preventing attacks requires a variety of cybersecurity measures. An advanced spam filtering solution such as SpamTitan will help to prevent the spam emails being delivered to end users’ inboxes. A web filter, such as WebTitan, can be employed to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will help to ensure that end users recognize the threat for what it is. Advanced malware detection tools are required to identify the threat due to its anti-machine learning capabilities.

There is no free decryptor for PyLocky. Recovery without paying the ransom will depend on a viable backup copy existing, which has not also been encrypted in the attack.

ICO and IQY Files Used in Spam Campaigns Delivering Marap and Loki Bot Malware

A spam email campaign is being conducted targeting corporate email accounts to distribute Loki Bot malware. Loki Bot malware is an information stealer capable of obtaining passwords stored in browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords used for messaging apps.

In addition to stealing saved passwords, Loki Bot malware has keylogging capabilities and is potentially capable of downloading and running executable files. All information captured by the malware is transferred to the attacker’s C2 server.

Kaspersky Lab researchers identified an increase in email spam activity targeting corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was delivered hidden in a malicious email attachment.

The intercepted emails included an ICO file attachment. ICO files are copies of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, most modern operating systems have the ability to access the contents of the files without the need for any additional software.

In this case, the ICO file contains Loki Bot malware and double clicking on the file will result in installation of the malware on operating systems that support the files (Vista and later).

It is relatively rare for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users attempt to open the files.

The campaign included a wide range of lures including fake purchase orders, speculative enquiries from companies containing product lists, fake invoices, bank transfer details, payment requests, credit notifications, and payment confirmations. Well-known companies such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.

Spam Email Campaign Distributing Marap Malware Targets Financial Institutions

A separate and unrelated spam email campaign has been identified that is using IQY files to deliver a new form of malware known as Marap. Marap malware is a downloader capable of downloading a variety of different payloads and additional modules.

Upon installation, the malware fingerprints the system and gathers information such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is installed. If the system is of particular interest, it is earmarked for a more extensive compromise.

Four separate campaigns involving millions of messages were detected by researchers at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document containing a malicious macro. The campaigns appear to be targeting financial institutions.

IQY files are used by Excel to download web content directly into spreadsheets. They have been used in several spam email campaigns in recent weeks to install a variety of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.

Since the majority of end users would not have any need to open ICO or IQY files, these file types should be added to the list of blocked file types in email spam filters to prevent them from being delivered to end users’ inboxes.

AdvisorsBot: A Versatile New Malware Threat Distributed Through Spam Email

Hotels, restaurants, and telecommunications companies are being targeted with a new spam email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being distributed vis spam emails containing Microsoft Word attachments with malicious macros.

Opening an infected email attachment and enabling macros on the document will see Advisorsbot installed. Advisorsbot’s primary role is to perform fingerprinting on an infected device. Information will be gathered on the infected device is then communicated to the threat actors’ command and control servers and further instructions are provided to the malware based on the information gathered on the system. The malware records system information, details of programs installed on the device, Office account details, and other information. It is also able to take screenshots on an infected device.

AdvisorsBot malware is so named because the early samples of the malware that were first identified in May 2018 contacted command and control servers that contained the word advisors.

The spam email campaign is primarily being conducted on targets in the United States, although infections have been detected globally. Several thousands of devices have been infected with the malware since May, according to the security researchers at Proofpoint who discovered the new malware threat. The threat actors believed to be behind the attacks are a APT group known as TA555.

Various email lures are being used in this malware campaign to get the recipients to open the infected attachment and enable macros. The emails sent to hotels appear to be from individuals who have been charged twice for their stay. The campaign on restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications companies use email attachments that appear to be resumes from job applicants.

AdvisorsBot is written in C, but a second form of the malware has also been detected that is written in .NET and PowerShell. The second variant has been given the name PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that downloads a PowerShell script which executes shellcode that runs the malware in the memory without writing it to the disk.

These malware threats are still under development and are typical of many recent malware threats which have a wide range of capabilities and the versatility to be used for many different types of attack such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions performed are determined based on the system on which the malware has been installed. If that system is ideally suited for mining cryptocurrency, the relevant code will be installed. If the business is of particular interest, it will be earmarked for a more extensive compromise.

The best form of defense against this campaign is the use of an advanced spam filtering solution to prevent the emails from being delivered and security awareness training for employees to condition them how to respond when such a threat arrives in their inbox.

Two Factor Authentication Flaws Discovered in Microsoft ADFS

Two factor authentication flaws have been identified that allow accounts to be accessed even when protected by a password and second authentication factor.

Two-factor authentication is an important safeguard to secure accounts. In the event of login credentials being guessed or otherwise obtained by a third party, an additional method of authentication is required to gain access to the account. Without that second factor, access to the account is blocked. But not always. Multiple two-factor authentication flaws have been identified.

Two Factor Authentication Flaws Exploited in Reddit, LinkedIn and Yahoo Cyberattacks

Two-factor authentication is not infallible. Recently, Reddit disclosed that it had suffered a data breach even though two factor authentication had been implemented. Rather than use a token, Reddit used SMS messages to a mobile phone owned by the account holder as the second authentication factor. As Reddit discovered, SMS messages can be intercepted. The attacker was able to intercept a 2FA SMS message and gain access to an employee’s account, through which it was possible to access to an old database of user credentials.

Two-factor authentication was also in place at Yahoo in 2013, yet the company still experienced a massive data breach that resulted in all three billion of its users having their information obtained by hackers. Go back a year and there was the massive 167 million record data breach at LinkedIn, which had also implemented two-factor authentication.

A phone call or text message to a phone owned by the account holder does not necessarily prevent access to the account from being gained by a third party. In August last year, a Bitcoin investor had $150,000 of cryptocurrency stolen from his wallet after it was accessed by a third party. In that case, the investor’s second factor phone number had been re-routed to a device owned by the attacker after the phone company was duped.

Any second factor that uses the phone system of SMS messages provides an additional layer of protection, but it is not enough to protect against a determined skilled hacker.

Two Factor Authentication Flaws Discovered in Microsoft’s Active Directory Federation Services

A major two-factor authentication vulnerability was recently discovered by a security researcher at Okta. Okta, like many companies, uses Microsoft’s Active Directory Federation Services (ADFS) to provide multi-factor authentication.

Okta security researcher Andrew Lee discovered the system have a serious vulnerability that was not only straightforward to exploit, doing so would render an organization’s multi-factor authentication controls virtually useless.

Lee discovered that someone with a username, password, and a valid 2-factor token for one account could use the same token to gain access to any other account in the organization in AD with only a username and password. Any employee who is given an account and specified their own second factor could use it to access other accounts. Essentially the token was like a hotel room key card that opens all rooms in the hotel.

Obtaining another employee’s login credentials would only require a phishing campaign to be conducted. If an individual responded and disclosed their credentials, their account could be accessed without the need for a second factor.

The vulnerability in question, which was patched by Microsoft on August 14 in its August Patch Tuesday updates, was present in how ADFA communicates. When a user tries to login, an encrypted context log is sent by the server which contains the second factor token but not the username. This flaw could be exploited to fool the system into thinking the correct token had been supplied, as no check was made to determine whether the correct token had been supplied for a specific user’s account. As long as one valid username, password and 2FA token combo was owned, the 2FA system could be bypassed.

Two factor Authentication is Not a Silver Bullet

These two factor authentication flaws show that while 2-factor authentication is an important control to implement, businesses should not rely on the system to prevent unauthorized accessing of accounts. The two-factor authentication flaws discussed here are unlikely to be the last to be uncovered.

2-factor authentication should be just one element of an organization’s defenses against phishing and hacking, along with spam filters web filters, firewalls, intrusion detection systems, antivirus solutions, network segmentation, and employee security awareness training. 2FA should not be viewed as a silver bullet to prevent unauthorized account access.

Sextortion Phishing Emails Proving Lucrative for Scammers

A new sextortion phishing threat has been detected that is proving to have the desired effect. Many recipients of the emails have paid up to avoid being exposed.

On the face of it, this sextortion phishing scam is as simple as it gets. A threat actor claims to have taken control of the target’s computer and recorded them via their webcam while they were visiting an adult website. A threat is made to publicly release the video of them viewing pornography unless a payment is made.

For some recipients of such an email, such a threat would be enough to get them opening their Bitcoin wallet and making the payment without a second’s hesitation. Most people would likely see the email for what it really is. A scam and an empty threat.

However, a second variant of the email is being used that is a lot more personalized and includes a snippet of information to add credibility to the scam. The message includes the user’s password as ‘confirmation’ that it is not an empty threat. The attacker also claims, through compromising the target’s computer, to have obtained all the victim’s contacts including contacts in their social media accounts.

While the threat actor claims to have control of the user’s computer, that is not the case. The password has been obtained from a previous data breach and a list has likely been purchased on the darknet.

For many of the email recipients, the password will be old and will have been changed long ago. That may be enough in some cases to see payment made. However, for those who are still using that password, the threat may seem very real.

This is in reality a very simple scam that in many cases only works because despite the risk of failing to change passwords frequently, recycling old passwords, and reusing passwords on multiple sites, the practice is still commonplace.

It is not known how many emails have been sent by the scammers – most likely millions – but it only takes a handful of people to respond and make payment for the scheme to be profitable.

So far, at least 151 people have responded to the sextortion phishing scam and made a payment to one of 313 Bitcoin addresses known to be used by the scammers. So far, at least 30.08 BTC had been raised – Approximately $250,000 – from the scam as of July 26 and it has only been running for a few weeks. The researcher tracking the payments (SecGuru) pointed out that the attackers have made three times as much as the individuals behind the WannaCry ransomware attacks last year.

Even without the password, the sextortion phishing scam has proved effective. Payments have been made in both versions of the scam. The standard scam asks for a payment of a few hundred dollars, although the inclusion of a password sees the payment rise considerably. Some individuals have been told it will cost them $8,000 to prevent the release of the video. Some individuals have paid thousands to the scammers.

Given the widespread coverage of the scam, and its success rate, it is probable that many more similar schemes will be conducted. Variations along the same theme could direct recipients to a phishing website where they are enticed into disclosing their current password, to an exploit kit that downloads malware, or to another scam site.

Protecting against a scam such as this is easiest by using strong passwords, regularly changing them, and never reusing passwords on multiple sites. It is also worthwhile periodically checking to find out if their credentials have been exposed in a data breach on HaveIBeenPwned.com and immediately changing passwords if they have.

Anyone receiving a sextortion phishing email such as this should be aware that this is a scam. If the password included is currently being used, it is essential to change it immediately across all sites. And of course, set a strong, unique password for each account.

Why Are Email Account Compromises Soaring and How Can Email Accounts Be Protected?

The past year has seen a steady increase in the number of reported email account compromises, with the healthcare industry one of the main targets for hackers.

Some of those breaches have seen the protected health information of thousands of patients compromised, with the largest phishing attack in 2018 – The phishing attack on Boys Town National Research Hospital – seeing more than 105,000 patients’ healthcare information exposed. Due to reporting requirements under HIPAA, healthcare phishing attacks are highly visible, although email account compromises are occurring across all industry sectors and the problem is getting worse.

284% Increase in Email Account Compromises in a Year

The increase in successful phishing attacks has been tracked by Beazley, a provider of specialist insurance services. The company’s research shows the number of reported phishing attacks increased every quarter since Q1, 2017 when there were 45 reported breaches that involved email accounts being compromised. In Q2, 2018, there were 184 email account compromises reported. Between Q1, 2017 and Q1, 2018, the number of reported data breaches involving compromised email accounts increased by 284%.

Why are email account compromises increasing? What do hackers gain from accessing email accounts rather than say, gaining access to networks which store vast amounts of data?

It can take a significant amount of time and effort to identify a vulnerability such a missed patch, an exposed S3 bucket, or an unsecured medical device, and exploit it.

By comparison, gaining access to an email account is relatively easy. Once access is gained, accessing further email accounts becomes easier still. If a hacker can gain access to an email account with the right level of administrative privileges, it may be possible for the entire mail system of an organization to be accessed.

If a hacker can gain access to a single email account, the messages in the account can be studied to gain valuable information about a company, its employees, and vendors. The hackers can identify further targets within an organization for spear phishing campaigns – termed Business Email Compromise (BEC) attacks – and attacks on contractors and suppliers.

Once One Account is Breached, Others Will Follow

If an executive’s email account is compromised, it can be used to send requests for wire transfers to the accounts department, HR can be emailed requesting W2-Forms that contain all the information necessary for filing fake tax returns and for identity theft. Requests can be sent via email to redirect employees’ paychecks and phishing emails can be sent to other employees directing them to websites where they have to divulge their email credentials.

Figures from the FBI show just how lucrative these Business Email Compromise (BEC) phishing attacks can be. Since October 2013, more than $12.5 billion has been lost to BEC attacks, up from $5.3 billion in December 2016.

Once access to the email system is gained, it is much easier to craft highly convincing spear phishing emails. Past email conversations can be studied, and an individual’s style of writing emails can be copied to avoid raising any red flags.

Email Account Compromises Are Costly to Resolve

Beazley also notes that email account compromises are some of the costliest breaches to resolve, requiring many hours of painstaking work to manually checking each email in a compromised account for PII and PHI. One example provided involved a programmatic search of compromised email accounts to identify PHI, yet that search uncovered 350,000 documents that required a manual check. The cost of checking those documents alone was $800,000.

Beazley also notes that when investigating breaches, the breached entity often discovers that only half of the compromised email accounts have been identified. The data breaches are usually much more extensive than was initially thought.

Unfortunately, once access to a single email account is gained, it is much harder to prevent further email compromises as technological controls are not so effective at identifying emails sent from within a company. However, it is relatively easy to block the initial phishing attempt.

How to Prevent Email Account Compromises

Many companies fail to implement basic controls to block phishing attacks. Even when a phishing-related breach is experienced, companies often remain susceptible to further breaches. The Ponemon Institute/IBM Security Cost of a Data Breach study showed there is a 27.9% probability of a company experiencing a further breach in the 24 months following a data breach.

To prevent phishing attacks, companies need to:

  • Deploy an advanced spam filtering solution that blocks the vast majority of malicious messages
  • Provide ongoing security awareness training to all staff and teach employees how to identify phishing emails
  • Conduct regular phishing simulation exercises to reinforce training and condition employees to be more security aware
  • Implement two-factor authentication to prevent attempts to access email accounts remotely
  • Implement a web filter as an additional control to block the accessing of phishing websites
  • Use strong, unique passwords or passphrases to make brute force and dictionary attacks harder
  • Limit or prevent third party applications from connecting to Office 365 accounts, which makes it harder for PowerShell to be used to access email accounts for reconnaissance.

1.4 Million Patients Potentially Affected by UnityPoint Health Phishing Attack

In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.

UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.

That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.

The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.

The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.

A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.

The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts – Information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.

This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.

The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identify theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.

As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.

Cosco Ransomware Attack Affects Americas Arm of Shipping Firm

One of the world’s biggest shipping firms – Cosco – has experienced a ransomware attack that has seen its local email system and network telephone in the Americas taken out of action as the result of widespread file encryption.

The Cosco ransomware attack is believed to have been contained in the Americas region. As a precaution and to prevent further spread to other systems, connections to all other regions have been disabled pending a full investigation. A warning has also been issued to all other regions warning of the threat of attack by email, with the firm telling its staff not to open any suspicious email communications. IT staff in other regions have also been advised to conduct scans of their network with antivirus software as a precaution.

The attack started on Tuesday, July 24, and its IT infrastructure remains down; however, the firm has confirmed that that attack has not affected any of its vessels which continue to operate as normal. Its main business systems are still operational, although the operators of terminals at some U.S ports are experiencing delays processing documentation and delivery orders.

It would appear that the Cosco ransomware attack is nowhere near the scale of the attack on the world’s biggest shipping firm A.P. Møller-Maersk, which like many other firms, fell victim to the NotPetya attacks last year. In that case, while the malware appeared to be ransomware, it was actually a wiper with no chance of file recovery.

The attack, which affected more than 45,000 endpoints and 4,000 servers, is estimated to have cost the shipping company between $250 million and $350 million to resolve. All servers and endpoints needed to be rebuilt, and the firm was crippled for 10 days. In that case, the attack was possible due to an unpatched vulnerability.

Another major ransomware attack was reported last week in the United States. LabCorp, one of the leading networks of clinical testing laboratories in the United States, experienced a ransomware attack involving a suspected variant of SamSam ransomware.  While the variant of ransomware has not been confirmed, LabCorp did confirm the ransomware was installed as a result of a brute force attack on Remote Desktop Protocol (RDP).

Labcorp was both quick to detect the attack and contain it, responding within 50 minutes, although 7,000 systems and 1,900 servers are understood to have been affected. It has taken several days for the systems to be brought back online, during which time customers have been experiencing delays obtaining their lab test results.

Several cybersecurity firms have reported that ransomware attacks are in decline, with cryptocurrency mining offering better rewards, although the threat from ransomware is still ever present and attacks are occurring through a variety of attack vectors – exploitation of vulnerabilities, brute force attacks, exploit kit downloads, and, commonly, through spam and phishing emails.

To protect against ransomware attacks, companies must ensure security best practices are followed. Patches must be applied promptly on all networks, endpoints, applications, and databases, spam filtering software should be used to prevent malicious messages from reaching inboxes, web filters used to prevent downloads of ransomware from malicious websites, and all staff should receive ongoing cybersecurity awareness training.

Additionally, systems should be implemented to detect anomalies such as excessing file renaming, and networks should be segmented to prevent lateral movement in the event that ransomware is deployed.

Naturally, it is also essential that data are backed up regularly to ensure recovery is possible without having to resort to paying the ransom demand. As the NotPetya attacks showed, paying a ransom to recover files may not be an option.

Phishing Attacks on National Bank of Blacksburg Result in $2.4 Million Loss

The National Bank of Blacksburg in Virginia has discovered just how important it is to have effective controls in place to protect against phishing. The bank suffered two costly phishing attacks in the space of eight months that have resulted in losses exceeding $2.4 million.

Phishing is the leading tactic used by cybercriminals to gain access to login credentials, steal data, and install malware. Emails are sent to employees with malicious attachments, which if opened, result in the installation of malware. Alternatively, links are sent in emails that direct employees to fraudulent websites where they are fooled into disclosing their login credentials.

The first attack on Blacksburg Bank took place on May 28, 2016. Malware was installed on its systems which gave the attackers access to the STAR Network – The system that manages debit card ATM activity. After gaining access to the STAR Network, the hackers were able to change account balances, remove security measures such as anti-theft and anti-fraud protections, conduct keystroke logging, and authorize withdrawals from customers’ accounts via ATMs.

In the two days that the hackers had access to the system, they were able to make withdrawals at hundreds of ATMs across the country and stole $569,648.24 from customers’ accounts. This was possible without stealing customers cards or using skimmers to create fake bank cards.

The malware was detected on May 30, 2016 and the attack was investigated by the computer forensics firm Foregenix which determined that the malware was installed as a result of an employee being duped by a phishing email.

Eight months later, on January 7, 2017, a similar attack occurred which involved cybercriminals gaining access to the STAR Network. Similarly, access was possible for two days, although in this case approximately $1.8 million was withdrawn from customers’ accounts. Verizon investigated the breach and concluded that access was gained as a result of an employee falling for a phishing scam.

The National Bank of Blacksburg holds an insurance policy against cyberattacks although its insurer, Everest National Insurance Company, has refused to cover the losses. Blacksburg is now suing its insurer for breach of contract.

What these incidents show is just how easy it is for major losses to be suffered as a result of employees falling for phishing scams and the importance of having robust anti-phishing measures in place.

There is no single solution that will provide total protection against phishing, although a good place to start is with an advanced spam filtering solution such as SpamTitan.

SpamTitan uses dual antivirus engines (Bitdefender and ClamAV) that provides superior protection against phishing and block emails containing malware and malware downloaders. The solution performs multiple checks on each incoming email to determine whether it is genuine, spam, or malicious, including standard checks of email headers, a Bayesian analysis on message content, and greylisting. Together, these controls ensure 99.97% of spam emails are detected and blocked, with a false positive rate of just 0.03%. Independent tests at Virus Bulletin have confirmed a 100% malware detection rate.

No anti-spam solution will block 100% of all spam and phishing emails so it is essential for employees to be trained how to recognize phishing emails. While it was once a best practice to provide annual training, with the volume of phishing emails now being sent and the increased sophistication of attacks, an annual training session is no longer sufficient.

Training needs to be ongoing, with regular training sessions scheduled throughout the year and employees conditioned through phishing simulation exercises. With effective spam filtering and employee security awareness training, the majority of phishing attempts can be thwarted.

Average Data Breach Mitigation Costs Now $3.86 Million

In 2017, data breach mitigation costs fell year-on year; however, that appears to be a blip. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute (on behalf of IBM Security) has revealed data breach mitigation costs have risen once again.

The Ponemon Institute conducts the Cost of a Data Breach Study every year. For the 2018 study, the Ponemon Institute conducted interviews with 2,200 IT, data security, and compliance professionals from 477 companies in 15 countries, including the United States, United Kingdom, Germany, France, Canada, Brazil, Japan and Australia. The companies represented in the study came from a wide range of industry sectors. Each of those companies had experienced a data breach in the past 12 months.

Naturally, the larger the breach, the higher the cost of mitigation is likely to be. Breaches involving millions of records would naturally cost more to resolve than breaches of 50,000 records. Catastrophic data breaches – those involving millions of records – are not normally included in the study. This year was the first time that mega data breaches – those involving more than 1,000,000 records – were included, although they were treated separately.

The analysis of the main part of the study involved breaches ranging from 2,500 records to a little over 100,000 records. The average breach size was 24,615 records globally, 31,465 records in the United States, 22,800 records in the UK, and 19,200 records in Japan.

The costs associated with those data breaches was analyzed using the activity-based costing (ABC) methodology. The ABC methodology identified four process-related activities and assigned costs based on actual use. Those activities were Detection and Escalation, Post Data Breach Response, Breach Notifications, and Lost Business Cost. The analysis identified the average total cost of a data breach taking all four activity areas into account.

The study also revealed measures taken prior to the breach, during, and after, that can limit losses or increase data breach mitigation costs.

Average Data Breach Mitigation Costs Have Reached $3.86 Million

A data breach now costs an average of $3.86 million to revolve. Last year, the average cost of a data breach was $3.62 million. Data breach costs have therefore increased by 6.4% in the space of a year.

On average, per capita data breach mitigation costs rose by 4.8%, with a data breach costing, on average, $148 per record. Last year, the global average was $141 per record.

In addition to the rising cost, the severity of the breaches also increased, with the data breaches in this year’s sample impacting 2.2% more individuals on average.

Data breaches cost more to resolve in the United States than any other country. The average data breach mitigation costs in the United States is $7.91 million per breach. The lowest costs were in India, where the average breach cost was $1.77 million. The highest per capita costs were also in the United States at £233 per record.

Hackers and malicious insiders caused the most breaches and they were also the costliest to resolve at $157 per record. System glitches cost an average of £131 per record and breaches caused by human error cost the least at $128 per record.

Data breach costs varied considerably by industry sector, with healthcare data breach mitigation costs the highest by some distance at an average of $408 per record, followed by financial services breaches at $206 per record, services at $181 per record, and pharmaceutical industry breaches at $174 per record. Breaches in the education sector cost an average of $166 per record, retail industry breaches were $116 per record, and the lowest data breach mitigation costs were in the public sector at $75 per record.

The study of mega data breaches revealed a breach of 1 million records costs an estimated $39.49 million to resolve, while a breach of 50 million records costs an estimated $350 million. Since there were only 11 breaches of more than 1 million records in the sample it was not possible to accurately calculate the average cost of these breaches.

What Factors Affect Data Breach Mitigation Costs the Most?

For the study, 22 different factors were assessed to determine how they affected data breach mitigation costs. The most important cost saving measures that can be taken to reduce the cost of a data breach are having an incident response team ($14 less per record), widespread use of encryption ($13.1 less per record), BCM involvement ($9.3 less per record), employee training ($9.3 less per record), participation in threat sharing ($8.7 less per record) and use of an artificial intelligence platform ($8.2 less per record).

The main factors that increased data breach mitigation costs were third party involvement ($13.4 more per record), extensive cloud migration at the time of the breach ($11.9 more per record), compliance failures ($11.9 more per record), extensive use of mobile platforms ($10.0 more per record), lost or stolen devices ($6.5 more per record), and extensive use of IoT devices ($5.4 more per record).

With the cost of data breaches rising, more cyberattacks being conducted, and the likelihood of a breach being experienced now higher, it is essential not only for companies to implement layered security defenses, but also to make sure they are prepared for the worst.

Companies need to assume a breach will be experienced and policies and procedures need to be developed to deal with the breach when it happens. An incident response team should be prepared to spring into action to ensure everyone known what needs to be done when disaster strikes. The sooner a breach is identified and mitigated, the lower the breach mitigation costs will be.