Reports of Internet users that have been caught out by email scams continue to increase. Whether it is drivers being told to pay speeding fines via a link on an email, or Facebook users being advised that they have violated the terms of their account, innocent victims continue to be ripped off by cybercriminals using email scams.
Business email compromise scams are also reported to have increased. These email scams involve the cybercriminal gaining access to a corporate email account – such as that of the CEO. An email is then sent apparently from the CEO to a member of the finance department requesting a bank transfer to the cybercriminal´s account. All too often the transfer is made without question.
Many email scams attempt to extract log-in credentials by asking the recipient of the email to log into an account to resolve an issue. The email contains a link to a bogus website, where the recipient keys in their username and password. In the case of the Facebook email scam, this gives the cybercriminal access to the recipient´s genuine account and all their social media contacts.
Many individuals use similar username and password combinations for multiple accounts and a cybercriminal could get the individual´s log-in credentials to all their online accounts (personal and work accounts) from just one scam email. Alternatively they could use the log-in credentials to infect the user´s accounts with malware.
To protect against email scams, security experts advise if you are contacted by email and asked to click a link, pay a fine, or open an attachment, assume it is a scam. Try to contact the individual sender or company supposed to have sent the email to confirm its authenticity. Do not use the contact information supplied in the email. Perform an Internet search to independently obtain the sender´s genuine contact details.
Other measures that can be taken to protect yourself from email scams include:
- Carefully check the sender’s email. Does it look like it is genuine?
- Never open email attachments from someone you do not know
- If you receive an email offering you a prize or refund, stay safe and delete the email
- Ensure anti-virus software is installed on your computer and is up to date.
Teleconferencing applications have been invaluable during the coronavirus pandemic. They have helped businesses continue to operate during extremely challenging times and have helped support a largely remote workforce.
Platforms such as Zoom, Skype, and Microsoft Teams saw user numbers skyrocket as national lockdowns were imposed and the high usage has continued as lockdowns have eased. The popularity of these platforms has not been missed by cybercriminals, who have devised many phishing campaigns targeting users of these platforms.
The platforms are used as instant messaging services by many workers who are keen to show that they are working hard while at home, so when a message arrives in an inbox informing them they have people trying to connect, they have missed a meeting, or there is a problem with their account, they are likely to reply quickly, often without thinking about the legitimacy of the request.
At first glance these emails appear to be genuine. The request is credible, the images and logos are legitimate, but closer inspection should reveal the messages are not what they seems.
Microsoft Teams Phishing Scams
One of the latest phishing campaigns to spoof a teleconferencing platform targets Office 365 users by spoofing Microsoft Teams. The messages advise the recipient that “There’s new activity in Teams,” and “Your teammates are trying to reach you in Microsoft Teams.” The email claims messages are waiting, and it is necessary to “Reply in Teams” to connect.
Clicking the link will direct the user to a web page that requires them to login to their Microsoft account. Everything on the page is how it should be, as the spoofed login page has been copied from Microsoft. However, close inspection of the URL will reveal a typo. The URL starts with microsftteams to make the web page appear genuine at first glance, but the full URL shows this is not a Microsoft domain. If the user enters their credentials they will be captured and used by the scammers to access the user’s account.
This is far from the only phishing scam to target Microsoft Teams users to obtain Microsoft Office credentials. Several Microsoft Teams phishing scams have attempted to obtain credentials using missed messages from teammates and other plausible lures.
Microsoft Office credentials are extremely valuable to scammers. Accounts can be used to gain access to email data, send further phishing emails, access intellectual property, and can be used as a launchpad for further attacks on the organization. The credentials can also be sold to other cybercriminals.
Similar scams have targeted users of other platforms such as Skype and Zoom. Users of the latter were targeted in one campaign that claimed a meeting was cancelled due to the pandemic, using subject lines such as “Meeting Canceled – Could we do a Zoom call.” A link is included in the email to initiate a call, with the destination site similarly harvesting credentials.
How to Avoid Teleconferencing Platform Phishing Scams
As with other forms of phishing scams, employees need to be vigilant. The emails create a sense of urgency and there is often a “threat” of bad consequences if no action is taken, but it is important to stop and think before responding to a message and to take time to check the email carefully.
You should not open any email attachments or click links in unsolicited emails, especially messages sent from unknown email addresses. Even if the email address appears genuine, take care. Access the teleconferencing platform using your normal login method, never using the links in the emails.
Businesses can protect their remote workers by implementing an advanced spam filtering solution such as SpamTitan to block these emails at source and ensure they are not delivered to their remote workers’ inboxes. A web filtering solution such as WebTitan is also advisable, as it will block attempts to visit malicious websites used to phish for credentials.
For further information on spam filtering and web filtering to protect your business, give the TitanHQ team a call today. Both solutions are available on a free trial – with full product support – to allow you to evaluate their effectiveness before making a decision.
Businesses in the United Kingdom are being targeted by scammers impersonating Her Majesty’s Revenue and Customs. There have been several campaigns identified over the past weeks that are taking advantage of the measures put in place by the UK government to help businesses through the COVID-19 pandemic and the forced lockdowns that have prevented businesses from operating or have forced them to massively scale back operations.
The HMRC scams have been numerous and diverse, targeting businesses, the self-employed, furloughed workers and others via email, telephone, and SMS messages. Some of the scams involve threats of arrest and jail time due to the underpayment of tax, demanding payment over the phone to avoid court action or arrest.
One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a third-party hacked email account. The email advised recipients that they were due a tax refund from HMRC. A link is supplied in the email that the recipient is required to click to receive their refund. In order to apply to receive the refund the user must enter sensitive information into the website, which is captured by the scammers.
Another campaign has been identified that spoofs HMRC and similarly seeks sensitive information such as bank account and email credentials. In response to the COVID-19 pandemic, the UK government launched a scheme to help businesses by allowing them to defer their VAT payments between March and June 2020, until June 2021 to help ease the financial burden of the nationwide lockdown. Many businesses took advantage of the scheme and applied to have their Value Added Tax (VAT) payments deferred.
The campaign uses emails that spoof HMRC and inform businesses that their application to have their VAT payments deferred has been rejected as the company is in arrears. The emails include an attachment with further information and a report on their application. The document is password protected and the password is supplied in the email to allow the file to be opened.
A hyperlink is supplied which must be clicked which directs the user to a website where they are asked to enter sensitive information such as their bank account details and email address and password, which are captured by the scammers.
COVID-19 has presented scammers with a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are credible, the messages are well written, and the scammers have gone to lengths to make their phishing websites look like the entities they spoof.
Businesses should be on high alert and be particularly vigilant for phishing scams. They should advise their employees to take extra care with any request that requires the disclosure of sensitive information.
Technical controls should also be considered to block phishing emails at source and prevent visits to malicious websites. That is an area where TitanHQ can help. TitanHQ offers two anti-phishing solutions for businesses and MSPs to help them block phishing attacks: SpamTitan and WebTitan.
SpamTitan is a powerful email security solution that blocks phishing emails at source, preventing malicious messages from reaching inboxes. WebTitan is a DNS filtering solution that is used to control the websites that can be accessed over wired and wireless networks, blocking access to web pages that are used for phishing and malware delivery.
Both solutions are available on a free trial to allow you to evaluate their effectiveness before deciding on a purchase. Further information on the solutions, their benefits, and pricing can be obtained by calling the TitanHQ team.
Even though there are easy ways to identify a phishing email, many employees are fooled by these scams. Phishing attacks involve the use of social engineering to convince the target to take a certain action, such as opening an email attachment that has a malicious script that downloads malware or visiting a website that requires sensitive information to be entered. These scams can be convincing, the reason supplied for taking a particular action is often credible, and any linked website can be difficult to distinguish from the site it impersonates.
Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.
How to Identify a Phishing Email
Phishing emails can take many forms and there is a myriad of lures that are used to fool the unwary, but there are tell-tale signs that an email may not be what it seems. By checking certain elements of an email, you will be able to identify all but the most sophisticated phishing attempts. It only takes a few seconds to perform these checks and that time will be well spent as they will help you identify a phishing email and prevent costly data breaches and malware infections.
Check the true sender of the email
This seems an obvious check but spoofing the sender of an email is one of the most common ways that phishers fool people into responding. The display name is spoofed to make it appear that the email has been sent from a trusted contact. The display name may be PayPal, Netflix, the name of your bank, or your boss or a colleague. However, the actual email address is likely to be from a free email service provider such as @gmail.com or @yahoo.co.uk.
Hover your mouse arrow over the display name or click reply and check the actual sender of the email. The domain name (the bit after @) should match the display name and that domain should be one that is used by the company that appears to have sent you the email. Beware of hyphenated domains such as support-netflix.com. These are unlikely to be genuine.
Check for grammatical errors and spelling mistakes
Read the email carefully. Are there spelling mistakes or grammatical errors? Does the wording seem odd, as if it has not been written by a native English speaker? Scammers are often from non-English speaking countries and may use Google translate to create their emails, which is why the wording may seem a little odd.
Before Google, Netflix, or your bank sends an email, it will be subject to proof checking. Mistakes will be made on occasion by they are exceedingly rare. Some phishing scams deliberately include spelling mistakes and poorly written emails to weed out people who are unlikely to fall for the next stage of the scam. If you fall for the email, it is likely that you can be fooled by the next stage of the attack.
Phishing emails are often addressed in a way that makes it clear that the sender does not know your name. “Dear customer” for example. Most companies will use your name in genuine email communications.
Phishers use urgency and a “threat” if no action is taken
Phishers want you to take action quickly rather than stop and think about the legitimacy of any request. It is common for a request to be made that needs immediate action to prevent something undesirable from happening.
For example, someone has tried to login to your account and you need to take immediate action to secure your account. Something has happened that will result in your account being closed. A payment has been made from your account for something that you have not purchased, and you need to take action to stop that payment from going through. Phishers use fear, urgency, and threats to get prompt action taken and count on people acting quickly without thinking or carefully checking the email. Spending an extra 30 seconds checking an email will not make any difference to the outcome, but it can prevent you from being fooled by a scam.
Check the true destination of any link in the email
Most phishing attacks seek sensitive information such as login credentials. For these to be obtained, you will most likely be directed to a website where you must enter login credentials, financial information, and personal details to verify your identity. Emails are often written in HTML and include a button to click that directs you to a website.
You should check the true URL before clicking. Hover your mouse arrow over any button to find out where you are being directed and make sure the URL matches the context of the message and uses an official domain name of the company referenced in the email. The same applies to the anchor text of a link – the text that is displayed in a clickable link. Make sure you perform the same check on any link before clicking.
On a mobile device this is even more important, as the small screen size means it is not always possible to display the full URL. The visible part of the URL may look like it is genuine, but when viewing the full URL you will see that it is not. Just press on the URL and keep pressing until the link is displayed.
Beware of email attachments
Email attachments are used in phishing scams for distributing malware and for hiding content from spam filters. Hyperlinks are put in an attachment rather than the message body to fool security solutions, and scripts are used in email attachments that may run automatically when the attachment is opened.
If you are sent an unsolicited email that includes an attachment, treat it as suspicious and try to verify the email is legitimate. If the email has been sent by a colleague, give them a quick call to make sure they actually sent the email, even if the sender check was passed. Someone may have compromised their account. Do not use any contact information supplied in the email, as it is likely to be incorrect.
Only open email attachments that you are confident are genuine, and then never “enable content” as this will grant a macro or other malicious script permission to run.
Anti-Phishing Solutions for Businesses
TitanHQ has developed two powerful anti-phishing solutions to help businesses block phishing and other email and web-based cyberattacks. SpamTitan is an advanced email security solution that has been independently verified as blocking 99.97% of spam and phishing emails and is used by thousands of businesses to keep their inboxes free of threats.
SpamTitan performs a myriad of checks to determine the likelihood of an email being malicious, including RBL checks, Bayesian analysis, heuristics, machine learning techniques to identify zero-day threats, and sender policy frameworks to block email impersonation attacks. Dual antivirus engines are used to detect known malware and sandboxing is used to analyze suspicious email attachments safely to check for malicious actions.
WebTitan is a DNS filtering solution that blocks the web-based component of phishing attacks by preventing employees visiting known malicious websites, suspicious sites. WebTitan also blocks malware downloads.
Both solutions are competitively priced, easy to implement and use, and provide protection against the full range of email and web-based threats. For further information on improving protection from phishing attacks and other cyber threats, give the TitanHQ team a call. Alternatively, you can register for a no obligation free trial of both solutions to evaluate them in your own environment.
Several SBA loan phishing scams identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.
Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.
Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.
Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.
Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.
Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.
The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.
In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails links to a cleverly spoofed SBA web page that indistinguishable from the genuine login page apart from the URL that attempts to steal credentials. The scam prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.
These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.
First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.
Dual antivirus engines detect 100% of known malware and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.
Prior to opening any downloaded document or file it should be scanned using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.
Care should be taken opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive information.
Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are genuine. Always carefully check the sender of the email – Genuine SBA accounts end with sba.gov. The display name can easily be spoofed so click reply and carefully check the email address is correct. Care should be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is the legitimate domain.
CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real-time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by employees.
For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.
A new phishing campaign has been identified that targets remote workers that will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that prior to returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.
This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training. The emails include the Office 365 logo and are short and to the point.
They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”
The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”
Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.
This campaign, like many others to have emerged over the past few weeks, closely follow world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, incorporation was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.
Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about Free school dinners over the summer, now that the UK government has said that it will be providing support to parents.
There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. This campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.
What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, that are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard and be alert to the threat from phishing and always take time to consider the legitimacy of any request and to perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.
Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.
A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.
iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.
Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.
As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.
If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.
The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.
There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website are suspect, the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.
These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.
As the COVID-19 pandemic has clearly shown, cybercriminals are quick to adapt their phishing and malware campaigns in response to global and local events. New lures are constantly developed to maximize the probability of success.
In the early stages of the pandemic, when very little was known about SARS-CoV-2 and COVID-19, there was huge public concern and cybercriminals took advantage. The threat actors behind TrickBot malware, one of the most dangerous malware threats, regularly change their lures in response to newsworthy events to increase the probability of emails and attachments being opened. The TrickBot gang adopted COVID-19 and coronavirus themed lures when the virus started to spread globally and there was a huge craving for knowledge about the virus and local cases.
It is therefore no surprise to see the TrickBot operators adopt a new lure related to Black Lives Matter. There were huge protests in the United States following the death of George Floyd at the hands of a police officer, and those protests have spread globally. In several countries the headlines have been dominated by stories about Black Lives Matter protests and counter protests, and the public mood has presented another opportunity for the gang.
The latest TrickBot email campaign uses a subject line of “Leave a review confidentially about Black Lives Matter,” which has been crafted to appeal to individuals both for and against the protests. The emails contain a Word document attachment named e-vote_form_3438.doc, although several variations along this theme are likely.
The emails request the user open and complete the form in the document to submit their anonymous feedback. The Word document includes a macro which users are requested to enable to allow their feedback to be provided. Doing so will trigger the macro which will download a malicious DLL, which installs the TrickBot Trojan.
TrickBot is first and foremost a banking Trojan but is modular and frequently updated with new functions. The malware collects a range of sensitive information, can exfiltrate files, can move laterally, and also download other malware variants. TrickBot has been extensively used to download Ryuk ransomware as a secondary payload when the TrickBot gang has achieved their initial objective.
The lures used in phishing and malspam emails frequently change, but malspam emails distribute the same threats. Security awareness training can help to improve resilience to phishing threats by conditioning employees how to respond to unsolicited emails. Making employees aware of the latest tactics, techniques, procedures, and social engineering tactics being used to spread malware will help them to identify threats that land in their inboxes.
Regardless of the ruse used to get users to click, the best defense against these attacks is to ensure that your technical defenses are up to scratch and malware and malicious scripts are identified as such and are blocked and never reach end users’ inboxes. That is an area where TitanHQ can help.
SpamTitan Cloud is a powerful email security solution that provides protection against all email threats. Dual antivirus engines block all known malware threats, while predictive technologies and sandboxing provides protection against zero-day malware and phishing threats. No matter what email system you use, SpamTitan adds an important extra layer of security to block threats before they reach inboxes.
For further information on how you can improve protection and block phishing, spear phishing, email impersonation, and malware and ransomware threats, give the TitanHQ team a call today.
A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that has been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.
The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.
The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.
Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.
Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.
By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.
The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.
The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.
With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.
This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.
For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.
Two new phishing campaigns have been identified targeting remote workers. One campaign impersonates LogMeIn and the other exploits the COVID-19 pandemic to deliver a legitimate remote administration tool that allows attackers to take full control of a user’s device.
LogMeIn Spoofed to Steal Credentials
Remote workers are being targeted in a phishing campaign that spoofs LogMeIn, a popular cloud-based connectivity service used for remote IT management and collaboration. The emails claim a new update has been released for LogMeIn, with the messages appearing to have been sent by the legitimate LogMeIn Auto-Mailer. The emails include the LogMeIn logo and claim a new security update has been released to fix a new zero-day vulnerability that affects LogMeIn Central and LogMeIn Pro.
A link is supplied in the email that appears to direct the recipient to the accounts.logme.in website and a warning is provided to add urgency to get the user to take immediate action. The email threatens subscription of the service will be suspended if the update is not applied.
The anchor text used in the email masks the true site where the user will be directed. If clicked, the user will be directed to a convincing spoofed LogMeIn URL where credentials are harvested.
There has been an increase in phishing attacks spoofing remote working tools in recent weeks such as LogMeIn, Microsoft Teams, Zoom, GoToMeeting, and Google Meet. Any request sent by email to update security software or take other urgent actions should be treated as suspicious. Always visit the official website by entering the URL into the address bar or use your standard bookmarks. Never use information provided in the email. If the security update is genuine, you will be advised about it when you login.
NetSupport Remote Administration Tool Used to Take Control of Remote Workers’ Laptops
A large-scale phishing campaign has been detected that uses malicious Excel attachments to deliver a legitimate remote access tool that is used by the attackers to take control of a victim’s computer.
The emails used in this campaign appear to have been sent from the Johns Hopkins Center and claim to provide a daily update on COVID-19 deaths in the United States. The Excel file attached to the email – covid_usa_nyt_8072.xls – displays graph taken from the New York Times detailing COVID-19 cases and when opened the user is encouraged to enable content. The Excel file contains a malicious Excel 4.0 macro that downloads a NetSupport Manager client from a remote website if content is enabled, and the client will be automatically executed.
The NetSupport RAT delivered in this campaign drops additional components, including executable files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Once installed it will connect with its C2 server, allowing the attacker to send further commands.
Block Phishing Attacks and Malware with SpamTitan and WebTitan Cloud
The key to blocking phishing attacks is to implement layered anti-phishing defenses. SpamTitan serves as an additional layer of protection for email that works in tandem with the security anti-spam measures implemented by Google with G-Suite and Microsoft with Office 365 to provide a greater level of protection, especially against sophisticated attacks and zero-day threats. SpamTitan itself includes multiple layers of security to block threats, including dual anti-virus engines, sandboxing, DMARC, and predictive technologies to identify never-before-seen phishing and malware threats.
WebTitan Cloud serves as an additional layer of protection to protect against the web-based component of phishing attacks, with time-of-click protection to block attempts by employees to visit phishing websites linked in emails and redirects to malicious websites during general web browsing. WebTitan works in tandem with email security solutions to increase protection for employees regardless where they access the internet and allows different policies to be set when they are on and off the network.
For further information on these powerful cybersecurity solutions give the TitanHQ a team a call today to book a product demonstration and to receive assistance getting set up for a free trial of the full products.
Zoom has proven to be hugely popular during the COVID-19 pandemic. The teleconferencing platform has allowed businesses to keep in touch with their employees during lockdown and many consumers are using the platform to keep in touch with friends and family. The popularity of the platform has not been missed by cybercriminals who are now using a range of Zoom-themed lures to trick people into downloading malware.
Any software solution that has been widely adopted is an attractive target for cybercriminals. The large number of users of the platform mean there is a high likelihood of a Zoom phishing email reaching someone who has previously used the solution. In December, there were around 10 million Zoom users worldwide and by March 2020 that number had increased to more than 200 million.
According to research from Check Point, more than 2,449 domains have been registered in the past three weeks that contain the word Zoom, 320 (13%) of which were identified as suspicious and 32 (1.5%) were confirmed as malicious. Many of these domains are likely to be used in Zoom phishing scams.
The Zoom phishing emails mimic genuine notification messages from Zoom and contain hyperlinks that the user is asked to click. The lures mostly consist of fake meeting reminders and notifications about missed scheduled meetings. The hyperlinks used in the emails often include the word Zoom to make it appear that the user is being directed to a genuine Zoom website.
In April, a Zoom phishing campaign was identified that used fake meeting reminders to alert users that they are required to take part in a Zoom meeting with their HR department regarding the termination of their employment. The link supplied in the email directs the user to a spoofed Zoom website on an attacker-controlled domain where their credentials are harvested.
Another Zoom phishing campaign has been identified that uses the subject line “Zoom Account” with the emails welcoming the user to the Zoom platform. The emails include a link that the user is asked to click to login to activate their account. Doing so will result in Zoom credentials being stolen.
One of the most recent campaigns warns the recipient they have missed a meeting and must login to their account to obtain the recording. In this case, Zoom is spoofed but the attackers seek Microsoft credentials, which can be used to obtain a wealth of sensitive data. With those credentials the attackers can take full control of Office 365 email accounts, which are used to conduct further phishing attacks on the organization.
Zoom is not the only teleconferencing platform being spoofed to steal credentials and distribute malware. Campaigns have also been identified recently that spoof WebEx, Microsoft Teams, Google Meet, and other platforms.
Protecting against these Zoom phishing scams requires a combination of an advanced antispam solution such as SpamTitan and end user education to train employees how to recognize phishing emails.
A new report has been released that sheds light on the most common phishing lures that are currently in use that are providing effective against employees. KnowBe4 has revealed that in the first quarter of 2020, the most common phishing lure was a notification advising the recipient that they need to immediately perform a password check. This lure accounted for 45% of all reported phishing emails in the quarter. The lure is simple yet effective. A hyperlink is included in the email that directs the user to a spoofed webpage where they are required to enter their password for Office 365.
The COVID-19 crisis has provided phishers with new opportunities to steal passwords and distribute malware. At TitanHQ, we have seen a huge variety of COVID-19 themed phishing emails, many of which spoof authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). The emails claim to offer important information on the coronavirus and updates on cases. SpamTitan has been blocking increasing levels of these coronavirus emails over the past few weeks so it is no surprise to see a COVID-19 phishing lure in second place, which had the subject line: CDC Health Alert Network: Coronavirus Outbreak Cases.
Other common COVID-19 themed phishing emails include messages about rescheduled meetings due to the coronavirus, COVID-19 tax refunds, information from the IT department about working from home, and offers of confidential information about COVID-19. The report indicates there was a 600% increase in COVID-19 phishing lures in Q1, 2020.
COVID-19 had been embraced by cybercriminals and used in phishing campaigns because the emails commonly attract a click. People are naturally worried about the pandemic and crave information that they can use to protect themselves and their families. The campaigns prey on fears about the coronavirus and use urgency to get recipients to click without questioning the legitimacy of the email.
SpamTitan and WebTitan users are well protected against these phishing threats. Early in the year, just a handful of malicious COVID-19 phishing websites were being used for phishing and malware distribution. Now, SpamTitan and WebTitan are blocking tens of thousands of COVID-19 themed websites that are being used to spread malware and steal sensitive information.
SpamTitan incorporates dual antivirus engines to block known malware threats and sandboxing provides protection against malware variants that have yet to be identified. Suspicious email attachments that have not been detected as malicious by the antivirus engines are sent to the sandbox for in depth analysis. SpamTitan also incorporates SPF and DMARC to block email impersonation attacks, and a host of measures are used to assess the legitimacy of emails and embedded hyperlinks.
The key to good cybersecurity is to implement several layers of security. In addition to an advanced spam filtering solution such as SpamTitan you should consider implementing a DNS-based web filtering solution such as WebTitan to block the web-based component of phishing attacks. WebTitan provides comprehensive internet filtering to ensure that office-based employees and remote workers cannot navigate to websites used for phishing and malware distribution.
If you want to make sure that your workers, their devices, and your network are protected against malware, ransomware, and phishing attacks, give us a call today. SpamTitan and WebTitan can be implemented and configured in a matter of minutes and providing protection against email and web-based threats.
A new phishing campaign has been identified that uses the Microsoft Sway file sharing service as part of a three-stage attack with the goal of obtaining the Office 365 credentials of high-level executives.
Group IB researchers identified the campaign and named it PerSwaysion, although versions of the attack have been identified that have used OneNote and SharePoint. The campaign is highly targeted and has been conducted on high-level executives at more than 150 companies. The individuals behind the campaign are believed to operate out of Nigeria and South Africa, with the earliest traces of the attacks indicating the campaign has been running since around the middle of last year.
The PerSwaysion attack starts with a spear phishing email sent to an executive in the targeted organization. The phishing emails include a PDF file attachment with no malicious code embedded. The PDF file just includes a link that the user is required to click to view the content of the file. The link directs the user to file on a Microsoft Sway page, which also requires them to click a link to view the content. Microsoft Sway allows the previewing of the document and displays the content without the user having to open the document. The document states the name of the sender – a known contact – and that individual’s email address with the message that a file has been shared for review along with a hyperlink with the text ‘Read Now’. Clicking the link directs the user to a phishing page with an Office 365 Single Sign-on login prompt.
The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page are all branded with Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into disclosing their credentials.
Once credentials have been obtained, they are used the same day to access the Office 365 account, email data is copied from the account, and it is then used to send further spear phishing emails to individuals in the victim’s contact list. The sent emails are then deleted from the victim’s sent folder to ensure the attack is not detected by the victim.
The emails include the sender’s name in the subject line, and since they have come from the account of a known contact, they are more likely to be opened. The lure used is simple yet effective, asking the recipient to open and review the shared document.
Many of the attacks have been conducted on individuals at companies in the financial services sector, although law firms and real estate companies have also been attacked. The majority of attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.
It is possible that the attackers continue to access the compromised emails accounts to steal sensitive data. Since the campaign targets high level executives, the email accounts are likely to contain valuable intellectual property. They could also be used for BEC scams to trick employees into making fraudulent wire transfers.
The lockdown imposed due to COVID-19 has forced employees to abandon the office and work from home, with contact maintained using communications solutions such as Skype, Slack, and Zoom. Unsurprisingly the huge increase in use of these platforms has created an opportunity for cybercriminals, who are using fake notifications from these and other communication and teleconferencing platforms as lures in phishing campaigns on remote workers.
Several campaigns have been identified that take advantage of the popularity of these platforms. One campaign has recently been identified that uses Skype branding advising users that they have pending notifications. The emails are personalized and include the Skype username and have a review button for users to click to review their notifications. These emails very closely resemble the genuine emails sent to users by Skype. The emails also appear, at first glance, to have been sent from a genuine address.
The link supplied in the email directs the recipient to a hxxps website that has Skype in the domain name. Since the connection between the browser and the website is encrypted, it will display the green padlock to show that the connection is secure, as is the case on the genuine Skype domain. The webpage includes Skype branding and the logo of the company being targeted and states that the webpage has been set up for authorized use by employees of the company. The username of the victim is automatically added to the login page, so all that is required is for a password to be entered.
This campaign was identified by Cofense, which received multiple reports from business users about the emails, which bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.
A Zoom campaign has also been identified that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many businesses for use by employees to maintain contact during the lockdown. The platform has also proven popular with consumers and now has more than 300 million users.
In this campaign, Zoom meeting notifications are sent to targets. As is common with phishing campaigns, the attackers generate fear and urgency to get the targets to respond quickly without scrutinizing the messages. This campaign advises the recipients to login to a meeting with their HR department regarding their job termination. Clicking the link will similarly direct users to a fake login page where they are required to enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was identified by Abnormal Security, which reports that around 50,000 of these messages were delivered to Office 365 accounts and bypassed EOP.
The phishing emails are credible, the webpages that users are directed to look genuine, and many people will be fooled by the emails. Security awareness training will help to condition employees to question emails such as these, but given the number of messages that are bypassing Microsoft’s EOP, businesses should also consider adding an additional layer of email security to their Office 365 accounts.
This is an area where TitanHQ can help. SpamTitan Cloud does not replace EOP for Office 365, it allows businesses to add an extra layer of protection on top to provide extra protection from zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware laced emails that would otherwise be delivered to Office 365 inboxes.
SpamTitan Cloud is quick and easy to implement and can protect your Office 365 accounts in a matter of minutes. Since the solution is available on a free trial, you will be able to evaluate the difference it makes and see how many malicious messages it blocks before committing to a purchase.
For further information on improving your phishing defenses, give the TitanHQ team a call today.
Higher education institutions in the United States are being targeted in a phishing campaign that distributes a remote access trojan called Hupigon, a RAT that was first identified in 2010.
The Hupigon RAT has previously been used by advanced persistent threat groups (APT) from China, although this campaign is not believed to have been conducted by APT groups, instead the Hupigon RAT has been repurposed by cybercriminals. While several industries have been targeted in the campaign, almost half of attacks have been on colleges and universities.
The Hupigon RAT allows the operators to download other malware variants, steal passwords, and gain access to the microphone and webcam. Infection could see the attackers take full control of an infected device.
The campaign uses online dating lures to get users to install the Trojan. The emails show two dating profiles of supposed users of the platform, and the recipient is asked to select the one they find the most attractive. When the user makes their choice, they are directed to a website where an executable file is downloaded, which installs the Hupigon RAT.
The choice of lure for the campaign is no doubt influenced by the huge rise in popularity of dating apps during the COVID-19 pandemic. While there are not many actual dates taking place due to lockdown and social distancing measures now in place around the globe, the lockdowns have seen many people with a lot of time on their hands. That, coupled with social isolation for many singles, has actually led to an uptick in the use of online dating apps, with many users of the apps turning to Zoom and FaceTime to have virtual dates. Several popular dating apps have reported an increase in use during the COVID-19 pandemic. For example, Tinder reports use has increased, with the platform having its busiest ever day, with more than 3 billion profiles swiped in a single day.
As we have already seen with COVID-19 lures in phishing attacks, which account for the majority of lures during the pandemic, when there is interest in a particular event or news story, cybercriminals will take advantage. With the popularity of dating apps soaring, we can expect to see an increase in the number of online dating -themed lures.
The advice for higher education institutions and businesses is to ensure that an advanced spam filtering solution is in place to block the malicious messages and ensure they do not reach end users’ inboxes. It is also important to ensure that security awareness training continues to be provided to staff, students, and remote employees to teach them how to recognize the signs of phishing and other email threats.
TitanHQ can help with the former. If you want to better protect staff, students, and employees and keep inboxes free of threats, give the TitanHQ team a call today. After signing up, you can be protecting your inboxes in a matter of minutes.
Healthcare providers are being targeted by cybercriminals using COVID-19 themed phishing emails, with the campaigns showing no sign of letting up. The volume of attacks has prompted the U.S. Federal Bureau of Investigation (FBI) to issue a further warning to healthcare providers urging them to take steps to protect their networks and block the attacks.
The first major COVID-19 themed phishing attacks targeting healthcare providers started to be detected by around March 18, 2020. The attacks have grown over the following weeks and the lures have diversified.
Campaigns have been conducted targeting at-home healthcare employees who are providing telehealth services to patients, and there has been an increase in business email compromise scams. The latter see vendors impersonated and requests sent for early or out-of-band payments due to difficulties that are being experienced due to COVID-19.
The phishing attacks are being conducted to obtain login credentials and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the exfiltration of sensitive data.
The malware being distributed in these campaigns is highly varied and includes information stealers such as Lokibot, backdoors, and Trojans such as Trickbot. Microsoft has recently reported that Trickbot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced documents. In addition to being a dangerous malware variant in its own right, Trickbot also downloads other malicious payloads, including RYUK ransomware.
While the number of COVID-19 themed phishing emails has been increasing, the overall volume of phishing emails has not increased by a major amount. What is happening is threat actors are changing their lures and are now using COVID-19 lures as they are more likely to be opened.
The campaigns can be highly convincing. The lures and requests are plausible, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization have been spoofed. Oftentimes the emails are sent from a known individual and trusted contact, which makes it more likely that the email attachment will be opened.
The advice offered from the FBI is to follow cybersecurity best practices such as never opening unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied promptly is also important, as is turning off automatic email attachment downloads. The FBI has also recommended filtering out certain types of attachments through email security software, something that is easy to do with SpamTitan.
The FBI has stressed the importance of not opening email attachments, even if antivirus software says that the file is clean. As the Trickbot campaign shows, new variants of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up. This is another area where SpamTitan can help. In addition to using dual antivirus engines to identify known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats that have yet to have their signatures added to antivirus software virus definitions lists.
Training is important to teach healthcare employees cybersecurity best practices to help them identify phishing emails, but it is also important to ensure that your technical controls are capable of blocking these threats.
Data obtained by the UK think tank Parliament Street has revealed the extent to which universities are being targeted by cybercriminals and the sheer number of spam and malicious emails that are sent to the inboxes of university staff and students.
Data on malicious and spam email volume was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.
Warwick University’s figures show that more than 7.6 million spam emails were sent to the email accounts of staff and students in the final quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails containing malware.
It was a similar story at Bristol University, which received more than 7 million spam emails over the same period, 76,300 of which contained malware. Data from the London School of Hygiene and Tropical Medicine revealed more than 6.3 million spam emails were received in 2019, which included almost 99,000 phishing emails and more than 73,500 malware attacks. 12,773,735 spam and malicious emails were received in total for 2018 and 2019.
Data from Lancaster University revealed more than 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as suspected spam. The figures from Imperial College London were also high, with almost 40 million emails blocked in 2019.
Like attacks on companies, cyberattacks on universities are often conducted for financial gain. These attacks attempt to deliver malware and obtain credentials to gain access to university networks to steal data to sell on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be used for identity theft and other types of fraud. Attacks are also conducted to deliver ransomware to extort money from universities.
Universities typically have high bandwidth to support tens of thousands of students and staff. Attacks are conducted to hijack devices and add them to botnets to conduct a range of cyberattacks on other targets. Email accounts are being hijacked and used to conduct spear phishing attacks on other targets.
Nation state sponsored advanced persistent threat (APT) groups are targeting universities to gain access to intellectual property and research data. Universities conduct cutting edge research and that information is extremely valuable to companies who can use the research data to develop products to gain a significant competitive advantage.
Universities are seen as relatively soft targets compared to organizations of a similar size. Cybersecurity defenses tend to be far less advanced, and the sprawling networks and number of devices used by staff and students make defending networks difficult.
With the number of cyberattacks on universities growing, leaders of higher education institutions need to take steps to improve cybersecurity and prevent the attacks from succeeding.
The majority of threats are delivered via email, so advanced email security defenses are essential, and that is an area where TitanHQ can help.
Independent test show SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan incorporates dual anti-virus engines to block known threats, machine learning to identify new types of phishing attacks, and sandboxing to detect and block zero-day malware and ransomware threats. When email attachments pass initial tests, suspicious attachments are sent to the sandbox for in depth analysis to identify command and control center callbacks and other malicious actions. SpamTitan also incorporates SPF and DMARC controls to block email impersonation attacks, data loss prevention controls for outbound messages and controls to detect potential email account compromises.
If you want to improve cybersecurity defenses, start with upgrading your email security defenses with SpamTitan. You may be surprised to discover the little investment is required to significantly improve your email security defenses. For more information, call the TitanHQ team today.
The City of Durham and the County of Durham in North Carolina have experienced a ransomware attack that has crippled both. The attack ‘started’ on March 6 in the late evening, which is common for ransomware attacks. Most take place in the evening and over the weekend, when there is less chance of the file encryption being detected.
Two separate attacks occurred simultaneously. Fast action by the IT department helped to contain the attack, but not in time to prevent approximately 80 servers from being infected. Those servers were encrypted and need to be rebuilt and approximately 1,000 computers had to be re-imaged.
There are many ways that cybercriminals gain access to business networks to deploy malware, but email is the most common attack vector. Most cyberattacks start with a phishing email and this attack was no different.
Ryuk ransomware was used to encrypt files on the network in order to extort money from the city and country. A ransom demand is issued which, depending on the extent of encryption, can range from several thousand dollars to several million. This phase of the attack is the most visible and causes the most disruption, but the attack actually started much earlier.
Ruyk ransomware is delivered by the TrickBot Trojan, an information stealer turned malware downloader. One installed on a networked device, the TrickBot Trojan performs reconnaissance, moves laterally, and installs itself on other computers on the network. Once all useful information has been found and exfiltrated, a reverse shell is opened and access to the system is given the ransomware operators. They will then move laterally and download their ransomware payload onto as many devices as possible on the network.
TrickBot downloaded by Emotet malware, a notorious botnet and Emotet is delivered via email. The Emotet campaigns used a combination of Office documents with malicious macros that download the malware payload and hyperlinks to websites where malware is downloaded. TrickBot may also be delivered directly through spam email. This Trio of malware variants can do a considerable amount of damage. Even if the ransom is not paid, losses can be considerable. The Trojans can steal a substantial amount of sensitive information including email credentials, banking credentials, tax information, and intellectual property.
In this case, seven computers appear to have been compromised in the first phase of the attack as a result of employees responding to phishing emails.
The key to blocking attacks such as this is to have layered defenses in place that are capable of blocking the initial attack. That means an advanced spam filtering solution is required to block the initial phishing emails and end users must receive regular security awareness training to help them identify any malicious emails that arrive in their inboxes. Multifactor authentication is needed to prevent stolen credentials from being used to access email accounts and endpoint security solutions are required to detect malware if it is downloaded.
To find out more about protecting your systems from phishing and malware attacks, and how a small per user cost per month can prevent a hugely expensive cyberattack, give the TitanHQ team a call today.
Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.
People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.
Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.
The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.
The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.
The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.
Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.
In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.
Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.
With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.
Emotet is the biggest malware threat faced by businesses and activity has increased considerably in recent weeks after a lull in December. Several new campaigns are now being identified each week, most of which are target businesses. One of the most recent campaigns uses a tried and tested technique to install the |Emotet Trojan. Malicious Word documents masquerading as invoices, estimates, renewals, and bank details.
The campaign mostly targets organizations in the United States and United Kingdom, although attacks have also been detected in India, Spain, and the Philippines. Approximately 90% of emails in this campaign target the financial services, with around 8% of attacks on companies in the food and drink industry.
The malicious Word documents are either attached to emails or hyperlinks are included in the emails that direct the user to a compromised website where the Word document is downloaded. The websites used are frequently changed and new Emotet variants are frequently released to prevent detection. Email security solutions that rely on AV engines to detect malware are unlikely to detect these zero-day threats as malicious.
Since Emotet is a massive botnet, emails spreading the Emotet Trojan come from many different sources. Email security solutions that rely on real-time blacklists are unlikely to detect these sources as malicious.
Emotet is primarily distributed via email from infected devices, but recently another distribution method has been identified. Emotet also spreads via Wi-Fi networks. This method has been used for almost two years, but it has only just been detected by security researchers at Binary Defense.
When Emotet is installed, a worm.exe binary is dropped that runs automatically. It attempts to connect to nearly Wi-Fi networks and brute forces weak passwords. Once connected to a Wi-Fi network, a search is conducted for non-hidden shares on the network. An attempt is made to enumerate all users connected to the Wi-Fi network, devices are brute forced, and the Emotet binary is dropped.
How to Block Emotet
The constantly changing tactics of the Emotet gang make detection difficult and no single solution will provide protection against all forms of attack. What is needed is a defense in depth approach and layered defenses.
The primary defense against a predominantly email-based threat such as Emotet is an advanced spam filtering solution. Many businesses have use Office 365 and rely on the protection provided by Exchange Online Protection (EOP), which is included as standard with Office 365 licenses. However, EOP alone will not provide enough protection against Emotet. EOP will block all known malware threats, but it struggles to identify zero-day attacks. To block zero-day attacks, more advanced detection methods are required.
SpamTitan has been developed to work seamlessly with EOP to protect Office 365 email from zero-day threats. SpamTitan uses a variety of techniques to identify Emotet, including dual antivirus engines to block known Emotet variants and sandboxing to block zero-day attacks. Suspicious or unknown attachments are sent to the sandbox where they are subjected to in depth analysis to identify command and control server call backs and other malicious actions. SpamTitan also scans outgoing emails to identify attempts to spread Emotet from an already-infected machine. SpamTitan also incorporates DMARC to identify email impersonation and domain spoofing, which are commonly used in emails spreading Emotet.
To provide protection against the web-based element of attacks, including Emotet emails that use malicious hyperlinks rather than email attachments, another layer needs to be added to cybersecurity defenses – a DNS filtering solution such as WebTitan.
WebTitan uses real-time URL threat detection powered by 650 million end users. The real-time database includes more than 3 million malicious URLs and IP addresses and each day around 100,000 new malicious URLs are detected and blocked. WebTitan also includes real-time categorization and detection of malicious domains, full-path URLs, and IPs, with up to the minute updates performed to block new malicious sources. As soon as a URL is identified as being used to distribute Emotet (or other malware) it is blocked by WebTitan. WebTitan also conducts link & content analysis, static, heuristic, & behavior anomaly analysis, and features in-house and 3rd party tools and feeds to keep users protected from web-based threats.
Other essential steps to take to tackle the threat from Emotet include:
- Disable macros across the organization
- Ensure operating systems are kept up to date and vulnerabilities are promptly patched.
- Set strong passwords to thwart brute force attacks
- Ensure endpoint protection solutions are deployed on all devices
- Provide security awareness training to employees
- Conduct phishing simulation exercises to identify employees that require further training
Tax season is now underway and business email compromise scammers have stepped up their efforts to obtain W-2 forms for tax fraud. These attacks often start with spear phishing emails targeting the CEO and the executive board. Once email credentials have been obtained, the accounts are then accessed, and emails are sent internally to payroll and the HR department requesting the W-2 forms of employees who have worked in the previous tax year.
Scammers targets businesses as there is much greater potential for profit than attacks on individual taxpayers, although consumers also need to be wary of IRS-related phishing scams. This time of year sees an increase in IRS phishing scams. Scammers impersonate the IRS and send emails informing taxpayers about a tax refund that is due and demands are sent for outstanding tax, with threats of dire consequences if prompt action is not taken to address issues.
Advances in email security have meant cybercriminals have had to get creative as it is harder to sneak phishing emails past email defenses. Phishing scams are now commonly initiated via text message, post, and over the telephone. There has already been one campaign identified where consumers are being targeted using robocalls warning that Social Security numbers have been suspended after suspicious activity was detected.
While many of these scams seek personal information, others are conducted to spread malware. One threat group that started its tax-related scams early this year is the Emotet gang. A campaign is currently being conducted that uses emails containing fake signed W-9 forms.
Signed W-9 forms are requested by companies from their contractors if they have been paid in excess of $600 during the tax year. Many companies will have requested signed W-9 forms from their contractors to confirm addresses and tax identification numbers, so they will be expecting copies of these forms in their inboxes.
The Emotet emails are short and to the point, saying “Thank you for your help. Pleased see attached file.” The emails include a Word document attachment named W-9.doc. When the document is opened, the Office 365 logo is displayed along with text stating the document was created in OpenOffice and requires the user to enable editing and enable content. Doing so triggers the silent download of the Emotet Trojan.
This is just one of the tax-related messages being used by the Emotet gang. There are likely to be many more variants sent over the next few weeks. Other cybercriminals gangs will similarly be conducting their own tax-themed phishing campaigns to spread different malware variants and ransomware.
Businesses, tax preparers, and consumers need to be on high alert during tax season for phishing scams and emails spreading malware.
Now is a good time for businesses to review their cybersecurity defenses and enhance protection against phishing and malware attacks. If you use Office 365 and rely on the anti-phishing protections built into Office 365 (EOP), you should consider enhancing your anti-phishing and anti-malware protection with a third-party spam filter – One that has superior malspam detection capabilities.
This is an area where TitanHQ can help. SpamTitan uses a variety of advanced techniques to detect and block phishing threats and zero-day malware, including a sandbox where unknown and suspicious email attachments are subject to in-depth analysis. Give the TitanHQ team a call to find out more about SpamTitan, improving office 365 malware and phishing protection, and to arrange a product demonstration and free trial of SpamTitan.
In the meantime, take steps to alert your workforce about tax-season phishing scams and prepare them in case a phishing email arrives in their inbox. An email alert sent to your employees about the threat of tax-season scams could prevent a costly phishing attack or malware infection.
A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.
The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.
A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.
A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.
The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign is targeted on users in in different Japanese prefectures and warning of an increase in the number of local confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.
If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.
To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.
More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.
Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.
For further information on protecting your email system, contact TitanHQ today.
The Emotet botnet took a Christmas holiday but its now up and running again and the massive phishing and spamming campaigns have resumed. These campaigns, which involve millions of spam emails, use a variety of lures to trick people into opening an attachment and enabling content. The content in question includes a macro which runs a PowerShell command that downloads and executes the Emotet Trojan.
The Emotet Trojan is bad news. Emotet was once just a banking Trojan whose purpose was to steal online banking credentials. It still does that and much more besides. Emotet also steals credentials from installed applications and browsers. It is also self-propagating and will send copies of itself via email to the victim’s contacts. As if that was not bad enough, Emotet has another trick up its sleeve. It is also a downloader of other malware variants such as the TrickBot Trojan and Ryuk ransomware. These additional payloads allow data to be stolen and sold for profit and for files across the network to be encrypted and ransom demands issued. Emotet has also delivered cryptocurrency miners in the past and could deliver any number of other malware payloads.
The scale of the botnet is staggering. In the first quarter of 2019, Emotet was responsible for 6 out of 10 malicious payloads delivered via email. There are often breaks in activity, but even though the threat actors behind the botnet took almost half of 2019 off, Emotet still ranks as the top malware threat of the year.
Emotet sprung back to life on January 13, 2020 with targeted attacks on the pharmaceutical industry in North America, but it didn’t take long for the attacks to spread even further afield. Now more than 80 countries are being attacked and in addition to English, campaigns have been detected in Italian, Polish, German, Spanish, Japanese and Chinese.
The lures used to fool end users into opening email attachments are highly varied and often change. Tried and tested lures such as fake invoices, orders, statements, agreements, payment remittance notices, receipts, and delivery notifications are often used in attacks on businesses, which are the primary targets. Before the botnet shut down for a break in December, Greta Thunberg-themed emails were being used along with Christmas party invitations. A host no new lures can be expected in 2020.
The themes of the emails may change but the messages have one thing in common. They require an end user to take action. That is usually opening a document, spreadsheet or other file, but could be a click on a hyperlink in an email. Once that action is taken, Emotet will be silently downloaded.
There are two main ways of blocking attacks and both are necessary. The first is to ensure that the email system is secure, which means implementing an effective spam filter. Businesses that use Office 365 will have a modicum of protection through Exchange Online Protection (EOP), which is included with Office 365 subscriptions. However, businesses should not rely on EOP alone. Layered defenses are required.
SpamTitan is a powerful spam filter that will improve protection against malware threats such as Emotet. SpamTitan can be layered on top of Office 365 to provide greater protection and prevent the malware from being delivered to inboxes. Dual anti-virus engines are incorporated into the solution to detect known threats and SpamTitan includes a sandbox for identifying threats that signature-based detection mechanisms miss.
Many businesses deploy a variety of security solutions but fail to prepare their employees for an attack. If malicious emails make it past security solutions and are delivered to inboxes, all it takes is for one employee to fail to spot the threat and respond for Emotet to be installed (and potentially ransomware as well). It is therefore important to provide regular security awareness training to everyone in the company from the CEO down. If employees are not told how to identify malicious emails, they cannot be expected to spot threats and report the messages to the security team.
Fortunately, through a combination of email security solutions and security awareness training, the threat from Emotet can be neutralized. For more information on the former, give TitanHQ a call today.
Whenever there is a major event that attracts a lot of media attention cybercriminals will be poised to take advantage, so it is no surprise that warnings are being issued about Travelex phishing scams.
The Travelex ransomware attack that struck on New Year’s Eve involved a ransomware variant called Sodinokibi. The gang responsible is one of the most prolific threat groups using ransomware. The group’s attacks are highly targeted and seek to encrypt entire networks and the ransom demands reflect the scale of encryption. Travelex was initially issued with a demand for a payment of $3 million. That soon doubled to $6 million when payment was not made within the allocated timescale.
The fallout from the attack has been immense, which is unsurprising given that Travelex is the largest provider of currency exchange services worldwide. Many banks and retailers rely on Travelex to provide for their currency exchange services. Without access to those online services, currency exchange services came to a grinding halt. It has taken two weeks for Travelex to start bringing some of its services back online, but its website remains down and the disruption continues.
The attackers claimed to have stolen large quantities of customer data from Travelex. The attackers threatened to publish or sell the data if the ransom was not paid. This tactic is becoming increasingly common with ransomware gangs. In this case, the sodinokibi gang claimed to have gained access to Travelex systems 6 months previously and said they had stolen customer data including names, payment card information, and Social Security numbers and National Insurance numbers. The gang had also recently attacked the American IT company Artech Systems and had posted 337MB of data stolen in that attack, demonstrating to others that it was not an empty threat. Travelex maintained that no customer data had been stolen, but that has yet to be confirmed.
Warning Issued About Travelex Phishing Scams
Travelex customers should naturally err on the side of caution and monitor their accounts for signs of fraudulent use of their information but there are other risks from an attack such as this.
Travelex has issued a warning to its customers recommending they should be alert to the threat of phishing attacks via email and over the phone. Opportunistic scammers often take advantage of major events such as this and Travelex phishing scams are to be expected, as was the case following the TalkTalk data breach. These phishing scams are likely to be most effective on Travelex customers who have lost money as a result of the attack. Any offer of compensation or a refund is likely to attract a response.
For consumers, the advice is never to open email attachments or click on links in unsolicited emails. Businesses should also take steps to protect their networks from malware and phishing attacks.
Businesses should adopt a defense in depth strategy to protect against phishing scams and malware attacks. An advanced email security solution such as SpamTitan should be used to protect Office 365 accounts. SpamTitan improves protection against zero-day malware and phishing threats and blocks threats at the gateway.
A web filtering solution such as WebTitan should be used to block the web-based component of phishing and malspam campaigns and prevent end users from visiting malicious websites. End user training is also a must. It is important to teach employees how to identify phishing emails and malspam, and condition them how to respond when suspicious emails are received.
A new ransomware threat – Ako ransomware – has emerged which is targeting business networks and is being distributed via spam email. The ransomware is being offered to affiliates under the ransomware-as-a-service model and the aim of the attackers is clear. To maximize the probability of payment of the ransom by making recovery harder, and to steal data prior to encryption to ensure the attack is still profitable if the ransom is not paid. Having the data could also help convince the victims to pay up, as we have seen in recent attacks involving Maze and Sodinokibi ransomware, where threats are issued to publish stolen data if the ransom is not paid.
The developers of Ako ransomware appear to be going for large ransom payments, as they are not targeting individual workstations, rather the entire network. The ransomware scans local networks for other devices and will encrypt network shares. The ransomware deletes shadow copies and recent backups and disables Windows recovery to make recovery more difficult without paying the ransom.
Encrypted files are given a randomly generated file extension and retain the original file name. No ransom amount is stated in the ransom note. Victims are required to contact the attackers to find out how much they will need to pay for the keys to decrypt their files.
One of the intercepted emails being used to distribute the ransomware uses a password-protected zip file as an attachment. The email appears to be a business agreement which the recipient is asked to check. The password to open and extract the file is included in the message body. The zip file attachment – named agreement.zip – contains an executable file which will install Ako ransomware if it is run. The malicious file is called agreement.scr.
There is no free decryptor for Ako ransomware. Recovery without paying the ransom will depend on whether viable backups exist that have not also been encrypted. It is therefore important to make sure backups are regularly performed and at least one copy of the backup is stored on a non-networked device to prevent it also being encrypted by the ransomware. Backups should also be tested to make sure file recovery is possible.
Since Ako ransomware is being distributed via spam email, this gives businesses an opportunity to block an attack. An advanced spam filtering solution should be implemented that scans all inbound messages using a variety of detection mechanisms to identify malware and ransomware threats. A sandbox is an important feature as this will allow email attachments to be analyzed for malicious activity. This feature will improve detection rates of zero-day threats.
nd user training is important to ensure that employees do not open potentially malicious files. Training should condition employees never to open email attachments in unsolicited emails from unknown senders. As this campaign shows, any password protected file sent in an unsolicited email is a big red flag. This is a common way that ransomware and malware is delivered to avoid detection by antivirus solutions and spam filters.
Anti-spam solutions and antivirus software will not be able to detect the threat directly if malicious files are sent in password-protected archives, which can only be opened if the password is entered. Rules should therefore be set to quarantine password-protected files, which should only be released after they have been manually checked by an administrator. With SpamTitan, these rules are easy to set.
Ako ransomware is one of many new ransomware threats that have been released in recent months. High profile attacks on companies such as Travelex that see massive ransom demands issued, which in many cases are paid, show a huge payday is possible.
Ransomware developers will keep developing new threats for as long as attacks remain profitable, and there is not likely to be a shortage of affiliates willing to run spamming campaigns to get their slice of the ransom payments.
With the attacks increasing, it is essential for you to have strong defenses that can detect and block malware, ransomware, and phishing threats, and that is an area where TitanHQ can help.
To find out more about how you can improve your defenses against email and web-based threats, give the TitanHQ team a call today.
Customers of Canadian banks have been targeted by cybercriminals in an extensive phishing campaign that has been ongoing for at least the past two years, according to Check Point Research which uncovered the campaign. As with many other financial phishing scams, the attackers spoof the website of a well-known bank and create a virtual carbon copy of the home page of the bank on a lookalike domain, which often only differs from the genuine domain name by a letter or two.
A link to the fraudulent site is then sent in a mass spamming campaign to email addresses on the specific country top level domain where the bank operates. The emails instruct users to visit the banks website and login, usually under the guise of a security alert. When the link in the email is clicked, the user is directed to the spoofed site and may not notice the domain name is not quite right. They then enter their login credentials which are captured by the scammers. The credentials are then used to make fraudulent wire transfers to accounts controlled by the attackers.
In this campaign, the emails include a PDF email attachment. PDF files tend to be trusted to a higher degree than Word documents and spreadsheets, which end users have usually been instructed to treat as suspicious. The PDF file includes a hyperlink, which the user is instructed to click. Since the hyperlink is in the document rather than the email body, it is less likely to be scanned by email security solutions and has a higher chance of being delivered.
The user is told that they are required to update their digital certificate to continue using the online banking service. The PDF file includes the bank logo and a security code, which the user is required to enter when logging in. The code is included in the PDF attachment rather than email body for security reasons. As with most phishing scams, there is urgency. The recipient is told that the code expires in 2 days and that they must register within that time frame to avoid being locked out of their account.
The landing pages on the websites are identical to those used by the banks as the attackers have simply taken a screen shot of the bank’s landing page. Text boxes have been added where the username, password, and token number must be entered. Users are then asked to confirm the details they entered while the attackers attempt to access their account in real-time and make a fraudulent transfer.
These tactics are nothing new. Scams such as this are commonplace. What is surprising is how long the campaign has been running undetected. The scammers have been able to operate undetected by registering many lookalike domains which are used for a short period of time. Hundreds of different domains have been registered and used in the scam. At least 14 leading banks in Canada have had their login pages spoofed including TD Canada Trust, Scotiabank, Royal Bank of Canada, and BMO Bank of Montreal.
All of the websites used in the scam have now been taken down, but it is all but guaranteed that other lookalike domains will be registered and further scams will be conducted.
A spamming campaign has been detected that is piggybacking on the popularity of Greta Thunberg and is using the climate change activist’s name to trick individuals into installing the Emotet Banking Trojan.
Emotet is one of the most active malware threats. Emotet was first detected in 2014 and was initially used to steal online banking credentials from Windows users by intercepting internet traffic. Over the years it has undergone several updates to add new functionality. It has had a malspam module added, which allows it to send copies of itself via email to a user’s contacts. Emotet also includes a malware downloader, allowing it to download a range of other malware variants such as other banking Trojans and ransomware.
The malware is used indiscriminately in attacks on individuals, businesses, and government agencies, with the latter two being the main targets. Emotet is primarily spread via spam email, and while exploits are not used to spread to other devices on the network – EternalBlue for instance – other malware variants downloaded by Emotet can. TrickBot for instance.
The Greta Thunberg spam campaign aims to get users to open a malicious Word attachment and enable content. If that happens, Emotet will be silently downloaded to the user’s device, sensitive banking information will be stolen, and further malware may be downloaded.
The campaign was active over the holiday period and used a variety of Christmas-themed lures to entice users into opening the email attachment. Some of the emails did not include an attachment and instead used a hyperlink to direct the user to a website where the malicious document could be downloaded.
One of the emails wished the recipient a Merry Christmas and urged them to consider the environment this Christmastime and join a demonstration in protest against the lack of action by governments to tackle the climate crisis. The email claimed details about the time and location of the protest were included in the Word document. The email also requested the recipient to send the email on to all their colleagues, friends, and relatives immediately to get their support as well. Several variations along that theme have been detected.
To increase the likelihood of the recipient enabling content, when opened the document displays a warning that appears to have been generated by Microsoft Office. The user is told that the document was created in OpenOffice and it is necessary to first enable editing first and then enable content. Doing the latter will enable macros which will start the infection process.
The emails are well written and have been crafted to get an emotional response, which increases the likelihood of the user taking the requested action. The emails have been sent in multiple languages in many different countries.
Whenever there is a major news event, popular sports tournament, or other event that attracts global interest, there will be cybercriminals taking advantage. Regardless of the theme of any email, if it is unsolicited and asks you to click a link or open an email attachment, it is best to assume that it is malicious.
Businesses can protect their networks against threats such as these by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan will identify threats such as phishing attacks and will prevent the messages from reaching inboxes. SpamTitan also includes dual anti-virus engines to detect known malware and machine learning techniques and sandboxing to identify and block zero-day malware.
For further information on how SpamTitan can protect your business from email threats such as this, contact TitanHQ today.
Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.
The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.
71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.
A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.
The Importance of Layered Phishing Defenses
To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.
With layered defenses, businesses are not replying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.
One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.
What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.
As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.
If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.
Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.
Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.
The aim of this post is to provide you with some easy to adopt email security best practices that will greatly improve your organization’s security posture.
Email is the Most Common Attack Vector!
It is a certainty that business email systems will be attacked so email security measures must be implemented. The best form of email security is to do away with email altogether, but since businesses rely on email to communicate with customers, partners, and suppliers, that simply isn’t an option.
Email not only makes it easy to communicate with the people you need to for your business to operate, it also allows cybercriminals to easily communicate with your employees and conduct phishing attacks, spread malware and, if a corporate email account is compromised, communicate with your customers, partners and suppliers.
Email security is therefore essential, but there is no single solution that will protect the email channel. A spam filtering solution will stop the majority of spam and malicious email from reaching inboxes, but it will not block 100% of unwanted emails, no matter what solution you implement. The key to robust email security is layered defenses. If one defensive measure fails, others are in place that will provide protection.
You need a combination of technical, physical, and administrative safeguards to secure your email. Unfortunately, there is no one-size-fits-all approach that can be adopted to secure the email channel but there are email security best practices that you can adopt that will improve your security posture and make it much harder for cybercriminals to succeed.
With this in mind, we have outlined some of the most important email security best practices for your business and your employees to adopt.
Email Security Best Practices to Implement Immediately
Cybercriminals will attempt to send malware and ransomware via email, and phishing tactics will be used to steal sensitive information such as login credentials, so it is important to be prepared. Listed below are 8 email security best practices that will help you keep your email system secure. If you have not yet implemented any of these best practices, or have only done so partially, now is the time to make some changes.
Develop a Cybersecurity Plan for Your Business
We have included this as the first best practice because it is so important. It is essential for you to develop a comprehensive cybersecurity plan for your entire organization as not all threats arrive via email. Attacks come from all angles and improving email security is only one of the steps you need to take to improve your overall cybersecurity posture.
There are many resources available to help you develop a cybersecurity plan that addresses all cyber risks. The Federal Communications Commission has developed a Cyberplanner to help with the creation of a custom cybersecurity plan and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a Cyber Essentials Guide for Small Businesses and Governments. Take advantage of these and other resources to develop an effective cybersecurity plan.
Implement an Advanced Spam Filtering Solution
A spam filter serves as a semi-permeable membrane that prevents email threats from being delivered to inboxes and lets genuine emails pass through unimpeded. This is the single most important security measure to implement to protect against email threats and productivity-draining spam.
If you use Office 365 you will already have some protection, as Office 365 includes a spam filter and anti-virus software, but it falls short on phishing protection and will not block zero-day malware threats. You need layered defenses to secure email which means a third-party spam filter should be used on top of Office 365. Research from Avanan showed 25% of phishing emails bypass Office 365 defenses.
There are many spam filtering services for SMBs, but for all round protection against known and zero-day threats, ease of implementation, ease of use, and price, SpamTitan is the best choice for SMBs.
Ensure Your Anti-Virus Solution Scans Incoming Emails
You will no doubt have anti-virus software in place, but does it scan incoming emails? Email is one of the main ways that malware is delivered, so anti-virus software for email is a must. This does not necessarily mean you need a different antivirus solution. Your existing solution may have that functionality. Your spam filter is also likely to include AV protection. For example, SpamTitan incorporates dual anti-virus engines for greater protection and a sandbox where email attachments are analyzed for malicious actions. The sandbox his used to detect and block zero-day malware – New, never-before seen malware variants that have yet to have their signatures incorporated into AV engines.
Create and Enforce Password Policies
Another obvious email security best practice is to create a password policy that requires strong passwords to be set. There is no point creating a password policy if it is not enforced. Make sure you implement a control measure to prevent weak passwords from being set. Weak passwords (password, 123456, or dictionary words for example) are easy to remember but also easy to guess. Consider that cybercriminals are not sitting at a computer guessing passwords one at a time. Automation tools are used that make thousands of password guesses a minute. It doesn’t take long to guess a weak password! You should also make sure rate limiting is applied to block an IP from logging in after a set number of failed login attempts.
It is a good best practice to require a password of at least 8 characters to be set, with a combination of upper- and lower-case letters, numbers, and symbols and to block the use of dictionary words. Consider allowing long passphrases to be used as these are easier for employees to remember. Check National Institute of Science and Technology (NIST) advice on secure password practices if you are unsure about creating a password policy.
Implement DMARC to Stop Email Impersonation Attacks and Domain Abuse
DMARC, or Domain-based Message Authentication, Reporting & Conformance to give it its full name, is an email protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine whether an email is authentic.
By creating a DMARC record you are preventing unauthorized individuals from sending messages from your domain. DMARC also lets you know who is sending messages from your domain, and it lets you set a policy to determine what happens to messages that are not authenticated, I.e. quarantine them or reject them. Some email security solutions, such as SpamTitan, incorporate DMARC authentication.
Not only DMARC help you block email impersonation attacks, it also prevents abuse of your domain. Your DMARC record tells receiving email servers not to accept messages sent from authenticated users, thus helping protect your brand.
Implement Multi-Factor Authentication
Multi-factor authentication is yet another layer you can add to your anti-phishing defenses. Multi-factor authentication, as the name suggests, means more than one method is used to authenticate a user. The first factor is usually a password. A second factor is also required, which is something a person knows or possesses. This could be a mobile phone, to which a one-time PIN code is sent, or a token on a trusted device.
This safeguard is vital. If a password is obtained, in a phishing attack for example, the password alone will not grant access to the email account without an additional factor being provided. A combination of a password, token, and one-time PIN is a good combination.
Train Your Employees and Train Them Again
No matter how tech savvy your employees appear to be, assume they known nothing about cybersecurity. They will certainly not routinely stick to email security best practices unless you train them to do so and then hammer the message home.
Before letting any employee have access to email, you should provide security awareness training. Your training should cover email security best practices such as never opening email attachments from unknown senders, never enabling content in documents unless the document has been verified as legitimate, and never to click hyperlinks in emails or send highly sensitive information such as passwords via email.
You must also train your employees how to recognize phishing emails and other malicious messages and tell them what to do when suspicious emails are received. Anyone with access to email or a computer must be provided with security awareness training, from the CEO down.
One training session is not enough. Even an annual training session is no longer sufficient. You should be providing regular training, be sending cybersecurity newsletters warning about the latest threats, and using other tools to help create a security culture in your organization.
Conduct Phishing Awareness Simulation Exercises
You have provided training, but how do you know if it has been effective? The only way to tell is to conduct tests and that is easiest with phishing simulation exercises. These are dummy phishing emails that are sent to employees when they are not expecting them to see how they respond. You maybe surprised at how many employees respond and disclose sensitive information, open attachments, or click links in the emails.
The aim of these emails is to identify people that have not taken their training on board. The idea is not to punish those employees, but to tell you who needs further training. There are several companies that can assist you with these exercises. Some even offer free phishing simulation emails for SMBs.
TitanHQ is Here to Help!
TitanHQ has developed SpamTitan to be easy for SMBs to implement, use, and maintain. It requires no hardware, no software, and all filtering takes place in the cloud. Not only does SpamTitan offer excellent protection against the full range of email-based threats, it is also one of the lowest cost solutions for SMBs to implement.
Give the TitanHQ team a call today for more information on SpamTitan and to find out about how you can also protect your business from web-based threats and meet your compliance requirements for email.
Phishers are constantly changing tactics and coming up with new ways to fool people into handing over their credentials or installing malware. New campaigns are being launched on a daily basis, with tried and tested lures such as fake package delivery notices, fake invoices and purchase orders, and collaboration requests all very common.
In a departure from these common phishing lures, one threat group has opted for a rarely seen lure, but one that has potential to be very effective: Fake court subpoenas. The emails use fear and urgency and are designed to get users to panic and click quickly.
This campaign has been running for a few weeks and is targeting users in the United Kingdom, although this scam could easily be adapted and used in attacks on users in other countries.
Many phishing scams have the goal of stealing credentials to allow email accounts or Office 365 accounts to be accessed. In this case, the aim of the attack is to spread information stealing malware called Predator the Thief.
The phishing emails appear to have been sent by the Ministry of Justice in the UK. The sender field has Ministry of Justice as the display name and the emails have the Ministry of Justice crest, although the actual email address suggests the email has come from the Department of Justice (DOJ).
The emails warn the user that they have been subpoenaed. They are supplied with a case number along with a date when they have been ordered to attend court.
The emails include a hyperlink which the user must click to find out details of the charge and the documents they will need to bring with them to court. Urgency is added by warning the recipient they only have 14 days to respond to provide notice, and that the court case will proceed without them if they do not respond.
The URL in the email is seemingly benign, as it links to Google Docs – a trusted website. Clicking the link will see the user first directed to Google Docs, then redirected to OneDrive. When the user arrives on the OneDrive site, a document is downloaded. That document contains a malicious macro that launches a PowerShell command that downloads Predator the Thief malware.
Predator the Thief is an information stealer that can take screenshots and steals email and FTP credentials, along with cryptocurrency wallets and browser information. In contrast to many browser information stealers, this malware variant doesn’t just target the main browsers, but a host of less popular browsers. Once information has been stolen, the malware cleans up and exits, which makes it harder for the infection to be detected.
Phishing scams such as this highlight the need for layered security. Naturally, an advanced anti-spam solution such as SpamTitan should be implemented to block these threats and ensure and ensure messages are not delivered to end users’ inboxes. SpamTitan also includes DMARC email authentication to block mail impersonation attempts and a sandbox where email attachments are analyzed for malicious actions.
SpamTItan blocks in excess of 99.9% of all malicious emails, but it is not possible to block 100% of threats no matter what email security solution you use. This is where another layer is required. WebTitan is a DNS filtering solution that blocks threats such as this at the point where a DNS lookup is performed. This allows malicious websites to be blocked before any content is downloaded. WebTitan can also be configured to block downloads of certain file types.
With these two solutions in place, your business will be well protected against phishing emails and web-based malware downloads.
A new Stripe phishing campaign has been detected that uses fake warnings advising users about an invalid account to lure people into divulging their credentials and bank account information.
Stripe is an online payment processor used by many online firms on their e-commerce websites to accept payments from their customers. As such, the company is perfect for spoofing as many people will be aware that the company processes payments and will think it reasonable that they need to provide credentials and bank account information to ensure payments are processed.
The scam starts with a phishing email supposedly from the Stripe Support department. The email advises the customer that the information associated with their account is currently invalid. The message is sent as a courtesy notice warning the user that their account will be placed on hold until the matter is corrected. The user is asked to review their details to correct the issue. A button is included in the email for users to click to do this.
The emails contain spelling mistakes and questionable grammar, so are likely to be identified as suspect by vigilant individuals. Security awareness training often teaches employees to hover their mouse arrow over a hyperlink to find out the true URL, but in this campaign it will not work. The attackers have added a title to the HTML tag of the embedded hyperlink so when the mouse arrow is hovered over the “Review your Details” button, that text will be displayed instead of the URL.
If that button is clicked, the user will be directed to a seemingly legitimate Stripe login page. The login box is a clone of the real login page and a series of boxes will be displayed, each requiring different information to be entered, including bank account and contact information.
When the user is required to enter their password, regardless of what is typed, the user will be advised that they have entered an incorrect password and will be asked to enter the password again. The user is then directed to the legitimate Stripe login page to make it appear they have been on the correct Stripe website all along.
Similar tactics are used in countless other phishing campaigns targeting other well-known companies. The presence of spelling mistakes and grammatical errors in messages should tip off end users that the email is a phishing attempt, but all too often end users fail to notice these errors and click and divulge sensitive information.
One issue is a lack of cybersecurity training in the workplace. If employees are not trained how to identify phishing emails, it is inevitable that some will end up falling for these scams and will divulge their credentials. Those credentials can be used to gain access to bank accounts or email accounts, with the latter often used to conduct further phishing attacks on the organization. One email account breach can easily lead to dozens of breached accounts.
For example, a phishing attack on a U.S. healthcare provider started with a single phishing email and led to 73 email accounts being compromised. As for cybersecurity awareness training, this is often nonexistent. One recent study on 2,000 employees in the United Kingdom revealed three quarters had received no workplace cybersecurity training whatsoever.
Protected by Microsoft Office 365 Anti-Phishing Controls? Are You Sure?
One in every 99 emails is a phishing email, so it is important to ensure your defenses are capable of blocking those messages. Many businesses mistakenly believe they are protected against these emails by Microsoft’s Office 365 anti-phishing controls. While those measures do block spam email and some phishing messages, one recent study by Avanan has shown 25% of phishing attacks sneak past Office 365 defenses and are delivered to inboxes. For an average firm that means several phishing emails will reach end users’ inboxes every day. To ensure your business is protected against phishing attacks, additional anti-phishing controls are required on top of Office 365.
Businesses can protect their Office 365 accounts against phishing by layering SpamTitan on top of Office 365. SpamTitan is an advanced anti-phishing and anti-malware solution that provides superior protection against phishing, malware, spear phishing, and zero-day attacks.
Heuristics rules are used to analyze message headers and these rules are constantly updated to include the latest threats. Bayesian analysis and heuristics are used to check message content, and along with machine learning techniques, new threats are blocked and prevented from reaching inboxes. Sandboxing is also used to assess email attachments for malicious code used to install malware in addition to dual-AV engines that scan for known malware.
These advanced measures ensure that Office 365 inboxes are kept free from malware and phishing emails. These advanced capabilities along with the ease of implementation and use and industry-leading customer support are why SpamTitan is the leading provider of anti-spam and anti-phishing solutions for SMBs and managed service providers that serve the SMB market.
For further information on SpamTitan, to book a product demonstration or set up a free trial, contact the TitanHQ team today.
The collapse of the package holiday operator Thomas Cook left thousands of holidaymakers stranded, hundreds of thousands of holiday bookings have been cancelled, and more than 9,000 staff have lost their jobs. The company and other UK firms in its group have been forced into compulsory liquidation and cybercriminals have been quick to take advantage. Dozens of Thomas Cook-related domains were registered following the collapse of the firm and several Thomas Cook phishing scams have been detected.
Customer that have incurred out-of-pocket expenses as a result of the collapse of the company and anyone who has paid for a package holiday that has been cancelled may be entitled to a refund or compensation. That has given scammers the perfect opportunity to launch phishing attacks seeking bank account an credit card information.
Customers who have booked Thomas Cook holidays are protected under the ATOL scheme and refunds are being processed by the Civil Aviation Authority, which has set up a subdomain on its website – thomascook.caa.co.uk – where customers can submit claims for refunds. More than 360,000 holidays have been booked for more than 800,000 holidaymakers, who are entitled to refunds. More than 60,000 customers submitted refund forms on the first day that the website was set up and claims for out-of-pocket expenses are being processed by travel insurance firms. The CAA has stated that it will take 60 days for the refunds to be issued.
Anyone who has yet to submit their claim should exercise caution as there are multiple phishing scams being conducted offering money back on canceled holidays, reimbursement of out-of-pocket expenses, compensation, and fake updates on the status of refund claims. Any email received in relation to Thomas Cook should be treated as a potential scam.
Scams may be conducted with the aim of spreading malware or ransomware. Malicious code is contained in file attachments that trigger a malware download when the attachment is opened. However, far more common in situations when people are demanding refunds is to send phishing emails containing hyperlinks to malicious websites. Those websites require sensitive information such as credit card information and bank account details to be entered. Scammers are well aware that in order for refunds to be processed, bank account information would be required and phishing forms have been set up on fake Thomas Cook domains to do just that.
While there may be some giveaways that emails are not genuine – spelling mistakes and grammatical errors – some Thomas Cook phishing scams are virtually impossible to distinguish from genuine communications. Banks have also been notifying customers by email, which has presented scammers with even more opportunities to hoodwink Thomas Cook customers. There have also been reports of former employees being targeted by scammers offering compensation.
The golden rule to avoid becoming a victim of Thomas Cook phishing scams is never to respond to a request in an unsolicited email. Attachments should not be opened, hyperlinks in emails should not be followed, and contact information included in the message body should not be used. Only use official channels such as the CAA website, and contact banks and travel insurance firms directly using verified contact information.
The Emotet botnet sprung back to life following a 4-month period of dormancy over the summer. The first campaigns, which involved hundreds of thousands of messages, used lures such as fake invoices, payment remittance advice notices, and statements to lure recipients into opening a malicious Word document, enabling content, and inadvertently launching a string of actions that result in the downloading of Emotet: One of the most dangerous malware variants currently being distributed via email.
It has only been a few days since those campaigns were detected, but now a new campaign has been detected. The latest malspam campaign also delivers Emotet but this time the lure is a free copy of Edward Snowden’s book – Permanent Record. The book is an account of Edward Snowden’s life that led up to his whistleblowing actions in 2013.
The campaign includes English, Italian, Spanish, and German language versions which claim to offer a free scanned copy of the former CIA staffer’s book. The English language version of the book is being distributed via email, so the attackers claim, because it is “Time to organize collective readings of Snowden book everywhere.” The email tells the recipient to “Go buy the book now, read it, share it, discuss it,” but conveniently a scanned copy is attached called Scan.doc.
As with the previous campaign, opening the attachment will display a Microsoft Product Notice – with appropriate logo – informing the user that Word has not been activated. The user is required to enable content to continue using Word and view the content of the document. At this point, all it takes is a single click to silently install Emotet. Once installed, Emotet will download other malware variants, including the TrickBot Trojan. Emotet is also being used to distribute ransomware payloads.
While the lures in the Emotet campaigns are regularly changed, they have all used malicious scripts in Word documents which download Emotet. The emails may be sent from unknown individuals or email addresses may be spoofed to make the emails appear to have come from a contact or work colleague.
The lures are convincing and are likely to fool may end users into opening the attachments and enabling content. For businesses, that can lead to a costly malware infection, theft of credentials, fraudulent bank transfers, and ransomware attacks.
Businesses can reduce risk by ensuring employees are told never to open email attachments in unsolicited emails from unknown senders, but also to verify the authenticity of any email attachment by phone before taking any action. It is also important to condition employees never to enable content in any document sent via email.
While end user security awareness training is essential, advanced anti-malware solutions are also required to prevent those messages from ever reaching inboxes.
SpamTitan includes DMARC authentication to block email impersonation phishing attacks and a Bitdefender-powered sandbox where suspicious email attachments can be safely executed and studied for malicious actions.
Along with a wide range of other content checks, including Bayesian analysis and greylisting, emails such as these can be blocked and prevented from being delivered to end users.
After a quiet summer, the Emotet botnet is back in action. The threat actors behind Emotet are sending hundreds of thousands of malicious spam emails spreading the Emotet Trojan via malicious Word documents.
Emotet first appeared in 2014 and was initially a banking Trojan used to obtain credentials to online bank accounts. The stolen credentials are used to make fraudulent wire transfers and empty business accounts. Over the years the Trojan has evolved considerably, with new modules being added to give the malware a host of new features. Emotet is also polymorphic, which means it can change itself each time it is downloaded to avoid being detected by signature-based anti-malware solutions. Up until the start of 2019, more than 750 variants of Emotet had been detected.
The latest iteration of Emotet is capable of stealing banking credentials and other types of information. It is also capable of downloading other malware variants, which has led to security researchers naming it ‘triple-threat malware,’ as it has been used recently to download the TrickBot Trojan and Ryuk ransomware. These three malware threats along with the scale of the operation make Emotet one of the most dangerous threats faced by businesses. It is arguably the costliest and most destructive botnet ever seen.
Last summer, Emotet activity was so high and the threat so severe that the Department of Homeland Security issued an alert to all businesses in July 2018 warning them of the threat. That warning was mirrored by the UK National Cyber Security Center which published its own warning about the malware in September 2018. Activity remained high well into 2019, but suddenly stopped at the start of June when command and control server activity fell to next to nothing.
The hiatus in activity was only brief. Researchers at Cofense Labs discovered its command and control servers had been activated again in late August and a massive spamming campaign commenced on September 16 using bots in Germany. The campaign was initially focused on businesses in the United States, Germany, and United Kingdom but the campaign has now spread to Austria, Italy, Poland, Spain, and Switzerland.
After being downloaded, Emotet spreads laterally and infects as many devices as possible on the network. Email accounts on infected machines are hijacked and used to send further spam emails to all contacts in the account. Finally the malware downloader module is used to a secondary and often tertiary malware variant.
The latest campaign uses Word documents containing malicious macros, which launch PowerShell scripts that fetch the Emotet Trojan from a variety of different compromised websites, many of which are running the WordPress CMS.
The campaign uses a variety of lures including invoices, payment remittance advice, and statements, the details of which are contained in Word documents that require content to be enabled to view the document content.
Upon opening the document, the user is requested to accept the Office 365 license agreement. Failure to enable content, so the document claims, will result in Microsoft Word features being disabled.
This campaign includes personalized subject lines including the recipients name to increase the likelihood of a user taking the requested action. Genuine email thread are also hijacked to make it appear that the user has already been communicating with the sender of the email. Around a quarter of attacks use hijacked email threads. Data from Cofense indicates emails are being sent from 3,362 hijacked email accounts from 1,875 domains.
It is currently unclear whether Ryuk ransomware is being distributed in this campaign. Several researchers have confirmed that TrickBot is being downloaded as a secondary payload.
The key to blocking attacks with polymorphic malware is to implement layered defenses, including an advanced spam filtering solution, anti-virus software, and web filter. It is also important to ensure that the staff is made aware of the threat of attack and the types of email that are being used to spread the Trojan.
Google has acknowledged a vulnerability in the Google Calendar app is being exploited by cybercriminals to inject fake and malicious items into Google Calendar.
Several Google Calendar phishing campaigns were detected over the summer of 2019 which were exploiting this flaw. The campaigns saw Google Calendar spam sent to large numbers of users, including invites to events and other requests and special offers that popped up on unsuspecting users’ screens.
These notifications contained links to webpages where users could find out more information about the events and special offers. If events were accepted, they would be inserted into users’ calendars and would trigger automatic notifications. The offers and invites would keep on appearing until the users’ clicked the link. Those links directed users to phishing pages where credentials were harvested.
Some of the scams required credit card information to be entered, others required the user to login using their Office 365 credentials. Links could also direct users to webpages where drive-by malware downloads take place.
Most people are aware of the threat of phishing emails, malicious text messages, and social media posts that harvest sensitive information, but attacks on calendar services are relatively unheard of. Consequently, many users will fail to recognize these notifications and calendar items as malicious, especially when they appear in a trusted app such as Google Calendar.
Unfortunately, these attacks are possible because in the default setting, anyone can send a calendar event to a user. That event will be inserted into the user’s calendar and will automatically trigger notifications, as is the case with legitimate events.
In addition to events, messages can include special offers, notifications of cash prizes, alerts about money transfers, and all manner of other messages to entice the user to click a malicious link and disclose sensitive information or download malware.
Google Calendar is not the only calendar service that is prone to these attacks. Apple users have also been targeted, as have users of other calendar apps.
How to Block Google Calendar Phishing Attacks
Recently, a Google employee acknowledged the increase in ‘calendar spam’ and confirmed action was being taken by Google to address the problem.
In the meantime, users can prevent these spam and phishing messages from appearing by making a change to the app settings. Users should navigate to Event Settings > Automatically Add Invitations, and select the option “No, only show invitations to which I’ve responded” and uncheck the “show declined events” option in View Options.
Businesses should also consider including Google Calendar phishing scams in their security awareness training programs to ensure employees are aware that phishing attacks are not limited to email, text message, telephone calls, and social media posts.
Business email compromise scams are now the leading cause of cyberattack-related losses. Billion are being lost each year and there are no signs of the attacks abating. In fact, it has been predicted that the number of attacks and losses will continue to increase.
Around 1% of global GDP is lost to cybercrime each year and that figure is increasing rapidly. Currently, around $600 billion is lost each year to cybercrime. A FinCEN report from July 2018 shows that suspicious activity report (SAR) filings have increased from $110 million per month in 2016 to $301 million per month in 2018 and Cybersecurity Ventures predicts losses will increase to $6 trillion globally by 2021. According to the FBI, more than $1.2 billion was lost to business email compromise scams in the United States alone in 2018.
Business email compromise (BEC) scams involve the impersonation of an executive or other individual, whose compromise email account is used to send fraudulent wire transfer requests. A variation sees a business associate of the company spoofed and requests sent demanding outstanding involves be paid. The latter is now more common than attacks spoofing the CEO.
BEC attacks usually start with a spear phishing attack to obtain email account credentials. Once email credentials are compromised, the account is used to send messages to other individuals in the organization, such as employees in the payroll, HR, or finance department. Since the emails come from a trusted source within the organization and the wire transfer requests are not unusual, payment is often made.
A successful attack can see sizable wire transfers made to accounts controlled by the attackers. Payments are often for tens of thousands of dollars or, in some cases, millions of dollars. A recent attack on a subsidiary of the car manufacturer Toyota Boshoku Corporation saw a fraudulent transfer of $37 million made to the attackers.
While that incident stands out due to the scale of the loss, fraudulent transfers of millions of dollars are far from unusual. In many cases, only a small percentage of the transferred funds are recovered. Since these attacks can be extremely profitable, it is no surprise that the so many cybercriminal gangs are getting in on the act and are conducting campaigns.
A new report from the insurer AIG shows BEC attacks are now the leading reason for cybersecurity-related insurance claims, having overtaken ransomware attacks for the first time. 23% of all cyberattack-related claims are due to BEC scams.
In the most part, these BEC attacks can be prevented with basic cybersecurity measures. AIG attributes the rise in claims to poor security measures at the targeted organizations. Investigations have uncovered numerous basic cybersecurity failures such as not providing security awareness training to employees, the failure to enforce the use of strong passwords, no multi-factor authentication, and poor email security controls.
If businesses fail to implement these basic cybersecurity measures, attacks are inevitable. Cyber-insurance policies may cover some of the losses, but many SMBs will not be in a position to make a claim. For them, BEC attacks can be catastrophic.
If you run a business and are concerned about your defenses against phishing, spear phishing, and BEC attacks, contact TitanHQ to find out more about effective cybersecurity solutions that can block BEC attacks.
An innovative phishing campaign has been discovered that uses branded Microsoft Office 365 login pages to trick victims into believing they are logging into their genuine Office 365 account.
The phishing emails warn the user that a message synchronization failure has blocked the delivery of emails to the user’s account. A link is supplied with the anchor text “Read Message” which directs the user to a fake Office 365 login page where they can review the messages and decide what to do with them.
If the user clicks on the link, their email address will be checked and validated, and the user will be directed to the phishing page. What makes this campaign unique is the check allows the attackers to scrape the branded tenant Office 365 login page used by the company via HTTP GET requests. The company’s custom background and logo are added dynamically to the phishing page. If a company does not have a custom login page, the standard Office 365 background is used.
The login pages are clones of the tenant pages, so they are unlikely to be recognized as fake by users. The phishing pages are also hosted on legitimate cloud storage infrastructure. The domains include either the blob.core.windows.net or azurewebsites.net domains, which have valid Microsoft SSL certificates. The result is a highly convincing campaign that is likely to fool many employees into divulging their login credentials.
Microsoft Office 365 Users are Under Attack!
Microsoft Office 365 is the most widely adopted cloud service by user count and has more than 155 million active users. 1 in 5 U.S. employees use at least one Office 365 service and half of businesses that use cloud services use Office 365. With such high numbers it is no surprise that Office 365 users are being targeted.
What is of major concern is the number of phishing emails that are bypassing standard Office 365 phishing defenses. A study by Avanan this year showed 25% of phishing emails bypass Office 365 defenses and arrive in employees’ inboxes.
When access is gained to one email account, it can be used for lateral phishing attacks on other employees in the organization. The goal of the attackers is to compromise as many accounts as possible and, ideally, an administrator account. Compromised accounts can also be used for BEC attacks, credentials can be used to access other Office 365 resources, and email accounts can be plundered for sensitive data.
How to Protect Your Business and Block Office 365 Phishing Attacks
There are three key measures to take to improve your defenses against Office 365 phishing attacks. The most important step is to improve anti-phishing protections with a third-party anti-spam and anti-phishing solution.
SpamTitan can be implemented in minutes and will provide superior protection against phishing attacks on Office 365 accounts. The solution has been independently tested and shown to block more than 99.9% of spam emails and 100% of known malware. A sandboxing feature allows suspicious attachments to be detonated in a safe and secure environment where all actions are analyzed for malicious activity and DMARC authentication of emails provides protection from email impersonation attacks that usually bypass Office 365 filters.
No anti-phishing solution will provide total protection against phishing attacks, so it is important to ensure that employees receive security awareness training. The workforce should be taught about the risks of email attacks and how to identify phishing emails. With training, you can turn your employees into strong last line of defense.
Even the most security-conscious employee could be fooled into disclosing their Office 365 credentials by a sophisticated phishing email. It is therefore important to implement 2-factor authentication.
2-factor authentication requires a second method of authenticating users, other than a password, when they attempt to login from an unfamiliar location or new device. In the event of credentials being compromised, account access can be blocked by -factor authentication. However, 2-factor authentication is not infallible, so businesses should not rely on this measure alone to protect their Office 365 accounts.
A new CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.
When a visitor lands on the phishing page, a check is performed to determine what device is being used. If the user is on an Android device, a malicious APK file is downloaded to their device. Any other platform will receive a zip file containing malware.
A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is housed on a PHP webpage and any clicks on the images are submitted to the PHP page, which triggers the download of the malicious file. This campaign appears to be focused on mobile users.
On an Android device, the malicious APK intercepts PIN codes from two-factor authentication messages, which allow the attackers to gain access to the user’s bank account. With these PIN codes, an email account can also be compromised, which would allow further accounts to be compromised by requesting password resets.
A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.
This method of delivering malware is nothing new and has been around since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign was run in 2016.
A method of attack is adopted for a while then dropped. While it is possible to prepare the workforce for phishing attacks such as this through training, security awareness training alone is not enough as tactics frequently change, and new methods of attack are frequently developed.
As this attack shows, two-factor authentication is far from infallible. In addition to this method of obtaining 2FA codes, the SS7 protocol used to send SMS messages has flaws that can be exploited to intercept messages.
Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.
It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that incorporates Domain-based Message Authentication, Reporting & Conformance (DMARC) will help to ensure that the sender of the message is genuine, by performing checks to make sure that the sender of the message is authorized to send messages from that domain.
Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals are using sophisticated methods to evade detection by AV solutions. Files may include malicious code that is hard to detect. A sandbox is therefore required to execute suspicious attachments in a safe environment where they can be monitored for malicious activity. By testing attachments in the sandbox, malicious files can be identified and more genuine emails and attachments will arrive in inboxes.
SpamTitan incorporates these features and more. Together they help to ensure a catch rate in excess of 99.9%, with a low false positive rate of 0.03%. With SpamTitan in place, you will be well protected against phishing attacks such as the latest CAPTCHA scam.
Trial for free today
Equifax phishing scams have been detected which are attempting to take advantage of individuals who were affected by the 143-million record data breach and want to make a claim to recover their out-of-pocket expenses.
Several lawsuits have been filed against Equifax over the breach. One of those lawsuits, filed by the Federal Trade Commission, has recently been settled for $700 million. That figure includes a fund of $425 million to cover claims from victims of the breach.
Anyone who was affected by the breach is entitled to submit a claim, and with so many people affected, scammers have a more than reasonable chance of landing an email in the inbox of an individual who was affected by the breach. More than half the population of the United States had their information exposed.
In order to make a claim, victims of the breach must visit a website set up by Equifax where claims can be processed. The name of the correct domain reflects its purpose – equifaxbreachsettlement.com – which does have a hint of phishiness about it.
Cybercriminals have set up a plethora of fake sites that closely resemble the genuine website, with similarly phishy but realistic names. Those sites similarly allow victims of the breach to submit a claim.
When submitting a claim on the genuine website, the claimant must enter their contact information and make their claim. They can choose to have the payment sent on a pre-paid card or by check in the mail. At no point must a Social Security number, bank account information, or credit card information be entered.
Large-scale spam campaigns are being conducted inviting victims of the breach to submit their claim and receive their share of the settlement amount. Hyperlinks are embedded in the messages which link to fake Equifax claim webpages.
After landing on these phishing webpages, users are guided through making a claim. Contact information is requested along with other sensitive information to confirm identity. Bank account information is also requested to process direct deposit refunds.
After entering in all that information, the claim is submitted, and the user is likely to be unaware that their sensitive information has been stolen.
Any email received in relation to the Equifax data breach settlement should be treated as potentially suspicious. Anyone wanting to make a claim should visit equifaxbreachsettlement.com
Microsoft Office 365 is being adopted by businesses at a staggering rate. Office 365 is now the most widely used cloud service in terms of number of users. One in 5 corporate employees use an Office 365 cloud service and, according to Gartner, 56% of businesses using cloud services use Office 365.
Any platform that attracts such high numbers of business users is a major target for cybercriminals. Hackers are developing innovative ways of attacking businesses and bypassing Office 365 protections to get their phishing emails delivered to inboxes.
Campaigns are tested on genuine Office 365 accounts to ensure Office 365 defenses are bypassed, before targeted campaigns are conducted on business users. Microsoft’s standard Exchange Online Protection (EOP) is not sufficient to block these threats. At a minimum, users need to pay for Advanced Threat Protection (APT) to provide the level of protection required to block the types of sophisticated phishing attacks that are fast becoming the norm.
Four campaigns that have recently been identified use novel tactics to evade detection and fool end users into disclosing their login credentials.
Custom 404 Error Pages Used to Host Office 365 Phishing Forms
Microsoft researchers identified a novel tactic being used in a phishing campaign targeting office 365 users – 404 error pages to host phishing forms. 404 error pages are displayed when a website visitor attempts to visit a page that does not exist. By customizing the 404 page and using it to host a phishing form, the attackers have a virtually unlimited supply of phishing URLs to use. Any random URL would bring up the 404 page and the phishing form. Many email security solutions would not detect the link as malicious.
Voicemail Notifications Used as Lure in Office 365 Phishing Campaign
Avanan researchers recently identified a phishing campaign that uses voicemail notifications as a lure to obtain Office 365 credentials. The emails include Microsoft Office 365 logos and notification of the time of a call, the caller number, and the length of the voicemail message.
The text and logos are combined into three images in the email and an HTML file is attached which the email claims is the voicemail message. If opened, the HTML attachment uses meta refresh to redirect a user from the locally stored HTML page to an Internet-hosted page where they are presented with an Office 365 login box. Credentials are required to listen to the message through the spoofed voicemail management system.
Office 365 Admin Credentials Targeted
Office 365 credentials are valuable, but none more so than administrator credentials. A typical employee may have an email account containing sensitive data and their credentials may allow a limited number of cloud resources to be accessed. A set of administrator credentials would give an attacker the ability to create new accounts, access other users’ accounts, send messages from their email accounts, and access a much greater range of resources.
Office 365 admins are being targeted in a campaign that uses Office admin alerts about time-sensitive issues to lure them into disclosing their credentials. Two common lures are a critical problem with the mail service and the discovery of an unauthorized access incident.
Attacks Use Credentials in Real Time
A phishing campaign has been detected in which the attackers use the data captured from fake Office 365 login forms to access the genuine Office 365 account in real-time. If the login fails, a warning is displayed requesting the user re-enter their credentials. When the correct credentials have been entered, the user is redirected to their real Office 365 inbox, most likely totally unaware that their credentials have been stolen.
These are just four new tactics being used by cybercriminals to gain access to the Office 365 credentials of business users. Without advanced anti-phishing defenses in place, many of these sophisticated phishing emails will be delivered to end users’ inboxes. Security awareness training for employees will go a long way toward strengthening your last line of defense, but unless the majority of email threats are blocked, data breaches will occur.
Businesses using Office 365 need to ensure their email security defenses are up to scratch and can detect and block advanced phishing threats. That means paying for Office 365 ATP or using a third-party anti-spam and anti-phishing solution.
With SpamTitan layered over Office 365, businesses will be protected from the full range of email-based threats. Advanced phishing techniques such as those detailed above are detected and neutralized by SpamTItan.
TitanHQ’s DNS filtering solution, WebTitan, adds another layer of security to protect against phishing attacks. WebTitan blocks all known malicious web pages and scans new websites for malicious content. Threats are detected and webpages are blocked before any content can be downloaded.
For further information on securing Office 365 accounts and improving your anti-phishing defenses, contact the TitanHQ team today.
Hotels in America are being targeted by cybercriminals in a campaign spreading a remote access Trojan (RAT) called NetWiredRC. The RAT is delivered via malicious emails targeting financial staff in hotels in North America.
The campaign uses a typical lure to get recipients to open the attached file. The message claims there are invoices outstanding and the recipient is asked to validate payment. The invoices are included in a zip file attached to the email.
If the file is extracted and the executable is launched, the Trojan will be downloaded by a PowerShell script. The Trojan achieves persistence by loading itself into the startup folder and will run each time the computer boots. The malware gives the attacker full control over an infected computer. Files can be uploaded and downloaded, further malware variants can be installed, keystrokes can be logged, and credentials can be stolen.
The ultimate aim of the threat actors behind this campaign is not known, although most cyberattacks on hotels are conducted to gain access to guest databases and payment systems. If malware can be loaded onto POS systems, card details can be skimmed when guests pay for their rooms. It can be months before hotels discover their systems have been breached, by which time the card details of tens of thousands of guests may have been stolen. Hutton Hotel in Nashville, TN, discovered in 2016 that its POS system had been infected with malware for three years.
There have been several recent cases of cyberattacks on hotels resulting in guest databases being stolen and sold on darknet marketplaces. The data breach at Marriott resulted in the theft of 339 million records and Huazhu Hotels Group in China experienced a breach of 130 million records.
Data breaches can prove incredibly costly. The cost of the data breach at Marriott could well reach $200 million, but even smaller data breaches can prove costly to resolve and can cause serious damage to a hotel’s reputation.
The latest spam campaign shows just how easy it is to gain a foothold in a network that ultimately leads to a 3-year data breach or the theft of more than 300 records: The opening of an attachment by a busy employee.
Hotels can improve their defenses by implementing cybersecurity solutions that block the threats at source. SpamTitan protects businesses by securing the email system and preventing malicious messages from reaching end users’ inboxes. WebTitan is an advanced web filtering solution that allows hotels to block malware downloads and carefully control the websites that can be accessed by staff and guests.
For further information on TitanHQ’s cybersecurity solutions for hotels, contact the sale team today.