Our Internet security section covers a wide range of topics including the latest online threats such as new phishing scams, changes in exploit kit activity, and up to date information on new malware and ransomware variants and social media scams.
Here you will find articles on data breaches, together with the causes of attacks and potential mitigations to reduce the risk of similar incidents occurring at your organization. Lessons can be learned from attacks on other organizations and threat intelligence can help security teams prepare for impending cyberattacks.
This section also contains news on the latest remote code execution vulnerabilities and zero day exploits that are being used to gain access to business networks, such as the network worm attacks that were used to spread WannaCry ransomware around the globe in May 2017.
In addition to mitigations – such as news of patches and software upgrades – articles are included to help organizations improve Internet security. Employees are a weak link in security defenses and frequently download malware or engage in risky behavior that could result in a network compromise. This section includes information that can be used by organizations to reduce the risk of employees inadvertently downloading malicious software or disclosing their credentials on phishing websites, turning them from liabilities into security assets.
Security awareness for remote workers has never been more important. It is fair to say that there have never been more people working from home as there are now during the COVID-19 pandemic, and home workers are now being actively targeted by cybercriminals who see them as providing an easy way to gain access to their corporate networks to steal sensitive information, and install malware and ransomware.
Businesses may have already given their employees security awareness training to make sure they are made aware of the risks that they are likely to encounter and to teach them how to recognize threats and respond. However, working from home introduces many more risks and those risks may not have been covered in security awareness training sessions geared toward protecting office workers. It is also important to provide training regularly and to reinforce that training. This is especially important for remote workers, as risk increases when employees are working remotely.
In this post we will highlight some of the key areas that must be addressed in work from home (WFH) security awareness training for the workforce.
Increased Security Awareness for Remote Workers Required as COVID-19 Crisis Deepens
Naturally, as an email security solution provider, we strongly advocate the use of a powerful email security solution and layered technical defenses to protect against phishing, but technical controls, while effective, will not stop all threats from reaching inboxes. It is all too easy to place too much reliance on technical security solutions for securing email environments and work computers. The truth is that even with the best possible email security defenses in place, some threats will end up reaching inboxes.
The importance of providing security awareness training to the workforce and the benefits of doing so have been highlighted by several studies. One benchmarking study, conducted by the security awareness training provider KnowBe4, revealed 37.9% of employees fail phishing tests if they are not provided with security awareness and social engineering training. That figure has increased by 8.3% from the previous year. With security awareness training and phishing email simulations, the figure dropped to 14.1% after 90 days.
During the COVID-19 pandemic, the volume of phishing emails being sent has increased significantly and campaigns are being conducted targeting remote workers. The aim of the phishing campaigns is to obtain login credentials to email accounts, VPNs, and SaaS platforms and to spread malware and ransomware.
With so many employees now working from home, and the speed at which companies have had to transition from a largely office based workforce to having virtually everyone working from home may have seen security awareness training for remote workers put on the back burner. However, with the lockdown likely to be extended for several months and attacks on the rise, it is important to make sure that training is provided, and as soon as possible.
Increase in COVID-19 Domain Registrations and Rise in Web-Based Attacks
Security awareness training for remote workers also needs to cover internet security as not all threats will arrive in inboxes. CMost phishing attacks have a web-based component, and malicious websites are being set up for drive-by malware downloads. Currently, the vast majority of threats are using COVID-19 and the Novel Coronavirus as a lure to get remote workers to download malware, ransomware, or part with their login credentials.
Unsurprisingly, cybercriminals have increased web-based attacks, which are being conducted using a plethora of COVID-19 and Novel-Coronavirus themed domains. By the end of March, approximately 42,000 domains related to COVID-19 and coronavirus had been registered. An analysis by Check Point Research revealed those domains were 50% more likely to be malicious than other domains registered over the same period.
It is important to raise awareness of the risks of using corporate laptops for personal use such as browsing the Internet. Steps should also be taken to limit the websites that can be accessed by employees and, at the very least, a solution should be implemented and configured to block access to known malicious websites that are used for phishing, fraud, and malware distribution.
Shadow IT is a Major Security Risk
When employees are office based and connected to the network, identifying shadow IT – unauthorized software and hardware used by employees – is more straightforward. The problem not only becomes harder to identify when employees work from home, the risk of unauthorized software being loaded onto corporate-issued devices increases.
Software downloaded onto work computers carries a risk of a malware infection and potentially offers an easy way to attack the user’s device and the corporate network. IT teams will have little visibility into the unauthorized software on users’ devices and whether it is running the latest version and has been patched against known vulnerabilities. It is important to cover shadow IT in security awareness training for remote workers and to make it clear that no software should be installed on work devices and that personal USB devices should not be connected to corporate devices without the go-ahead being given from the IT department.
The COVID-19 pandemic has seen many workers turn to teleconferencing platforms to communicate with the office, friends, and family. One of the most popular teleconferencing platforms is Zoom. Malicious installers have been identified that install the genuine Zoom client but have been bundled with malware. Installers have been identified that also install adware, Remote Access Trojans, and Coinminers.
How TitanHQ Can Help
Several security awareness training firms have made resources available to businesses free of charge during the COVID-19 crisis to help them train the workforce, such as the SANS Institute. Take advantage of these resources and push them out to your workforce. If you are a small SMB, you may also be able to get access to free phishing simulation emails to test the workforce and reinforce training.
TitanHQ can’t help you with your cybersecurity awareness training but we can help by ensuring employees have to deal with fewer threats by protecting against email and web-based attacks.
SpamTitan is an advanced and powerful cloud-based email security solution that will protect remote workers from phishing, spear phishing, malware, virus, and ransomware attacks by blocking attacks at source and preventing the threats from reaching inboxes. SpamTitan features dual anti-virus engines to protect against known malware threats and sandboxing to block unknown (zero-day) malware threats. SpamTitan incorporate several real-time threat intelligence feeds to block current and emerging phishing attacks and machine learning technology detects and blocks previously unseen phishing threats. SpamTitan has been developed to work seamlessly with Office 365 to allow businesses to create layered defenses, augmenting Microsoft’s protections and adding advanced threat detection and blocking capabilities.
WebTitan is a DNS filtering solution that will protect all workers from web-based attacks, no matter where they access the internet. WebTitan incorporates zero-minute threat intelligence and blocks malicious domains and webpages as soon as they are identified. The solution can also be used to carefully control the types of websites that remote workers can access on their corporate-owned devices, via keyword and category-based controls. WebTitan can also be configured to block the downloading of malicious files and software installers to control shadow IT.
For more information on protecting your business during the COVID-19 crisis, to arrange a product demonstration of SpamTitan and/or WebTitan, and to register for a free trial of either solution to allow you to start instantly protecting against email and web-based threats, contact TitanHQ today!
When it comes to cybersecurity and home working, CIOs and IT teams have a challenge – How to ensure the same level of protection is provided for remote workers as they get when they are in the office. To help we have compiled a set of cybersecurity best practices for home workers to help IT teams prepare for a massive increase in telecommuting
The cybersecurity protections at home will not be nearly as good for home workers as protections in the office, which are much easier to implement and maintain. IT departments will therefore need to teach telecommuting workers cybersecurity best practices for home working and their devices will need to be configured to access applications and work resources securely. With so many workers having to telecommute, this will be a major challenge.
The coronavirus pandemic has forced businesses to rapidly expand the number of telecommuting workers and having to increase capacity in such a short space of time increases the potential for mistakes. Further, testing may not be nearly as stringent as necessary given the time pressure IT workers are under. Their teams too are likely to be depleted due to self-isolating workers.
One area where standards are likely to slip is staff training on IT. Many employees will be working from home for the first time and will have to use new methods and applications they will not be familiar with. The lack of familiarity can easily lead to mistakes being made. It is important that even though resources are limited you still teach cybersecurity best practices for home workers. Do not assume that telecommuting workers will be aware of the steps they must take to work securely away from the office.
Steps for IT Teams to Take to Improve Cybersecurity for Home Workers
Listed below are some of the key steps that IT teams need to take to improve security for employees that must now work from home.
Ensure VPNs are Provided and Updated
Telecommuting workers should not be able to access their work environment unless they use a VPN. A VPN will ensure that all traffic is encrypted, and data cannot be intercepted in transit. Enterprise-grade VPNs should be used as they are more robust and provide greater security. Ensure there are sufficient licenses for all workers, and you have sufficient bandwidth available. You must also make sure that the VPN is running the latest software version and patches are applied, even if this means some downtime to perform the updates. VPN vulnerabilities are under active attack.
Set up Firewalls for Remote Workers
You will have a firewall in place at the office and remote workers must have similar protections in place. Software firewalls should be implemented to protect remote workers’ devices. Home routers may have inbuilt firewalls. Talk employees through activating hardware firewalls if they have them on their home routers and ensure that passwords are set to prevent unauthorized individuals from connecting to their home Wi-Fi network.
Apply the Rule of Least Privilege
Remote workers introduce new risks, and with large sections of the workforce telecommuting, that risk is considerable. Remote workers are being targeted by cybercriminals and through web- and email-based attacks. In the event of a malware infection or credential theft, damage can be limited by ensuring workers only have access to resources absolutely necessary for them to perform their work duties. If possible, restrict access to sensitive systems and data.
Ensure Strong Passwords are Being Set
To protect against brute force attacks, ensure good password practices are being followed. Consider using a password manager to help employees remember their passwords. The use of complex passwords should be enforced.
Implement Multifactor Authentication
Multifactor authentication should be implemented on all applications that are accessed by remote workers. This measure will ensure that if credentials are compromised, system access is not granted unless a second factor is provided.
Ensure Remote Workers’ Devices Have Antivirus Software installed
Antivirus software must be installed on all devices that are allowed to connect to work networks and the solutions must be set to update automatically.
Set Windows Updates to Automatic
Working remotely makes it harder to monitor user devices and perform updates. Ensure that Windows updates are set to occur automatically outside of office hours. Instruct workers to leave their devices on to allow updates to take place.
Use Cloud-Based Backup Solutions
To prevent accidental data loss and to protect against ransomware attacks, all data must be backed up. By using cloud-based backups, in the event of data loss, data can be restored from the cloud-backup service.
Teach Cybersecurity Best Practices for Home Workers
All telecommuting workers must be shown how they need to access their work environment securely when working away from the office. Reinforce IT best practices with home workers, provide training on the use of VPNs, provide training on cybersecurity dos and don’ts when working remotely, and explain procedures for reporting problems.
Define Procedures for Dealing with a Security Incident
Members of the IT team are also likely to be working remotely so it is essential that everyone is aware of their role and responsibilities. In the event of a security incident, workers should have clear procedures to follow to ensure the incident is resolved quickly and efficiently.
Implement a Web Filter
A web filter will help to protect against web-based malware attacks by blocking access to malicious websites and will help to prevent malware downloads and the installation of shadow IT. Also consider applying content controls to limit employee activities on corporate-owned devices. Drive-by malware attacks have increased and the number of malicious domains registered in the past few weeks has skyrocketed.
Use Encrypted Communication Channels
When you need to communicate with telecommuting workers, ensure you have secure communications channels to use where sensitive information cannot be intercepted. Use encryption for email and secure text message communications, such as Telegram or WhatsApp.
Ensure Your Email Security Controls are Sufficient
One of the most important cybersecurity best practices for home workers is to take extra care when opening emails. Phishing and email-based malware attacks have increased significantly during the coronavirus pandemic. Ensure training is provided to help employees identify phishing emails and other email threats.
Consider augmenting email security to ensure more threats are blocked. If you use Office 365, a third-party email security solution layered on top will provide much better protection. Exchange Online Protection (EOP) is unlikely to provide the level of protection you need against phishing and zero-day malware threats. Consider an email security solutions with data loss protection functions to protect against insider threats.
Monitor for Unauthorized Access
More devices connecting to work environments makes it much easier for threat actors to hide malicious activity. Make sure monitoring is stepped up. An intrusion detection system that can identify anomalous user behavior would be a wide investment.
For further information on enhancing email security and web filtering to protect remote workers during the coronavirus pandemic, contact TitanHQ today.
The first California Consumer Privacy Act lawsuit has been filed over an alleged failure to adequately protect consumer data. The lawsuit has been filed against Hanna Andersson, a children’s clothing company, and its ecommerce platform provider, Salesforce.com.
The California Consumer Privacy Act took effect on January 1, 2020. Under Civil Code 1798.100 – 1798.199, consumers could start exercising their new rights under CCPA from the compliance date. One of those rights is being able to take legal action against companies for privacy violations, such as the theft of personal data in a data breach.
The California Consumer Privacy Act lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of a victim of a 2019 data breach. The lawsuit alleges negligence and a failure to implement reasonable safeguards to protect consumer data, and that the data breach occurred as a direct result of the alleged negligence. A claim for damages has not been stated, although the right has been reserved to seek damages and relief at a later date.
The breach in question was announced by Hanna Andersson on January 15, 2020. Hackers had gained access to its systems and downloaded malware, which allowed the attackers to steal information such as names, personal information, and payment card data. That information was subsequently listed for sale on the dark web.
The California Consumer Privacy Act allows Californians to file for damages of up to $750 per data breach, so a class action California Consumer Privacy Act lawsuit arising from a sizeable data breach could prove extremely costly for a company. In this case, the data breach affected approximately 10,000 California residents, so damages up to $7,500,000 could potentially be claimed.
Enforcement of CCPA
Enforcement of compliance by the California Attorney General has been delayed and will start 6 months after the publication of the final regulations or July 1, 2020, whichever comes sooner. Since the final regulations have yet to be published, the enforcement date will be July 1, 2020. California Attorney General Xavier Bercerra has already stated that he will make an example of businesses that fail to comply with CCPA.
It should be noted that there is nothing in CCPA that prevents the state attorney general from issuing notices of noncompliance before that date and consumers can already file lawsuits to claim damages. It is therefore essential for all entities covered by CCPA to ensure that they are honoring the new consumer rights and have implemented safeguards to protect consumer data.
How TitanHQ Can Help with CCPA Compliance
TitanHQ offers two powerful security solutions that can help covered entities ensure the data of consumers is protected and data breaches are prevented. These two cybersecurity solutions protect against the two most common attack vectors – Email and the internet.
SpamTitan is a powerful anti-spam, anti-malware, and anti-phishing solution that protects email systems from phishing and spear phishing attacks, known and zero-day malware threats, and email-based ransomware attacks.
WebTitan is a companion solution that blocks the web-based element of phishing attacks, exploit kits, and drive-by malware downloads over the internet, while also controlling the content that employees can access on wired and wireless networks.
TitanHQ can also help covered entities comply with the right to know and right to delete consumer rights afforded by CCPA through ArcTitan. ArcTitan is an email archiving solution that allows organizations to meet state and federal email data retention requirements and quickly find emails containing consumer data. If a California resident exercises their right to know what data is held on them by a company, or requests all of their personal data is deleted, that information can quickly be found in the archive. ArcTitan will also allow you to quickly find email data for eDiscovery in the event of any legal disputes.
For further information on these solutions, to schedule a product demonstration, or to arrange a free trial of the full solutions (with full customer support), give the TitanHQ team a call today.
TitanHQ has announced a new partnership with Pax8. The partnership means Pax8 partners now have access to TitanHQ’s cloud-based email security solution – SpamTitan – and its DNS filtering solution, WebTitan.
Pax8 is the leader in cloud distribution. The company simplifies the cloud buying process and empowers businesses to achieve more with the cloud. The company has been named Best in Show for two consecutive years at the Next Gen and XChange conferences and is positioned at number 60 in the 2019 Inc. 5000 list of the fastest growing companies.
Pax8 carefully selects the vendors it works with and only offers market-leading channel friendly solutions to its partners. When searching for further cybersecurity solutions for its partners, TitanHQ was determined to be the perfect fit. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers (MSPs) serving the SMB marketplace and its cybersecurity solutions are much loved by users. This was clearly shown in the 2019 G2 Crowd Report on Email Security Gateways where SpamTitan was named leader, having achieved 4- or 5-star ratings by 97% of its users, with 92% saying they would recommend the solution to other businesses.
Phishing, malware, and ransomware attacks have all increased in the past year and the cost of mitigating those attacks continues to rise. By implementing SpamTitan and WebTitan, SMBs and MSPs can secure their email environments and block web-based threats and keep their networks secure.
SpamTitan provides excellent protection for Office 365 environments. The solution detects and blocks phishing and email impersonation attacks and prevents known and zero-day malware and ransomware threats from reaching inboxes. The WebTitan Cloud DNS filtering solution blocks the web-based component of cyberattacks by preventing end users from visiting malicious websites, such as those harboring malware and phishing kits.
Both solutions are quick and easy to implement, can be seamlessly integrated into MSPs service stacks and cloud-management platforms, and Pax8 partners benefit from highly competitive and transparent pricing, centralized billing, and leading customer support.
“I am delighted to partner with the Pax8 team,” said Ronan Kavanagh, CEO, TitanHQ. “Their focus and dedication to the MSP community are completely aligned with ours at TitanHQ, and we look forward to delivering our integrated solutions to their partners and customers.”
IT professionals have long known that employees are a weak link in the security chain. Recent studies have confirmed this to be the case. Employees are poor at identifying phishing emails and other email-based threats and, to be fair on employees, many have received no training and phishing scams are becoming much more targeted and sophisticated.
The number of successful phishing attacks on businesses is difficult to determine, as many attacks go unreported, even when they result in the exposure of consumer data. In regulated industries, such as the healthcare industry in the United States, the picture is much clearer.
The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – requires healthcare organizations to report breaches of patient information. Summaries of data breaches of 500 or more records are also made public and can be seen on the Department of Health and Human Services’ Office for Civil Rights data breach portal.
In 2019 alone, there have been at least 147 incidents of hacking of email accounts. The cost of those breaches is staggering. In those 147 incidents, the hacked email accounts contained the records of 2,762,691 individuals. According to the Ponemon Institute/IBM Security 2019 Cost of a Healthcare Data Breach report, the cost per exposed healthcare record is $423. Those breaches are therefore likely to have cost $1,168,618,293.
A recent study conducted by GetApp confirmed how often employees are fooled by phishing attacks in other industries. For the study, 714 individuals were surveyed from a range of businesses in the United States. Almost a quarter of those businesses have experienced at least one successful phishing attack and 43% of employees said that someone in their organization had clicked on a phishing email.
The aim of the study was to explore whether businesses were providing security awareness training to their employees to help them identify phishing emails. Only 27% of organizations did. It is therefore no surprise that employees often fall for phishing scams.
The provision of security awareness training, with a particular focus on phishing and social engineering, is vital. Even with layered defenses, some phishing emails will arrive in inboxes, so employees need to be taught the skills they need to help them identify email threats. Employees should then be tested by conducting phishing email simulations. That allows businesses to find out if the training has been taken on board. Without training and testing, employees will remain a liability. Over time their phishing identification shills will improve.
It is worth noting that security awareness training for employees is a requirement of HIPAA, yet many employees are still fooled. Training and phishing simulations can help reduce an organization’s susceptibility to phishing attacks, but employees, being human, will still make mistakes.
The solution is layered defenses. No one cybersecurity solution will block all phishing attempts, and certainly not without also blocking many legitimate email communications. Multiple solutions are therefore required.
It is essential for advanced email security defenses to be implemented to block phishing emails and make sure phishing and malspam (spam emails containing malware) never reach inboxes. That means an advanced spam filtering solution is a must.
SpamTitan for has been independently tested and shown to block in excess of 99.9% of spam emails and 100% of emails containing known malware. SpamTitan also blocks zero-day threats using a combination of advanced detection techniques. This is achieved through heuristic analyses, blacklists, trust scores, greylisting, sandboxing, DMARC, and SPF to name just a few.
SpamTitan has also been developed to compliment Office 365 security and provide a greater level of protection against phishing and other malicious email threats. It should be noted that Microsoft’s Exchange Online Protection was recently shown to allow 25% of phishing emails through.
Should phishing emails arrive in inboxes and be opened by end users, other controls are required to prevent clicks from resulting in malware infections or the theft of credentials. Here a web filtering solution such as WebTitan is important. When a link in an email is clicked, before the webpage is displayed, the URL and the content of the webpage is checked and the user is prevented from visiting the webpage if it, or its domain, is associated with phishing or malware distribution. Malware downloads can also be blocked from websites, even those with a high trust score. Together these solutions form the backbone of your phishing defenses. Further, these two solutions are quick and easy to implement, simple to use and maintain, and they are inexpensive.
Add antivirus protection, multi-factor authentication, and end user training, and you will be well protected from phishing and email and web-based malware attacks.
For further information on improving your defenses against phishing, spear phishing, and malware, give the TitanHQ team a call today.
If you are a managed service provider, contact the TitanHQ channel team and discover why TitanHQ is the leading provider of cloud-based email and web security solutions for MSPs serving the SMB market.
Cyberattacks on managed service providers have been increasing over the past few months and they are now a key target for hackers. If a hacker can gain access to the systems of a managed service provider, their remote administration tools can be used to launch attacks on their clients.
There have been several major cyberattacks on managed services providers in the past few weeks, with nation state-backed hacking groups targeting MSPs serving enterprises and ransomware gangs are conducting attacks on MSPs serving small and medium sized businesses.
Three major cyberattacks on managed service providers serving healthcare organizations in the United States have been reported in the past two months. All three have affected more than 100 healthcare clients and one impacted 400.
In late November, the Milwaukee-based managed IT service provider, Virtual Care Provider Inc., was attacked with Ryuk ransomware. The attack started on November 17, 2019 and affected all of its clients’ data. Around 110 nursing homes and acute care facilities were prevented them from accessing their patients’ medical records. The consequences for its clients were dire. Assisted living facilities and nursing homes were prevented from billing for Medicaid, which meant essential funding was not provided and nursing homes were prevented from ordering essential drugs for patients. Virtual Care Provider was issued with a $14 million ransom demand, which the company could not afford to pay. The managed service provider had around 20% of its services affected and had to rebuild around 100 servers.
The ransomware was deployed as a secondary payload by the TrickBot Trojan. TrickBot had been installed on its network 14 months previously via a malicious email attachment.
A few weeks later, a Colorado-based managed service provider serving dental practices was attacked with ransomware. Complete Technology Solutions was infected with a ransomware variant called Sodinokibi. First the MSP was attacked, then its remote administration tools were used deploy ransomware on the networks of more than 100 dental practices. A ransom demand of $700,000 was issued, which the MSP refused to pay. Its clients are now having to pay the attackers for the keys to decrypt their files. Only a few that had backups stored off the network were able to recover without paying the ransom.
This is the second such attack to affect a company serving the dental industry. The dental record backup service provider, PerCSoft, was also attacked with Sodinokibi ransomware. That attack affected approximately 400 dental practices. CyrusOne was also attacked with Sodinokibi ransomware and its managed services division and six of its clients were affected.
It is not only ransomware that is being used in the attacks. Nation-state threat groups such as APT10 are also targeting MSPs. Their aims are different. The attacks are being conducted to gain access to the intellectual property of their enterprise customers.
As cyberattacks on managed service providers increase, MSPs must ensure that they have adequate defenses in place to keep the hackers at bay. This is an area where TitanHQ can help. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers that serve the SMB market.
TitanHQ offers a trio of solutions for MSPs under the TitanShield program. SpamTitan email security is a powerful cloud-based solution that keeps inboxes free of spam, phishing emails, and malware. SpamTitan incorporates SFP and DMARC to block email impersonation attacks, uses dual antivirus engines to detect known malware threats, and heuristics and sandboxing to identify and block zero-day threats.
WebTitan Cloud is a 100% cloud-based DNS filtering solution that works seamlessly with SpamTitan to block web-based phishing attacks and malware downloads. The solution allows you to monitor and identify malicious threats in real time, and includes AI-driven protection against active and emerging phishing URLs, including zero-minute threats.
The third solution is ArcTitan, a cloud-based email archiving solution that provides protection against data loss and helps MSPs and their clients meet their compliance obligations. ArcTitan serves as a black box flight recorder for email.
These solutions are not only an ideal for improving the security posture of MSP clients, they can help to ensure that MSP systems are protected from attack. All TitanHQ solutions are quick and easy to implement, have a low management overhead, and are API-driven so they can easily be incorporated into MSP’s remote management and monitoring systems.
To find out more about the TitanShield program for managed service providers and to discover how TitanHQ’s cybersecurity solutions can improve yours and your clients’ security posture, give the TitanHQ channel team a call today.
Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.
The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.
71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.
A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.
The Importance of Layered Phishing Defenses
To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.
With layered defenses, businesses are not replying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.
One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.
What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.
As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.
If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.
Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.
Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.
Cybercriminals are inventive and their attacks are becoming increasingly sophisticated. To help ensure you are prepared and can defend your business against these attacks, we have listed the top 10 cybersecurity threats your business is likely to face, along with some tips to help you prevent a costly data breach.
Cybercriminals are not just trying to attack large enterprises. Sure, a cyberattack on a large healthcare system or blue-chip company can be incredibly rewarding, but the defenses they have in place make attacks very difficult. SMBs on the other hand have far fewer resources to devote to cybersecurity and as a result they are easier to attack. The potential rewards may not be as great, but attacks are more likely to succeed which means a better return on effort. That is why so many SMBs are now being attacked.
There is a myriad of ways that a company can be attacked, and the tactics, techniques and procedures used by cybercriminals are constantly changing. The top 10 cybersecurity threats listed below include the main attack vectors that need to be blocked and will serve as a good starting point on which you can build a robust cybersecurity program.
Top 10 Cybersecurity Threats Faced by SMBs
We have listed the top 10 cybersecurity threats that SMBs need to defend against. All the threats listed below need to be addressed as any one of them could easily result in a costly data breach, data loss, or could cripple your business. Some of the threats listed below will be harder to address than others, and it will take time for your cybersecurity defenses to mature. The important thing is to start the ball rolling and address as many of these areas as soon as possible.
Human Error and Insider Threats
We have listed human error first, as it doesn’t matter what hardware and software solutions you implement, human error can easily undo much of your good work. Mistakes will be made by employees on occasion. What you need to do is reduce the potential for errors and limit the harm that can be caused.
Developing robust policies and procedures and providing training will help to ensure that your employees know how to act and more importantly, how not to.
Mistakes are not the only thing you need to take steps to try to prevent. There may also be individuals on your payroll who will take advantage of poor security for personal gain. You will also need to tackle the problem of insider threats and make it harder for rogue employees to cause harm and steal data. The measures listed below will help address threats from within and reduce risk.
Enforce the use of strong passwords but make it easier for your employees to remember them so they don’t try to circumvent your password policy or, heaven forbid, write their passwords down. Implement a password manager to store their passwords so they only have one password or pass phrase to remember.
Rule of Least Privilege
It is obvious, but often overlooked. Don’t give employees access to resources they do not need for their day-to-day work duties. If their credentials are compromised, this will limit the harm caused. It will also limit the harm that can be caused by rogue employees.
Block the Use of USB Devices
USB devices make it easy for rogue employees to steal data and for malware to be accidentally or deliberately be introduced. Implement technical controls to prevent USB devices from being connected, and if they are required for work purposes only give permission to certain individuals to use them. Ideally, use more secure methods of transferring or storing data.
Monitor Employee Activity
If rogue employees are stealing data, you are only likely to find out if you are monitoring their computer activity. Similarly, if credentials are compromised, system logs will highlight any suspicious activity. Make sure logs are created and monitored. Consider using a security information and event management (SIEM) solution to automate this as much as possible.
Terminate Access at Point of Termination
Terminating an employee? Terminate their access to your systems at the point of termination. It is surprising how often employee access rights are not terminated for days, weeks, or even months after an employee has left the company.
We will cover some more important safeguards to implement to protect against user error in the following 9 SMB cybersecurity threats.
Phishing and Social Engineering Attacks
Phishing is arguably the biggest cybersecurity threat faced by SMBs. Phishing is the use of social engineering techniques to persuade people to divulge sensitive information or take an action such as installing malware or ransomware. This is most commonly achieved via email, but can also occur via text messages, social media websites, or over the telephone.
Do not assume that your employees have common sense and know not to open email attachments from unknown individuals or respond to enticing offers from legal representatives of Nigerian princes. You must train your employees and teach cybersecurity best practices and show them how to identify phishing emails. Refresher training should be provided at regular intervals and you should conduct phishing simulation exercises (which can largely be automated) to find out who has taken the training on board and who is a liability that needs further training.
Employees are the last line of defense. You need a layer of security above your employees to make sure their security awareness training is never required. That means an advanced anti-spam/anti-phishing solution needs to be in place to block threats before they reach inboxes. If you use Office 365, you should still implement an antispam solution. A recent study by Avanan revealed 25% of phishing emails bypass Office 365 antispam defenses.
Another layer of protection should also be implemented to protect against phishing: Multi-factor authentication. This is the use of an additional authentication factor that will kick into action if an attempt is made to use credentials from an untrusted device or location. If credentials are compromised in a phishing attack, multi-factor authentication should stop them from being used to gain access to email accounts, computers, or network resources.
Malware and Ransomware
Malware, viruses, ransomware, spyware, Trojans, worms, botnets, and cryptocurrency miners are all serious threats that you must take steps to block. It goes without saying, but we will say it none the less, you need to have antivirus software installed on all endpoints and your servers.
Malware can be installed in many ways. As previously mentioned, blocking USB devices is important and spam filtering software with sandboxing will protect you from email-based attacks. Most malware infections now occur via the internet, so a web filtering solution is also important. This will also add an extra layer to your phishing defenses. A web filter will block drive-by malware downloads, prevent employees from visiting malicious sites (including phishing websites) and also allows you to enforce your internet usage policies. A DNS filtering solution is the best choice. All filtering takes place in the cloud before any content is downloaded and it will not add to your patching burden.
Shadow IT – The term given for any hardware or software in use that has not been authorized by your IT department. This could be a portable storage device such as a zip drive, a VPN client to bypass your web filter, an application to help with work tasks, or all manner of other software. It is surprising to find exactly how many of these programs are installed on users’ devices when IT support staff are called upon to sort out a problem!
So, what is the problem? Anything installed without authorization is a potential security and compliance risk. Your security team has no control over patching, and vulnerabilities in those applications could easily go addressed for months and give hackers an easy entry point into your network. Fake applications could be downloaded that are really malware, software packages often include a host of potentially unwanted programs and spyware, and any data stored in these applications could be transmitted to unsecure locations. Those applications and data contained therein are also unlikely to be backed up by the IT department. If anything happens, data can easily be lost.
The importance of prompt patching cannot be understated. Vulnerabilities exist in all software solutions. Sooner or later those vulnerabilities will be found, and exploits will be developed to take advantage. Security researchers are constantly looking for flaws that could potentially be exploited by threat actors to gain access to sensitive information, install malware, or remotely execute code. When these flaws are identified and patches are released, they need to be applied promptly. Oftentimes, vulnerabilities are being actively exploited by the time a patch is released. It is essential for these vulnerabilities to be addressed as soon as possible and for all software to be kept up to date.
When software or operating systems are approaching end of life, you must upgrade. When patches stop being issued and software is unsupported, any vulnerabilities will remain unaddressed and can easily be exploited.
Out of Date Hardware
Not all vulnerabilities come from out of date software. The hardware you use can also introduce risks. You must keep an inventory of all your hardware, so nothing slips through the cracks. Firmware updates should be applied as soon as it is made available and you should monitor for any devices that are approaching end of life. If your devices do not support the latest operating systems, then it is time to replace your hardware. This will naturally come at a cost, but so do cyberattacks and data breaches.
Unsecured IoT Devices
The Internet-of-Things offers convenience but IoT devices are a potential liability. IoT devices can send, store or transmit data so they must be be secured.
Unfortunately, in the hurry to connect everything to the internet device manufacturers often overlook security as do users of these devices. Take security cameras for instance. You may be able to access your cameras remotely, but you may not be the only person who can. If your security cameras are hacked, thieves could see what you have, where it is located, and where and when security is lax. There have been cases of security cameras being hacked due to the failure to change default credentials for remote management.
Ensure you change the default credentials on the devices and use strong passwords. Keep the devices up to date, and if the devices need to connect the network, make sure they are isolated from other resources. Cybercriminals can also take advantage of flaws in the applications to which these IoT devices connect. They must also be kept up to date.
Man-in-the-Middle Attacks and Public Wi-Fi
A man-in-the-middle (MITM) attack is an attack scenario where communications between two individuals (or one individual and a website or network) are intercepted and potentially altered. An employee may believe they are communicating securely, when everything they are saying or doing is being seen or recorded. An attacker could even control the conversation between two people and be communicating with each separately while both individuals believe they are communicating with each other. This method of attack most commonly occurs through unsecured Wi-Fi hotspots or evil twin hotspots – Fake Wi-Fi hotspots set up in coffee shops, airports, and any other location where free Wi-Fi is offered.
If you have remote workers, you need to take steps to ensure that all communications are kept private. This can be achieved in two main ways. By making sure employees use a secure VPN that encrypts their communications over public or unsecured Wi-Fi networks and also by implementing a DNS filtering solution. The DNS filtering solution provides the same protection for remote workers as it does for on-premises workers and will prevent malware downloads and employees from accessing malicious websites.
Mobile Security Threats
There is no denying the convenience of mobile devices (laptops, tablets, smartphones). They allow workers to be instantly contacted and lets them work from any location. Mobile devices improve employee mobility, can lead to greater employee satisfaction, and will help you to boost productivity. However, the devices also introduce new risks. Whether you supply these devices or operate a BYOD policy, you need to implement a range of security controls to ensure those risks are managed.
You need to make sure you know of every device that you allow to connect to the network. A mobile device security solution can help you gain visibility into mobile device use and allow you to control your applications and data.
You should ensure the devices have security controls applied, can only access your network via secure channels (VPN), ensure the devices are covered by a DNS filtering solution, and any work data stored on the devices needs to be encrypted.
Remote Desktop Protocol
Remote desktop protocol (RDP) allows employees remotely connect to your computers and servers when they are not in the office and lets your managed service provider quickly sort out your problems and maintain your systems without having to pay a visit. RDP also gives hackers an easy way to gain access your computers, servers, and steal data or install malware. Do you need RDP enabled? If not, disable it. Does it need to be used internally only? Make sure that RDP is not exposed to the internet.
If you do need RDP, then you need to exercise extreme caution. Make sure that users can only connect via a VPN or set firewall rules. Limit the individuals who have permissions to use RDP, ensure strong passwords are set, and that rate limiting is implemented to protect against brute force attacks. Also use multi-factor authentication.
Stolen RDP credentials are often used by hackers to gain access to systems, brute force attempts are often conducted, and vulnerabilities in RDP that have not been patched are frequently exploited. This is one of the main ways that ransomware is installed.
These are just the top 10 cybersecurity threats faced by SMBs. There are many more risks that need to be identified and mitigated to ensure you are protected. However, by addressing the above issues you will have already made it much harder for hackers and cybercriminals to do your business harm.
TitanHQ is Here to Help!
TitanHQ can assist by providing you with advanced cybersecurity solutions to protect against several of the above listed top 10 cybersecurity threats and will the two most commonly used attack vectors – email and the web-based attacks. These solutions – SpamTitan and WebTitan – are 100% cloud based, easy to implement and maintain, and will provide superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
Further, these powerful solutions are affordable for SMBs. You are likely to be surprised to find out how little these enterprise-grade security solutions will cost. If you are a managed service provider that services the SMB market, you should also get in touch. SpamTitan and WebTitan have been developed by MSPs for MSPs. There is a host of reasons why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs that service the SMB market!
Contact our friendly (and non-pushy) sales team today to find out more, book a product demo, and register for a free trial.
Q3, 2019 has seen TitanHQ register record-breaking growth in the MSP market with its busiest ever quarter for MSP sales. TitanHQ now has more than 2,200 MSP partners and its cloud-based email security, web security, and email archiving platforms are now used by more than 8,200 businesses around the world.
Many great success stories start from humble beginnings, and TitanHQ is no exception. The company started life as Copperfasten Technologies in 1999 and sold anti-spam appliances to local businesses from its Galway, Ireland base. The company then developed its own cybersecurity solutions, starting with the anti-spam and anti-phishing solution, SpamTitan.
The product portfolio grew to include WebTitan web filtering, a powerful DNS-based web security solution to protect businesses from the full range of internet threats. That was followed by the launch of ArcTitan, a cloud-based email archiving solution for businesses that eases their email storage and compliance burden.
That trio of core TitanHQ products has proven to be a massive hit with managed service providers, although not by accident. Many companies have developed innovative solutions for SMBs but have only realized the importance of the MSP market later on. Additional features are then added to appeal to MSPs. TitanHQ took a different approach. Its solutions were developed by MSPs for MSPs and MSPs were considered at every stage of product development. The result is a suite of security solutions tailor-made for MSPs.
This approach, along with cutting-edge technology and industry-leading customer support, has seen the company go from strength to strength and become the gold standard in email and web security and the leading global provider of cloud-based security solutions for MSPs servicing the SMB market.
Phishing attacks on businesses are soaring, new malware variants are being released at record levels, and the current ransomware epidemic is threatening to derail businesses. Many SMBs lack the internal resources to block these threats and turn to MSPs to provide the security they need.
To cope with the increased demand, MSPs need solutions with 100% cloud-based architecture that seamlessly integrate into their existing centralized management systems and are easy to implement, use, and maintain. Ideally, those solutions need to be flexible, have a range of hosting options, be available in white-label form to take MSP branding, and also include generous margins. That is a big ask, and many solutions only tick a few of those boxes. However, TitanHQ’s suite of solutions include all those features and more.
TitanHQ also offers extensive sales enablement and marketing support, world-class customer service, and each MSP has a dedicated account manager, engineers, and a support team to help them maximize their sales opportunities and really grow their businesses.
As part of the celebration of the Q3, 2019 MSP growth, TitanHQ has launched a new initiative to ensure Q4 will be an even bigger success.
On October 22, TitanHQ announced a new disruptive price package for a SpamTitan Email Security and WebTitan DNS filtering bundle at an exclusive once-in-a-lifetime price. The initiative has been called Margin Maker for MSPs and is intended to ensure MSPs build profitability instantly in Q4, 2019.
The two solutions are provided in two private clouds, customized to meet MSPs email and web security needs, and secure the most common attack vectors – email and the web. The package includes advanced protection for email, including Office 365 environments, complimented by WebTitan DNS filtering to block web-based threats and implement content control for on-premises and remote workers. These solutions are naturally provided with extensive sales enablement and marketing support.
The aim is to make TitanHQ’s email and web security platforms even more appealing to MSPs and to encourage MSPs to offer both SpamTitan email security and WebTitan web filtering to their clients and maximize revenues.
One MSP that is already boosting its profits and achieving increased, reliable recurring monthly revenues is UK-based OpalIT. The MSP has bases in Newcastle and Edinburgh and a 6,000+ customer base. Prior to joining the TitanShield program, OpalIT was offering its clients firewall filtering and email filtering with Barracuda and Vade. The company has now switched to TitanHQ’s cybersecurity bundle and is pushing SpamTitan Email Security, WebTitan DNS filtering, and ArcTitan email archiving to its clients and is reaping the rewards.
“Opal IT moved to TitanHQ because of our MSP focused solutions, ease of deployments, extensive APIs functionality and the increased margin they’re now making. Our cybersecurity bundle solutions allow MSPs to provide their downstream customers with a layered defense approach” said Rocco Donnino, EVP Strategic Alliances, TitanHQ.
If you are a managed service provider, now is the perfect time to sign up with TitanHQ. Come and meet the TitanHQ channel team at the following MSP events to find out more about the TitanShield program for MSPs, OEMs, and service providers, and take advantage of the amazing new MSP package.
If you are unable to attend any of these events, be sure to give the TitanHQ team a call to find out more and take advantage of this exciting new and exclusive offer.
IT Nation Connect 2019, the ConnectWise conference for the IT professional community, will be taking place on October 30, 31, and November 1 at the Hyatt Regency in Orlando, Florida.
The event is the leading conference for companies that sell, support, and service technology and is focused on helping attendees build a strong business and achieve long-term success. Attendees will gain practical advice from experts in the IT Nation community and will have the opportunity to build meaningful business connections and learn how to work on their businesses.
This year’s topics for the session tracks are mergers & acquisitions, growth & scalability, talent development & leadership, service delivery & customer success, sales & marketing, and security.
Security is a key focus of IT Nation Connect 2019. The event will provide opportunities to discover how security frameworks and IT solutions can help you bulletproof your business and protect your clients’ networks from cyberattacks. Attendees will also gain deep insights into the current state of security in the MSP space.
Leading security experts will be discussing the steps that the government is taking to combat cyber threats, the lessons the government and private firms have learned, and how security experts see the threat landscape evolving over the coming year.
Founders and CEOs of the most successful MSPs and IT firms will explain what it is like to be a trailblazer, how they achieved their successes, the mistakes they made on the way, and what the future holds for the IT Nation community.
More than 80 thought leaders, ConnectWise partners, and ConnectWise colleagues will taking over 130 educational, networking and panel sessions and will be sharing success stories, best practices, and the lessons they have learned to help attendees succeed and grow their businesses.
The conference offers an exceptional opportunity for learning, networking, and discovering technology solutions that can save you time, money, and boost the profitability of your business. Such an important event for the IT community is not to be missed.
TitanHQ will be attending the event to explain why TitanHQ is the global leader in cloud-based email and web security solutions for MSPs servicing the SMB market, the advantages of doing business with TitanHQ, and how TitanHQ solutions can help you better protect your environment and those of your clients from increasingly sophisticated cyber threats.
TitanHQ Marketing Director Dryden Geary, Sales Director Conor Madden, and Inside Sales Executive Peter Cooke will explain the benefits of the TitanShield program for MSPs, OEMs, technology partners, and Wi-Fi providers and show you just how easy it is to incorporate SpamTitan email security, WebTitan DNS filtering, and ArcTitan email archiving into your security stacks.
If you are attending the event, be sure to make time to meet with TitanHQ and feel free to reach out in advance of the event if you have any questions.
The 2019 Canalys Cybersecurity Forum will be taking place in Barcelona on October 16-17, 2019. The event is the only independent conference dedicated to the cybersecurity channel and is one of the most important events of the year for managed service providers (MSPs).
The event provides an incredible opportunity for MSPs looking to enhance their security stacks, provide greater value, and better protect their clients from increasingly sophisticated security threats. Attendees will have the opportunity to have 1:1 meetings with more than 700 established and new partners and discover best practices to adopt to get the most out of their cybersecurity solutions.
The event is also a must for MSPs who have yet to start offering managed security services as it will allow them to form new partnerships with Europe’s best cybersecurity solution partners who will help them grow their businesses significantly over the coming year.
Leading cybersecurity vendors will be taking thought-crunching sessions and sharing their knowledge to help partners succeed. Attendees will be able to engage in intense debates and interact with some of the brightest minds in the field of cybersecurity. Questions can be posed in multi-vendor theatre panels to get the answers from the leading cybersecurity solution providers in the EMEA region.
Highlights of this year’s event include panels, theatre and keynotes exploring the re-imaging of the idea of solutions, generalist vs. specialist in the cybersecurity channel, the next catalyst that will drive security sales, and how the role of the CSO is evolving in the hybrid IT world.
Canalys analysts will also be providing keynote speeches and sharing their insights into the current threat landscape and some of the burning issues of the moment. The event will also see Canalys name the new Threat Fighter and MSSP winners in the Canalys Channel Partner Awards.
TitanHQ Sales Director, Conor Madden
The event provides an amazing opportunity for networking with more than 200 channel partner delegates in attendance. New alliances can be formed and along with the knowledge gained, attendees will be able to make important decisions that will have a major positive impact on growth for the coming year.
TitanHQ is a proud sponsor of the 2019 Canalys Cybersecurity Forum and the team will be on hand to answer questions and explain why TitanHQ is the global leader in cloud-based email and web security solutions for the MSP that services the SMB market.
TitanHQ Strategic Alliance Manager, Marc Ludden
At the event you will be able to discover the considerable benefits of using SpamTItan email security, WebTitan DNS filtering, and ArcTitan email archiving to solve your clients security issues, better protect them from cybersecurity threats, and help them achieve their compliance objectives… and how easy TitanHQ makes this for MSPs.
TitanHQ Sales Director Conor Madden will be a panelist at the event and will be answering questions from attendees on email security, web security, email archiving and how to get the most out of TitanHQ’s cybersecurity solutions for MSPS and SMBs.
Marc Ludden, TitanHQ’s Strategic Alliance Manager, will also be attending and meeting with enterprise-level clients and major MSPs and ISPs to help them push TitanHQ products downstream to their customers, grow their businesses, and improve their bottom lines.
You can find out more about this one in a year opportunity here – Canalys Cybersecurity Forum 2019 – and feel free to reach out to TitanHQ in advance of the event.
If you are unable to attend this year’s Canalys event, TitanHQ will be on the road throughout October and November. Be sure to connect at one of the other fall 2019 events below:
If you are looking for a Cisco Umbrella alternative you are certainly not alone. TitanHQ has helped hundreds of businesses change from Cisco Umbrella to WebTitan Cloud. In most cases, the main reason why businesses seek a Cisco Umbrella alternative is to save money.
The cost of Cisco Umbrella is hard to justify for many SMBs and managed service providers (MSPs). The cost per user is considerably higher than many other solutions on the market. In fact, you may be surprised at just how much money can be saved by changing your web filter provider.
How Much Does Cisco Umbrella Cost?
For a business with 100 users, the cost of Cisco Umbrella in 2019 is $2.20 per user, per month. That is certainly a reasonable price given the level of protection provided by Cisco Umbrella, but there are Cisco Umbrella alternatives that are available for a fraction of the cost that provide an equivalent level of protection against web-based threats and allow careful control of the types of content that can be accessed by end users.
If you have 100 users, you will be spending $220 a month on Cisco Umbrella, which is $2,640 per year. The Cisco Umbrella price is reasonable if you compare it to the cost of a malware infection, ransomware attack, data breach, or phishing attack, but it is possible to have the same level of protection at a third of that price if you change from Cisco Umbrella to WebTitan Cloud.
How much can be saved by switching from Cisco Umbrella to WebTitan Cloud? The cost of WebTitan Cloud is $0.90 per user, per month. That adds up to a monthly cost of $90, which is $1,080 per year. Just making this simple change will save your business $1,560 per year!
An Ideal Cisco Umbrella Alternative
Cost is not the only consideration when looking for a Cisco Umbrella alternative. If you are changing solution provider you will need to make sure that the new product has all the features you need. Since WebTitan Cloud and Cisco Umbrella are built around the same core principles, in many respects the solutions are equivalent, but there are several features of WebTitan Cloud that are not available with Cisco Umbrella and some important benefits for SMBs and MSPs.
TitanHQ has a perfectly transparent pricing policy. You pay one price and you get all the features of the solution. There are no optional extras that bump up the cost and no premium packages to give you extra protection. Every user receives the same high level of protection. TitanHQ is also happy to negotiate with businesses and MSPs and enters into commercial arrangements that suit all parties.
One of the features of WebTitan Cloud that is particularly attractive to MSPs is the ability to host the solution locally within their own environment. Most businesses will choose to host WebTitan Cloud with TitanHQ, but the option is available if this suits you better. You can also be supplied with WebTitan Cloud in white label form. TitanHQ branding can be removed from the solution to allow you to add your own branding if you so wish.
There may be times when you need to bypass filtering controls. To make this as easy as possible, we developed cloud keys. These can be used to bypass some or all of your filtering controls rather than having to change policies for a user and change back again when a particular task has been performed. Cloud keys can be set to expire after a certain number of uses or after a certain period of time.
We have developed WebTitan Cloud to be easy to configure, use, and maintain, but there will naturally be times when things don’t go according to plan. In the event of a problem, all users benefit from world class support. Our skilled engineers and customer service staff are on hand to get you back on track quickly and painlessly. That applies to all users, even those on the free product trial. Support is not an optional extra that will cost you more money.
WebTitan Cloud Benefits for MSPs
How do Users Rate WebTitan vs Cisco Umbrella
Not all web filtering solutions provide the same level of protection and many fail to live up to expectations one they are installed. In the case of WebTitan Cloud, not only can you save a considerable amount of money, our DNS filtering solution is easy to set up, use and maintain. Plus, if you ever experience any problems or need help, you benefit from industry-leading customer service.
Naturally we will sing the praises of WebTitan Cloud as we are trying to sell our product, but most users of WebTitan agree with us and love using the product. This can be seen on review sites such as G2 Crowd.
G2 Crowd is an independent business software review site that is trusted by business leaders to provide information on the best software solutions on the market. The site has more than 650,000 user reviews from verified users and gives you insights into products to let you know if they perform as well as vendors say they do.
Web filtering solutions are rated on whether they meet requirements, ease of use, ease of setup, ease of admin, quality of support, and ease of doing business with the company. WebTitan Cloud consistently ranks higher than Cisco Umbrella in all 6 categories.
If you have any questions about WebTitan Cloud, would like information on how you can switch from Cisco Umbrella, would like a product demonstration or to sign up for the free trial, give us a call today and we will be happy to help. The sooner you get in touch, the sooner you can start saving money on web filtering!
The cost of a ransomware attack can be considerable. Several attacks in the United States have seen payments of hundreds of thousands of dollars made for the keys to unlock the encryption. While those payments are certainly high, they are a fraction of the total cost of a ransomware attack which are usually several times the cost of any ransom payment.
Recovery without paying a ransom can be considerably more. The ransomware attack on the city of Baltimore saw a ransom demand of around $76,000 issued. Baltimore refused to pay. The attack is estimated to have cost the city at least $18.2 million.
The cost of that ransomware attack is high, but nowhere the cost of a suspected September 2019 ransomware attack on the Danish hearing aid manufacturer Demant. The firm experienced the attack on or around September 3, 2019. One month on and the firm still hasn’t recovered. In a recent message to its investors, the firm said the cyberattack would cost an estimated $80 million to $95 million, even though the company held a cyber insurance policy. Without that policy the bill would have been $14.6 million higher.
According to a notice on the firm’s website, it experienced “a critical incident” when its “IT infrastructure was hit by cyber-crime.” Ransomware was not mentioned by the firm although it has been reported as a ransomware attack by the Danish media.
The attack impacted its Polish production and distribution facilities, French cochlear implants production sites, Mexican production and service sites, its amplifier production site in Denmark, its entire Asia-Pacific network, and its enterprise resource planning (ERP) system.
The firm is recovering its IT infrastructure and believes it will take a further two weeks for systems to be restored and business operations to approach normality. However, the effects of the attack are expected to be long-lasting.
The inability to access its systems across all these areas has caused major disruption to the company. The firm has been unable to supply its products, receive and process orders, and clinics in its network have had difficulty servicing end users.
Due to the limited information released it is unclear whether the company refused to pay a ransom, if the attackers could not supply valid keys to unlock the encryption, of if this was a sabotage attack akin to the NotPetya wiper malware attacks of 2017.
If this was a ransomware attack, the losses far exceed those of the Norwegian aluminum and energy company Norsk Hydro, whose ransomware attack cost the firm around $70 million, although it is a fraction of the cost of the NotPetya attacks on the shipping firm Maersk and FedEx, both of which caused losses of around $300 million.
These incidents all demonstrate just how damaging cyberattacks can be and the massive costs of recovery. As is typical, the cost of recovering its IT systems accounted for a small proportion of the total cost – around $7.3 million. The bulk of the losses were due to lost sales and the inability to process orders, which the company says make up around half of the estimated losses.
In a press release, the firm said in addition to the lost sales, “the incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market.”
Malware, ransomware and wiper malware are most commonly delivered via a small number of attack vectors. All too often they start with a phishing email, exploitation of RDP, drive-by malware download, or the exploitation of unpatched vulnerabilities. The cost of preventative measures to block these attack vectors is pocket change by comparison to the cost of recovery from an attack.
TitanHQ cannot help businesses with securing RDP and patching promptly, but we can help businesses secure the email system and protect against drive-by malware downloads and other web-based attacks.
To find out more about how you can improve security against email- and web-based attacks, from a cost of as little as 90 cents per user per month, give our sales team a call.
The sales team will be happy to explain the ins and outs of our web and email security solutions, schedule product demonstrations, and help set you up for a free trial of our SpamTitan email security and WebTitan web security solutions and greatly improve your defenses against phishing, ransomware, malware, and wiper attacks.
The dangers of ransomware attacks have been made abundantly clear to more than 5,000 patients in California whose medical records have been permanently lost as a result of a ransomware attack on their healthcare provider.
Simi Valley, CA-based Wood Ranch Medical experienced the attack on August 10, 2019 which saw ransomware deployed and executed on its servers which contained the medical records of 5,835 patients. The attack caused permanent damage to computer systems, and since backup copies of patient records were also encrypted, those records have been permanently lost. It is unclear how much the attackers demanded as payment for the keys and whether those keys would have worked had the ransom been paid.
Without patient records and faced with the prospect of having to totally rebuild the medical practice from scratch, the decision was taken to permanently close the business. Patients have been forced to find alternative healthcare providers and no longer have access to their medical records.
This is the second healthcare provider in the United States that has been forced out of business due to a ransomware attack. Brookside ENT and Hearing Center in Battle Creek, Michigan also closed its practice this year as a result of a ransomware attack. In that case, the practice owners refused to pay the ransom demand and patient records were permanently encrypted. The practice owners decided it was not possible to rebuild the practice from scratch and announced their early retirement.
It is unclear exactly how the ransomware was installed in each of these incidents, so it is not possible to determine what defenses could have been improved to prevent the attacks. However, in both cases, recovery of files from backups was not possible.
The purpose of a backup is to ensure that in the event of disaster, data will be recoverable. File recovery may be time consuming and downtime due to the attack likely to be expensive, but data will not be permanently lost.
In order to ensure file recovery is possible, backups must be tested. Files may be corrupted during the backup process and data restoration may not be possible. If backups are not tested to make sure files can be recovered, it will not be possible to guarantee file recovery in the event of disaster.
These incidents also highlight another fundamental rule of backing up. NEVER store the only copy of a backup on a networked or internet-connected computer.
In the event of ransomware attack, it is highly likely that backup copies on networked devices will be encrypted along with shadow volume copies. Ransomware encrypts these files to make sure the only way of recovering data is paying the ransom.
Even paying a ransom comes with no guarantee that data will be recoverable. Files may be corrupted through the encryption/decryption process – some data loss is inevitable – and the attackers may not be able to supply valid keys to decrypt files.
A good backup approach to adopt to prevent disasters such as these is a 3-2-1 strategy. 3 backups should be created, which should be stored on 2 different media, with 1 copy stored securely off site on a device that is not networked or connected to the internet.
This fall, TitanHQ will be attending several Managed Service Provider (MSP) events and trade shows throughout Europe and the United States.
TitanHQ has been developing innovative cybersecurity solutions for MSPs for more than two decades and all solutions have been created with MSPs firmly in mind. By involving MSPs in the design process, TitanHQ has been able to ensure that its products incorporate features to make life easier for MSPs, such as easy integration into MSPs management systems through the use of APIs to features rarely found in cybersecurity products – such as full white label versions ready for MSP branding and the ability to host the solutions within MSPs own environments.
Trade shows give the TitanHQ team the opportunity to meet face to face with prospective clients to discuss their email and web security needs and get face to face feedback from current customers that have already integrated TitanHQ products into their technology stacks.
The TitanHQ team kicked off the fall schedule of trade shows on September 12 at the Taylor Business Group BIG 2019 Conference at the Westin Hotel in Chicago, where members got to meet the TitanHQ team to discuss the new TitanShield program and discover how TitanHQ products can improve security for their clients while saving MSPs time and money.
At the same time, TitanHQ was at the CloudSec Europe 2019 Conference in London demonstrating WebTitan Cloud, SpamTitan Cloud, and ArcTitan to MSPs and cloud service providers.
If you were unable to attend either of these two events or did not get the chance to meet with the team, all is not lost. The fall schedule has only just commenced and there are still plenty of opportunities to meet the team to discuss your requirements and find out how TitanHQ products can meet and exceed your expectations.
Trade Events Attended by TitanHQ – Autumn, 2019
September 17, 2019
September 18, 2019
October 6-10, 2019
October 7-8, 2019
CompTIA EMEA Show
October 16-17, 2019
Canalys Cybersecurity Forum
October 21-23, 2019
October 30, 2019
MSH Summit North
October 30, 2019
IT Nation Evolve (HTG 4)
October 30, 2019
IT Nation Connect
November 5-7, 2019
If you plan on attending any of the above events this fall, be sure to come and visit the TitanHQ team and feel free to reach out ahead of the events for further information.
Rocco Donnino, Executive Vice President-Strategic Alliances, LinkedIn
Eddie Monaghan, MSP Alliance Manager, LinkedIn
Marc Ludden, MSP Alliance Manager, LinkedIn
Dryden Geary, Marketing Director
TitanHQ has announced it has entered not a new partnership with one of the United Kingdom’s leading Managed Service Providers (MSPs), OneStopIT.
For more than 16 years, OneStopIT has been helping small to medium sized businesses (SMBs) implement enterprise-class technology solutions. The Edinburgh-based MSP is focused on providing process-driven IT solutions to growing organizations at an affordable price.
Through the company’s dealing with UK businesses it has become clear that one of the biggest problem areas is phishing. Phishing attacks on UK businesses are now occurring at record pace and those attacks are costing businesses dearly.
UK businesses need advanced, enterprise-level cybersecurity solutions, but at an affordable SMB-friendly price. To improve protection against phishing and malware attacks, OneStopIT turned to TitanHQ.
TitanHQ has developed powerful cloud-based solutions for the SMB marketplace that incorporate enterprise-grade security features, but at a price that is affordable for even the smallest business. These solutions have been developed to be delivered by MSPs and can be easily incorporated into MSP auto-provisioning, billing, and management systems.
Under the new partnership, OneStopIT will be offering its customers SpamTItan-powered advanced email security and anti-phishing protection, WebTitan-powered DNS-based web filtering, and an ArcTitan-powered email archiving service.
All three solutions have been seamlessly integrated into OneStopIT’s security stack and are now being used to better protect its customers from today’s advanced and sophisticated cyber threats.
“ The proliferation of phishing threats across Office 365 is a real problem for SME’s in the UK and we’re partnering with a key vendor in this space to protect our customers and also give them the OneStopIT premium service they are used to,” said Ally Hollins-Kirk, CEO of OneStopIT.
Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.
The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.
A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.
If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.
The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants and a module also been developed for propagation which includes the EternalBlue exploit.
Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.
This is a professional campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.
Office 365 Admins Targeted
A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.
Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.
The emails contain a link for the admin to use to login to their Office 365 account to address the problem. The user will be directed to a webpage on the windows.net domain which has a valid certificate from Microsoft. The Microsoft login box is identical to that used on the Microsoft site.
Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.
Admin credentials are highly valuable as they allow an attacker to create new office 365 accounts, access other user’s mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common due to the high value of the accounts and the range of attacks they allow a hacker to perform.
There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.
However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.
WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.
Contact TitanHQ today to find out more about SpamTitan and WebTitan for SMBs and MSPs, the different deployment options, pricing information, and to book a product demonstration.
You may have heard of ransomware-as-a-service – where ransomware is rented for a cut of the profits generated – but now there are a growing number of hackers offering phishing-as-a-service.
Ransomware-as-a-service proved popular as it allowed people without the skill set to create their own ransomware to conduct attacks and take a share of the profits. Conducting phishing attacks is easier. It requires no knowledge of malware or ransomware. All that is required is a hosted web page that mimics a brand you want to target, a phishing kit, and an email account to send phishing emails far and wide.
There is still entry barrier to cross before it is possible to conduct phishing attacks. Phishing requires some knowledge and skill as a spoofed phishing web page must be created and emails crafted that will attract a click. The web page will also need to be hosted somewhere so a compromised domain will therefore be required.
Phishing-as-a-service provides all of that. To get started, you purchase one of several phishing templates based on what you are targeting – Office 365, SharePoint, OneDrive, Google, or DocuSign credentials for example. The phishing pages are sold complete with phishing kits loaded and one month’s hosting.
One group offering phishing-as-a-service guarantees the phishing page will be hosted for one month and includes a three-link backup. If one URL fails or is reported as a phishing website, a further two links can be provided on request followed by a further three after that.
Phishing-as-a-service takes all the time-consuming work out of starting a phishing campaign and allows phishing campaigns to be conducted by individuals with next to no specific skills. Once payment is made for the web page, all that is required is the ability to conduct a spam campaign. The service also comes with the option of purchasing lists of email addresses for the country of choice. All that is required to conduct a phishing campaign is payment ($30+) for phishing-as-a-service and a convincing phishing email.
With the entry barrier being substantially lowered, phishing attacks are likely to become much more frequent. It is therefore essential for businesses of all sizes to take steps to improve protections and reduce susceptibility to phishing attacks.
If you are defending against any attack it pays to know your enemy. It is therefore essential for all employees with an email account to be provided with security awareness training and be taught how to recognize a phishing attack.
It is also important to implement cybersecurity solutions that help to ensure your last line of defense will not be tested. You should have an advanced anti-spam solution in place to block the vast majority of phishing threats. If you use Office 365 for your business email, a third-party anti-spam solution will provide a greater level of protection.
An additional protection against phishing attacks that is often overlooked is a DNS filter or web filter. A web filter gives organizations control over what their employees can do online and which websites they can visit. Any website that has been reported as malicious is automatically blocked using blacklists and webpages are scanned in real-time and blocked if malicious. If a phishing email reaches an inbox and attracts a click, the attempt to access the phishing website can be blocked.
If you want to improve your email and web security posture or you are looking for better value cybersecurity solutions, TitanHQ can help. Contact TitanHQ today to discuss your email and web security requirements and you will be advised on the best solutions to meet your needs.
TitanHQ offers a free trial on all products and is happy to arrange product demonstrations on request.
The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.
DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions area easy to implement and maintain and can be integrated into MSP’s existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.
Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.
If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new, Datto Select Avendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the epic problems faced by MSPs today.
Additional Benefits at DattoCon19
New TitanHQ customers benefit from special show pricing.
A daily raffle for a free bottle of vintage Irish whiskey.
Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23
The global user review website, G2, is the go-to place to find reviews of business software and services. Unlike many other review websites, G2 gives users of the software and services the opportunity to provide their feedback on how the products perform. Millions of businesses use the website to make smarter buying decisions and select the best products and services to meet their needs.
This year, for the first time, G2 has launched a new Best Software Companies in EMEA list. To produce the list, G2 used the reviews of more than 66,000 users of the products of more than 900 companies. To be selected as one of the best companies is only possible if users of products and services have given their endorsement.
“G2’s ever-expanding breadth and depth of product, review, and traffic coverage provide over 5 million data points to help buyers navigate the complex world of digital transformation”, said G2 CEO Godard Abel. “In our Best Software Companies in EMEA list, we leverage this data to identify the companies our users tell us are best helping them reach their potential”.
TitanHQ has developed a suite of advanced cybersecurity solutions to keep businesses protected from email and web-based threats and help MSPs serving that market effortlessly provide managed cybersecurity services to their clients.
“TitanHQ earned its place on the list thanks to the value our customers place on the uncompromised security and real-time threat detection we provide,” said Ronan Kavanagh, CEO, TitanHQ. “The overwhelmingly positive feedback from on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
The use of ransomware to attack businesses continued to decline throughout 2018 after extensive use of the file-encrypting malware by cybercriminals in 2016 and 2017. In 2018, ransomware fell out of favor with cybercriminals, who turned to other forms of cybercrime to make money.
However, ransomware is seeing something of a resurgence in 2019. The latest Breach Insights Report from Beazley Breach Response Services shows ransomware attacks are increasing once again. In the first quarter of 2019, ransomware attack notifications from its clients increased by 105% from Q1, 2018. Ransom demands are also increasing.
The rise in attacks has continued in Q2. Attacks using MegaCortex ransomware surged in late April. The ransomware variant was first identified in January and was only used in a handful of attacks in the following three months, but in the last week in April, 47 confirmed attacks were reported.
Dharma ransomware attacks have similarly increased. According to Malwarebytes, the past two months have seen a 148% increase in attacks. The threat actors behind Dharma ransomware are now using a variety of methods to distribute their ransomware payload.
The most common method of distribution is phishing emails. Emails contain embedded hyperlinks that direct users to a malicious website where the ransomware payload is downloaded. Email attachments containing malicious scripts are also used to download the ransomware payload.
Attacks are also taking place via remote desktop protocol over TCP port 3389. Brute force attacks are conducted to gain access to a device then ransomware is deployed. Dharma ransomware has also been identified in fake antivirus software programs which are pushed via a variety of websites. Users are tricked into downloading fake AV software after receiving a fake alert about a malware infection that has been detected on the user’s device.
Ransomware has also been used in conjunction with other malware such as Emotet. Emotet was once a banking Trojan but has since morphed into a botnet, capable of stealing login credentials, propagating itself via email on an infected device, and is capable of downloading other malware payloads. Emotet has been used to distribute Ryuk ransomware.
There have been upticks in attacks using other ransomware variants and the popularity of ransomware continues to grow, with some industries targeted more than others. Healthcare organizations are an attractive target as access to patient data is critical for providing medical services. There is a higher probability of ransom demands being paid due to reliance on patient data.
A recent report from Recorded Future has confirmed that attacks on towns, cities, and local government systems are soaring. Its study confirmed that there were 169 attacks on county, city, or state government systems and police and sheriffs’ offices since 2013. There were 38 ransomware attacks in 2017, 53 in 2018, and 22 attacks have already occurred in 2019 and the year is not yet halfway through.
Akron, OH; Albany, NY; Jackson County and Cartersville, GA; and Lynn, MA, have all been attacked this year and the city of Baltimore, MA, has been struggling to recover from its attack for the past two weeks with many city services still disrupted.
The rise in attacks is understandable. The potential rewards from a successful attack are high, many victims have no alternative but to pay, and thanks to ransomware-as-a-service, attacks are easy to pull off and require little in the way of skill.
As long as the attacks continue to be profitable, they will continue. What businesses need to do is to make it much harder for the attacks to succeed and to ensure that if disaster does strike, recovery is possible without having to pay a ransom.
Recovery depends on viable backups of all critical files being available. That means regular backups must be made, those backups need to be tested to make sure files can be restored, and copies need to be stored securely where they cannot also be encrypted.
Remote Desktop Protocol is a weak point that is commonly exploited. If RDP is not required, it should be disabled. If disabling RDP is not an option, strong, complex passwords should be used and access should only be possible using a VPN.
To block web-based attacks, consider implementing a web filtering solution such as WebTitan which prevents users from visiting known malicious websites and downloading executable files types.
One of the primary methods of delivering ransomware is spam and phishing emails. An advanced spam filtering solution should be implemented to block malicious emails and ensure they are not delivered to end users’ inboxes. SpamTitan now incorporates a sandbox, which allows suspicious files to be executed in a secure environment where activities of the files can be safely analyzed for malicious actions. SpamTitan also scans outgoing mail for signs of infection with Emotet.
While these technical controls are important, you should not forget end users. By providing security awareness training and teaching end users how to recognize potential threats, they can be turned into a strong last line of defense.
Fortunately, with layered defenses you can make it much harder for ransomware attacks to succeed and can avoid becoming yet another ransomware statistic.
TitanHQ, the leading provider of spam filtering, web filtering, and email archiving solutions to SMBs and managed service providers (MSPs) has announced a new partner program has been launched: TitanShield.
The aim of the TitanShield Partner Program is to provide MSPs, cloud distributors, OEM partners, Wi-Fi providers, and Technology Alliance partners with all the tools and support they need to start offering TitanHQ solutions to their clients and to provide continued support.
The launch of the new program coincides with TitanHQ’s 20-year anniversary. For the past two decades, TitanHQ has been developing innovative cybersecurity solutions for SMBs and MSPs that serve the SMB market. The company started by developing anti-spam technologies for businesses in Ireland and has since grown into an award-winning global provider of cybersecurity solutions.
Over the course of the past year, TitanHQ has been working closely with partners to make it as easy as possible for them to sell, onboard, deliver, and managed advanced network security solutions directly to their client base. In fact, in the past 9 months, as a result of those efforts, TitanHQ has increased its partner base by 40%.
In addition to providing cutting edge cybersecurity solutions to protect against email and web-based attacks and meet compliance requirements, TitanHQ offers partners flexible pricing models, competitive margins, and a wealth of sales and technical resources to drive revenue growth.
Under the new partner program, all qualified partners will be assigned a dedicated account manager, a support team, and engineers. Partners also benefit from a full range of APIs that will enable them to incorporate TitanHQ products into their backend provisioning and management systems and will be provided with extensive sales enablement and marketing support, including lead generation resources.
“Our new TitanShield partner program allows us to separate partners into their specific areas so that we can make sure they are receiving best practices, simple pricing models and focused information for the markets and customers they serve,” explained TitanHQ Executive VP of Strategic Alliances, Rocco Donnino “Our program takes a unique and strategic approach for our partners and can be customized to fit all business models.”
MSPs and cloud providers who have not yet started offering TitanHQ solutions to their clients can find out more about the TitanShield program by emailing the team at email@example.com
Current users of the SpamTitan email security solution and SMBs and MSPs that are considering implementing SpamTitan or offering it to their clients are invited to join a webinar in which TitanHQ will explains the exciting new features that have recently been incorporated into the anti-phishing and anti-spam solution.
SpamTitan has recently received a major update that has seen the incorporation of DMARC email authentication to better protect users from email impersonation attacks and the addition of a new Bitdefender-powered sandbox. The sandbox allows users to safely assess email attachments for malicious actions, to better protect them against zero-day malware and other malicious software delivered via email.
The webinar will explain these and other features of SpamTitan in detail and the benefits they offer to customers, including how they better protect SMBs and SMEs from phishing, spear phishing, spoofing, ransomware, malware, and zero-day attacks.
The webinar will also explain why SpamTitan is the leading email security solution for managed service providers serving the SMB and SME market and how the solution can help to enhance security for their clients and can easily be slotted into their service stacks.
The webinar will be taking place on Thursday April 4, 2019 at 12pm, EST and will last approximately 30 minutes.
The 2019 Cybersecurity Survey conducted by the Healthcare Information and Management Systems Society (HIMSS) has highlighted healthcare email security weaknesses and the seriousness of the threat of phishing attacks.
HIMSS conducts the survey each year to identify attack trends, security weaknesses, and areas where healthcare organizations need to improve their cybersecurity defenses. This year’s survey confirmed that phishing remains the number one threat faced by healthcare organizations and the extent that email is involved in healthcare data breaches.
This year’s study was conducted on 166 healthcare IT leaders between November and December 2018. Respondents were asked questions about data breaches and security incidents they had experienced in the past 12 months, the causes of those breaches, and other cybersecurity matters.
Phishing attacks are pervasive in healthcare and a universal problem for healthcare providers and health plans of all sizes. 69% of significant security incidents at hospitals in the past 12 months used email as the initial point of compromise. Overall, across all healthcare organizations, email was involved in 59% of significant security incidents.
The email incidents include phishing attacks, spear phishing, whaling, business email compromise, and other email impersonation attacks. Those attacks resulted in network breaches, data theft, email account compromises, malware infections, and fraudulent wire transfers.
When asked about the categories of threat actors behind the attacks, 28% named ‘online scam artists’ and 20% negligence by insiders. Online scam artists include phishers who send hyperlinks to malicious websites via email. It was a similar story the previous year when the survey was last conducted.
Given the number of email-related breaches it is clear that anti-phishing defenses in healthcare need to be improved. HIPAA requires all healthcare employees to receive security awareness training, part of which should include training on how to identify phishing attacks. While this is a requirement for compliance, a significant percentage (18%) of healthcare organizations do not take this further and are not conducting phishing simulations, even though they have been shown to improve resilience against phishing attacks by reinforcing training and identifying weaknesses in training programs.
The continued use of out of date and unsupported software was also a major concern. Software such as Windows Server and Windows XP are still extensively used in healthcare, despite the number of vulnerabilities they contain. 69% of respondents admitted still using legacy software on at least some machines. When end users visit websites containing exploit kits, vulnerabilities on those devices can easily be exploited to download malware.
It may take some time to phase out those legacy systems, but improving healthcare email security is a quick and easy win. HIMSS recommends improving training for all employees on the threat from phishing with the aim of decreasing click rates on phishing emails. That is best achieved through training, phishing simulations, and better monitoring of responses to phishing emails to identify repeat offenders.
At TitanHQ, we can offer two further solutions to improve healthcare email security. The first is an advanced spam filtering solution that blocks phishing emails and prevents them from being delivered to inboxes. The second is a solution that prevents employees from visiting phishing and other malicious websites such as online scams.
SpamTitan is an advanced anti-phishing solution that scans all incoming emails using a wide range of methods to identify malicious messages. The solution has a catch rate in excess of 99.9% with a false positive rate of just 0.03%. The solution also scans outbound messages for spam signatures to help identify compromised email accounts.
WebTitan Cloud is a cloud-based web filtering solution that blocks attempts by employees to visit malicious websites, either through web surfing or responses to phishing emails. Should an employee click on a link to a known malicious site, the action will be blocked before any harm is caused. WebTitan also scans websites for malicious content to identify and block previously known phishing websites and other online scams. Alongside robust security awareness training programs, these two solutions can help to significantly improve healthcare email security.
For further information on TitanHQ’s healthcare email security and anti-phishing solutions, contact TitanHQ today.
The French engineering firm Altran Technologies has been grappling with a malware infection that hit the firm on January 24, 2019.
Immediately following the malware attack, Altran shut down its network and applications to prevent the spread of the infection and to protect its clients. Technical and computer forensics experts are now assisting with the investigation. The Altran cyberattack has affected operations in some European countries and the firm is currently working through its recovery plan.
A public announcement has been made about the attack although the malware involved has not been officially confirmed. Some cybersecurity experts believe the attack involved a new ransomware variant named LockerGoga which emerged in the past few days.
LockerGoga ransomware was first identified on January 24 in Romania and subsequently in the Netherlands. It was named by MalwareHunterTeam, based on the path used for compiling the source code into an executable.
LockerGoga ransomware does not appear to be a particularly sophisticated malware variant. Security researcher Valthek, who analyzed the malware, claimed the code was ‘sloppy’, the encryption process was slow, and little effort appears to have been made to evade detection. The ransomware appends encrypted files with the .locked file extension.
The ransomware note suggests that companies are being targeted although it is currently unclear how the ransomware is being distributed.
LockerGoga ransomware encrypts a wide range of file types and, depending on the command line argument, may target all files. Since the encryption process is slow, fast detection and remediation will limit the damage caused. Failure to detect the ransomware and take prompt action to mitigate the attack could prove costly. The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption.
The ransomware had a valid certificate that was issued to a UK firm by Comodo Certificate Authority. The certificate has since been revoked.
LockerGoga ransomware is currently being detected as malicious by 46/69 AV engines on VirusTotal, including Bitdefender, the primary AV engine used by SpamTitan.
The massive Allscripts EHR breach in January 2018 resulted in massive disruption for the company and its clients. Clients were locked out of their electronic health records for several days while the company battled to recover from the attack. Around 1,500 of the company’s clients were affected.
The cost of mitigating the ransomware attack was considerable, and in addition to those costs, the Allscripts EHR breach prompted many clients to take legal action. The costs continue to mount.
The Allscripts EHR breach involved SamSam ransomware, which has plagued the healthcare industry over the past couple of years. The threat actors behind the attacks typically gain access to healthcare networks through RDP vulnerabilities and deploy the ransomware manually after scouting the network. This way, maximum damage can be inflicted, which increases the probability of the ransom being paid.
The Allscripts EHR breach certain stands out as one of the most damaging ransomware attacks of 2018, although it was just one of many healthcare ransomware attacks in 2018 involving many ransomware variants.
According to Beazley Breach Response Services, ransomware attacks more than doubled in September. Many cybercriminals have switched to cryptocurrency mining malware, but the ransomware attacks on healthcare organizations are continuing and show no sign of slowing.
In recent months, there has been a growing trend of combining malware variants to maximize the profitability of attacks. Ransomware is a quick and easy way for cybercriminals to earn money but combining ransomware with other malware variants is much more profitable. Further, if files are recovered from backups and no ransom is paid, cybercriminals can still profit from the attacks.
Several campaigns have been detected recently that combine Trojans such as AZORult, Emotet and Trickbot with ransomware. Attacks with these Trojans have increased by 132% since 2017 according to Malwarebytes. The Trojans steal sensitive information through keylogging, are capable lateral movement within a network, and also serve as downloaders for other malware such as Ryuk and GandCrab ransomware. Once information has been stolen, the ransomware payload is deployed.
The Allscripts EHR breach was somewhat atypical. It is far more common for ransomware to be delivered via email than brute force attacks on RDP. The campaigns combining Emotet, Trickbot, and AZORult with ransomware are primarily delivered by email.
In addition to ransomware attacks, phishing attacks are rife in healthcare. Email was the most common location of exposed protected health information in 2018. Email security is a weak point in healthcare defenses.
The number of successful ransomware and phishing attacks in healthcare make it clear that email security needs to improve. An advanced spam filter to block malicious emails, improved end user training is required to teach employees how to recognize email threats, intrusion detection systems need to be deployed, along with powerful anti-virus solutions. Only by implementing layered defenses to block email attacks and other attack vectors will healthcare organizations be able to reduce the risk of ransomware attacks.
SMB cybersecurity protections do not need to be advanced as those of large enterprises, but improvements need to be made to ensure smaller businesses are protected. The risk of a cyberattack is not theoretical. While large businesses are having their defenses regularly tested, small to medium sized businesses are also being attacked. And alarmingly often.
Large businesses may store much higher volumes of valuable data, but they also tend to invest heavily in the latest cybersecurity technologies and have dedicated teams to oversee security. Cyberattacks are therefore much harder to pull off. SMBs are much easier targets. Cyberattacks may be less profitable, but they are easier and require less effort.
SMB Cyberattacks are Increasing
A 2017 SCORE study confirmed the extent to which hackers are attacking SMBs. Its study of macro-based malware showed there had been at least 113,000 attacks on SMBs in 2017 and 43% of those attacks were on SMBs. SMBs suffered at least 54,000 ransomware attacks in 2017 and online banking attacks were highly prevalent in the SMB sector.
The 2018 State of Cybersecurity in Small and Medium Size Businesses study, conducted by the Ponemon Institute, painted an even bleaker picture for SMBs. The study suggests SMBs face the same cybersecurity risks as larger businesses and are being attacked almost as often. In its study, 67% of SMB respondents reported having experienced a cyberattack in the past 12 months and 58 had suffered a data breach. Alarmingly, almost half of respondents (47%) said they had little or no understanding about how SMB cyberattacks could be prevented.
The study revealed 60% of successful cyberattacks were the result of employee negligence, hackers were behind 37% of breaches, and for 32% of cyberattacks the cause could not be established.
The high number of successful cyberattacks makes it clear that SMB cybersecurity needs to be improved. Unfortunately, many SMBs simply don’t have the budget to pay for expensive cybersecurity solutions and a lack of skilled staff is also an issue. So, given these restraints, where should SMBs start?
Where to Start with SMB Cybersecurity
Improving SMB cybersecurity does not necessarily mean hiring skilled cybersecurity staff and spending heavily on state-of-the-art cybersecurity solutions. The best place to start is by ensuring basic cybersecurity best practices are adopted. Highly sophisticated cyberattacks are becoming more common, but many successful attacks are the result of basic cybersecurity failures.
These include the failure to implement password policies that enforce the use of strong passwords, not changing all default passwords, or not using a unique password for each account. Implementing 2-factor authentication is a quick way to improve security, as is the setting of rate limiting to lock accounts after a set number of failed login attempts.
Many successful cyberattacks start with a phishing email. An advanced spam filtering solution is therefore essential. This will ensure virtually all malicious messages are blocked and are not delivered to end users. A web filter also offers protection against phishing by preventing employees from visiting phishing websites. It will also block web-based attacks and malware downloads. Both of these SMB cybersecurity solutions can be implemented at a low cost. It costs just a few dollars per year, per employee, to implement SpamTitan and WebTitan.
A little training goes a long way. Employees should be provided with cybersecurity training and should be taught how to identify email and web-based threats. There are plenty of free and low-cost resources for SMBs to help them train their employees. US-CERT is a good place to start.
Good backup policies are an essential part of SMB cybersecurity. In the event of a cyberattack or ransomware attack, this will prevent catastrophic data loss. A good strategy to adopt is the 3-2-1 approach. Three copies of backups, on two different types of media, with one copy stored securely off-site. Also make sure backups are tested to ensure file recovery is possible.
Once the basics have been covered, it is important to conduct a security audit to discover just how secure your network and systems are. Many managed service providers can assist with security audits and assessments if you do not have sufficiently skilled staff to perform an audit inhouse.
Improvements to SMB cybersecurity will carry a cost but bear in mind that an ounce of security is worth a pound of protection and investment in cybersecurity will prove to be much less expensive than having to deal with a successful cyberattack.
To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.
Phishing is the Number One Cyber Threat Faced by SMBs
Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.
Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised. Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.
The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.
Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.
Easy to Implement Anti-Phishing Solutions for MSPs
There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.
MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?
Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.
Advanced Spam Filtering
Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.
SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and release of messages from quarantine. Reports can be generated per domain and those reports can be automatically sent to clients. The solution can be fully rebranded to take MSP logos and color schemes, and the solution can be hosted in a private cloud.
Security Awareness Training and Testing
While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.
DNS-Based Web Filtering
Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.
A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.
WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.
For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanHQ Alliance program.
2-factor authentication is an important safeguard to prevent unauthorized account access, but does 2-factor authentication stop phishing attacks?
What is 2-Factor Authentication?
2-Factor authentication is commonly used as an additional protection measure to prevent accounts from being accessed by unauthorized individuals in the event that a password is compromised.
If a password is disclosed in a phishing attack or has otherwise been obtained or guessed, a second authentication method is required before the account can be accessed.
Two-factor authentication uses a combination of two different methods of authentication, commonly something a person owns (device/bank card), something a person knows knows (a password or PIN), and/or something a person has (fingerprint, iris scan, voice pattern, or a token).
The second factor control is triggered if an individual, authorized or otherwise, attempts to login from an unfamiliar location or from a device that has not previously been used to access the account.
For instance, a person uses their laptop to connect from a known network and enters their password. No second factor is required. The same person uses the same device and password from an unfamiliar location and a second factor must be supplied. If the login credentials are used from an unfamiliar device, by a hacker for instance that has obtained a username and password in a phishing attack, the second factor is also required.
A token or code is often used to verify identity, which is sent to a mobile phone. In such cases, in addition to a password, an attacker would also need to have the user’s phone.
Does 2-Factor Authentication Stop Phishing Attacks?
So, does 2-factor authentication stop phishing attacks from succeeding? In many cases, it does, but 2-factor authentication is not infallible. While it was once thought to be highly effective at stopping unauthorized account access, opinion is now changing. It is certainly an important additional, low-cost layer of security that is worthwhile implementing, but 2-factor authentication alone will not prevent all phishing attacks from succeeding.
There are various methods that can be used to bypass 2-factor authentication, for instance, if a user is directed to a phishing page and enters their credentials, the hacker can then use those details in real-time to login to the legitimate site. A 2FA code is sent to the user’s device, the user then enters that code into the phishing page. The attacker then uses the code on the legitimate site.
This 2-factor authentication bypass is somewhat cumbersome, but this week a phishing tool has been released that automates this process. The penetration testing tool was created by a Polish researcher named Piotr Duszynski, and it allows 2FA to be bypassed with ease.
The tool, named Modlishka, is a reverse proxy that has been modified for handling login page traffic. The tool sits between the user and the target website on a phishing domain. When the user connects to the phishing page hosting this tool, the tool serves content from the legitimate site – Gmail for instance – but all traffic passes through the tool and is recorded, including the 2FA code.
The user supplies their credentials, a 2-factor code is sent to their phone, and that code is entered, giving the attacker account access.
It is an automated version of the above bypass that only requires a hacker to have a domain to use, a valid TLS certificate for the domain, and a copy of the tool. No website phishing templates need to be created as they are served from the genuine site. Since the tool has been made available on Github, the 2FA bypass could easily be used by hackers.
Additional Controls to Stop Phishing Attacks
To protect against phishing, a variety of methods must be used. First, an advanced spam filter is required to prevent phishing emails from reaching inboxes. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails.
Fewer than 0.1% of emails may make it past the spam filter, but any one could result in an account compromise. Security awareness training should therefore be provided to employees to help them identify suspicious emails.
Unfortunately, people do make mistakes and phishing emails can be highly realistic, so it is wise to also implement a web filter.
A web filter will block attempts to connect to known phishing sites and can assess sites in real time to help determine their authenticity. If the checks fail, the user will be prevented from accessing the site.
These anti-phishing controls are now essential cybersecurity measures for businesses to protect against phishing attacks, and are all the more important since 2FA cannot be relied upon to protect against unauthorized access once a password has been compromised.
You can find out more about SpamTitan and WebTitan by contacting TitanHQ.
There are many costs associated with cyberattacks and data breaches, but one of the hardest to quantify is damage to a brand. Brand damage following a data breach is one of the most serious issues, and one that money cannot easily resolve.
Businesses can invest in cybersecurity solutions to prevent further security breaches, but when customers lose trust in a brand, they will simply take their business elsewhere. Winning customers back can be a long process. In many cases, once trust in a brand is lost, customers will leave and never return.
Consumers Expect Businesses to Protect Their Personal Data
If a company asks consumers to provide them with personal data, it is essential that steps are taken to ensure that information remains private and confidential. Consumers believe that any company that collects personal data has an obligation to protect it. A Ponemon Institute study in 2017 confirmed that to be the case. 71% of consumers believed companies that collect personal data have a responsibility to protect it. When a cyberattack occurs that results in the exposure or theft of personal data, consumers are naturally angry at a company for failing to take sufficient precautions to keep their data private.
The same survey revealed that following a data breach, two thirds of consumers lost trust in the breached company and almost a third of consumers said they had terminated their relationship with a brand following a data breach. Companies that were surveyed reported customer churn rates increased up to 7% following a breach. Another study suggests customer loss is more severe and up to 20% of customers have switched brands after their personal information was stolen from a company they did business with. A 2017 study by Gemalto suggests those figures are very conservative. The Gemalto study suggested 70% of customers would switch brands following a data breach.
Loss of Trust in a Brand can have Catastrophic Consequences
Large businesses may be able to weather the storm and regain customer trust over time, but smaller businesses can really struggle. On top of the considerable costs of mitigating a data breach, a loss of anywhere between 20% and 70% of customers would likely be the final nail in the coffin. Loss of customer trust is part of the reason why 60% of SMBs fold within 6 months of a data breach (National Cyber Security Alliance).
Blocking cyberattacks and preventing data breaches requires investment in cybersecurity solutions. Naturally, an advanced firewall is required, and solutions should be introduced to block the most common attack vectors – email for instance – but one area of cybersecurity that is often overlooked is WiFi filtering. WiFi filtering and protecting your brand go hand in hand.
WiFi Filtering and Protecting your Brand
The importance of WiFi Filtering for protecting your brand should not be underestimated. Implementing a web filtering solution shows your customers that you care about security and want to ensure they are protected when they access the Internet through your WiFi network. By implementing a WiFi filter you can prevent customers from downloading malware and ransomware and stop them from connecting to phishing websites.
A WiFi filter can also prevent users from accessing illegal content on your WiFi network. There have been cases of businesses having Internet access terminated by their ISPs over illegal online activity by users – the accessing of banned web content or copyright infringing downloads for instance.
One of the most important uses of a WiFi filter is to prevent users from accessing unacceptable content such as pornography. There is growing pressure on businesses to prevent adult content from being accessed on WiFi networks that are used by customers. McDonalds decided to implement a WiFi filter in 2016 following campaigns by consumers to make its access points family-friendly and in 2018 Starbucks was pressured into doing the same. The coffee shop chain will finally start filtering the internet on its WiFi networks in 2019.
A WiFi filter will also prevent employees from visiting malicious websites and downloading malware that gives criminals access to your internal networks and customer data, thus preventing costly, reputation damaging data breaches.
Businesses that fail to block web-based attacks are taking a major risk, and an unnecessary one considering the low cost of WiFi filtering.
For further information on WiFi Filtering and protecting your brand, contact the TitanHQ team today. Our cybersecurity experts will explain how WebTitan can protect your business and will be happy to schedule a product demonstration and help you set up a free trial of WebTitan to evaluate the solution in your own environment.
There has been an increase in phishing attacks on retailers, supermarket chains, and restaurants in recent weeks. The aim of the phishing attacks is to deliver remote access Trojans and remote manipulator software to gain persistent access to computers and, ultimately, obtain banking credentials and sensitive customer data on POS systems.
Several new campaigns have been detected in recent weeks targeting retail and food sector companies, both of which are well into the busiest time of the year. With employees working hard, it is likely that less care will be taken opening emails which gives cybercriminals an opportunity.
PUB Files Used in Phishing Attacks on Retailers
Over the past few weeks, security researchers have noted an uptick in phishing attacks on retailers, with one threat group switching to using.pub files to install malware. Many phishing attacks use Word documents containing malicious macros. The use of macros with .pub files is relatively uncommon. The change to this new attachment type may fool employees, as they will be less likely to associate these files with cyberattacks.
Social engineering techniques are used to fool end users into opening the files, with the .pub files masquerading as invoices. Many emails have been intercepted that appear to have been sent from within a company, which helps to make the files appear genuine.
If opened, the .pub files, via malicious macros, run Microsoft Installer (MSI) files that deliver a remote access Trojan. Since these installers will most likely be familiar to end users, they may not realize the installers are malicious. Further, the MSI files are time delayed so they do not run immediately when the .pub files are opened, increasing the probability that the RAT downloads will go unnoticed.
The TA505 threat group is using this tactic to install the FlawedAmmy remote access Trojan and other malicious payloads such as Remote Manipulator System (RMS) clients.
The phishing emails used to deliver these malicious files are targeted and tailored to a specific business to increase the likelihood of success. These targeted spear phishing attacks are now becoming the norm, as threat actors move away from the spray and pray tactics of old.
Cape Cod Community College Phishing Attack Results in Theft of More Than $800,000
Phishing attacks on retailers have increased, but other industries are also at risk. Educational institutions are also prime targets, as has been highlighted by a recent phishing attack on Cape Cod Community College.
The Cape Cod Community College phishing attack involved sophisticated messages that delivered malware capable of evading the college’s anti-virus software. The malware was used to obtain the banking credentials of the college, and once those credentials had been obtained, the hackers proceeded to make fraudulent transfers and empty bank accounts. Transfers totaling $807,130 were made, and so far, the college and its bank have only been able to recover $278,887.
All too often, fraudulent transfers are not detected quickly enough to recover any funds. Once the transfers have cleared the attacker-controlled bank accounts are emptied, after which the probability of recovering funds falls to near zero.
Defense in Depth the Key to Phishing Protection
Email is the primary vector used to phish for sensitive information and deliver malware to businesses. Regardless of whether businesses use local email systems or cloud-based email services such as Office 365, advanced spam filtering controls are required to block threats. For instance, SpamTitan blocks more than 99.9% of spam email and 100% of known malware. SpamTitan also uses heuristics, machine learning, and Bayesian analysis to identify previously unseen threats – One of the areas of weakness of Office 365’s anti-phishing defenses.
Network segmentation is also essential. Critical services must be separated to ensure that the installation of malware or ransomware on one device will not allow the attackers to gain access to the entire network. This is especially important for retailers and other businesses with POS systems. Network segmentation will help to keep POS systems and the financial data of customers secure.
Advanced endpoint protection solutions offer far greater protection than standard antivirus solutions and are less reliant on malware signatures. Standard AV solutions will only block known malware. With standard AV solutions, new malware variants can easily slip through the net.
End user security awareness training should be mandatory for all employees and training needs to be a continuous process. A once a year training session is no longer sufficient. Regular training throughout the year is required to ensure employees are made aware of the latest threats and tactics being used to gain access to login credentials and install malware.
For further information on improving email security to improve protection against phishing attacks, contact the TitanHQ team today.
A new module has been added to TrickBot malware that adds point-of-sale (POS) data collection capabilities.
TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: Businesses that process large volumes of card payments.
The new module was identified by security researchers at Trend Micro who note that, at present, the module is not being used to record POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only collecting data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The researchers have not yet determined how the POS information will be used, but it is highly likely that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.
The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’
The timing of the update, so close to the holiday period, suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much information as possible before the module is used to harvest POS data.
The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) which is targeting businesses in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.
Protecting against TrickBot and other information stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to prevent malicious messages from being delivered to end users’ inboxes. End user training is also essential to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.
Antivirus solutions and endpoint security controls should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.
There is a more cost-effective alternative to Cisco OpenDNS that provides total protection against web-based threats at a fraction of the price of OpenDNS. If you are currently running OpenDNS or have yet to implement a web filtering solution, you can find out about this powerful web filtering solution in a December 5, 2018 webinar.
Cybersecurity defenses can be implemented to secure the network perimeter, but employees often take risks online that can lead to costly data breaches. The online activities of employees can easily result in malware, ransomware, and viruses being downloaded. Employees may also respond to malicious adverts (malvertising) or visit phishing websites where they are relieved of their login credentials.
Mitigating malware infections, dealing with ransomware attacks, and resolving phishing-related breaches have a negative impact on the business and the resultant data breaches can be incredibly costly. Consequently, the threat from web-based attacks cannot be ignored.
Fortunately, there is an easy solution that offers protection against web-based threats by carefully controlling the web content that their employees can access: A DNS-based web filter.
DNS-based web filtering requires no hardware purchases and no software downloads. Within around 5 minutes, a business will be able to control employee internet access and block web-based threats. Some DNS-based web filters such as OpenDNS can be costly, but there is a more cost-effective alternative to Cisco OpenDNS.
TitanHQ and Celestix Networks will be running a joint webinar to introduce an alternative to Cisco OpenDNS – The WebTitan-powered solution, Celestix WebFilter Cloud.
Celestix will be joined by Rocco Donnino, TitanHQ EVP of Strategic Alliances, and Senior Sales Engineer, Derek Higgins who will explain how the DNS-based filtering technology offers total protection from web-based threats at a fraction of the cost of OpenDNS.
The webinar will be taking place on Wednesday December 5, 2018 at 10:00 AM US Pacific Time
There has been a steady increase in HTTPS phishing websites over the past couple of years, mirroring the transition from HTTP to HTTPS on commercial websites. HTTPS sites are those that have SSL/TLS certificates and display a green padlock next to the URL. The green padlock is an indicator of site security. It confirms to website visitors that the connection between their browser and the website is encrypted. This provides protection against man-in-the-middle attacks by ensuring data sent from the browser to the website cannot be intercepted and viewed by third parties.
HTTPS websites are now used by a large number of businesses, especially e-commerce website owners. This has become increasingly important since search engines such as Google Chrome provide clear indications to Internet users that sites may not be secure if the connection is not encrypted.
This is all good of course, but there is one caveat. Users have been told to look for the green padlock to make sure a site is secure, but the green padlock is viewed by many Internet users as a sign that the site is secure and legitimate. While the former is true, the latter is not. The green padlock does not mean that the site is genuine and just because it is displayed next to the URL it does not mean the site is safe.
If the website is controlled by a cybercriminal, all the green padlock means is that other cybercriminals will not be able to intercept data. Any information entered on the website will be divulged to the criminal operating that site.
It stands to reason for HTTPS phishing websites to be used. If Internet users are aware that HTTPS means insecure, they will be less likely to enter sensitive information if the green padlock is not present. Unfortunately, free SSL certificates can easily be obtained to turn HTTP sites into HTTPS phishing websites.
According to PhishLabs, back in Q1, 2016, fewer than 5% of phishing websites used HTTPS. By Q3, 2016, the percentage started to rise sharply. By Q1, 2017, the percentage had almost reached 10%, and by Q3, 2017, a quarter of phishing websites were using HTTPS. The 30% milestone was passed around Q1, 2018, and at the end of Q3, 2018, 49% of all phishing sites were using HTTPS.
A PhishLabs survey conducted late last year clearly highlighted the lack of understanding of the meaning of the green padlock. 63% of consumers surveyed viewed the green padlock as meaning the website was legitimate, and 72% saw the website as being safe. Only 18% of respondents correctly identified the green padlock as only meaning communications with the website were encrypted.
It is important for all Internet users to understand that HTTPS phishing websites not only exist, but before long the majority of phishing websites will be on HTTPS and displaying the green padlock. A conversation about the true meaning of HTTPS is long overdue and it is certainly something that should be covered in security awareness training sessions.
It is also now important for businesses to deploy a web filtering solution that is capable of SSL inspection – The decryption, scanning, and re-encryption of HTTPS traffic to ensure that access to these malicious websites is blocked. In addition to reading content and assessing websites to determine whether they are malicious, SSL inspection ensures site content can be categorized correctly. This ensures that sites that violate a company’s acceptable usage policies are blocked.
There is a downside to using SSL inspection, and that is the strain placed on CPUs and a reduction in Internet speeds. SSL inspection is therefore optional with many advanced web filters. To ensure that the strain is reduced, IT teams should use whitelisting to prevent commonly used websites from being subjected to SSL filtering.
WebTitan Includes SSL Filtering to Block HTTPS Phishing Websites
WebTitan is a powerful web filtering solution for SMBs and managed service providers (MSPs) that provides protection against web-based threats. There are three products in the WebTitan family – WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for Wi-Fi; all of which include SSL filtering as standard. If SSL filtering is activated, users will be protected against HTTPS phishing websites and other malicious sites that have SSL certificates.
All WebTitan products can be installed in minutes, require no technical knowledge, and have been designed to be easy to use. An intuitive user interface places all information, settings, and reports at users’ fingertips which makes for easy enforcement of acceptable Internet usage polices and fast reporting to identify potential issues – employees browsing habits and users that are attempting to bypass filtering controls for instance.
Whether you are an MSP that wants to start offering web filtering to your clients or a SMB owner that wants greater protection against web-based threats, the WebTitan suite of products will provide all the features you need and will allow you to improve security and employee productivity, reduce legal liability, and create a safe browsing environment for all users of your wired and wireless networks.
For further information on WebTitan, details of pricing, web filtering advice, to book a product demonstration, or to register for a free trial of the product, contact TitanHQ today.
Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.
Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.
Benefits for MSPs from Offering Office 365 to Clients
SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.
MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.
MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.
By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.
How MSPs Can Make Office 365 More Profitable
The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.
The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.
One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.
Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support.
There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location.
Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself. Consequently, Office 365 security should be an easy sell.
Office 365 MSP Add-ons from TitanHQ
For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ Alliance Program.
All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable.
To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ Alliance Program team today and take the first step toward making Office 365 more profitable.
A new Dharma ransomware variant has been developed that is currently evading detection by the majority of antivirus engines. According to Heimdal Security, the latest Dharma ransomware variant captured by its researchers was only detected as malware by one of the 53 AV engines on VirusTotal.
Dharma ransomware (also known as CrySiS) first appeared in 2006 and is still being developed. This year, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been detected.
The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.
While free decryptors for Dharma ransomware have been developed, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete. Infection with the latest variants of the ransomware threat only give victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.
The latter is not an option given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can delete shadow copies. Payment of a ransom is not advised as there is no guarantee that files can or will be decrypted.
Protecting against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly conducted via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and via email malspam campaigns.
The latest Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections occur via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is obtained, the malicious payload is deployed.
While it is not exactly clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.
To protect against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block login attempts after a set number of failures.
Naturally, good backup policies are essential. They will ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy stored securely off site.
To protect against email-based attacks, an advanced spam filter is required. Spam filters that rely on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are essential.
SpamTitan can improve protection for businesses through combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been uploaded to AV engines.
For further information on SpamTitan and protecting your email gateway from ransomware attacks and other threats, speak to TitanHQ’s security experts today.
Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such as serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments and click on hyperlinks and visit phishing websites.
Phishing is the Biggest Security Threat Faced by Businesses
Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.
Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.
Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.
Top Phishing Lures of 2018
Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.
Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.
In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.
Top Phishing Lures on the Cofense Platform
Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.
Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned invoice in the subject line. The other three were also finance related: Payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.
The list of the top phishing lures from phishing simulations were also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.
Number of Reported Emails
New Message in Mailbox
Online Order (Attachment)
Secure Message (MS Office Macro)
Online Order (Hyperlink)
Confidential Scanned document (Attachment)
Conversational Wire transfer (BEC Scam)
Top Phishing Lures on the KnowBe4 Platform
KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing attempted on businesses that were reported to IT security departments.
The most common real-world phishing attacks in Q3 were:
You have a new encrypted message
IT: Syncing Error – Returned incoming messages
HR: Contact information
FedEx: Sorry we missed you.
Microsoft: Multiple log in attempts
IT: IMPORTANT – NEW SERVER BACKUP
Wells Fargo: Irregular Activities Detected on Your Credit Card
LinkedIn: Your account is at risk!
Microsoft/Office 365: [Reminder]: your secured message
Coinbase: Your cryptocurrency wallet: Two-factor settings changed
The most commonly clicked phishing lures in Q3 were:
% of Emails Clicked
Password Check Required Immediately
You Have a New Voicemail
Your order is on the way
Change of Password Required Immediately
De-activation of [[email]] in Process
UPS Label Delivery 1ZBE312TNY00015011
Revised Vacation & Sick Time Policy
You’ve received a Document for Signature
Spam Notification: 1 New Messages
[ACTION REQUIRED] – Potential Acceptable Use Violation
The Importance of Blocking Phishing Attacks at their Source
If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.
Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.
SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.
SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to end spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.
Improve Office 365 Email Security with SpamTitan
There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.
Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.
To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.
A new Office 365 threat has been detected that stealthily installs malware by hiding communications and downloads by abusing legitimate Windows components.
New Office 365 Threat Uses Legitimate Windows Files to Hide Malicious Activity
The attack starts with malspam containing a malicious link embedded in an email. Various themes could be used to entice users into clicking the link, although one recent campaign masquerades as emails from the national postal service in Brazil.
The emails claim the postal service attempted to deliver a package, but the delivery failed as there was no one in. The tracking code for the package is included in the email and the user is requested to click the link in the email to receive the tracking information.
In this case, clicking the link will trigger a popup asking the user to confirm the download of a zip file, which it is alleged contains the tracking information. If the zip file is extracted, the user is required to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes a Windows Management Instrumentation (WMI) file: wmic.exe. This legitimate Windows file will be used to communicate with the attacker’s C2 server and will create a copy of another Windows file – certutil.exe in the %temp% folder with the name certis.exe. A script then runs which instructs the certis.exe file to connect to a different C2 server to download malicious files.
The aim of this attack is to use legitimate Windows files to download the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload undetected.
These Windows files have the capability to download other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users as other threat actors have also adopted this tactic to install malware.
Due to the difficultly distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an office 365 threat such as this is easiest at the initial point of attack: Preventing the malicious email from being delivered to an inbox and providing security awareness training to employees to help them identify this Office 365 threat. The latter is essential for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will prevent the last line of defense from being tested.
How to Block this Office 365 Threat with SpamTitan and Improve Email Security
Microsoft uses several techniques to identify malspam and prevent malicious messages from reaching users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still delivered.
To improve Office 365 security, a third-party spam filtering solution should be used. SpamTitan has been developed to allow easy integration into Office 365 and provides superior protection against a wide range of email threats.
SpamTitan uses a variety of methods to prevent malspam from being delivered to end users’ inboxes, including predictive techniques to identify threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and prevent malicious emails from reaching inboxes.
How SpamTitan Protects Businesses from Email Threats
Security Solutions for MSPs to Block Office 365 Threats
Many MSPs resell Office 365 licenses to their customers. Office 365 allows MSPs to capture new business, but the margins are small. By offering additional services to enhance Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while improving the profitability of Office 365.
TitanHQ has been developing innovative email and web security solutions for more than 25 years. Those solutions have been developed from the ground up with MSPs for MSPs. Three solutions are ideal for use with Office 365 for compliance ad to improve security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.
By incorporating these solutions into Office 365 packages, MSPs can provide clients with much greater value as well as significantly boosting the profitability of offering Office 365.
To find out more about each of these solutions, speak to TitanHQ. The MSP team will be happy to explain how the products work, how they can be implemented, and how they can boost margins on Office 365.
TitanHQ, the leading provider of web filtering, spam filtering, and email archiving solutions for managed service providers (MSPs) recently formed a strategic partnership with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.
The partnership has seen TitanHQ’s advanced web filtering technology incorporated into the Datto Networking Appliance to ensure all users benefit from reliable and secure internet access.
TitanHQ’s web filtering technology provides enhanced protection from web-based threats while allowing acceptable internet usage policies to be easily enforced for all users at the organization, department, user group, or user level.
On October 18, 2018, Datto and TitanHQ will be hosting a webinar to explain the enhanced functionality of the Datto Networking Appliance to MSPs, including a deep dive into the new web filtering technology.
Webinar: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering
Date: Thursday, October 18th
Time: 11AM ET | 8AM PT | 4PM GMT/BST
Speakers: John Tippett, VP, Datto Networking; Andy Katz, Network Solutions Engineer; Rocco Donnino, EVP of Strategic Alliances, TitanHQ
Police in Iceland have said a highly sophisticated phishing attack is the largest ever cyberattack the country has ever experienced. The campaign saw thousands of messages sent that attempted to get Icelanders to install a remote access tool that would give the attackers full access to their computers.
The software used in this campaign is a legitimate remote access tool called Remcos. Remcos is used to allow remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptop computers. However, while it was developed for legitimate use, because it gives the administrator full control over the computer once installed, it has significant potential to be used for malicious purposes. Unsurprisingly, Remcos has been used by cybercriminals in several malware campaigns in the past, often conducted via spear phishing campaigns. One notable attack involved the spoofing of the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT installed to provide access to victim’s computers.
The use of Remcos for malicious purposes violates the terms and conditions of use. If discovered, the developer can block the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive information, installation of malicious software, and file encryption with ransomware to name but a few.
As was the case in Turkey, the phishing campaign in Iceland attempted to fool end users into installing the program through deception. In this case, the emails claimed to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and download the remote access tool.
The emails informed the recipients that they were required to visit the police for questioning. Urgency was added by informing the recipient of the message that an arrest warrant would be issued if they failed to respond. Clicking the link in the email directed the user to what appeared to be the correct website of the Icelandic police. The website was a carbon copy of the legitimate website and required the visitor to enter their Social Security number along with an authentication code sent in the email to find out more information about the police case.
In Iceland, Social Security numbers are often required on websites to access official services, so the request would not appear unusual. On official websites, Social Security numbers are checked against a database and are rejected if they are not genuine. In this case, the attacker was also able to check the validity of the SSN, which means access to a database had been gained, most likely an old database that had been previously leaked or the attacker may have had legitimate access and misused the database.
After entering the information, a password protected archive was downloaded which allegedly contained documents with details of the case. The webpage provided the password to unlock the password protected archive, which contained a .scr file disguised as a Word document.
In this case, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password stealing capabilities and was used to steal banking credentials. After gaining access to banking credentials, the information was sent back to command and control servers in Germany and the Netherlands.
While the campaign looked entirely legitimate, a common trick was used to fool recipients of the email, which number in the thousands. The domain used in the attack closely resembled the official police website, logreglan.is but contained a lower case i instead of the second l – logregian.is. A casual glance at the sender of the email or the domain name in the address bar would unlikely reveal the domain was not genuine. Further, the link in the email replaced the lower case i with a capital I, which is almost impossible to distinguish from a lower-case L.
The Icelandic police responded quickly to the attack and the malicious domain was taken down the following day. It is unknown how may people fell for the scam.