Phishing and email spam is estimated to cost industry more than $1 billion each year, and cybercriminals are becoming more sophisticated in the campaigns they launch to try to extract confidential data or passwords from unsuspecting Internet users.
Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.
Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:
If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
Remember that phishing and email spam is not limited to email. Watch out for scams sent via social media channels.
Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, there has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).
Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.
The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.
Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.
Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against. The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems. A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.
Like many ransomware gangs, the initial attack vector is phishing emails. Phishing emails are sent to targeted organizations that have malicious .ZIP email attachments which contain Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks to compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit, and Rclone for data extraction.
The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.
As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.
Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.
It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.
While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.
New phishing campaigns are constantly being launched that impersonate trusted companies, organizations, and individuals, and use social engineering techniques to trick end users into divulging sensitive information such as their email credentials. Two such phishing campaigns have recently been discovered that use sneaky tactics to fool the unwary.
Sneaky Tactics Used to Obtain Office 365 Credentials
Organizations using Office 365 are being targeted in a sneaky phishing campaign that has been ongoing for several months. The phishing campaign incorporates a range of measures to fool end users and email security solutions. The goal of the campaign is to steal Office 365 credentials.
The phishing emails are sent from believable email addresses with spoofed display names to make the sender appear legitimate. The campaign targets specific organizations and uses believable usernames and domains for sender display names related to the target and the messages also include genuine logos for the targeted company and Microsoft branding.
The messages use believable Microsoft SharePoint lures to trick end users into clicking an embedded hyperlink and visiting the phishing URL. Recipients of the messages are informed that a colleague has sent a file-share request that they may have missed, along with a link directing the recipient to a webpage hosting a fake Microsoft Office 365 login box.
To encourage users to click, the emails suggest the shared file contains information about bonuses, staff reports, or price books. The phishing emails include two URLs with malformed HTTP headers. The primary phishing URL is for a Google storage resource which points to an AppSpot domain. If the user signs in, they are served a Google User Content domain with an Office 365 phishing page. The second URL is embedded in the notification settings and links to a compromise SharePoint site, which again requires the user to sign in to get to the final page.
This campaign is particularly sneaky, with the threat actor having gone to great lengths to fool both end users and security solutions.
FINRA Impersonated in Phishing Campaign
A new phishing campaign has recently been detected that impersonates the U.S. Financial Industry Regulatory Authority (FINRA). In this campaign, cyber threat actors have used domains that mimic FINRA, which are close enough to the genuine finra.org domain to fool unsuspecting individuals into disclosing sensitive information.
The phishing emails have been sent from three fraudulent domains: finrar-reporting.org, finpro-finrar.org, and gateway2-finra.org. The use of hyphens in phishing domains is very common, and it is often enough to trick people into thinking the site is a subdomain of the official website that the campaign mimics.
The emails ask the recipients to click a link in the email to “view request.” If the link is clicked, the users are prompted to then provide information to complete the request. As is typical in phishing campaigns, there is a threat should no action be taken, which in this case is “late submission may attract financial penalties.”
The financial services regulator has taken steps to take down these fraudulent domains, but it is likely that the threat actor will continue using other lookalike domains. Similar domains were used in the campaign spoofing FINRA earlier this year, including finra-online.com and gateway-finra.org.
These campaign highlights the need for security awareness training, an advanced email security solution, and other anti-phishing measures such as a web filter.
If you are concerned about your cybersecurity defenses and want to block threats such as these, give the TitanHQ team a call for advice on security solutions that can be easily implemented to block phishing and other email threats to improve your security posture and prevent costly data breaches.
Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.
The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.
Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.
Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.
During the pandemic, many businesses were faced with the option of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increase their attacks on employees. Many IT departments lacked visibility with a remote workforce and found it harder to block phishing attacks than when employees are in the office. Staff shortages in IT have certainly not helped.
Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.
So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.
Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.
A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help to block more malware threats, while sandboxing can be used identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.
Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.
With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.
One of the most common ways for malware to be distributed is in phishing emails. These emails usually require some user interaction, such as clicking on a link and opening an attached Microsoft Office file. Word and Excel files are often used in malware distribution, with macros used to deliver the malicious payload.
Macros are potentially dangerous as they can contain malicious code, so they are usually disabled by default and will only be allowed to run if they are manually enabled by the end user. When an Office file is opened which contains a macro, a warning message will appear instructing the user that there is a macro and that it is potentially malicious. If the macro is not manually enabled by the end user, malware cannot be downloaded.
A phishing campaign has recently been detected that is typical of most phishing campaigns distributing malware. The initial attack vector is a phishing email, and Office files are used which contain macros that download the malware payload – in this case ZLoader. However, a novel method is used to deliver the malicious Office files that disables to usual macro warnings and protection mechanism.
In this campaign, malicious DLLs – Zloader malware – are delivered as the payload, but the initial phishing email does not contain the malicious code. The phishing email has a Microsoft Word attachment which will trigger the download of a password-protected Excel spreadsheet from the attacker’s remote server when the file is opened and macros are enabled.
The attack relies on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and is effective on systems that support the legacy .xls file format.
Once the encrypted Excel file is downloaded, Word VBA-based instructions in the document read the cell contents from the specially crafted XLS file. Word VBS then writes the cell contents into XLS VBA to create a new macro for the XLS file. When the macros are ready, Excel macro defenses are disabled by the Word document by setting the policy in the registry to Disable Excel Macro Warning. The Excel VBA is then run and downloads the malicious DLL files, which are executed using rundll32.exe.
While the malicious files will be silently downloaded and executed, this attack still requires the victim to enable macros in the initial Word document. Victims are tricked into doing this by telling them “This document created in previous version of Microsoft Office Word. To view or edit this document, please click ‘Enable editing’ button on the top bar, and then click ‘Enable content’,” when they open the Word file. That one click will start the entire infection chain.
ZLoader is a variant of the infamous Zeus banking Trojan, which first appeared in 2006. The malware is also known by the name ZBot and Silent Night and is used by multiple threat groups. The malware was used in large scale campaigns in 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, along with more standard lures such as job applications.
Once installed, the malware uses webinjects to steal passwords, login credentials and browser cookies. When an infected computer is used to access online banking and financial accounts, banking information and other sensitive data are stolen and exfiltrated to the attacker’s C2 server.
If you want to improve your defenses against malware and phishing, give the TitanHQ team a call and enquire about SpamTitan Email Security and WebTitan Web Security. These solutions can both be downloaded, configured, and protecting you from the full range of web and email threats in under an hour, and both are available on a no obligation 14-day free trial so you can see for yourself how easy they are to use and how effective they are at blocking threats before making a purchase decision.
Apple Mac users are comparatively safe when it comes to malware as most malware variants target Windows users; however, the number of malware variants targeting Mac users has been increasing. When there is a very low risk of a malware infection, it is easy to become complacent, but threats do come along so it is important to remain on one’s guard.
That is especially true now as a new malware threat has been discovered and Mac users are in the attackers’ crosshairs. Further, this is not some half-baked malware. This is a very serious threat. This new malware variant is very malicious, very dangerous, and it has been getting past Apple Mac security defenses.
The threat is more likely to be familiar to Windows users, as it is them who have previously been targeted; however, the malware has now jumped platforms and is being used to target Mac users. The malware is a new variant of FormBook malware. FormBook malware is a well-known commercially available malware that has been around since 2016. The malware, which was rebranded as XLoader last year, is sold as-a-service on hacking forums and is usually delivered via malicious attachments in emails – often PowerPoint documents. The malware has been developed to log keystrokes and, as the name suggests, grab data from online forms when input by users. It can also steal data from instant messenger apps, email clients, and FTP clients. In the latter half of 2020, attacks involving the malware increased substantially, and during the first 6 months of 2021 it has been prolific.
The Apple version of the malware similarly has a wide range of malicious capabilities. It will harvest credentials from web browsers, steal form data, take screenshots, monitor and log keystrokes, and can also download and execute files from the attackers’ C2 servers. The malware also incorporates several features to resist attempts at reverse engineering.
The Mac version of XLoader is under active development and it is likely that throughout the remainder of 2021 it will grow into an even bigger threat. Already, this version is able to move much deeper into systems and move much faster.
Mac users may be complacent as they are not often targeted, but this is not due to Macs being harder to attack. Malware developers simply choose to target Windows devices as there are many more users that can be targeted. Fewer Mac users mean the potential profits from attacks will be lower, but attacks are growing and the complacency of Mac users works to the advantage of attackers. It makes it easier to get their malware installed as users are not anticipating threats. A much broader range of threat actors will be able to use the latest XLoader version and target Mac users, as they can simply pay a licensing fee and use it under the malware-as-a-serve model. That fee can be as low as $69.
As with the Windows campaigns, XLoader is primarily delivered via phishing emails, mostly using malicious Microsoft Office documents. Check Point says it has tracked infections in 69 countries, although the majority of infected devices are in the United States.
Since the malware can bypass Mac security defenses, it is important to check whether it has already been installed by looking for suspicious filenames in the LaunchAgents directory in the library, which is normally hidden from view. While various different file names have been used, an example of XLoader is com.wznlVRt83Jsd.HPyT0b4Hwxh.plist.
Blocking attacks is actually straightforward. Antivirus software should be installed and kept up to date, and businesses should implement a spam filtering solution such as SpamTitan to block the malicious emails that deliver the malware. End users should also exercise caution opening emails and should never open attachments or click links in emails from unknown sources or click unsolicited links in messaging apps.
The threat actors behind LemonDuck malware have escalated their operation and have added new capabilities to the malware making it far more dangerous. LemonDuck malware is best known for its botnet and cryptocurrency mining objectives; however, the malware is being actively developed. While its bot and cryptocurrency mining activities continue, the malware is also capable of removing security controls on infected devices, rapidly moving laterally within networks, dropping a range of tools onto infected devices, and stealing and exfiltrating credentials. The malware is also capable of spreading via email.
The threat group behind the malware is known to take advantage of the latest news and events to create topical and convincing phishing emails to spread the malware, often through malicious Microsoft Office attachments; however, the threat actor also takes advantage of new exploits to infect devices, as well as several older vulnerabilities. Last year, the threat group was distributing the malware using phishing emails with OVID-19 themed lures, and while phishing emails are still being used to distribute the malware, the threat actor has also been exploiting the recently disclosed vulnerabilities in Microsoft Exchange to gain access to systems, according to a recent security alert from Microsoft.
LemonDuck malware is a somewhat atypical bot malware, as it is relatively rare for these types of malware variants to be used to attack both Windows and Linux systems. The malware operators like to have sole control of infected devices and remove competing malware if they are encountered. To make sure no other malware variants are installed, after gaining access to a device, the vulnerability LemonDuck exploited to gain access to a system is patched.
If the malware is installed on a device with Microsoft Outlook installed, a script is run that uses saved credentials to gain access to the mailbox and copies of itself are then sent in phishing emails to all contacts in the mailbox, using a preset message and the a malware downloader as an attachment.
The malware was first detected in May 2019, with the earlier forms of LemonDuck malware used in attacks within China, but the malware is now being distributed much more widely. It has now been detected in United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.
Microsoft has identified two distinct operating structures that both use LemonDuck malware which could indicate the malware is being used by different groups with different objectives. The ‘LemonCat’ infrastructure was used in a campaign exploiting Microsoft Exchange Server vulnerabilities to install backdoors, steal credentials and data, and deliver other malware variants, including Ramnit.
Blocking attacks involving this malware requires a combination of approaches. An advanced spam filter such as SpamTitan should be used to block the phishing emails used to deliver the malware. SpamTitan also scans outbound messages to prevent malware variants with emailing capabilities from being sent to contacts. Since vulnerabilities are exploited to gain access to networks, it is important to have a rigorous patch management policy and to apply patches quickly after they are released. Antivirus software should be implemented and set to automatically update, and a web filter is recommended to block malware downloads over the Internet.
For further information on improving your defenses against LemonDucck malware and other malware threats, give the TitanHQ team a call. Both the SpamTitan email security and WebTitan web security solutions are available on a free trial, and can be implemented, configured, and protecting your devices in less than an hour.
On June 24, 2021, Microsoft announced Windows 11 will soon be released. Windows 11 is a major upgrade of the Windows NT operating system, which will be the successor to Windows 10. Such a major release doesn’t happen that often – Windows 10 was released in 2015 – so there has been a lot of interest in the new operating system. The new Windows version is due for public release at the end of 2021, but there is an opportunity to get an early copy for free.
On June 28, Microsoft revealed the first Insider Preview of Windows 11. Upgrading to the new Windows version is straightforward. For a lucky few (or unlucky few if Windows 11 turns out to be exceptionally buggy), an upgrade just requires a user to enroll in the Dev channel of the Windows Insider Program. That said, many people have been trying to get an upgrade from unofficial sources.
Unsurprisingly, unofficial ISOs that claim to provide Windows 11 do not. Instead, they deliver malware. Threat actors have been distributing these fake Windows 11 installers and using them to deliver a wide range of malicious payloads. At best, these fake Windows 11 installers will deliver adware or unwanted programs. More likely, malware will be installed with various degrees of maliciousness, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that steal passwords and other sensitive data, cryptocurrency miners, and ransomware.
Researchers at Kaspersky Lab have identified several fake Windows 11 installers doing the rounds, including one seemingly legitimate installer named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and 1.76GB file size, it was not what it seemed. If the user executed the file and agreed to the terms and conditions, the file would proceed to download a different executable that delivers a range of malicious software onto the user’s device.
As the hype builds ahead of the official release date, we can expect there to be many other fake installers released. Hackers do love a major software release, as its easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so beware.
Ensure you have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails, and a web filter such as WebTitan installed to block malicious file downloads. You should also make sure that you only install software or applications from official sources and take care to ensure that you really are on the official website of the software developer before downloading any files. A double click on a malicious executable file could cause a great deal of pain and expense for you and your employer.
On July 2, 2021, IT management software provider Kaseya suffered a ransomware attack that impacted its managed service provider (MSP) customers. Ransomware was pushed out to users of the Kaseya Virtual System Administrator (VSA) platform through the software update mechanism and, through them, to MSP clients. Kaspersky Lab said it found evidence of around 5,000 attempts to infect systems with ransomware across 22 countries in the first 3 days since the attack was identified. Kaseya recently said it believes around 1,500 of its direct customers and downstream businesses were affected.
The attackers exploited vulnerabilities in the KSA platform that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April. Kaseya had issued updates to fix four of the seven reported vulnerabilities in April and May and was working on patches to fix the remaining three flaws. One of those flaws, CVE-2021-30116, was a credential leaking flaw which was exploited by the REvil ransomware gang before the patch was released.
Kaseya detected the attack quickly and was able to implement mitigations that limited the extent of the attacks. the steps taken by Kaseya have been effective at blocking any further attacks, customers are now at risk from Kaseya phishing campaigns.
Cybercriminals have started conducting phishing campaigns targeting Kaseya customers pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation tool, but it is also extensively used by hackers and ransomware gangs to gain remote access to business networks.
The campaign was first detected by the Threat intelligence team at Malwarebytes. The emails contain an attachment named SecurityUpdates.exe and a hyperlink that claims to provide a Microsoft update to fix the Kaseya vulnerability exploited by the ransomware gang.
Users are told to open the attached file or click the link in the email to update the Kaseya VSA to protect against ransomware attacks but doing so delivers Cobalt Strike beacons and will give attackers persistent access to victims’ networks.
Since Kaseya is working on a patch to fix the flaw exploited in the attack, customers will be expecting a security update and may be fooled into installing the fake update.
Kaseya has issued a warning to all customers telling them not to open any attachments or click links in emails that claim to provide updates for the Kaseya VSA. Kaseya said any future email updates it sends to customers will not include any hyperlinks or attachments.
A similar campaign was conducted following the Colonial Pipeline ransomware attack. The emails claimed to provide system updates to detect and block ransomware attacks.
Any email received that claims to offer a security update should be treated as suspicious. Do not click links in those emails or open attachments, instead visit the software vendor’s official website to check for security updates that have been released.
Phishing is the most common way that cybercriminals gain access to business networks, and the primary defense against these attacks is a spam filter. Spam filters inspect all inbound emails for the signatures of spam, phishing, and malware and keep inboxes free of these threats.
There are many spam filtering solutions on the market that can protect against advanced email threats, but why have so many managed service providers (MSP) chosen TitanHQ has their email security solution provider? What does SpamTitan provide that is proving to be such a bit hit with MSPs?
Why Managed Service Providers Choose SpamTitan Email Security for Their Clients
SpamTitan in a multi-award-winning anti-spam solution that incorporates powerful features to protect against phishing and other email-based attacks. The solution is currently used by more than 1,500 MSPs worldwide with that number growing steadily each month.
We have listed 10 of the main reasons why SpamTitan is proving to be such a popular choice with MSPs.
Excellent malware protection
SpamTitan includes dual anti-virus engines from two leading AV providers and sandboxing that incorporates machine learning and behavioral analysis to safely detonate suspicious files.
Defense in depth protection for Office 365 environments
SpamTitan includes multiple protection measures that provide defense in depth against email threats, with easy integration into Office 365 environments to significantly improve defenses against phishing and email-based malware attacks.
Advanced email blocking
SpamTitan supports upload block and allow lists per policy, advanced reporting, recipient verification and outbound email scanning, with the ability to whitelist/blacklist at both a global level as well as a domain level.
Protection against zero-day attacks
SpamTitan uses machine learning predictive technology to block zero-day threats, with AI-driven threat intelligence to block zero-minute attacks.
Data leak prevention
Easily set powerful data leak prevention rules and tag data to identify and prevent internal data loss.
SpamTitan is easy to integrate into your existing Service Stack through TitanHQ API’s and MSPs benefit from streamlined management with RMM integrations.
Competitive pricing with monthly billing
MSPs benefit from a fully transparent pricing policy, competitive pricing, generous margins, and monthly billing. There is also a short sales cycle – only 14 days of a free trial is required to fully test the solution.
White label option to reinforce your brand
SpamTitan can be provided to managed service providers as a white label version that can be fully rebranded to reinforce an MSPs brand.
Intuitive multi-tenant dashboard
MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. SpamTitan is also a set and forget solution, requiring minimal IT service intervention.
Industry-leading customer support
TitanHQ provides the best customer service in the industry. MSPs benefit from world class pre-sales and technical support and sales & technical training. MSPs get a dedicated account manager, assigned sales engineer support, access to the Global Partner Program Hotline, and 24/7 priority technical support.
If you have not yet started offering SpamTitan to your clients, give the TitanHQ channel team a call today for more information, to get started on a free trial, or for a product demonstration.
Cybercriminals often impersonate trusted entities in phishing campaigns. While Microsoft tops the list of the most impersonated brand, phishing scams impersonating tax authorities are also common. In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) – the UK government department responsible for tax collection – it is often impersonated, and phishing attacks are on the rise. In the past 12 months, the number of phishing attacks impersonating HMRC increased by 87%.
The number of HMRC phishing attacks jumped from 572,029 in 2019/2020 to 1,069,522 in 2020/2021, according to official figures obtained by Lanop Outsourcing under a Freedom of information request.
Phishing can take many forms, but email scams are the most common. The number of HMRC phishing attacks conducted via email increased by 109% to 630,193 scams in 2020/2021. The most common lures used in these phishing campaigns were fake notifications about tax rebates and refunds, which were up 90% year-over-year. There were also major increases in text-based phishing (smishing) scams, which rose 52% year-over-year, and voice phishing (vishing) scams which increased by 66%.
There was an even bigger increase in phishing scams impersonating the Driver and Vehicle Licensing Agency (DVLA). In 2019/2020, HMRC received 5,549 reports of phishing scams impersonating the DVLA, but in 2020/2021 there was a whopping 661% increase with 42,233 reports.
Phishing scams impersonating HMRC and the DVLA target individuals, but they are dangerous for businesses too. The aim of these scams is to obtain sensitive data such as passwords, which could then be used in attacks on businesses. Phishing scams are also conducted to distribute malware. If malware is downloaded onto the business network, the attackers can use the access provided by the malware to move laterally and compromise an entire network.
Protecting against phishing scams requires a defense in depth approach. End user training is important as it is employees who are targeted. Employees need to be taught how to identify phishing scams and told what to do if a suspicious email is received. This is even more important at a time when employees are working from home as IT departments often lack visibility into the devices of remote workers.
Even with training, employees make mistakes. One study conducted on home workers revealed many have taken security shortcuts when working from home which has put their organization at risk. It is therefore important to implement technical defenses to ensure phishing emails do not reach inboxes.
An advanced spam filtering solution is a must. A spam filter is the most important technical measure to implement to block phishing attacks. While spam filters are good at blocking phishing emails from known malicious IP addresses, advanced spam filters such as SpamTitan have superior detection rates and can identify never-before-seen phishing scams. SpamTitan uses predictive technologies and AI to identify zero-day attacks involving IP addresses that have yet to be identified as malicious. Sandboxing provides protection from malware that has yet to have its signature added to antivirus engines, while DMARC is used to block email impersonation attacks such as those impersonating HMRC.
In phishing attacks, a lure is sent via email but the harvesting of credentials takes place on an attacker-controlled website. Links in emails to known malicious sites will be blocked, but protection can be significantly improved by using a web filter. A web filter will also block attempts to visit malicious sites via smishing messages and through web browsing as well and will block downloads of files associated with malware.
If you want to protect your business from phishing attacks, malware and ransomware and avoid costly data breaches, give the TitanHQ a team a call and find out more about improving your security posture by blocking more email- and web-based threats.
The recent TitanHQ/Osterman Research survey of IT security professionals showed the most common security incidents experienced by businesses were business email compromise (BEC) attacks. A BEC attack is where a cybercriminal spoofs a trusted contact or company, usually to trick an employee into making a fraudulent wire transfer, send sensitive data via email, or obtain money by other means.
In a BEC attack, the attacker usually spoofs an email account or website or uses a genuine, trusted email account that has previously been compromised in a phishing attack. If a compromised email account is not used, an individual is usually spoofed by changing the display name to make it appear that the email has been sent by a genuine contact, often the CEO, CFO, or a vendor.
It is also common for lookalike domains to be used in BEC attacks. The attacker discovers the spoofed company’s format for email accounts, and copies that format using a domain that very closely resembles the genuine domain used by that company. At first glance, the spoofed domain appears perfectly legitimate.
BEC attacks are usually highly targeted. An email is carefully crafted to target an individual within an organization or a person in a particular role. Since many attacks attempt to get employees to make fraudulent wire transfers, it is most common for individuals in the finance department to be targeted, although BEC attackers also commonly target the HR department, marketing department, IT department, and executives.
Since the requests in the emails are plausible and the message format, signatures, and branding are often copied from genuine emails, the BEC emails can be very convincing. It is also not uncommon for the attacks to involve conversations that span multiple messages before the attacker makes a request.
While phishing attacks are more common, losses to BEC attacks are far greater. According to FBI figures, BEC attacks are the leading cause of losses to cybercrime.
Defending against BEC attacks requires a combination of measures. Naturally, since these attacks target employees, it is important to raise awareness of the threat and teach employees how to identify a BEC attack. Policies and procedures should also be implemented that require any email request to change bank account details, payment methods, or make changes to direct deposit information for payroll to be verified using trusted contact information. A quick telephone call could easily thwart an attack.
While these measures are important, the best defense is to prevent BEC emails from reaching end users’ inboxes as that eliminates the potential for human error. For that you need to have solid email security. A good email security solution will block attempts to steal email credentials – the precursor to many BEC attacks. An advanced spam filtering solution that incorporates machine learning techniques can detect and block zero-day attacks – the tailored, often unique messages that are used by the attackers to target individuals. Solutions that incorporate DMARC and sender policy framework (SPF) will help to detect emails from individuals not authorized to send messages from a particular domain – A vital protection against BEC attacks.
SpamTitan incorporates all of those measures – and more – to keep businesses protected. When combined with end user training and administrative measures, businesses can greatly improve their defenses against BEC attacks. For more information on how SpamTitan can protect your business from the full range of email attacks, give the TitanHQ team a call today.
You can also find out about other measures you can implement to block phishing and ransomware attacks at the upcoming TitanHQ webinar on June 30, 2021 – How to Reduce the Risk of Phishing and Ransomware. During the webinar – hosted by TitanHQ and Osterman Research – you will discover the results of the latest TitanHQ survey of security professionals and gain valuable insights into how you can improve your cybersecurity posture.
The two main cybersecurity threats that businesses now have to deal with are phishing and ransomware attacks and those threats have become even more common over the past 12 months. Cybercriminals stepped up their attacks during the pandemic with many phishing campaigns launched using the novel coronavirus as a lure. These campaigns sought to distribute malware and steal credentials.
Ransomware attacks also increased in 2020. Several new ransomware-as-a-service (RaaS) operations were launched in 2020 and the number of attacks on businesses soared. In addition to encrypting files, data theft was also highly prevalent n 2020, with most ransomware operators stealing data prior to encrypting files. This double extortion tactic proved to be very effective. Many businesses were forced to pay the ransom even though they had backups and could have recovered their files. Payments were made to ensure data stolen in the attack was deleted and not misused, published, or sold.
Phishing and ransomware attacks often go hand in hand and are often used together in the same attack. Phishing emails are used to install malware, which in turn is used to provide access for ransomware gangs. The Emotet and TrickBot Trojans are notable examples. Operators of both of those Trojans teamed up with ransomware gangs and sold access once they had achieved their own objectives. The credentials stolen in phishing attacks are also sold onto RaaS affiliates and provide the foothold they need to conduct their devastating attacks.
Phishing campaigns are easy to conduct, low cost, and they can be very effective. Largescale campaigns involve millions of messages, and while most of those emails will be blocked by email security solutions or will be identified by employees as a threat, all it takes is for one employee to respond to a phishing email for an attacker to gain the access they need.
TitanHQ recently partnered with Osterman Research to explore how these and other cyber threats have affected businesses over the past 12 months. This new and original study involved an in-depth survey of security professionals to find out how those threats have affected their organization and how effective their defenses are at repelling attackers.
The survey showed the most common security incidents suffered by businesses were business email compromise (BEC) attacks, where employees are tricked into taking an action suggested in a scam email from the CEO, CFO or another high-level executive. These attacks often involve the genuine email account of an executive being compromised in a phishing scam and the attacker using that account to target employees in the same organization.
The next biggest threat was phishing emails that resulted in a malware infection, followed by phishing messages that stole credentials and resulted in an account compromise. The survey showed that these attacks are extremely common. 85% of interviewed security professionals said they had experienced one or more of 17 different types of security breaches in the past 12 months. While attacks were common, only 37% of respondents said their defenses against phishing and ransomware attacks were highly effective.
There are several steps that can be taken to improve defenses against phishing and ransomware attacks. End user training is important to teach employees what to look for and how to identify these types of threats. However, there is always potential for human error, so training alone is not the answer. Email security is the best defense. By blocking these threats at source, they will not land in inboxes and employees will not be tested. Email security should be combined with a web security solution to block the web-based component of phishing attacks and stop malware and ransomware downloads from the Internet.
The findings of the Osterman and TitanHQ survey will be explained in detail at an upcoming webinar on June 30, 2021. Attendees will also learn how they can significantly reduce the risk of ransomware and phishing attacks.
The webinar will be conducted by Michael Sampson, Senior Analyst at Osterman Research and Sean Morris, Chief Technology Officer at TitanHQ. You can Register Your Place Here
Threat actors seized the opportunities provided by the pandemic and conducted many phishing campaigns using COVID-19 themed lures. These campaigns took advantage of global interest in the novel coronavirus and preyed on fears of contracting COVID-19 to get people to open the emails, click on malicious hyperlinks, or open attachments that downloaded malware and ransomware payloads. Now that a large percentage of the population has been vaccinated, employers are opening up their offices again and employees are returning to the workplace.
The return to offices has presented another opportunity for scammers, who have launched a new phishing campaign targeting workers returning to offices. The emails appear to be a message from the CIO welcoming employees back to the workplace and claims to provide information about post-pandemic protocols and the procedures that have been put in place to accommodate returning workers to reduce the risk of infection.
The emails have been crafted to make them appear as if they have been sent internally, and include the logo of the targeted company and are signed by the CIO. The emails include a hyperlink that directs employees to a fake Microsoft SharePoint page that hosts two documents, both of which have the company’s branding. The documents are a COVID-19 factsheet and an implementation letter that includes steps that the company has taken based on updates provided by the Centers for Disease Control and Prevention (CDC), World Health Organization (WHO), and local health officials.
Most phishing campaigns would simply direct people to a landing page that hosts a phishing form where they are asked to enter their Office 365 credentials. This campaign is more sophisticated and includes an additional step. Nothing happens when an employee lands on the page. They are first required to click to open a document before the phish is activated. When the document is clicked, a fake Microsoft login prompt appears and credentials must then be entered in order to view the documents.
If credentials are entered, a message is then generated advising the employee that their account or password is not correct, and they are made to reenter their credentials several times before they are finally redirected to a genuine Microsoft page and are given access to the documents on OneDrive, most likely unaware that their credentials have been phished.
This COVID-19 phishing scam, like many others conducted throughout the pandemic, has a plausible lure. In this case, the emails have been well written and have been targeted for specific companies, making them very believable and likely to fool a great many employees. It is unclear what aims the attackers have once credentials have been harvested. They could be used to plunder sensitive information in Office 365 email accounts, would give the attackers a foothold in the corporate network for a more extensive compromise, or they could be sold to other threat groups such as ransomware gangs.
The best way to counter the threat is to prevent the malicious emails from arriving in inboxes, which requires an advanced spam filtering solution such as SpamTitan. With SpamTitan in place, phishing threats such as this will be identified and blocked at the gateway to ensure that employees’ phishing email identification skills are not put to the test.
If you want to improve your security posture and block more phishing threats, give the TitanHQ team a call today to discover how SpamTitan Email Security and the WebTitan DNS Filter can improve cybersecurity in your organization.
Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.
Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.
Benefits for MSPs from Offering Office 365 to Clients
SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.
MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.
MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.
By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.
How MSPs Can Make Office 365 More Profitable
The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.
The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.
One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.
Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support. Offering spam filtering can help to generate additional recurring revenue, with SpamTitan provided as a high margin, subscription based SaaS solution.
There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location. Email archiving is available with office 365, but the solution has some severe drawbacks, and may not meet compliance requirements. Offering a feature-rich email archiving solution that is fully compliant, easy to use, with lightning fast search and retrieval should be an easy sell to Office 365 users.
Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself and should not be too difficult to sell to Office 365 users.
Office 365 MSP Add-ons from TitanHQ
For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ Alliance Program.
All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable. All TitanHQ solutions are quick and easy to deploy, and can be implemented into your existing Service Stack through API’s and RMM integrations. The MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis. MSPs benefit from competitive pricing strategies, including monthly billing as we understand your clients are billed monthly.
There are multiple hosting options, including hosting the solution within your own data center, and all TitanHQ products can be supplied as a white label, ready to take your own branding. We have made our solutions as easy as possible to use, with intuitive controls and everything placed at your fingertips. However, should you ever have a problem, you will benefit from the best customer service in the industry, as well as scalable pre-sales and technical support and sales & technical training.
Why SpamTitan is Perfect for MSP’s?
The best spam and virus protection for MSPs with dual AV engines and Bitdefender-powered sandboxing
Low management overhead – A set and forget solution
Use our private cloud or your own data center
Extensive suite of APIs for integration into your central management system
Multi-tenant solution with multiple management roles
Scalable to thousands of users
In and outbound email scanning with IP domain protection
Extensive drill down reporting
Flexible pricing models to suit your needs, including monthly billing
Generous margins for MSPs
Fully customizable branding
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
Private or Public Cloud deployment
Access to the Partner Portal
Dedicated Account Manager
White Label or Co-branding
Co-Branded Evaluation Site
Assigned Sales Engineer Support
Social Network participation
Access to Global Partner Program Hotline
Free 30-day evaluations
Access to Partner Knowledge Base
Joint White Papers
Partner Events and Conferences
24/7 Priority Technical Support
Tiered Deal Registration
5 a.m. to 5 p.m. (PST) Technical Support
Better Together Webinars
Online Technical Training and FAQs
Advanced Product Information
Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base
Competitive Information and Research
Sales Campaigns in a box
Not-for-Resale (NFR) Key
Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools
TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility
TitanHQ Partner Welcome Kit
QTRLY Business Planning and Review
Access to TitanHQ’s MVP Rewards Program
Access to Partner Support
To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ Alliance Program team today and take the first step toward making Office 365 more profitable.
Following on from a supply chain attack that saw the software update feature of the Passwordstate password manager hijacked the threat group developed a convincing phishing campaign targeting enterprise users of the password manager solution.
The supply chain attack was used to infect users of the password manager with malware dubbed Moserpass. Between April 20 and April 22, users of the password manager who downloaded an update through the In-Pass Upgrade mechanism may have had a malicious file downloaded – a malformed Passwordstate_upgrade.zip file.
Downloading the file started a chain of events that resulted in Moserpass being installed, which collected and exfiltrated information about the computer, users, domains, running services and processes, along with password data from the Passwordstate app. The malware also had a loader module, so could potentially download other malware variants onto victims’ devices. Since passwords were potentially compromised, affected users have been advised to reset all of their passwords.
The attack only lasted 28 hours before it was identified and blocked, but in order to remove the malware from customers’ devices, Click Studios, the developer of the password app, emailed customers and encouraged them to apply a hotfix to remove the malware.
Some customers who received the email from Click Studios shared a copy of the message on social media networks. The threat group behind the attack were monitoring social media channels, obtained a copy of the genuine Click Studios email about the hotfix, and used the exact same email for a phishing campaign. Instead of directing users to the hotfix to remove Moserpass malware, the phishing email directed users to a website not under the control of Click Studios which installed an updated version of Moserpass malware.
Since the Passswordstate breach notification emails were virtual carbon copies of genuine communications from Click Studios they were very convincing. Users who followed the instructions in the email would likely think they were removing malware, when they were actually installing it. The fake versions of the emails do not have a domain suffix used by Click Studios, request the hotfix is downloaded from a subdomain, and claim an ‘urgent’ update is required to fix a bug, but it is easy to see how these messages could fool end users.
Click Studios supplies its password manager to around 29,000 enterprises and the solution has hundreds of thousands of users, many of whom will have heard of the breach and be concerned about a malware infection. Click Studios said only a very small number of its customers were affected and had the malware installed – those who downloaded the update in the 28-hour period between April 20 and April 22 – but anyone receiving the fake email could well have been convinced that the email was genuine and taken the requested action.
Phishers often use fake security warnings as a lure, and data breach notifications are ideal for use in phishing attacks. This Passswordstate breach notification phishing campaign highlights the importance of carefully checking any message for signs of phishing, even if the email content seems genuine and the message includes the right branding, and the risks of posting copies of genuine breach notification letters on social media networks.
Many phishing attacks are sophisticated, and it can be difficult for employees to differential between genuine and malicious messages, which is why advanced spam and phishing defenses are required. If you want to improve your defenses against phishing, get in touch with TitanHQ and discover how SpamTitan Email Security can improve your security posture and better protect your organization from phishing and other email-based threats.
Virtually everyone uses email which makes it an attractive attack vector for cybercriminals who use phishing emails to steal credentials, deliver malware, and gain a foothold in corporate networks, but what is a common indicator of a phishing attempt? How can these malicious emails be identified and avoided?
In this post we will list some of the main signs of phishing emails that that all email users should be looking out for in their inboxes.
Phishing is the Number 1 Attack Vector!
In 2021, and for several years previously, phishing has been the main way that cybercriminals obtain login credentials to allow them to access sensitive business data and gain the foothold they need in business networks for more extensive compromises. Phishing emails are also used to deliver malware that provides persistent access to computers and the networks to which they connect. Malware downloaders are commonly delivered via email that download other malicious payloads such as ransomware. Most data breaches start with a phishing email!
Phishing emails were once easy to detect, but that is not always the case now. Many phishing attempts are extremely sophisticated. Emails may only be sent to a handful of people, and even individuals are targeted. The emails are convincing and can be almost impossible to distinguish from the genuine email messages that they spoof.
With an advanced email security solution in place, the majority of these messages will be blocked; however, no email security solution will block every malicious message without blocking an unacceptable number of genuine messages. That means all employees must have the necessary skills to identify a phishing email when it arrives in their inbox.
What is a Common Indicator of a Phishing Attempt?
In order to identify a phishing email, you need to know what to look for, so what is a common indicator of a phishing attempt? Listed below are some of the most common signs of phishing emails for you to look out for.
Unfortunately, there is no single common indicator of a phishing attempt. Tactics, techniques, and procedures are constantly changing, but if you identify any of these signs in an email in your inbox or spam folder, there is a reasonable chance that the message is not genuine and should be reported to your security team. Chances are, there will be other copies of the message in the email system that will need to be removed.
The message is in your spam folder
There is a reason why messages are classified as spam by email security solutions. Analysis of the message has highlighted telltale signs of spam or phishing, but not enough for the message to be blocked at the email gateway. If a message is sent to your spam folder you should exercise caution when opening the message.
It is an unsolicited message
Phishing emails are unsolicited – You certainly didn’t ask to be phished! There may be a seemingly valid reason why you have been sent the message, but if you didn’t request the email and are not on a marketing list for the company or individual sending the message it should be treated as suspect.
Important information is in an attachment
One of the ways that phishers attempt to conceal their malicious intent is to use email attachments. This could be a link in an attached file that you need to click (why not just add it to the message body?) or commonly, you must enable content in an Office file to view the content of the attachment. Doing so will allow macros to run that will download a malicious file. Zip files are also commonly used as they are hard for spam filters to access, or files may be password protected. The files must always be scanned with AV software prior to opening and, even then, treat them with extreme caution.
Urgent action is required and there is a threat in the email
Phishing emails often convey a sense of urgency to get people to respond quickly without thinking too much about the request. There may be a threat of bad consequences if no action is taken – your account will be closed – or some other sense of urgency, such as missing out on an amazing opportunity. Always take time to carefully consider what is being asked and check the email for other signs of phishing.
You are asked to click a link in an email
Spam filters scan messages for malware, so it is common for the malware to be hosted on a website. A link is included that users must click to obtain information or to download a file. The link may take you to a website where you are required to enter your login credentials, and that site may have an exact copy of your usual login prompt – for Google or Office 365 for example. You should carefully check the link to find out the true destination (hover your mouse arrow over it) and then double check the full URL on the destination site. You may have been redirected to a different site after clicking. Is the page on the genuine website used by that company?
The sender of the email is not known to you or the email address is suspect
Phishers spoof email addresses and change the display name to make it appear that the email has been sent from a contact or official source. Check that the actual email address is legitimate – it is the correct domain for the company or individual. Check against past messages received from that individual or company to make sure the email address is the same. Remember, the sender’s email account may have been compromised, so even if the email address is correct that doesn’t necessarily mean the account holder sent the message!
The message has grammatical and spelling errors
Grammatical and spelling errors are common in phishing emails. This could be because English is not the first language of the sender or be deliberate to only get people to respond who are likely to fall for the next stage of the scam. Business emails, especially official communications and marketing emails, do not contain spelling errors or have grammatical mistakes.
The request is unusual, or the tone seems odd
Often the language used in phishing emails is a little odd. Emails impersonating known contacts may be overly familiar or may seem rather formal and different to typical emails you receive from the sender. If the tone is off or you are addressed in a strange way, it could well be a phishing attempt. Phishing emails will also try to get you to take unusual actions, such as send data via email that you have not been asked to send before. A quick phone call using trusted contact information is always wise to verify the legitimacy of an unusual request.
How Businesses can Improve their Phishing Defenses
If you want to block more phishing emails and malware you will need an advanced email security solution. The email security gateway is the first line of defense against malicious emails, but it is not necessary to spend a fortune to have good protection. If you have a limited budget or simply want to save money on email security, TitanHQ is here to help.
SpamTitan is an award-winning advanced email security solution that blocks in excess of 99.97% of malicious messages and spam. The solution is easy to implement, configure, maintain and use, the pricing policy is transparent and extremely competitive, and with TitanHQ you will benefit from industry-leading customer support. You can even try SpamTitan for free to see for yourself how effective it is. Get in touch with us today to find out more via email or just pick up the phone and speak to our friendly and knowledgeable sales team.
Ransomware attacks on the education sector in the United Kingdom have increased sharply since February, and the sector was already extensively targeted by threat groups long before then. The education sector is an attractive target for cybercriminals as sizeable amounts of sensitive data are stored within computer systems that can be easily monetized if stolen.
Students’ personally identifiable information is of more value than that of adults, and it can often be used for years before any fraud is detected. Higher education institutions often have intellectual property and research data that is incredibly valuable and can easily be sold on for a huge profit. Ransomware attacks prevent access to essential data, and with the pandemic forcing the education sector to largely switch to online learning, when communication channels and websites are taken out of action learning can grind to a halt.
In the United Kingdom, the reopening of schools and universities has only been possible with COVID-19 testing and contact tracing, which is also disrupted by ransomware attacks. Files are encrypted which prevents access to essential testing and monitoring data, further hampering the ability of schools, colleges, and universities to operate.
As is the case with healthcare, which has also seen a major increase in cyberattacks during the pandemic, services are majorly disrupted without access to computer systems, and there is considerable pressure on both industries to pay the ransom demands to recover from the attacks more quickly. Ransoms are more likely to be paid than in other industry sectors.
What makes the education sector an even more attractive prospect for cybercriminals is poorer security defenses than other industries. The lack of security controls makes attacks much more likely to succeed. On top of that, students often use their own devices to connect to networks so security can be very difficult to police, and many departments make their own IT decisions, which can easily result in vulnerabilities being introduced and remaining unaddressed.
The ease and profitability of attacks has made education a top target for ransomware gangs. Emsisoft reports education was the sector most targeted by ransomware gangs in 2020.
The increase in ransomware attacks on educational institutions in the United Kingdom prompted the UK’s National Cyber Security Center to issue a warning in March to all entities in the education sector about the risk of cyberattacks. NCSC noted in its alert that there was a significant increase in attacks in August and September 2020, and a further rise in attacks since February 2021.
University of Hertfordshire Suffers Major Cyberattack
One of the most damaging university cyberattacks in recent months occurred at the University of Hertfordshire. Late on April 14, cybercriminals struck, with the attack impacting all of the university’s systems. No cloud systems were available, nor MS Teams, Canvas, or Zoom. The attack forced the university to cancel all of its online classes for the following day, although in person teaching was able to continue provided computer access was not necessary.
It has been more than a week since the attack, and while some systems are now back online, disruption is still being experienced with student records, university business services, learning resource centre services, data storage, student services, staff services, and the postgraduate application portal, with the email system also considered to be at risk.
The university has not confirmed the nature of the attack, but it has the hallmarks of a ransomware attack, although the university has issued a statement stating that the attack did not involve data theft.
The University of Hertfordshire is certainly not alone. In March, South and City College of Birmingham was hit with a ransomware attack that took all of its computer systems out of action, with the college forced to switch to online learning for its 13,000 students.
UK Schools also Under Attack
The cyberattacks in the United Kingdom have not been limited to universities. School systems have also suffered more than their fair share of attacks. In March, the Harris Federation, which runs 50 schools in the UK, suffered a ransomware attack that took out communications systems and majorly affecting online learning for 37,000 students.
Also in March, the Nova Education Trust suffered a ransomware attack that took its systems out of action and affected 15 schools, all of which lost access to their communication channels including the phone system, email, and websites. The Castle School Education Trust also suffered a ransomware attack in March that disrupted the online functions of 23 schools.
What Can Be Done to Stop Cyberattacks in Education?
Cybersecurity must become a major focus for schools, colleges, and universities. The attacks are being conducted because they are easy and profitable and, until that changes, the attacks are not likely to slow and, in all likelihood, will continue to increase.
To protect against attacks, the education sector needs to implement multi-layered security defenses and find and address vulnerabilities before they are discovered by ransomware gangs and other cybercriminal operations.
The best place to start is by improving security for the two main attack vectors: email and the Internet. That is an area where TitanHQ can help. To find out more, get in touch with the TitanHQ team today and take the first step towards improving your security posture and better protecting your networks and endpoints from extremely damaging cyberattacks.
A previously unknown malware variant dubbed Saint Bot malware is being distributed in phishing emails using a Bitcoin-themed lure. With the value of Bitcoin setting new records, many individuals may be tempted into opening the attachment to get access to a bitcoin wallet. Doing so will trigger a sequence of events that will result in the delivery of Saint Bot malware.
Saint Bot malware is a malware dropper that is currently being used to deliver secondary payloads such as information stealers, although it can be used to drop any malware variant. The malware was first detected and analyzed by researchers at Malwarebytes who report that while the malware does not use any novel techniques, there is a degree of sophistication to the malware and it appears that the malware is being actively developed. At present, detections have been at a relatively low level but Saint Bot malware could develop into a significant threat.
The phishing emails used to distribute the malware claim to include a Bitcoin wallet in the attached Zip file. The contents of the Zip file include a text file with instructions and a LNK file that has an embedded PowerShell script. A PowerShell downloader delivers an obfuscated .Net dropper and downloader, which in turn deliver a BAT script that disables Windows Defender and the Saint Bot malware binary.
The malware is capable of detecting if it is in a controlled environment and terminates and deletes itself should that be the case. Otherwise, the malware will communicate with its hardcoded command and control servers, send information gathered from the infected system, and download secondary payloads to the infected device via Discord.
The malware has not been linked with any specific threat group and could well be distributed to multiple actors via darknet hacking forums, but it could well become a major threat and be used in widespread campaigns to take advantage of the gap in the malware-as-a-service (MaaS) market left by the takedown of the Emotet Trojan.
Protecting against malware downloaders such as Saint Bot malware requires a defense in depth approach. The easiest way of blocking infections is to implement an advanced spam filtering solution such as SpamTitan to block the phishing emails that deliver the malware. Antivirus software should also be installed on all endpoints and set to update automatically, and communication with the C2 servers should be blocked via firewall rules.
In addition to technical defenses, it is important to provide security awareness training to the workforce to help employees identify malicious emails and condition them how to respond when a potential threat is detected.
How SpamTitan Can Protect Against Phishing and Malware Attacks
SpamTitan is an award-winning anti-spam and anti-phishing solution that provides protection against the full range of email threats from productivity-draining spam to dangerous phishing and spear phishing emails, malware and ransomware.
SpamTitan has a catch rate in excess of 99.99% with a low false positive rate and uses a variety of methods to detect malicious emails, including dual antivirus engines, sandboxing for detecting new malware variants, and machine learning techniques to identify zero-day threats.
SpamTitan’s advanced threat protection defenses include inbuilt Bayesian auto learning and heuristics to defend against sophisticated threats and evolving cyberattack techniques, with 6 specialized Real Time Blacklists to block malicious domains and URLs, DMARC to block email impersonation attacks, and outbound email policies for data loss prevention.
SpamTitan is quick and easy to set up and configure and is frequently praised for the level of protection provided and ease of use. SpamTitan is a 5-star rated solution on Spiceworks, Capterra, G2 Crowd and has won no less than 37 consecutive Virus Bulletin Spam awards.
If you want to improve your email defenses at a very reasonable price and benefit from industry-leading customer support, give the TitanHQ team a call today. Product demonstrations can be arranged, and you can trial the solution free of charge, with full support provided during the trial to help you get the most out of SpamTitan.
During tax season, tax professionals and tax filers are targeted with a variety of IRS phishing scams that attempt to obtain sensitive information that can be used by the scammers to steal identities and file fraudulent tax returns in the names of their victims. The potential rewards for the attackers are significant, with the fake tax returns often resulting in refunds of thousands of dollars being issued by the U.S. Internal Revenue Service (IRS).
This year is certainly no exception. Several tax season phishing scams have been identified in 2021 with one of the latest scams using phishing lures related to tax refund payments. The phishing emails have subject lines such as “Tax Refund Payment” and “Recalculation of your tax refund payment” which are likely to attract the recipient’s attention and get them to open the emails.
The emails use the genuine IRS logo and inform recipients that they are eligible to receive an additional tax refund, but in order to receive the payment they must click a link and complete a form. The form appears to be an official IRS.gov form, with the page an exact match of the IRS website, although the website on which the form is hosted is not an official IRS domain.
The form asks for a range of highly sensitive personal information to be provided in order for the refund to be processed. The form asks for the individual’s name, date of birth, Social Security number, driver’s license number, current address, and electronic filing PIN. For added realism, the phishing page also displays a popup notification stating, “This US Government System is for Authorized Use Only”, which is the same warning message that is displayed on the genuine IRS website.
The attackers appear to be targeting universities and other educational institutions, both public and private, profit and nonprofit with many of the reported phishing emails from staff and students with .edu email addresses.
Educational institutions should take steps to reduce the risk off their staff and students being duped by these scams. Alerting all .edu account holders to warn them about the campaign is important, especially as these messages are bypassing Office 365 anti-phishing measures and are arriving in inboxes.
Any educational institution that is relying on Microsoft Exchange Online Protection (EOP) for blocking spam and phishing emails – EOP is the default protection provided free with Office 365 licenses – should strongly consider improving their anti-phishing defenses with a third-party spam filter.
SpamTitan has been developed to provide superior protection for Office 365 environments. The solution is layered on top of Office 365 and seamlessly integrates with Office 365 email. In addition to significantly improving spam and phishing email protection, dual antivirus engines and sandboxing provide excellent protection from malware.
For further information on SpamTitan anti-phishing protection for higher education, give the SpamTitan team a call today. You can start protecting your institution immediately, with installation and configuration of SpamTitan taking just a few minutes. The solution is also available on a free trial to allow you to assess SpamTitan in your own environment to see the difference it makes before deciding on a purchase.
A phishing attack on an employee of the California State Controller’s Office Unclaimed Property Division highlights how a single response from an employee to a phishing email could easily result in a massive breach. In this case, the phishing attack was detected promptly, with the attacker only having access to an employee’s email account for less than 24 hours from March 18.
In the 24 hours that the attacker had access to the email account, the contents of the account could have been exfiltrated. Emails in the account included unclaimed property holder reports. Those reports included names, dates of birth, addresses, and Social Security numbers – the type of information that could be used to steal identities.
The email that fooled the employee into clicking a link and disclosing login credentials appeared to have been sent from a trusted outside entity, which is why the email was assumed to be legitimate. After stealing the employee’s credentials undetected, the attacker immediately went to work and tried to compromise the email accounts of other state workers.
In the short time that the individual had access to the account, around 9,000 other state workers were sent phishing emails from the compromised account. Fortunately, the attack was detected promptly and all contacts were alerted about the phishing emails and told to delete the messages. That single compromised account could easily have led to a massive email account breach.
Phishing is now the biggest data security threat faced by businesses. The attacks are easy to conduct, require little skill, and can be extremely lucrative. Email accounts often contain a treasure trove of data that can be easily monetized, the accounts can be used to send further phishing emails internally and to external contacts and customers, and a breach of Microsoft 365 credentials could allow a much more extensive attack on a company. Many ransomware attacks start with a single response to a phishing email.
To improve protection against phishing attacks it is important to train the workforce how to identify phishing emails, teach cybersecurity best practices, and condition employees to stop and think before taking any action requested in emails. However, phishing attacks are often highly sophisticated and the emails can be difficult to distinguish from genuine email communications. As this phishing attack demonstrates, emails often come from trusted sources whose accounts have been compromised in previous phishing attacks.
What is needed is an advanced anti-phishing solution that can detect these malicious emails and prevent them from being delivered to employee inboxes. The solution should also include outbound email scanning to identify messages sent from compromised email accounts.
SpamTitan offers protection against these phishing attacks. All incoming emails are subjected to deep analysis using a plethora of detection mechanisms. Machine learning technology is used to identify phishing emails that deviate from typical emails received by employees, and outbound scanning can identify compromised email accounts and block outbound phishing attacks on company employees and contacts.
If you want to improve your defenses against phishing, give the SpamTitan team a call today to find out more. The full product is available on a free trial, and during the trial you will have full access to the product support team who, will help you get the most out of your trial.
Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. In 2020, ransomware attacks ran amok. Security experts estimate the final cost to global businesses from ransomware in 2020 will be $20 billion. They also predict that the ransomware trend will continue to be the number one threat in the coming years. Why? Because ransomware makes money for cybercriminals.
Ransomware criminals know no boundaries in their rush to make money. Every social engineering trick in the book has played out over the years, from sextortion to phishing. Feeding the loop of social manipulation to generate a ransom demand is the proliferation of stolen data, including login credentials: credential stuffing attacks, for example, are often related to ransomware attacks, login to privileged accounts allowing malware installation. Cybersecurity defenses are being tested like never before.
Personal Data is Targeted
Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.
Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be preferable, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.
One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.
The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.
Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.
One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
SPF is a DNS-based filtering control that helps to identify spoofed messages. SPF sets authorized sender IP addresses on DNS servers. Recipient servers perform lookups on the SPF records to make sure that the sender IP matches one of the authorized vendors on the organization’s DNS servers. If there is a match the message is delivered. If the check fails, the message is rejected or quarantined.
DKIM involves the use of an encrypted signature to verify the sender’s identity. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check to make sure the genuine emails have not been flagged incorrectly.
Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.
DMARC seems complex, but with the right setup, it’s an invaluable security tool that defends against phishing and malicious email content. With phishing one of the most common ways attackers steal data, it’s important for organizations to implement the right solutions and rules that stop these messages before they can reach a user’s inbox.
While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan email security incorporates DMARC authentication to provide even greater protection against email spoofing attacks. DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.
Phishing, Impersonation attacks, ransomware – all must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat.
Endpoint protection is clearly not enough. A powerful anti-spam solution like SpamTitan can detect threats in real-time before they become an infection. Unlike traditional endpoint anti-malware, smart monitoring platforms perform real-time updates and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve, however, businesses can fight back, but to do so, they must take real-time action.
TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to stop email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered sandbox.
For further information securing email accounts and blocking email impersonation attacks, contact TitanHQ today.
A new PayPal phishing scam has been identified that attempts to obtain an extensive amount of personal information from victims under the guise of a PayPal security alert.
Fake PayPal Email Notifications
The emails appear to have been sent from PayPal’s Notifications Center and warn users that their account has been temporarily blocked due to an attempt to log into their account from a previously unknown browser or device.
The emails include a hyperlink that users are asked to click to log in to PayPal to verify their identity. A button is included in the email which users are requested to click to “Secure and update my account now !”. The hyperlink is a shortened bit.ly address, that directs the victim to a spoofed PayPal page on an attacker-controlled domain via a redirect mechanism.
If the link is clicked, the user is presented with a spoofed PayPal login. After entering PayPal account credentials, the victim is told to enter a range of sensitive information to verify their identity as part of a PayPal Security check. The information must be entered to unlock the account, with the list of steps detailed on the page along with the progress that has been made toward unlocking the account.
First of all, the attackers request the user’s full name, billing address, and phone number. Then they are required to confirm their credit/debit card details in full. The next page requests the user’s date of birth, social security number, ATM or Debit Card PIN number, and finally the user is required to upload a proof of identity document, which must be either a scan of a credit card, passport, driver’s license, or a government-issued photo ID.
Request for Excessive Information
This PayPal phishing scam seeks an extensive amount of information, which should serve as a warning that all is not what it seems, especially the request to enter highly sensitive information such as a Social Security number and PIN.
There are also warning signs in the email that the request is not what it seems. The email is not sent from a domain associated with PayPal, the message starts with “Good Morning Customer” rather than the account holder’s name, and the notice included at the bottom of the email telling the user to mark whitelist the sender if the email was delivered to the spam folder is poorly written. However, the email has been written to encourage the recipient to act quickly to avoid financial loss. As with other PayPal phishing scams, many users are likely to be fooled into disclosing at least some of their personal information.
Consumers need to always exercise caution and should never respond immediately to any email that warns of a security breach, instead they should stop and think before acting and carefully check the sender of the email and should read the email very carefully. To check whether there is a genuine issue with the account, the PayPal website should be visited by typing in the correct URL into the address bar of the browser. URLs in emails should never be used.
To find out more about current phishing scams and some of the key protections you can put in place to improve your resilience against attacks, contact the SpamTitan team today.
Do you use the same password across online accounts?
Make your password hard to guess - use a combination of upper and lower case letters, numbers, and special characters.
Change your password frequently.
Never use the same password with more than one account. If you do and you password is stolen you are exposed and hackers could potentially gain access to every single account that that email address is associated.
If you receive one of these Paypal texts, to delete it immediately. Always read your messages before you click, or even better – don’t click on the link and contact PayPal directly.
Phishing messages can come from a range of sources, including:
Social Media messages
SpamTitan provides phishing protection to prevent whaling and spear phishing by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content. SpamTitan also performs reputation analysis on all links (including shortened URLs) contained in emails and block malicious emails before being delivered to the end user. How SpamTitan protects from phishing attempts:
URL reputation analysis during scanning against multiple reputations.
Detect and block malicious spear-phishing emails with either existing or new malware.
Heuristic rules to detect phishing based on message headers. These are updated frequently to address new threats.
Easy synchronization with Active Directory and LDAP.
Spam Confidence Levels can be applied by user, user-group and domain.
Whitelisting or blacklisting senders/IP addresses.
Infinitely scalable and universally compatible.
SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. Protect your users from email links to malicious sites with SpamTitan. SpamTitan's sandboxing feature protects against breaches and sophisticated email attacks by providing a powerful environment to run in-depth, sophisticated analysis of unknown or suspicious programs and files.
Our free trial gives you the opportunity to evaluate our industry-leading email security solution in your own environment, and your clients the opportunity to provide feedback on how effective SpamTitan is at preventing all types of malware, ransomware and phishing attacks from entering your network.
Phishing attacks are extremely complex and increasing. The best way to protect against phishing scams is with a modern, robust email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.
A PayPal phishing scam was first detected in 2019 – the scam used unusual activity alerts as a lure to get users to login to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign was different as the attackers are after much more than just account credentials. This PayPal phishing campaign stole credentials, credit card details, email addresses and passwords, and security questions and answers.
This PayPal phishing scam has mutated over the years and has proved to be one of the most dangerous to date in terms of the financial harm caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can be then used for further phishing scams on the victim’s family members, friends, and contacts.
The PayPal phishing scams usually start with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.
The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.
If the link is clicked, the user will be directed to a fake PayPal website where they are required to login to restore their account. In this first stage, PayPal account credentials are obtained. The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.
The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.
The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.
All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.
Security experts are still finding fake paypal websites that impersonate PayPal. Using advanced social engineering techniques they try to trick users into handing over sensitive data including log in credentials.
Read more on current phishing scams and how to prevent attacks.
IT professionals are seeing an enormous number of Covid-19 themed email phishing attacks. SpamTitan is blocking increasing levels of these phishing emails. What started out as dozens of Covid 19 phishing websites has morphed to tens of thousands – more are being identified and blocked daily. With a large percentage of the workforce working from home, cybercriminals are trying to capitalize on the heightened anxieties of the public during the current crisis.
COVID-19 phishing scams are the most sophisticated versions of phishing emails the industry has seen. Are your employees and customers aware and are they protected?
COVID-19 vaccine scams
Cybercriminals are now shifting their focus to phishing email around Covid-10 vaccines. These vaccine themed phishing emails use subject lines referencing vaccine registration, locations to receive the vaccine, how to reserve a vaccine, and vaccine requirements.
For your employees looking for vaccination information on company devices the consequences are obvious. If the user falls for the scam email they may divulge sensitive or financial information, open malicious links or attachments exposing the organization to attack. These phishing campaigns are sophisticated and may impersonate trusted entities, such as health or government agencies playing a central role in the COVID vaccination rollout.
Preventing Phishing Attacks
Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. These warnings may not always be genuine and that you should always exercise caution.
The golden rule? Never click links in emails.
Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials.
Without the right security tools in place, organizations are vulnerable to phishing attacks. SpamTitan provides phishing protection by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content and performs reputation analysis on all email links, ultimately blocking malicious emails before they reach the end-user.
SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. SpamTitan's sandboxing feature protects against sophisticated email attacks by providing a powerful environment to run in-depth analysis of unknown or suspicious programs.
Phishing attacks are increasingly complex and growing in number. One of the most effective ways to protect against phishing scams is with a powerful email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.
To protect against advanced phishing threats you need advanced protection.
A round up of some of the phishing campaigns and phishing tactics identified over the past few days in campaigns targeting businesses in the banking and IT sectors, and individuals seeking unemployment benefits.
Fake Google ReCAPTCHA Used in Ongoing Phishing Campaigns
The use of CAPTCHA, an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”, is now common in phishing campaigns. CAPTCHA involves an image test, such as identifying all images in a group that contain cars, a test to identify characters in a slightly obfuscated image, or simply confirming that “I am not a robot.”
The Google reCAPTCHA is used on websites to distinguish human traffic from machines to protect against abusive activities by malicious code and software. ReCAPTCHA is a sign of security and the use of this system on a website helps to inspire trust. That trust is being abused by cybercriminals who have added fake Google ReCAPTCHAs to phishing sites. This tactic is becoming much more common.
One recently identified campaign uses emails with a message about a voicemail message that impersonate company communication tools. The attachment directs the user to a phishing website where they are presented with a CAPTCHA challenge. In this campaign, the user must complete the standard ‘I am not a robot’ challenge and will then be presented with a Microsoft 365 login prompt. In addition to using Microsoft logos, the corporate logo of the company being targeted is also included. When credentials are entered, the user is told they have successfully validated and will proceed to a generic voicemail message. The lures used in these campaigns change frequently, with requests to review documents also common.
This campaigns targets business executives in the banking and IT sectors, although the same tactic has been used throughout 2020 on targets in other industry sectors.
NFA Impersonated in Phishing Campaign Targeting Member Firms
A phishing campaign has been detected targeting the financial industry which impersonates the National Futures Association (NFA). The tactics used in this campaign are common in phishing scams – Impersonating a trusted entity and abusing that trust to get individuals to install malware.
The emails in this campaign have been sent from an email address on a domain that closely resembles the legitimate NFA domain. The official NFA domain is nfa.futures.org, whereas the phishing emails have been sent from the domain nfa-futures[.]org.
The emails appear to have been sent by legitimate NFA staff members, with the signature including their name, job title, and the correct address of the office, with fake phone numbers. The signature of the email lists two websites: The official domain and also the fake domain.
As with many phishing campaigns, the recipient is told urgent action must be taken. The message says the NFA has made many attempts to contact the recipient about a matter that requires an urgent response. These emails are being used to direct individuals to malicious website or convince them to open malicious attachments with the aim of delivering malware.
Phishing Campaign Impersonates State Workforce Agencies Offering Unemployment Benefits
Cybercriminals are creating fake websites that mimic genuine state workforce agencies (SWAs) in the United States in order to steal sensitive personal information that can be used for identity theft and fraud. The tactics are similar to the above campaign, although the aim is to obtain sensitive information rather than install malware on a business network.
The state workforce agency websites that the malicious sites impersonate are used by individuals to apply for unemployment benefits. In order to receive those benefits, individuals must provide personally identifiable information. Campaigns are being conducted to impersonate these sites and trick people into believing they are on the genuine website. After landing on the malicious page, a series of questions must be answered as part of a fake application for unemployment insurance benefits.
Traffic to the fake unemployment benefit websites is generated through phishing emails and text messages that impersonate an SWA, encouraging recipients to apply for benefits. These messages have been created to closely resemble official communications, using the official logos and color schemes of each SWA, with the domain linked in the email closely resembling the official SWA website.
Solutions to Improve Defenses Against Phishing Attacks
Phishing attacks are often sophisticated and highly targeted, and tactics, techniques, and procedures continually change to bypass technical and human defenses. To stay one step ahead of the scammers, businesses need to adopt a defense in depth approach to cybersecurity and implement multiple overlapping layers of security to block threats. If phishers and hackers manage to bypass one layer of security defenses, others will be in place to provide protection.
Human defenses, such as training the workforce how to identify phishing emails is important. When a threat is encountered, employees will know how to react. It is also possible to condition employees not to take risks, such as opening emails attachments in unsolicited messages from unknown senders. The sophistication of campaigns, spoofing of email addresses, lookalike domains, and email impersonation tactics make it difficult for some phishing emails to be distinguished from genuine email communications.
Technical defenses will ensure most threats are blocked and do not reach inboxes. An email security gateway solution is a must and should also be used on Office 365 environments. The standard Office 365 spam filter is simply not good enough at blocking threats. Spam filters with machine learning capabilities and greylisting will help to ensure more threats are blocked, and multiple malware detection methods should be used, including sandboxing to detect new malware threats. A web filter should also be considered for blocking the web-based component of phishing attacks. A web filter will provide time-of click protection and prevent individuals from visiting malicious sites and downloading potentially malicious files.
For more information on improving your phishing defenses and to register for a free trial of two award-winning anti-phishing solutions, contact the TitanHQ team today.
One of the most prolific ransomware gangs has updated its ransomware giving it worm-like capabilities, allowing it to self-propagate and spread to other devices on the local network.
Ryuk ransomware first emerged in the summer of 2018 and has grown to become one of the biggest ransomware threats. The ransomware operation is believed to be run by an Eastern European threat group known as Wizard Spider, aka UNC1878.
In 2020, Ryuk ransomware was extensively used in attacks on large organizations. While some ransomware gangs took the decision not to attack healthcare organizations that were on the front line in the fight against COVID-19, that was not the case with Ryuk. In fact, the threat group embarked upon a major campaign specifically targeting the healthcare industry in the United States. In October 2020, the gang attacked 6 U.S. hospitals in a single day. If security researchers had not uncovered a plan by the gang to attack around 400 hospitals, the campaign would have claimed many more victims.
According to the ransomware remediation firm Coveware, Ryuk ransomware was the third most prolific ransomware variant in 2020 and was used in 9% of all ransomware attacks. An analysis of the Bitcoin wallets associated with the gang suggest more than $150 million in ransoms have been paid to the gang.
Ryuk ransomware is under active development and new capabilities are frequently added. The Ryuk gang was one of the first ransomware operators to adopt the double-extortion tactics first used by the operators of Sodinokibi and Maze ransomware, which involve stealing data prior to the use of encryption and threatening to publish or sell the stolen data if the ransom is not paid.
Ryuk ransomware also had a feature added that allowed it to mount and encrypt the drives of remote computers. The ransomware accesses the ARP table on a compromised device to obtain a list of IP addresses and mac addresses, and a wake-on-LAN packet is sent to the devices to power them up to allow them to be encrypted.
The latest update was discovered by the French national cybersecurity agency ANSSI during an incident response it handled in January. ANSSI discovered the latest variant had worm-like capabilities that allow it to propagate automatically and infect all machines within the Windows domain. Every reachable machine on which Windows RPC accesses are possible can be infected and encrypted.
Ryuk is a human-operated ransomware variant, but the new update will greatly reduce the manual tasks that need to be performed. This will allow the gang to conduct more attacks and will decrease the time from infection to encryption, which gives security teams even less time to identify and remediate an attack in progress.
While different methods are used for initial access, Ryuk ransomware is usually delivered by a malware dropper such as Emotet, TrickBot, Zloader, Qakbot, Buer Loader, or Bazar Loader. These malware droppers are delivered via phishing and spear phishing emails. Around 80% of Ryuk ransomware attacks use phishing emails as the initial attack vector.
Once a device has been compromised it is often too late to identify and block the attack before data theft and file encryption, especially since the attacks typically occur overnight and during the weekend when IT teams are depleted. The best defense is to block the initial attack vector: The phishing emails that deliver the malware droppers.
Having an advanced spam filtering solution in place is essential for blocking Ryuk ransomware attacks. By identifying and quarantining the phishing emails and preventing them from reaching inboxes, the malware droppers that deliver Ryuk will not be downloaded.
To block these attacks, consider augmenting your email security defenses with SpamTitan. SpamTitan is an award-winning email security gateway that is proven to block phishing emails that deliver malware downloaders. To find out more, contact the SpamTitan team or start a free trial of the solution today.
A new phishing scam has been detected targeting UK residents that spoofs the National Health Service (NHS) and offers recipients the opportunity to register to receive a COVID-19 vaccination. The NHS COVID-19 vaccine scam is one of several to be intercepted in recent weeks that offers the chance to get a vaccine, when in reality it will involve disclosing sensitive information.
Since the SARS-CoV-2 virus started spreading beyond the borders of China, scammers have been conducting a wide range of COVID-19 phishing scams. Now that the vaccine rollout is progressing in the UK and globally, using the promise of an early vaccine as a lure was to be expected.
In the latest campaign, the sender’s address has been spoofed to make it appear than the messages have been sent by the NHS, and NHS branding is used in the message body. Recipients are instructed that they have been selected to receive the vaccine based on their family and medical history.
The lure is plausible, as in the UK the most at-risk groups have mostly been vaccinated, and the NHS is now moving into priority group 6, which is all individuals aged 16 to 65 with an underlying medical condition. The NHS has also asked people to be patient and to wait until they are contacted about the vaccine to arrange an appointment, which may be via email.
The NHS COVID-19 vaccine scam emails require the recipient to click a link that directs them to a website where they are instructed to provide some information to confirm their identity. In this case, the aim of the scam is not to obtain credentials, but personal information including name, address, date of birth, and credit card details.
Phishing has become the attack vector of choice for many cybercriminal operations during the pandemic. One study indicates an increase of 667% in phishing as an attack vector, showing the extent to which cybercriminals have changed their attack tactics during the pandemic. One study by Centrify shows the number of phishing attacks had increased by 73% between March 2020 and September 2020.
Research published by the ransomware response firm Coveware shows that the volume of ransomware attacks using phishing as the infection vector increased sharpy in the final quarter of 2020, overtaking all other methods of attacks to become the main method of gaining access to business networks.
Phishing attacks are expected to continue to increase in 2021 due to the ease at which they can be conducted and the effectiveness of the campaigns. Attacks are also becoming more sophisticated and harder for employees to identify.
Spear phishing attacks that target certain companies and individuals are becoming much more prevalent. These campaigns involve prior research, and the messages are tailored to maximize the chance of a response.
With phishing so prevalent, it is vital for businesses to ensure they are sufficiently protected and have an email security solution installed that is capable to blocking these threats.
Dual AV engines and sandboxing are capable of blocking known and zero-day malware and ransomware threats, while machine learning technology and multiple threat intelligence feeds provides protection against current and emerging phishing threats.
SpamTitan significantly improves protection for Microsoft Office 365 accounts, the credentials to which are highly sought after by phishers and offers businesses excellent protection from all email-based attacks at a very affordable price.
If you want to protect your inboxes and block more malicious emails, contact TitanHQ for more information about SpamTitan. The multi-award-winning antispam solution is also available on a free trial for you to see for yourself how effective it is and how easy it is to use.
Tax season has begun and so have the annual scams targeting tax professionals. Each year in the run up to the tax filing deadline, cybercriminals conduct scams in order to obtain electronic filing identification numbers (EFINs).
In the United States, the Internal Revenue Service (IRS) issues EFINS to tax professionals and individuals to allow them to file tax returns electronically. If cybercriminals obtain these EFINs they can file fraudulent tax returns in victims’ names to obtain tax rebates. Obtaining an e-file number of a tax professional will allow tax returns to be filed for many individuals, so these scams can be very lucrative.
These scams usually start with a phishing email using a lure to get the recipient to visit a malicious website where they are asked to provide information or upload documents that contain sensitive information. Alternatively, recipients are told to download files which silently install a malware downloader which ultimately gives the attackers full control of the victim’s computer.
Commonly, the spam emails spoof the IRS and instruct tax professionals to provide information or documents in order to prevent the suspension of their account. At such as busy time of year, suspension of an account is best avoided. Faced with this threat, tax professionals may provide the requested information.
One of the phishing emails recently intercepted spoofed the IRS by using the sender name “IRS Tax E-Filing,” with the subject line “Verifying your EFIN before e-filing.” The emails looked convincing and required “authorized e-file originators” to reverify prior to filing returns through the IRS system. The emails claimed the IRS had started using this new security measure to prevent unauthorized and fraudulent activities. The scammers requested a PDF file/scan of the EFIN acceptance letter and both sides of the individual’s driver’s license. Similar scams have been conducted that require tax preparers’ ID numbers and e-services usernames and passwords to be provided.
This year, in addition to the usual phishing emails spoofing the IRS, campaigns have been detected where the attackers claim to be potential clients looking for tax preparers ahead of the filing deadline. Attachments are provided that would typically be needed by tax preparers, but they are laced with malicious scripts that install keylogging malware that records and exfiltrates keystrokes, with are likely to include usernames and passwords.
Tax preparers that fall victim to these scams can suffer catastrophic damage to their reputations, so it is important to exercise caution when opening any emails and to stop and think carefully about any request to provide sensitive information or download files.
One of the easiest ways to protect against these scams is to implement an advanced spam filtering solution that can identify and block these malicious messages. SpamTitan is a powerful email security solution that identifies and blocks malware and documents containing malicious scripts with dual antivirus engines, sandboxing, and machine learning techniques. In addition to blocking malware threats, SpamTitan is highly effective at blocking phishing emails containing malicious links.
The award-winning spam filter is quick and easy to implement and maintain, requiring no technical knowledge. You can be up and running in minutes and protecting your inbox from phishing and malware attacks, which will allow you to concentrate on your business at this busy time of year and avoid costly cyberattacks.
For more information about SpamTitan, to book a product demonstration or to register for a free trail, give the SpamTitan team a call today.
Phishers regularly changes their tactics, techniques and procedures and create more convincing scams to trick employees into disclosing sensitive information or installing malware on their computers. One novel tactic that was first observed in the fall of 2020 involved the use of malformed URL prefixes. Over the following months, the number of emails sent with these atypical URL prefixes grew, and according to GreatHorn researchers, the volume of these messages increased by almost 6,000% in the first month of the year.
URLs start with either HTTP:// or HTTPS://, which are the standard URL protocols. While end users may check to see if the URL starts with HTTP or HTTPS to determine whether the connection to the website is encrypted, they may not notice or be overly concerned about what comes after the colon. That is also true of certain security solutions and browsers, which also do not check that part of the URL.
The new tactic sees one of the forward slashes swapped with a backslash, so HTTPS:// becomes HTTP:/\ and it is enough of a change to see phishing emails delivered to inboxes. This tactic has been combined with another tactic that reduces the chance of the link being identified as malicious. The URL linked in the emails directs the user to a web page that includes a reCAPTCHA security feature. This feature will be known to most internet users, as it is used by a great deal of websites and search engines to distinguish between real users and robots.
The challenge must be passed for a connection to the website to me made. Having this security feature helps to convince the visitor that they are arriving on a legitimate site, but it also stops security solutions from assessing the content of the site. If the user passes the reCAPTCHA challenge, they are then redirected to a different URL that hosts the phishing form. That webpage very closely resembles the login prompt of Office 365 or Google Workspace, with this campaign mostly targeting Office 365 credentials.
Since this new tactic is now proving popular it is worthwhile incorporating this into your security awareness training sessions to make employees aware of the need to check the URL prefix, and also add a rule in SpamTitan to block these malformed URLs.
A new Adidas phishing scam has been detected that offers free shoes and money. The messages claim that Adidas is celebrating its 93rd anniversary and is giving 3000 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription.
“Adidas is giving away 3000 Free Pair of Shoes to celebrate its 93rd anniversary. Get your free shoes at <link>”
The very same scam was run in 2019 claiming to celebrate 69th anniversary and on that occasion was giving 2,500 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription. The scammer saw success previously and have clearly decided it’s worth trying again.
The Scam Adidas Email
There is also an email version of the scam. The fake Adidas email claims the recipient has won a large sum of money and all they need to do to claim the cash is send their personal details via email.
A successful breach can cost an organization millions but defending against this kind of attack requires powerful anti-spam and malware technology. To defend against this kind of phishing attack you need a cutting edge email security solution to stop scam emails, a security aware workforce to identify a scam email and spot a spoof email, and powerful web protection that blocks user from accessing dangerous websites
WhatsApp phishing scam
The WhatsApp phishing scam is targeting users on mobile devices in specific locations. If the user clicks the link in the message and is determined not to be using a mobile device, they will be directed to a webpage that displays a 404 error. The scam will also only run if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.
Provided the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The responses to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.
In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user does this, they will be directed to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.
There is another catch. In order to claim their free sneakers, the user must pay $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any point.
On the payment screen the user is told that the payment will be processed by organizejobs.net. Proceeding with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.
The campaign is being run on WhatsApp, although similar scams have been conducted via email and SMS messages. Several variations along the same theme have also been identified spoofing different shoe manufacturers.
The link supplied in the WhatsApp phishing message appears to be genuine, using the official domain for the country in which the user is located. While the domain looks correct, this is an example of a homoglyph attack. Instead of the domain adidas.de, the i is replaced with a vertical line – a homoglyph attack.
These types of scams are commonplace. Homoglyph scams take advantage of the ability to use non-ASCII characters in domain names. Similar scams use a technique called typosquatting – where domains closely matching real brand names are registered: Incorrect spellings for instance, such as “Addidas” instead of Adidas, or with an i replaced with a 1 or an L.
In this case, the attackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the information used to run up huge bills or drain bank accounts.
There are various warning signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will reveal it is incorrect. The need to share the message to contacts is atypical, being notified of a charge after being told the shoes are free, the failure to ask the user to choose a pair of shoes or even select their size, and an odd domain name is used to process payment. However, even with these tell-tale signs that the offer is not genuine, this adidas phishing scam is likely to fool many people.
Be warned. If you receive any unsolicited WhatsApp message offering you free goods, best to assume it is a phishing scam.
To find out more about some of the key protections you can put in place to improve your resilience against email scams and phishing attacks, contact the SpamTitan team today.
Ransomware attacks in 2020 were conducted at twice the rate of the previous year, with many organizations falling victim and having to pay large ransoms to recover their data or risk sensitive information being published or sold to cybercriminal organizations.
At the start of 2020, data exfiltration prior to the deployment of ransomware was still only being conducted by a small number of ransomware gangs, but that soon changed as the year progressed. By the end of the year, at least 17 cybercriminal gangs were using this double extortion tactic and were stealing sensitive data prior to encrypting files. Faced with the threat of publication of sensitive data, many attacked organizations felt they had little alternative other than to pay the ransom demand.
The extent of ransomware attacks in 2020 has been highlighted by various studies by cybersecurity researchers over the past few weeks. Chainalysis recently released a report that suggests more than $350 million has been paid to cybercriminals in 2020 alone, based on an analysis of the transactions to blockchain addresses known to be used by ransomware threat groups. Of course, that figure is likely to be far lower than the true total, as many companies do not disclose that they have suffered ransomware attacks. To put that figure into perspective, a similar analysis in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of resolving attacks, which would be several orders of magnitude higher.
The increase in attacks can be partly attributed to the change in working practices due to the pandemic. Many companies switched from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees protected. The rapid change involved hastily implementing remote access solutions to support those workers which introduced vulnerabilities that were readily exploited by ransomware gangs.
Most Ransomware Attacks Now Start with Phishing
Throughout 2020, phishing was commonly used as a way to gain access to corporate networks, accounting for between 25% and 30% of all ransomware attacks, but new data released by the ransomware attack remediation firm Coveware shows the attack methods changed in the last quarter of 2020. As companies and organizations addressed vulnerabilities in remote access solutions and VPNs and improved their defenses, phishing became the most common attack method. Coveware’s analysis shows that in the final quarter of 2020, more than 50% of ransomware attacks started with a phishing email.
Ransomware can be delivered directly through phishing emails, although it is more common to use intermediary malware. The most commonly used malware variants for distributing ransomware are Trojans such as Emotet and TrickBot, both of which are extensively delivered via phishing emails. These malware variants are also capable of self-propagating and spreading to other devices on the network.
Access to compromised devices is then sold to ransomware gangs, who access the devices, steal sensitive data, then deploy their ransomware payload. The Emotet botnet played a large role in ransomware attacks in 2020, and while it has now been disrupted following a joint law enforcement operation, other malware variants are certain to take its place.
The same report also highlighted the nature of businesses attacked with ransomware. Far from the gangs targeting large enterprises with deep pockets, most attacks are on small- to medium-sized businesses with under 250 employees. 30.2% of attacks were on businesses with between 11 and 100 employees, with 35.7% on businesses with 101 to 1,000 employees. Healthcare organizations, professional services firms, and financial services companies have all been targeted and commonly fall victim to attacks, although no sector is immune.
70% of ransomware attacks now involve data theft prior to encryption, so even if backups exist and can be used to restore data, it may not be possible to avoid paying the ransom. There is also a growing trend for data to be permanently deleted, which leaves businesses with no way of recovering data after a ransomware attack.
Steps to Take to Block Ransomware Attacks
What all businesses and organizations need to do is to make it as hard as possible for the attacks to succeed. While there is no single solution for blocking ransomware attacks, there are measures that can be taken that make it much harder for the attacks to succeed.
With most ransomware attacks now starting with a phishing email, an advanced email security solution is a must. By deploying best-of-breed solutions such as SpamTitan to proactively protect the Office365 environment it will be much easier to block threats than simply relying on Office 365 anti-spam protections, which are commonly bypassed to deliver Trojans and ransomware.
A web filtering solution can provide protection against ransomware delivered over the internet, including via links sent in phishing emails. Multi-factor authentication should be implemented for email accounts and cloud apps, employees should be trained how to identify threats, and monitoring systems should be implemented to allow attacks in progress to be detected and mitigated before ransomware is deployed.
DMARC email authentication is an important element of phishing defenses, but what is DMARC email authentication, what does it do, and how does it protect against email impersonation attacks?
There is some confusion about what DMARC email authentication is and what it can do. In this post we explain in clear English what DMARC means and why it should be part of your anti-phishing defenses.
What is DMARC
DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes. DMARC is a critical component of email cybersecurity that reduces an attacker’s ability to get email threat to an end user’s inbox.
With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.
If DMARC is implemented on email, a business can have all incoming emails checked against DMARC records and any email that fails the check can be subjected to certain actions.
The message can be delivered as normal with a warning and the email will be included in a report of emails that failed the check. The message could automatically be sent to quarantine for manual approval before delivery is made. Alternatively, the message could be rejected or subjected to a custom policy. An organization can select the best policy to adopt based on their level of risk tolerance.
DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes. DMARC is just one of several rules that are used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user.
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DNS records are also used to determine whether the email server being used is authorized to send emails for the organization.
What is Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) is an email-authentication technique used to restrict who can send emails from your domain. It allows your mail server determine when a message comes from the domain that it uses. SPF has three major elements: a policy framework, an authentication method and specialized headers to convey the information.
An email message contains two sender addresses:
The From:header, displaying the name and email address of the sender
The Envelope From:or Return-Path email address.
Both types of sender addresses can be easily spoofed.
SPF uses a DNS record to verify the Envelope From:only. This means that if a spammer spoofs the Envelope From: address using a domain where SPF is enabled, the mail will be caught by the receiving server. If the spammer spoofs the From: header, SPF will not catch this. The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies. The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.
Together with the DMARC related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is. SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.
DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification.
If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.
DMARC offers a much greater level of protection than SPF and is more dependable, so both should be implemented. Both SPF and DMARC are incorporated into SpamTitan to better protect users from email spoofing attacks. Enabling SPF, DKIM and DMARC will help greatly reduce the amount of spoof emails recieved, and that is only good.
The notorious Emotet botnet, which has been used in extensive attacks on companies around the globe for many years, has been taken down as part of a coordinated effort by Europol, the FBI, the UK National Crime Agency, and other law enforcement agencies.
The threat actors behind Emotet used their malware to create a backdoor in the systems of many companies, with access then sold to other threat groups to conduct further malicious activities including stealing sensitive data and extortion through the deployment of ransomware.
The operation has been planned for around two years and was coordinated to ensure that the multi-country infrastructure was simultaneously taken down to disrupt any attempts by the threat group to reconstruct the network. Law enforcement agencies have seized control of hundreds of servers and have taken control of the entire Emotet infrastructure, in what will be seen by many to be the most important malware takedowns to date. The takedown has prevented the Emotet gang from communicating with the malware and has resulted in the loss of control of the army of compromised devices that make up the botnet.
Europol and its partners succeeded in mapping the entire infrastructure, took control of the network, and deactivated the Emotet Trojan. A software update was placed on the main servers used to control the malware, two of which were located in the Netherlands. Infected computer systems will retrieve the update, which will see Emotet Trojan on those systems quarantined.
The Most Dangerous Malware and Most Prolific Botnet
Emotet is arguably the most dangerous malware of recent years and the botnet used to distribute it is one of the most prolific. Around 30% of all malware attacks in 2020 involved the Emotet Trojan.
Phishing emails were used to deliver the Emotet Trojan. Massive phishing campaigns were conducted using a wide range of lures to trick recipients into opening malicious attachments or visiting websites that downloaded the Emotet Trojan. The lures used in the campaigns frequently changed, taking advantage of world events to maximize the probability of the attachments being opened.
Emotet started life as a banking Trojan but was later developed to also serve as a malware dropper. Emotet delivered other banking Trojans such as TrickBot as the secondary malware payload, and ransomware variants such as Ryuk – each of which were dangerous in their own right.
Devices infected with Emotet are added to the botnet and used to distribute copies of the Emotet Trojan to other devices on the network and the user’s contacts by hijacking the user’s email account. A single device on a corporate network that was infected with Emotet could quickly result in widespread infection. The Trojan was also particularly difficult to eradicate, as removal of the infection would only be temporary, with other devices on the network simply re-infecting the cleaned device.
In the leadup to the 2020 Presidential election in the United States, Microsoft and its partners succeeded in seizing control of some of the infrastructure used to control and distribute the TrickBot Trojan. In that case the operation was only temporarily successful, as the TrickBot gang was able to rapidly recover and restore its infrastructure.
Time will tell as to how successful the Emotet takedown has been and whether the operation has only temporarily disrupted the activities of the Emotet gang or whether the takedown has left it completely crippled.
A new phishing campaign has been identified that abuses the Windows Finger command to download a malware variant called MineBridge.
The Finger command in Windows can be used by a local user to obtain a list of users on a remote machine or, alternatively, to obtain information about a specific remote user. The Finger utility originated in Linux and Unix operating systems but is also included in Windows. The utility allows commands to be executed to find out whether a particular user is logged on, although this is now rarely used.
There are also security concerns with the finger utility, and it has been abused in the past to find out basic information about users that can be targeted in social engineering attacks. Vulnerabilities in the finger protocol have also been exploited in the past by some malware variants.
Recently, security researchers discovered Finger can be used as a LOLBin to download malware from a remote server or to exfiltrate data without triggering alerts from security solutions. Finger is now being used in at least one phishing campaign to download malware.
MineBridge malware is a Windows backdoor written in C++ that has previously been used in attacks on South Korean companies. The malware was first identified in December 2020 by researchers at FireEye and in January 2020 several campaigns were identified distributing the malware via phishing emails with malicious Word attachments.
The latest campaign sees the attackers impersonate a recruitment company. The email is a recommendation of a candidate for consideration for a position at the targeted firm. The sender recommends even if there are no current openings, the CV should be checked, and the candidate considered. The email is well written and believeable.
As is common in phishing campaigns, if the document is opened a message will be displayed that tells the user the document has been created in an old version of Windows and to view the content the user needs to ‘enable editing’ and then ‘enable content’. Doing so will run the macro, which will fetch and download a Base64 encoded certificate using the Finger command. The certificate is a malware downloader that used DLL hijacking to sideload the MineBridge backdoor. Once installed, MineBridge will give the attacker control over an infected device and allow a range of malicious actions to be performed.
It is easiest to block attacks like this by installing an advanced spam filtering solution to block the malicious emails and prevent them from reaching inboxes. As an additional protection against this and other campaigns that abuse the Finger.exe utility in Windows, admins should consider disabling finger.exe if it is never used.
Phishing scams can be difficult for employees to identify. The emails provide a plausible reason for taking a certain action, such as clicking a link in an email. The websites that users are directed to are virtually indistinguishable from the genuine websites that the scammers spoof and credentials are commonly captured.
The pandemic has seen increasing numbers of employees working from home and accessing their company’s cloud applications remotely. Businesses are now much more reliant on email for communication than when employees were all office based. Cybercriminals have been taking advantage and have been targeting remote workers with phishing scams and many of these attacks have been successful.
Employees often receive training on cybersecurity and are told to be wary of emails that have been sent from unknown individuals, but many still open the emails and take the requested action. The emails often spoof an individual that is known to the recipient, which increases the likelihood of that email being opened. It is also common for well known brands to be impersonated in phishing attacks, with the attackers exploiting trust in that brand.
A recent analysis of phishing emails by Check Point revealed the most commonly impersonated brand in phishing attacks over the past 3 months is Microsoft, which is not surprising given the number of businesses using Office 365. The study revealed 43% of phishing attempts that mimic brands impersonate Microsoft.
Microsoft credentials are then captured in these attacks and are used to remotely access accounts. The data stored in a single email account can be substantial. There have been many healthcare phishing attacks that have seen a single account compromised that contained the sensitive data of tens of thousands or even hundreds of thousands of patients. These phishing emails are often only the first step in a multi-stage attack that gives the threat actors the foothold they need for a much more extensive attack on the organization, often resulting in the theft of large amounts of data and ending with the deployment of ransomware.
Microsoft is far from the only brand impersonated. The analysis revealed DHL to be the second most impersonated brand. DHL-based phishing attacks use failed delivery notifications and shipping notices as the lure to get individuals to either disclose sensitive information such as login credentials or open malicious email attachments that download malware. 18% of all brand impersonation phishing attacks involve the impersonation of DHL. This makes sense as the phishers target businesses and especially during a pandemic when there is increased reliance on courier companies.
Other well-known brands that are commonly impersonated include PayPal and Chase to obtain account credentials, LinkedIn to allow professional networking accounts to be compromised, and Google and Yahoo are commonly impersonated to obtain account credentials. Attacks spoofing Amazon, Rakuten, and IKEA also make the top 10 most spoofed brand list.
Phishers mostly target business users as their credentials are far more valuable. Businesses therefore need to ensure that their phishing defenses are up to scratch. Security awareness training for employees is important but given the realistic nature of phishing emails and the plausibility of the lures used, it is essential for more reliable measures to be implemented to block phishing attacks.
Top of the list of anti-phishing measures should be an advanced spam filter. Many businesses rely on the spam filtering capabilities of Office 365, but this only provides a level of protection. The default spam filter in Office 365 is not particularly effective at blocking sophisticated phishing attacks. Businesses that rely on Microsoft’s Exchange Online Protection (EOP) see many phishing emails delivered to inboxes where they can be opened by employees.
To better protect against phishing attacks, a third-party spam filter should be layered on top of Office 365. SpamTitan has been developed to provide enhanced protection for businesses that use Office 365. The solution implements seamlessly with Office 365 and the solution is easy to implement and maintain. The result will be far greater protection from phishing attacks and other malicious emails that employees struggle to identify.
For further information on SpamTitan, to register for a free trial, and for details of pricing, give the TitanHQ team a call today.
To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.
Phishing is the Number One Cyber Threat Faced by SMBs
Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.
Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised. Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.
The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.
Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.
Easy to Implement Anti-Phishing Solutions for MSPs
There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.
MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?
Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.
Advanced Spam Filtering
Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.
SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and the release of messages from the quarantine folder. Reports can be generated per domain and those reports can be scheduled and automatically sent to clients. The solution can be fully rebranded to take an MSP logo and color scheme, and the solution can be hosted in TitanHQ’s private cloud or within your own data center.
Security Awareness Training and Testing
While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.
DNS-Based Web Filtering
Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.
A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.
WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.
Key Product Features of SpamTitan and WebTitan for MSPs
Easy to manage: There is a low management overhead. SpamTitan and WebTitan are set and forget solution. We handle all the updates and are constantly protecting against new threats globally, in real-time.
Scalability: Regardless of your size you can deploy the solution within minutes. SpamTitan and WebTitan are scalable to thousands of users.
Extensive API: MSPs provided with API integration to provision customers through their own centralized management system; a growth-enabling licensing program, with usage-based pricing and monthly billing.
Hosting Options: SpamTitan and WebTitan can be deployed as a cloud based service hosted in the TitanHQ cloud, as a dedicated private cloud, or in the service provider’s own data center.
Extensive drill down reporting: Integration with Active Directory allows detailed end user reporting. Comprehensive reports can be created on demand or via the scheduled reporting options.
Support: World class support – we are renowned for our focus on supporting customers.
Tried & Tested: TitanHQ solutions are used by over 1500 Managed Service Providers worldwide.
Rebrandable: Rebrand the platform with your corporate logo and corporate colors to reinforce your brand or to resell it as a hosted service.
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
Private or Public Cloud deployment
Access to the Partner Portal
Dedicated Account Manager
White Label or Co-branding
Co-Branded Evaluation Site
Assigned Sales Engineer Support
Social Network participation
Access to Global Partner Program Hotline
Free 30-day evaluations
Access to Partner Knowledge Base
Joint White Papers
Partner Events and Conferences
24/7 Priority Technical Support
Tiered Deal Registration
5 a.m. to 5 p.m. (PST) Technical Support
Better Together Webinars
Online Technical Training and FAQs
Advanced Product Information
Partner Certificate – Sales and technical
Access to Partner Technical Knowledge Base
Competitive Information and Research
Sales Campaigns in a box
Not-for-Resale (NFR) Key
Public Relations Program and Customer Testimonials
Product Brochures and Sales Tools
TitanHQ Corporate Style Guide and Logo Usage
Partner Advisory Council Eligibility
TitanHQ Partner Welcome Kit
QTRLY Business Planning and Review
Access to TitanHQ’s MVP Rewards Program
Access to Partner Support
For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanSHIELD program.
A Trump-themed phishing campaign has been detected that attempts to deliver the Qnode Remote Access Trojan (QRAT) under the guise of a video file that appears to be a Donald Trump sex tape.
QRAT is a Java-based RAT that was first detected in 2015 that has been used in several phishing campaigns over the years, with an uptick in distribution observed from August 2020. Interestingly, the malicious file attachment – named “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no relation to the phishing email body and subject line, which offers a loan as an investment for a dream project or business plan. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be provided if there is a good return on the investment and between $500,000 and $100 million can be provided. It is unclear whether an error has been made and the wrong file attachment was added to the email or if this was a deliberate mismatching of a malicious .jar file. While the emails are unlikely to fool many end users, there may be enough interest in the video to pique the interest of some recipients.
The phishing campaign does appear to be poorly constructed, but the same cannot be said of the malware the campaign attempts to deliver. The version of QRAT delivered in this campaign is more sophisticated than previously detected versions, with several improvements made to evade security solutions. For instance, the malicious code used as the QRAT downloader is obfuscated and split across several different buffers within the .jar file.
Phishing campaigns often take advantage of interest in popular new stories and the Presidential election, allegations of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is likely that this will not be the only Trump-themed phishing campaign to be conducted over the next few days and months.
This campaign appears to target businesses, where the potential returns from a malware infection is likely to be far higher than an attack on consumers. Blocking threats such as this is easiest with an advanced email security solution capable of detecting known and new malware variants.
SpamTitan is an advanced, cost-effective spam filtering for businesses and the leading cloud-based spam filter for managed service providers serving the SMB market. SpamTitan incorporates dual anti-virus engines to identify known malware threats, and a Bitdefender-powered sandbox to identify zero-day malware. The solution also supports the blocking of risky file types such as JARs and other executable files.
SpamTitan is also effective at blocking phishing emails without malicious attachments, such as emails with hyperlinks to malicious websites. The solution has multiple threat detection features that can identify and block spam and email impersonation attacks and machine learning technology and multiple threat intelligence feeds that provide protection against zero-minute phishing attacks.
One of the main reasons why the solution is such as popular choice with SMBs and MSPs is the ease of implementation, use, and maintenance. SpamTitan takes the complexity out of email security to allow IT teams to concentrate on other key tasks.
SpamTitan is the most and top-rated email security solution on Capterra, GetApp and Software Advice, is a top three solution in the three email security categories on Expert Insights and has been a leader in the G2 Email Security grids for 10 consecutive quarters.
If you want a spam filtering solution that is effective and easy to use, look no further than SpamTitan. For more information, give the TitanHQ team a call. SpamTitan is also available on a free trial to allow you to evaluate the solution in your own environment before deciding on a purchase.
The threat from phishing is ever present and phishing remains the leading cause of data breaches. All it takes is for one employee to fall for a phishing email for threat actors to gain the foothold they need to conduct more extensive attacks on the organization. But how common is phishing? In this post we provide some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing defenses.
2020 Phishing Statistics
Phishing is the easiest way for cybercriminals to gain access to sensitive data and distribute malware. Little skill or effort is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The latest figures show that in 2020, 22% of reported data breaches started with a phishing email and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc., and the massive Home Depot data breach in 2014 that saw the email addresses of 53 million individuals stolen.
Phishing can be conducted over the phone, via SMS, social media networks, or instant messaging platforms, but email is most commonly used. Around 96% of all phishing attacks occur via email. Successful phishing attacks result in the loss of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving the incidents and resultant data breaches is substantial. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security revealed the average cost of a data breach is around $150 per compromised record with a total cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to resolve.
Employees may believe they are able to spot phishing emails, but data from security awareness training companies show that in many cases, that confidence is misplaced. One study in 2020 revealed that 30% of end users opened phishing emails, 12% of users clicked a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing websites. Bear in mind that 78% of users claimed that they know they shouldn’t open email attachments from unknown senders or click links in unsolicited emails.
The 2020 phishing statistics show phishing and spear phishing are still incredibly common and that phishing attacks often succeed. Another study revealed 85% of companies have fallen victim to a phishing attack at least once. Phishing websites are constantly being created and used in these scams. Once a URL is confirmed as malicious and added to a blacklist, it has often already been abandoned by the threat actors. In 2020, around 1.5 million new phishing URLs were identified every month.
2020 has seem a massive increase in ransomware attacks. While manual ransomware attacks often see networks compromised by exploiting vulnerabilities in firewalls, VPNs, RDP, and networking equipment, ransomware is also delivered via email. Since 2016, the number of phishing emails containing ransomware has increased by more than 97%.
How to Detect and Block Phishing Threats
Tackling phishing and preventing successful attacks requires a defense in depth approach. An advanced spam filtering solution is a must to prevent phishing emails from reaching inboxes. Companies that use Office 365 often rely on the protections provided as standard with their licenses, but studies have shown that the basic level of protection provided by Microsoft’s Exchange Online Protection (EOP) is insufficient and average at best and phishing emails are often not detected. A third-party, solution is recommended to layer on top of Office 365 – One that incorporates machine learning to identify never before seen phishing threats. The solution should use email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks and outbound scanning to identify compromised mailboxes.
End user training is also important. In the event of a phishing email arriving in an inbox, employees should be trained to identify it as such and be conditioned into reporting the threat to their IT team to ensure action can be taken to remove all instances of the threat from the email system. Web filters are also important for blocking the web-based component of phishing attacks and preventing employees from visiting phishing URLs. Multi-factor authentication on email accounts is also essential. In the event of credentials being stolen, MFA will help to ensure that the credentials cannot be used to access email accounts.
Cybercriminals are leveraging interest in COVID-19 vaccination programs and are conducting a range of COVID-19 vaccine phishing scams with the goal of obtaining sensitive data such as login credentials or to distribute malware. Several government agencies in the United States have recently issued warnings to businesses and consumers about the scams including the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services, and law enforcement agencies such as the FBI.
COVID-19 vaccine scams can take many forms. Campaigns have already been detected that offer early access to COVID-19 vaccines. These scams require a payment to be made as a deposit or a fee to get to the top of the waiting list. Other scams offer the recipients a place on the waiting list if they apply and provide personal information.
COVID-19 vaccine phishing scams are being conducted via email; however, it is likely that fraudsters will advertise on websites, social media channels, or conduct scams over the telephone or via SMS messages and instant messaging platforms. While many of these scams target consumers, there is potential for businesses to be affected if employees access their personal emails at work or if the scam emails are sent to work email addresses.
Scam emails often include links to websites where information is harvested. These links may be hidden in email attachments to hide them from email security solutions. Office documents are also commonly used for delivering malware, via malicious macros.
The emails typically impersonate trusted entities or individuals. COVID-19 vaccine scam emails are likely to impersonate healthcare providers, health insurance companies, vaccine centers, and federal, state, or local public health authorities. During the pandemic there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in Covid-19 related phishing scams.
The U.S. Department of Justice recently announced that two domains have been seized that impersonated vaccine developers. The domains were virtual carbon copies of the legitimate websites of two biotechnology companies involved in vaccine development. The malicious content has been removed, but there are likely to be many more domains registered and used in COVID-19 vaccine phishing scams over the coming weeks.
Warnings have also been issued about the risk of ransomware attacks that take advantage of interest in COVID-19 vaccines and provide the attackers with the foothold in networks they need to conduct their attacks.
There are four important steps that businesses can take to reduce to risk of falling victim to these scams. Since email is extensively used, it is essential to have an effective spam filtering solution in place. Spam filters use blacklists of malicious email and IP addresses to block malicious emails, but since new IP addresses are constantly being used in these scams, it is important to choose a solution that incorporates machine learning. Machine learning helps to identify phishing threats from IP addresses that have not previously been used for malicious purposes and to identify and block zero-day phishing threats. Sandboxing is also important for identifying and blocking zero-day malware threats that have yet to have their signatures incorporated into the virus definition lists of antivirus engines.
While spam filters can identify and block emails that contain malicious links, a web filtering solution is also recommended. Web filters are used to control the websites that employees can access and prevent visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated via threat intelligence feeds to provide protection against recently discovered malicious URLs.
Businesses should not neglect end user training and should regularly provide refresher training to employees to help them identify phishing threats and malicious emails. Phishing simulation exercises are also beneficial for evaluating the effectiveness of security awareness training.
Multi-factor authentication should also be applied as a last line of defense. In the event of credentials being compromised, multi-factor authentication will help to ensure that stolen credentials cannot be used to remotely access accounts.
With these measures implemented, businesses will be well protected from malware, COVID-19 vaccine phishing scams, and other phishing threats.
For further information on spam filtering, web filtering, and protecting your business from malware and phishing attacks, give the TitanHQ team a call today.
Recently, a new technique has been identified that is being used by hackers to conduct cross-site scripting attacks from within PDF files.
PDF files have long been used by hackers for phishing attacks and malware delivery. Oftentimes, emails are sent with PDF file attachments that contain hyperlinks to malicious websites. By adding these links into the files rather than the body of the email message, it is harder for security solutions to identify those malicious links.
The latest attack method also uses PDF files, but instead of tricking employees into revealing their login credentials or visiting a malicious website where malware is downloaded, the attackers attempt to obtain sensitive information contained in PDF files.
The technique is similar to those used to by hackers in web application attacks. Cross-site scripting attacks – or XXS attacks for short – typically involve injecting malicious scripts into trusted websites and applications. When a user visits a website or a hacked application, the script executes. The scripts give the attackers access to user information such as cookies, session tokens, and sensitive data saved in browsers, such as passwords. Since the website or application is trusted, the web browser will not recognize the script as malicious. These attacks are possible in websites and web applications where user input is used to generate output without properly validating or encoding it.
What sort of data could be captured in such an attack? A substantial amount of sensitive data is contained in PDF files. PDF files are used extensively for reports, statements, logs, e-tickets, receipts, boarding passes, and much more. PDF files may contain passport numbers, driver’s license numbers, bank account information, and a range of other sensitive data. The presenters at the conference explained they found some of the largest libraries of PDF files worldwide were sensitive to XXS attacks.
In the most part, the vulnerabilities in PDF files that allow XXS attacks are not due to the PDF files themselves, but improper coding. If PDF libraries fail to properly parse code of escape characters and allow unprotected formats, they will be vulnerable. Fortunately, Adobe released an update on December 9 which prevents this type of security vulnerability from being exploited, although companies that create PDF files must update their software and apply the update to be protected.
This is just one way that malicious attachments can be used to obtain sensitive information. As previously mentioned, malicious macros are commonly added to office documents, executable files are added as attachments to emails and masquerade as legitimate files, and malicious code can be injected into a range of different file types.
One of the best ways to protect against attacks via email using malicious attachments is to use an advanced email security solution that can detect not just known malware but also never-before-seen malicious code. This is an area where SpamTitan Email Security excels.
SpamTitan incorporates dual anti-virus engines (Bitdefender/ClamAV) to catch known malware threats and sandboxing to identify malicious code that has been added to email attachments. Files are subjected to in-depth analysis in the security of the sandbox and are checked for any malicious actions.
To find out more about protecting your organization from malicious emails and malware, give the TitanHQ team a call.
The healthcare industry in the United States has long been targeted by cybercriminals seeking access to sensitive patient data. Patient data is a valuable commodity, as it can be used for a multitude of fraudulent purposes including identity theft, tax fraud, insurance fraud, and blackmail and understandably has a high black market value.
Some of the largest healthcare data breaches ever reported have started with a phishing attack, including the 78.8 million-record data breach at the health insurer Anthem Inc. and the cyberattack on Premera Blue Cross, another U.S. health insurer, which affected around 11 million individuals, both of which were reported in 2015.
While healthcare data breaches on the scale of Anthem’s have been avoided since, large phishing-related breaches are still occurring. The latest phishing-related data breach to be reported by a U.S. health insurer resulted in the exposure of the health records of almost 500,000 Aetna health plan members.
The phishing attack saw the attackers gain access to the email system of a business associate of Aetna. EyeMed manages vision benefits services for the health insurer and has several other healthcare clients. The compromised account contained highly sensitive information such as names, addresses, dates of birth, and full or partial Social Security numbers – information that is extremely valuable to phishers and identity thieves. In total, the records of 484,157 Aetna members were potentially compromised, along with the data of 60,000 members of Tufts Health Plan, and around 1,000 members of Blue Cross Blue Shield of Tennessee. While it was not the largest healthcare data breach of 2020, it does rank in the top 10 healthcare data breaches of the year.
Unfortunately, healthcare industry phishing attacks involving the exposure and/or theft of more than 100,000 patient records are far from unusual. There have been more than a dozen such breaches reported by healthcare organizations and their business associates in 2020, and several dozen smaller phishing attacks.
The healthcare industry is extensively targeted and is vulnerable to phishing attacks. Unfortunately, all it takes is for one employee to respond to a phishing email for their account to be compromised. Emails often contain personal and protected health information and can be downloaded by the attackers, and the compromised account can be used to send further phishing emails to other employees in the organization. In addition to gaining access to multiple email accounts, phishing can give attackers the foothold they need for a more extensive compromise, as was the case with the Anthem and Premera data breaches.
According to a report released by the Healthcare Information and Management Systems Society (HIMSS), its survey of healthcare cybersecurity professionals revealed 57% had experienced a successful phishing attack in the past year.
Securing the email system can be a challenge in healthcare and preventing phishing attacks is a constant struggle. Unfortunately, while there are excellent email security solutions available that will ensure the vast majority of phishing emails are blocked, it is not possible to deploy a single solution and prevent all phishing attacks from succeeding. What is required is a layered approach to phishing defenses. With multiple layers of protection, if one layer fails to block a threat, others will help to ensure the threat is blocked.
At the heart of phishing defenses should be an advanced machine-learning/AI-based anti-phishing solution such as SpamTitan. SpamTitan itself provides multiple layers of protection to block known phishing threats, while the machine-learning components identify new phishing threats that have yet to be seen. SpamTitan also incorporates multiple measures to identify and block email impersonation attacks, has a data loss protection feature, and anti-malware capabilities that block both known and zero-day malware threats.
A web filter is an often-overlooked anti-phishing measure. Web filters target the web-based component of phishing attacks and provide time-of-click protection to stop employees from visiting phishing websites via links in malicious emails.
As Microsoft pointed out in a summer blog post this year, multi-factor authentication is a must. Multi-factor authentication kicks in when credentials are obtained in phishing attacks and stops those credentials from being used to access email accounts. MFA can block more than 99.9% of attacks using compromised credentials.
End user training should also not be neglected. Conditioning employees how to recognize phishing emails and respond appropriately is essential, not just for cybersecurity but also HIPAA compliance.
These measures can be the difference between a successfully thwarted attack and a costly data breach, and the cost of implementing these solutions is cheaper than many people think. To find out more, give the TitanHQ team a call.