Phishing & Email Spam

QR Code Phishing Scam Requests Verification of Tax Information

by titanadmin | Mar 31, 2025 | Phishing & Email Spam |

One of the ways that cybercriminals are bypassing traditional email security solutions is to use QR codes rather than embedded hyperlinks in their phishing emails. QR codes are increasingly used by businesses to drive traffic to web pages, as consumers do not need to go through the process of typing a URL into their browser. The QR code can simply be scanned with a smartphone camera, the URL will be recognized, and the web resource can be visited with a single tap of the finger.

Spam filtering services will detect links in emails, check them against blacklists of known malicious websites, and will often follow the links to find the destination URL. If the website is malicious, the email will not be delivered to the user’s inbox. By using a QR code rather than a hyperlink, there is an increased chance that the message will be delivered, as many anti-spam software solutions are incapable of reading QR codes.

One such campaign has recently been identified that warns the recipient that they must review and update their tax records. The email has the subject, “urgent reminder,” and claims to have been sent by the Tax Services Team. The email has a PDF file attachment and advises the recipient that a review of their tax records must be completed by April 16, 2025, to avoid potential penalties. Tax season is well underway and annual tax returns need to be submitted by April 15, 2025, so the deadline for a response is plausible.

Rather than include a link, the PDF file includes a QR code, which the user is told they should scan with their mobile device to access the secure tax portal, where they must log in, review their tax information, and confirm it is up to date.

If the QR code is scanned and the link followed, the user must first pass a CAPTCHA test, after which they are presented with a Microsoft login prompt and asked to enter their password. The form is already populated with the user’s email address to make it appear that the user is known or has visited the site before, adding an air of legitimacy to the scam. If the password is entered, it will be captured and used to hijack the user’s Microsoft account. After entering the password, the user is told “We could not find an account with that username. Try another account,” which may allow the attacker to steal credentials for another account.

QR code phishing forces users onto a mobile device, which typically has weaker security than a desktop computer or laptop, plus only the domain name can usually be viewed rather than the full URL, which helps to make the link seem legitimate. Phishers also often use open redirects on legitimate websites to make their links appear authentic and hide the final destination URL.

With QR code phishing scams on the rise, it is important to raise awareness of the threat through your security awareness training program. Employees should be warned that QR codes are commonly used by threat actors, and never to follow links encoded in QR codes that arrive via email. It is also recommended to use a phishing simulator to assess whether the workforce is susceptible to QR code phishing attempts. The SafeTitan security awareness training platform allows businesses to easily conduct phishing simulations on the workforce to gauge susceptibility to phishing threats. The phishing simulator will generate relevant training content immediately if a phishing test is failed, ensuring targeted training content is delivered immediately, when it is likely to be most effective at correcting behavior.

Technical defenses should also be implemented. An advanced spam filtering service should be used that is capable of identifying QR codes and following and assessing URLs for phishing content and malware. The outbound spam filter of SpamTitan is capable of following QR codes and assessing content, and in recent tests, correctly identified 100% of phishing attempts. SpamTitan also includes email sandboxing for in-depth analysis of email attachments. A DNS security solution is also recommended for in-depth analysis of URLs for malicious content to provide an extra layer of protection against phishing and malware.

New Phishing Kit Dynamically Displays Relevant Landing Pages Based on DNS Queries

by titanadmin | Mar 30, 2025 | Phishing & Email Spam |

A new phishing-as-a-service (PhaaS) platform has been identified that highlights the sophistication of phishing attacks, and how even cybercriminals with limited skill sets can conduct extremely effective phishing campaigns.

One of the problems when conducting phishing campaigns is ensuring the phishing emails are convincing. Phishing has traditionally been a numbers game, where large volumes of messages are sent in the knowledge that a small number of individuals will be tricked into responding. Those individuals may simply be busy and respond without taking the time to carefully consider what they are being asked, or individuals with poor security awareness. Targeted phishing attempts, termed spear phishing, involve research and are tailored to individuals or small numbers of individuals, and because of the targeting, there is a much higher response rate. The trade-off is that these campaigns involve considerable time and effort.

The new PhaaS platform allows a threat actor to tailor the content to display a fake login page relevant to the individual receiving the message, while still sending a large volume of phishing emails. The phishing kit allows individuals to be tricked by displaying a login prompt that impersonates any of 114 brands in around a dozen different languages, with the content displayed tailored to each individual. The threat actor configures the phishing campaign, sends out phishing emails via the PhaaS kit, and the link in the email directs the recipient to a phishing webpage. The next stage is where the targeting occurs. The threat actor queries the email domain DNS MX records (DNS over HTTPS) obtained from Cloudflare or Google to identify the user’s email service provider. The phishing page is then dynamically displayed based on the results of that query, and if no response is received, the phishing page defaults to Roundcube.

DNS queries are fast, so the query and response occur in a fraction of a second, as is the case when a DNS query is sent to identify the IP address of a webpage when browsing the internet. As such, there is only a very small delay, often unnoticeable to the user, before the content is loaded. The result is that if the user’s email service provider is Gmail, they will be presented with a Gmail login prompt, and if they use Microsoft Outlook, they will be presented with a Microsoft login prompt. If the user responds and enters their login credentials, they are captured and sent to the collection server, and the user is redirected to the real login page for that service, most likely unaware that they have been phished. The phishing campaign was identified by InfoBlox, which identified thousands of phishing emails sent via the kit. While the kit appears to have been first used in 2020, since then the number of brands being impersonated has increased considerably, with support also provided to target users in several languages.

The phishing kit demonstrates the sophistication of phishing attacks and how threat actors are increasing the effectiveness of their campaigns. Businesses should respond to the evolving threat landscape by adopting a defense-in-depth approach that includes a DNS filtering solution such as WebTitan, advanced spam filtering software such as SpamTitan, and ongoing security awareness training and phishing simulations for the workforce to raise awareness of threats and reduce susceptibility to phishing attempts, using a solution such as SafeTitan.

ClickFix Phishing Scam Targets Hospitality Sector Workers

by titanadmin | Mar 15, 2025 | Phishing & Email Spam |

Individuals in the hospitality sector are being targeted in a sophisticated phishing scam that uses the ClickFix phishing technique. The ClickFix campaign has been active since at least December 2024 and is being conducted on targets in North America, Europe, Oceania, South and Southeast Asia.

The phishing emails impersonate booking.com and target staff at hotels, guest houses, and other accommodation providers that are likely to work with booking.com. A wide range of emails have been associated with this ClickFix campaign, including emails that appear to have been sent by prospective guests about the accommodation asking for advice, notifications from booking.com about complaints from guests about previous stays, requesting feedback on the guests’ comments, and security notifications from booking.com about suspicious login attempts.

While the lures are varied, they all use social engineering techniques to trick the recipient into clicking a link, which directs the user to a web page with a fake CAPTCHA overlayed on a visible background that appears to be the Booking.com website. The link may be added to the message body using anchor text to make it appear that the link is legitimate, or in some of the emails, the link is added to a PDF file attachment in an effort to bypass email security solutions.

When the user attempts to complete the CAPTCHA prompt, they are advised of an error and are told they must use a keyboard shortcut (Windows key + R), then CTRL + V to paste a command into the Windows Run window, and press Enter to execute that command. The command copied to the clipboard will download and launch malicious code through mshta.exe, a legitimate Windows process. If the command is executed, it will lead to the delivery of malware such as AsyncRAT, VenomRAT, NetSupport RAT, Danabot, XWorm, and Lumma Stealer. Victims may get a cocktail of malware installed on their device.

The campaign is being run by a threat actor tracked by Microsoft Threat Intelligence as Storm-1865. Storm-1865 is a financially motivated threat actor that primarily engages in payment data theft and fraudulent charges to victims’ accounts. After achieving its aims, the group may sell access to victims’ devices to other threat actors. Previous campaigns have used similar techniques and have involved messages sent through vendor platforms such as travel agencies, e-commerce platforms, and email services such as Gmail and iCloud mail.

The ClickFix technique was first identified in October 2023 and has been adopted by several different threat actors including financially motivated cybercriminal groups and nation state actors from Russia and North Korea. The lures and malware may differ, but all use social engineering to trick the victim into running a command to fix a fictitious technical issue.

Businesses should ensure they have appropriate defenses to block phishing emails, as the ClickFix technique has proven to be highly effective. TitanHQ offers two solutions for blocking phishing attempts – the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 users.  The engine that powers both of these solutions was rated #1 out of all tested solutions in the Q4, 2024 tests by VirusBulletin, blocking 100% of phishing emails, 100% of malware, and 99.98% of spam emails. In the February 2025 tests, TitanHQ had a perfect score, blocking 100% of malware, phishing, and spam emails with a 0% false positive rate.

SpamTitan incorporates email sandboxing for behavioral analysis of emails and machine-learning algorithms to identify suspicious emails, ensuring an incredibly high detection rate. PhishTitan adds an additional layer of protection for Microsoft 365 accounts, augmenting Microsoft’s protections to identify and block the threats that Microsoft misses. Businesses should also ensure they provide security awareness training to the workforce and conduct phishing simulations of the ClickFix phishing technique. TitanHQ can help in this area with the SafeTitan security awareness training and phishing simulation platform. Call TitanHQ today for more information on phishing defense, or take advantage of the free trial of all of these solutions.

Cracked Software Used to Deliver Information Stealing Malware

by titanadmin | Feb 20, 2025 | Phishing & Email Spam |

Information stealers are one of the most common ways that initial access is gained to business networks, and the extent to which these malware variants are used is alarming. According to Hudson Rock, an estimated 30 million computers have been compromised using information stealers in the past few years and Check Point reports that infections have increased by 58% in the past year.

Cybercriminals specialized in infecting devices distribute their information stealers, which collect sensitive data such as session cookies and login credentials, allowing access to be gained to corporate networks. Oftentimes, the cybercriminals then sell that access to other cybercriminal groups, acting as initial access brokers. The groups that they work with have their own specialisms, such as conducting ransomware attacks. These malware variants are capable of stealing large amounts of sensitive information from compromised devices. They can exfiltrate files, obtain web browser data and passwords, and steal cryptocurrency extensions. Infection with an information stealer can result in the large-scale theft of data, compromised accounts, and further attacks, including ransomware infections.

Security researchers have recently uncovered a new campaign that distributes information stealers such as Lumma and ACR Stealer via cracked versions of legitimate software. The pirated software can be obtained and used free of charge, albeit illegally, and is available through warez sites and from peer-to-peer file-sharing networks. The installers have been packaged to silently deliver an information stealer. Cybercriminals often use SEO poisoning to get their malicious sites to appear high in search engine listings or add malicious adverts to legitimate ad networks (malvertising) to get them to appear on high-traffic websites. The adverts direct internet users to download sites.  Initial contact is also made via email, with workers tricked into opening malicious files that launch scripts that deliver the information stealer payload or direct users to websites where the malware is downloaded under the guise of a legitimate program. Contact may also be made via the telephone, with the criminals impersonating IT helpdesk staff and tricking employees into downloading the malware.

Defending against information stealers means improving defenses against all these tactics, and that means there is no single cybersecurity solution or measure that will be effective against them all, but there are three important cybersecurity measures that you should strongly consider: anti-spam software, a DNS filter, and security awareness training.

Anti-spam Software

Many malware infections occur via email, either through attachments containing malicious scripts or via hyperlinks to websites from which malware is downloaded. When malicious attachments are used, they are not always detected by antispam software and can easily reach end users. To improve detection, email sandboxing is required, where messages are sent to the sandbox for deep inspection. In the sandbox, hyperlinks are also followed to identify any downloads that are triggered. If malicious actions are confirmed, the messages are quarantined and are not deleted.

A DNS Filter

Since many malware infections occur via the Internet, businesses should consider web filtering software. DNS-based web filters allow businesses to control the web content that users can access, block certain file downloads from the internet, and assess web content in real-time for malicious content, without the latency associated with other types of web filters. A DNS filter can prevent users from accessing malicious content and will reduce reliance on employees recognizing and avoiding threats.

Security Awareness Training

Anti-spam software and DNS filters will greatly improve security; however, employee security awareness also needs to be improved. Through regular security awareness training, businesses can eliminate risky practices and train employees how to recognize and avoid threats. By providing training continuously in small chunks throughout the year, businesses can develop a security culture and significantly improve their human defenses.

TitanHQ offers multi-award-winning cybersecurity solutions for SMBs and managed service providers (MSPs) that are easy to implement and offer exceptional protection, including the SpamTitan cloud-based spam filtering service, the WebTitan DNS filter, and the SafeTitan security awareness training and phishing simulation solution. All three solutions are available on a free trial to allow you to see for yourself the difference they make before making a purchase decision. Give the TitanHQ team a call to find out more and to discuss these options, and take the important first step toward improving your defenses.

New Phishing Kit Bypasses MFA in Real-Time

by titanadmin | Feb 18, 2025 | Phishing & Email Spam |

A growing number of businesses are implementing multi-factor authentication to add an extra layer of security and improve defenses against phishing attacks. While multifactor authentication (MFA) can prevent unauthorized individuals from accessing accounts using compromised credentials, MFA does not provide total protection. Several phishing kits are sold on hacking forums and Telegram that are capable of bypassing MFA, and a new phishing kit has recently been identified that can intercept credentials in real-time and bypass MFA through session hijacking. The phishing kit is being used to steal credentials and access Gmail, Yahoo, AOL, and Microsoft 365 accounts.

The Astaroth phishing kit has been offered on cybercrime forums since at least January 2025. Similar to the Evilginx phishing kit, Astaroth uses a reverse proxy to intercept and manipulate traffic between the victim and the legitimate authentication of the account being targeted. A cybercriminal can use the Astaroth phishing kit in an adversary-in-the-middle attack, capturing not only login credentials but also 2FA tokens and session cookies, thereby bypassing MFA. The credential theft and session hijacking take place in real time, allowing the cybercriminal to instantly access the user’s account.

The user is presented with a phishing link, which is commonly communicated via email. If that link is clicked, the user is directed to a server and is presented with what appears to be a legitimate login page. The page has valid SSL certificates, so no security warnings are generated. The server acts as a reverse proxy, and when the username and password are entered, they are captured and forwarded to the legitimate authentication service in real time.

The cybercriminal is alerted about the credential capture via the admin panel of the phishing kit or via Telegram, and the one-time passcodes, usually generated via SMS, push notifications, or authentication apps, are intercepted as they are entered by the user. When session cookies are generated, they are immediately hijacked and injected into the attacker’s browser, which means the attacker can impersonate the genuine user without needing their username, password, or 2FA token, since the session has already been authenticated. The kit also includes bulletproof hosting and reCAPTCHA bypasses and allows the attacker to access the account immediately before the user suspects anything untoward has happened.

Phishing kits such as Astaroth are able to render multifactor authentication useless, demonstrating why it is so important to have effective anti-spam software, capable of identifying and blocking the initial phishing emails. SpamTitan is frequently rated as the best spam filter for business due to its ease of implementation and use, exceptional detection, and low false positive rate. TitanHQ also offers MSP spam filtering, with the solution developed from the ground up to meet all MSP needs. In recent independent tests by VirusBulletin, SpamTitan outperformed all other tested email security solutions, achieving the highest overall score thanks to a 100% malware catch rate, 100% phishing catch rate, 99.999% spam catch rate, and a 0.000% false positive rate. The exceptional performance is due to extensive threat intelligence feeds, machine learning to identify phishing attempts, and email sandboxing to detect and block malware and zero-day threats.

In addition to an advanced spam filtering service, businesses should ensure they provide regular security awareness training to the workforce and reinforce training with phishing simulations. SafeTitan from TitanHQ is an easy-to-use security awareness training platform that makes it easy to create effective training courses and automate the delivery of training content. The platform also includes a phishing simulator with an extensive library of phishing templates that makes it easy to create and automate phishing simulations, generating relevant training automatically if a user is tricked. That means training is delivered at the point when it is likely to be most effective at correcting behavior.

Give the TitanHQ team a call today for more information about these solutions. TitanHQ’s SpamTitan and SafeTitan products, like all TitanHQ solutions, are also available on a free trial.

SVG Files Increasingly Used in Phishing Campaigns

by titanadmin | Feb 14, 2025 | Phishing & Email Spam |

Security awareness training programs teach employees to be constantly alert to potential phishing emails, especially emails with file attachments. Most employees will be aware that Office documents can contain macros, which if allowed to run, can download malware onto their device, but they are likely much less suspicious about image files. Image files are far less likely to be malicious; however, there is an image file format that can contain malicious content – SVG files – and they are increasingly being used in phishing campaigns.

An SVG or Scalable Vector Graphics file is XML-based, which means it can be scaled without loss of quality. These file types are commonly used for icons and buttons and are extensively used in graphic design, including for company logos. Image files may seem pretty innocuous, but one of the properties of SVG files, unlike non-scalable image formats such as Jpegs, is they can be created to include scripts, anchor tags, and other types of active web content. When opening an SVG file, unless a computer has been configured to open the file using a specific image program, the file will be opened in a web browser.

One campaign incorporated the SharePoint logo and advised the user that a secure document has been shared through Microsoft SharePoint. The image included a folder icon with the file name “Updated Compensation and Benefits”, and an “open” button that the user is encouraged to click. Clicking that button directs the user to a phishing page where they must enter their credentials to view the file. Those credentials will be captured and used to access the user’s account. Many phishing campaigns that use SVG file attachments include hyperlinks that direct the user to a site that spoofs a well-known brand such as Microsoft to harvest credentials, such as displaying a fake Microsoft 365 login page. These phishing pages have been designed to be indistinguishable from the genuine login prompt and may even autofill the user’s login name into the login prompt.

There are two main advantages to using SVG files in phishing campaigns. First and foremost, the file is less likely to be flagged as malicious by an email security solution, many of which do not analyze the content of SVG files, therefore ensuring messages containing SVG files are delivered to an end user’s inbox. Secondly, since awareness of malicious SVG files is low, the targeted individuals may be easily tricked into clicking on the hyperlink. The use of SVG files in phishing campaigns is becoming more common, and this trend is likely to continue in 2025. Businesses should ensure that they have adequate defenses to block these attacks, which should consist of advanced anti-spam software to block these phishing emails, and security awareness training content should be updated to raise awareness of this attack technique.

SpamTitan is an advanced spam filtering service from TitanHQ that has been proven to block more phishing emails than other email security solutions. SpamTitan was recently put to the test by VirusBulletin and outperformed all other tested anti-spam software solutions, blocking 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. Machine learning algorithms ensure that the solution gets better over time, extensive threat intelligence feeds keep the solution automatically updated with up-to-the-minute threat intelligence, and a next-generation email sandbox provides exceptional protection against malware. When coupled with the SafeTitan security awareness training and phishing simulations to improve employee awareness, businesses will be well protected against phishing, malware, and other email-based attacks. Give the TitanHQ team a call today for more information about these solutions or take advantage of a free trial and see for yourself the difference these solutions make to your security posture.

Beware of Tax Season Phishing Scams

by titanadmin | Jan 28, 2025 | Phishing & Email Spam |

In the United States, tax returns for the previous year need to be filed before Tax Day, which falls on Tuesday, April 15, 2025.  Tax season officially started on January 27, 2025, when the Internal Revenue Service (IRS) started accepting tax returns for 2024. Tax season is a popular time for cybercriminals who take advantage of individuals and businesses that are under pressure to file their annual tax returns and try to steal personal information to file fraudulent tax returns in victims’ names and for other nefarious purposes.

Cybercriminals use tried and tested methods for their scams, but over the past few years, the scams have become more sophisticated. There has been a significant increase in the use of AI tools to craft highly convincing phishing emails. Phishing is one of the most common ways that cybercriminals trick people into disclosing sensitive information during tax season. One of the most common phishing techniques in tax season involves impersonation of the IRS. Emails are sent that appear to have come from an official IRS domain, the contact information in the email may be 100% correct, and the emails contain the IRS logo. The lures used in these scams include fake offers of tax refunds with rapid payment, legal threats, and criminal charges for tax fraud. These scams tempt or scare people into visiting a website linked in the email or calling a telephone number provided in the email.

The website to which the user is directed mimics the official IRS site and social engineering techniques are used to get the user to disclose sensitive information. That information is rapidly used to file a fraudulent tax return, with the victim only discovering they have been scammed when they file their tax return and are notified by the IRS that it is a duplicate. Alternatively, they are told that they must pay outstanding tax immediately and are threatened with fines and criminal charges if they fail to do so. Scams promising a tax return require personal information and bank account details to be disclosed.

Businesses are targeted in a variety of tax season scams, with one of the most common being fake tax services. Filing tax returns can be a time-consuming and arduous process, so tax filing services that do all of the work are an attractive choice. Businesses may be contacted via email, telephone, or could be directed to these scam services via the Internet. Businesses are tricked into providing personal and financial information, which could be used to file a fraudulent tax return. Commonly, the aim is to trick the business into downloading malware onto their device. These services may lure victims by promising quick tax refunds, which can be attractive for cash-strapped businesses.

According to the IRS, last year taxpayers lost $5.5 billion to tax scams and fraud so vigilance is key during tax season. Be aware that cybercriminals are incredibly active during tax season, and any offer that seems too good to be true most likely is. The IRS will not initiate contact via email or text message, as initial contact is typically made via the U.S. Postal Service, and emails and text messages are only sent if the IRS has been given permission to do so. The IRS will not make contact via social media, does not accept gift cards as payment, does not use robocalls, and does not threaten to call law enforcement or immigration officials.

Businesses should ensure they have anti-spam software to catch and neutralize phishing threats; however, not all spam filtering services are equal. Spam filters will perform a range of checks on inbound email, including reputation checks of the sender’s domain and email address, anti-spoofing checks, checks of blacklists of malicious IP addresses, and the email content will be assessed for malicious links, common signatures of phishing, and email attachments will be checked using anti-virus software. While these methods will identify the vast majority of spam emails and many phishing attempts, these checks are no longer sufficient.

The best spam filter for business is an advanced solution that has AI and machine learning capabilities for detecting advanced phishing scams and AI-generated threats. To catch and block AI-generated threats you need AI in your defenses. SpamTitan is an advanced cloud-based anti-spam service from TitanHQ (an anti-spam gateway is also available) that performs all of the standard checks mentioned above, scans emails with twin anti-virus engines, and uses machine-learning-based detection to identify the threats that many other spam filtering software solutions miss. If initial checks are passed, emails are sent to an email sandbox for deep analysis. With email sandboxing, attachments are assessed in a safe environment and their behavior is analyzed in depth, allowing novel malware to be identified and links are followed and assessed for malicious content.

SpamTitan consistently outperforms other leading email security solutions and, in the latest round of independent tests at VirusBulletin, SpamTitan was ranked in first place due to unbeatable detection rates, having blocked 100% of malware, 100% of phishing emails, and 99.999% of spam emails, with a 0.000% false positive rate. This tax season, ensure you have the best email protection for your business by using SpamTitan. Call TitanHQ for more information, to arrange a product demonstration, or sign up for a free trial to see for yourself how effective SpamTitan is at blocking email threats.

AI-Generated Voice Phishing Calls Combined with Email to Steal Gmail Credentials

by titanadmin | Jan 26, 2025 | Phishing & Email Spam |

Cybercriminals often devise phishing lures that can be used on as many individuals as possible, which is why they often impersonate big-name brands such as Microsoft, Apple, Facebook, and Google, since there is a high percentage chance that the emails will land in the inbox of someone that uses the products of those companies.

In the case of Google, a phishing campaign targeting Gmail account holders makes sense from the perspective of a cybercriminal as there are around 2.5 billion Gmail users worldwide. One such campaign has recently been identified that uses a combination of an email and a phone call to obtain account credentials. Email accounts can contain a wealth of sensitive information that can be misused or used in further attacks on an individual, and the accounts can be used for phishing and spear phishing campaigns.

Phishing campaigns that combine multiple communication methods are becoming more common, such as callback phishing. With callback phishing, the scam starts with an email devoid of malicious links, scripts, and attachments. The recipient is told that a charge will be applied to their account for a subscription or free trial that is coming to an end. The user is informed that they must call the number in the email to terminate the subscription before the charge is applied. If the number is called, the threat actor uses social engineering techniques to trick the user into downloading a remote access solution to remove the software and prevent the charge. The software gives the threat actor full control of their device.

The latest campaign uses emails and phone calls in the opposite order, with initial contact made via the phone by a person impersonating the Google support team. The reason for the phone call is to advise the Gmail user that their account has been compromised or suspended due to suspicious activity, or that attempts are being made to recover access.

One user received a call where a Google customer support worker told them that a family member was trying to gain access to their account and had provided a death certificate. The call was to verify the validity of the family member’s claim. People targeted in this campaign may attempt to verify the validity of the call by checking the phone number; however, Caller ID is spoofed to make it appear that the call has come from a legitimate Google customer support number.

The second phase of the scam includes an email sent to the user’s Gmail account corroborating the matter discussed in the phone call, with the email requiring action to recover the account and reset the password. A link is provided that directs the user to a spoofed login page where they are required to enter their credentials, which are captured by the scammer. There have also been reports where initial contact is made via email, with a follow-up telephone call.

Performing such a scam at scale would require a great deal of manpower, and while telephone scams are commonly conducted by call center staff in foreign countries, this scam involves AI-generated calls. The caller sounds professional and polite and has a native accent, but the victim is not conversing with a real person. The reason for the call is plausible, the voice very realistic, and the scam is capable of fooling even security-conscious individuals.

Businesses looking to improve their defenses against advanced phishing scams should ensure that they cover these types of sophisticated phishing attempts in their security awareness training programs. Employees should be told that threat actors may use a variety of methods for contact, often combining more than one communication method in the same scam. Keeping employees up to date on the latest tactics used by scammers is straightforward with the SafeTitan security awareness training platform. New training content can easily be created in response to changing tactics to keep the workforce up to date on the latest scams. SafeTitan also includes a phishing simulator for reinforcing training.

An advanced email security solution is also strongly recommended for blocking the email-based component of these sophisticated phishing scams. SpamTitan cloud based anti spam software incorporates machine learning capable of identifying previous unseen phishing scams, ensuring phishing attempts are blocked and do not land in inboxes. In recent independent tests at VirusBulletin, SpamTitan achieved the top spot due to comprehensive detection rates, blocking 100% of malware and phishing emails, and 99.999% of spam emails. To block sophisticated AI-generated phishing attempts you need sophisticated AI-based defenses. Give the TitanHQ team a call today to find out more about improving your defenses against AI-based attacks.

New Phishing Campaigns Impersonate Amazon Prime and the US Postal Service

by titanadmin | Jan 20, 2025 | Phishing & Email Spam |

New phishing schemes are constantly developed by threat actors to trick people into disclosing sensitive information or downloading malicious files that provide the attacker with remote access to their devices. This month, two campaigns have been identified that use PDF files to hide the phishing content from email security solutions, one of which uses a lure of expired Amazon Prime memberships, and the other impersonates the US Postal Service and advises the recipient about a failed delivery.

Amazon Prime Phishing Campaign

The emails in this phishing campaign appear to have been sent by Amazon Prime and include a PDF file attachment. The PDF file advises the recipient that their membership is due to expire on a specified date; however, the card Amazon has on file is no longer valid. In order to continue with the membership, new card details must be supplied; however, attempts will first be made to charge the membership to all other cards on the account. Users are warned that if payment is not made, the account will be suspended.

Due to the huge number of Amazon Prime members, the emails have a good chance of landing in the inbox of an Amazon Prime subscriber; however, anyone who has previously had an Amazon Prime membership may be tricked into following the link in the PDF to ensure that the cards on file will not be charged.

If the link is clicked, the user is directed to a URL (a duckdns.org subdomain) that displays an exact copy of the Amazon sign-in page. If they attempt to log in, they are asked to secure their account by confirming their identity and are told to sign out of all web apps, devices, and web browsers. The “Verify Your Identity” page asks for their full name, date of birth, Social Security number, phone number, and full address. They are then taken to a page where they are asked to enter their payment card information. In addition to fraudulent charges to their card, the theft of personal information puts victims at risk of identity theft.

US Postal Service Phishing Campaign

A large-scale phishing campaign is being conducted impersonating the US Postal Service that similarly uses malicious PDFs. This campaign specifically targets mobile devices with the aim of harvesting personal information. More than 630 phishing pages have been identified as part of this campaign targeting individuals in more than 50 countries. The PDF files use a novel technique for hiding the phishing URL from email security solutions, making it harder to identify and extract the URL for analysis.

Text messages are sent that advise the recipient that a package has arrived at a USPS distribution center; however, the package cannot be delivered due to incomplete address information. A link is included to a web-hosted PDF file that the recipient is told they must click to complete the address information. The link directs the user to a phishing page, where they must enter their full address, email address, and contact telephone number into the form. They are then asked to pay a small service charge for redelivery – $0.30 – and must submit their card details.

Improve Your Phishing Defenses

These are just two examples of new phishing campaigns that use PDF files to hide phishing links from email security solutions. PDF files are commonly used for this purpose as they can contain clickable links, scripts, and even malicious payloads. What makes the attacks even more effective is when they target mobile devices, which have smaller screens that make it harder to view the URL, thus making it easier to hide a domain unrelated to the company being impersonated. Mobile devices also tend to have weaker security than desktop computers and laptops.

Businesses should ensure they conduct regular security awareness training to teach cybersecurity best practices, warn employees about cyber threats, and teach the skills needed to identify phishing and social engineering attempts. Training should be an ongoing process and should include the latest scams and new techniques used by cybercriminals to target employees, especially campaigns targeting mobile devices as malicious text messages are harder to block than malicious emails. An advanced email security solution should be implemented that has AI and machine learning capabilities, and email sandboxing to analyze emails and attachments in-depth to identify malware, malicious scripts, and embedded hyperlinks.

TitanHQ can help in both of these areas. SafeTitan is a comprehensive security awareness training platform that makes it easy to create and automate security awareness training for the workforce. The platform includes a phishing simulator for conducting internal phishing campaigns to reinforce training and identify individuals who are susceptible to phishing attempts.

TitanHQ’s cloud-based anti-spam service – SpamTitan is an advanced email security solution for blocking the full range of email threats including phishing, spear phishing, business email compromise, and malware. In independent tests, SpamTitan achieved 1^st spot for detection, blocking 100% of phishing attempts, 100% of malware, and 99.999% of spam emails, with a 0.000% false positive rate.

For more information on cloud-based email filtering and attachment and message sandboxing with SpamTitan and security awareness training and phishing simulations with SafeTitan, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial, and MSP-focused solutions are available to easily add advanced anti-phishing and security awareness training to service stacks.

AI-Generated Phishing Emails Trick More Than 50% of Recipients

by titanadmin | Jan 15, 2025 | Phishing & Email Spam |

Large language models (LLMs) are used for natural language processing tasks and can generate human-like responses after being trained on vast amounts of data. The most capable LLMs are generative pretrained transformers, or GPTs, the most popular of which is ChatGPT, although there are many others including the China-developed DeepSeek app.

These AI-powered tools have proven incredibly popular and are used for a wide range of tasks, eliminating a great deal of human effort. They are used for creating articles, resumes, job applications, and completing homework, translating from one language to another, creating summaries of text to pull out the key points, and writing and debugging code to name just a few applications.

When these artificial intelligence tools were released for public use, security professionals warned that in addition to the beneficial uses, they could easily be adopted by cybercriminals for malicious purposes such as writing malware code, phishing/spearphishing, and social engineering.

Guardrails were implemented by the developers of these tools to prevent them from being used for malicious purposes, but those controls can be circumvented. Further, LLMs have been made available specifically for use by cybercriminals that lack the restrictions of tools such as ChatGPT and DeepSeek.

Evidence has been growing that cybercriminals are actively using LLMs for malicious purposes, including writing flawless phishing emails in multiple languages. Human-written phishing emails often contain spelling mistakes and grammatical errors, making them relatively easy for people to identify but AI-generated phishing emails lack these easily identified red flags.

While cybersecurity professionals have predicted that AI-generated phishing emails could potentially be far more effective than human-generated emails, it is unclear how effective these AI-generated messages are at achieving the intended purpose – tricking the recipient into disclosing sensitive data such as login credentials, opening a malicious file, or taking some other action that satisfies the attacker’s nefarious aims.

A recently conducted study set out to explore how effective AI-generated spear phishing emails are at tricking humans compared to human-generated phishing attempts. The study confirmed that AI tools have made life much easier for cybercriminals by saving them a huge amount of time. Worryingly, these tools significantly improve click rates.

For the study, researchers from Harvard Kennedy School and Avant Research Group developed an AI-powered tool capable of automating spear phishing campaigns. Their AI agents were based on GPT-4o and Claude 3.5 Sonnet, which were used to crawl the web to identify information on individuals who could be targeted and to generate personalized phishing messages.

The bad news is that they achieved an astonishing 54% click-through rate (CTR) compared to a CTR of 12% for standard phishing emails. In a comparison with phishing emails generated by human phishing experts, a similar CTR was achieved with the human-generated phishing emails; however, the human version cost 30% more than the cost of the AI automation tools.

What made the phishing emails so effective was the level of personalization. Spear phishing is a far more effective strategy than standard phishing, but these attacks take a lot of time and effort. By using AI, the time taken to obtain the personal information needed for the phishing attempt and develop a lure relevant to the targeted individual was massively reduced. In the researchers’ campaign, the web was scraped for personal information and the targeted individuals were invited to participate in a project that aligned with their interests. They were then provided with a link to click for further information. In a genuine malicious campaign, the linked site would be used to deliver malware or capture credentials.

AI-generated phishing is a major cause of concern, but there is good news. AI tools can be used for malicious purposes, but they can also be used for defensive purposes and can identify the phishing content that humans struggle to identify. Security professionals should be concerned about AI-generated phishing, but email security solutions such as SpamTitan can give them peace of mind.

SpamTitan, TitanHQ’s cloud-based anti-spam service, has AI and machine learning capabilities that can identify human-generated and AI-generated phishing attempts, and email sandboxing for detecting zero-day malware threats. In recent independent tests, SpamTitan outperformed all other email security solutions and achieved a phishing and malware catch rate of 100%, a spam catch rate of 99.999%, with a 0.000% false positive rate. When combined with TitanHQ’s security awareness training platform and phishing simulator – SafeTitan, security teams will be able to sleep easily.

For more information about SpamTitan, SafeTitan, and other TitanHQ cybersecurity solutions for businesses and managed service providers, give the TitanHQ team a call. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.

AI Tools Used to Research Executives in Targeted Phishing Campaigns

by titanadmin | Dec 30, 2024 | Phishing & Email Spam |

It used to be relatively easy to spot a phishing attempt. Phishing emails would have poor grammar and be littered with spelling mistakes, with relatively easy-to-identify lures such as too-good-to-be-true offers. The unsolicited emails would be sent from unknown email addresses in huge volumes, as threat actors knew they were good enough to fool enough recipients and make the campaigns worthwhile. Provided employees had a modicum of security awareness training and took time to carefully read emails, the phishing attempts could be easily identified and avoided.

Phishing has been growing in sophistication and while these poorly constructed emails are not exactly a thing of the past, there is now a new breed of phishing emails that are expertly written, contain no errors, and are highly personalized to maximize the probability of getting the desired response. In order to conduct a highly personalized spear phishing campaign, threat actors need to spend a considerable amount of time researching their intended targets. In order to warrant that amount of time, the potential rewards must be high. These campaigns are usually conducted on high-value targets such as C-suite members by well-resourced threat actors, such as state-sponsored hacking groups.

Advances in AI technology have made these highly targeted phishing campaigns much easier to conduct. AI tools greatly reduce the amount of human effort required and that has opened up these targeted campaigns to a much broader range of cybercriminals. AI tools can be used to craft perfect phishing emails that closely mimic the companies and brands they spoof, making identification difficult. AI tools are also being used to analyze online profiles to gather personal information to be included in phishing emails, massively reducing the time required to construct the perfect scam email.

AI tools can also be used to assess online interactions by a particular individual to find out topics the individual is likely to respond to. They can rapidly ingest large amounts of data to craft phishing lures closely mimicking the style of emails written by a particular company or individual, making the spoofing almost impossible for individuals to distinguish from genuine communications. With the tools to gather a wealth of personal information and create flawless emails on appropriate topics, business email compromise scams have become much easier and can be conducted by a broader range of cybercriminals. The consequences of falling for one of these scams can be severe.

To combat these advanced phishing campaigns, businesses need advanced defenses. It is important to ensure that all members of the workforce receive ongoing security awareness training, including the C-suite as they are often the people being targeted in these campaigns. However, given the quality of these phishing attempts, security awareness training and a standard spam filter appliance will not cut it. For many years, spam filters have relied on blacklists of IP addresses and domains that have been previously identified as malicious or have low trust scores, along with antivirus engines for malware detection, and scans of message content for phrases commonly associated with spam and phishing. These spam filters will catch the majority of spam and bulk phishing emails, but will not detect the more sophisticated, AI-generated threats.

Advanced email security solutions are now a necessity. The latest anti-spam software and cloud based anti-spam services incorporate AI and machine learning-based detection in addition to the standard spam filtering methods, such as the engine at the heart of TitanHQ’s SpamTitan and PhishTitan M365 anti-phishing solutions. In recent independent tests by VirusBulletin, TitanHQ’s SpamTitan Skellig engine scored joint first place for detection in the Q3, 2024 tests and first place in Q4, achieving a 100% phishing detection rate with a 0.00% false positive rate and a 100% malware catch rate. Whether you are a business looking to improve your defenses or a managed service provider looking to provide more advanced security to your clients, give the TitanHQ team a call to find out more about getting the right tools in place to counter these advanced phishing threats.

DocuSign Phishing Campaign Abuses HubSpot Tools to Attack European Businesses

by titanadmin | Dec 28, 2024 | Phishing & Email Spam |

An ongoing large-scale phishing campaign targets European businesses and attempts to obtain credentials for their Microsoft Azure cloud infrastructure. While businesses in multiple sectors have been attacked, the majority are in the automotive, chemical, and industrial manufacturing sectors. According to an analysis of the campaign by the Unit 42 team, this campaign has targeted at least 20,000 businesses in Europe.

Like many current phishing campaigns targeting companies, the campaign uses DocuSign-themed lures, where the user is asked to review an emailed document, which includes the branding of the company being targeted. If the document is opened, the user is directed via embedded hyperlinks to an online form created using HubSpot’s free online form builder tool. The drag-and-drop form builder allows forms to be created quickly, and in this case, the threat actor has used the free-to-use tool to create a form with a link button to view the document on Microsoft’s secured cloud.

If the button is clicked, the user will be directed to a phishing page that mimics the Office 365 Outlook Web App login page. If credentials are entered in the fake login page – commonly hosted on attacker-controlled .buzz domains – they are captured by the threat actor, who will attempt to login, and then pivot and move laterally to the cloud. A successful login will see the threat actor add a new device to the victim’s account for persistence.

There are several measures that can be taken by businesses to protect against phishing campaigns such as this, starting with an email spam filter to block the initial contact via email. SpamTitan is an advanced cloud-based anti-spam service for blocking email phishing and malware threats. The solution checks inbound messages against up-to-the-minute lists of blacklisted domains, performs SPF, DKIM, and DMARC checks, malware scans, assessments of message headers and content for phishing indicators, and incorporates AI and machine learning algorithms to identify anomalies in message content. Email sandboxing is used to subject messages to in-depth analysis to identify zero day threats. In recent independent testing by VirusBulletin, SpamTitan achieved first place for overall score out of 11 leading email security solutions, blocking 100% of phishing attempts, 100% of malware, and 99.998% of spam email, with a 0.00% false positive rate.

Security awareness training is vital to teach security best practices and make employees aware of threats, including email threats that abuse legitimate services and tools. TitanHQ’s SafeTitan platform allows businesses to quickly create and automate security awareness training programs, tailored for departments, user groups, and individuals, and reinforce training through phishing simulations.  An additional recommended protection is the WebTitan DNS-based web filter, which incorporates URL filtering to prevent users from visiting known malicious websites, incorporating controls to prevent users from downloading malware.

For more information on improving your defenses against phishing, give the TitanHQ team a call today. The full TitanHQ suite of cybersecurity solutions is available on a free trial, with full product support provided throughout the trial.

Google Calendar Abused in Phishing Campaign

by titanadmin | Dec 28, 2024 | Phishing & Email Spam |

Companies in multiple sectors are being targeted in an ongoing phishing campaign involving initial contact via email via Google Calendar-generated meeting invites. This campaign has proven effective, especially when the user recognizes other guests. The campaign has been active throughout December, with at least 1,000 of these phishing emails identified each week, according to Check Point.

The aim of the phishing emails is to trick the recipients into clicking a link in the email or opening a Calendar file attachment (.ics), both of which will send the user to either Google Forms or Google Drawings.  Next, the user is tricked into clicking another link, which could be a support button or a fake reCAPTCHA. A click will drive the user to the scam page, where they will be taken through a fake authentication process that captures personal information, and ultimately payment card information. This campaign could easily be adapted to obtain credentials rather than payment card details, and campaigns in the past that abused Google Calendar have targeted credentials.

An attacker only needs to obtain an individual’s email address to send the calendar invite, and the emails look exactly like a genuine invite for a meeting. Since the legitimate Google Calendar service is used to generate the phishing invites, the emails are generally not blocked by spam filtering services. Since the sender is legitimate and trusted, the emails pass SPF, DKIM, and DMARC checks, guaranteeing delivery.

Depending on the user’s settings, these may be automatically added to the user’s calendar. The threat actor can then trigger a second email by canceling the meeting and has been doing so in this campaign. The cancellation email also includes a hyperlink to a malicious website.

The use of Google Calendar invites in phishing is nothing new. It is effective as it ensures a large number of requests land in inboxes, and Google Calendar will be familiar to most people, considering there are more than 500 million active users of the tool.

There are simple steps to take to block these threats, although the first option will also limit legitimate functionality for genuine invites. To block these attempts, go into Google Calander settings, and in the event settings switch from automatically add invitations to only show invitations I have responded to.  Also, access Gmail settings and uncheck automatically add events from Gmail to my calendar. To avoid disabling the functionality, check the only known individuals setting in Google Calendar, which will generate an alert if the user has had no interactions with an individual in the past.

It is important to have an advanced email security solution that is capable of detecting sophisticated phishing attacks that bypass the standard reputation checks that are present in virtually all spam filtering software – SPF, DKIM, and DMARC. Advanced spam filtering solutions incorporate AI and machine learning capabilities and can detect anomalies in inbound emails and flag them as suspicious or send them for deeper inspection in an email sandbox. In the sandbox, the message can be analyzed for malicious content, including following the link to check the destination URL. While this campaign does not use malware, an email filtering service with email sandboxing will also protect against malware threats.

Meeting invites, calendar invites, and collaboration requests are commonly used in phishing campaigns and are sent from trusted domains that often bypass spam filtering controls, so it is important to cover these types of scam emails in security awareness training. Employees should be made aware that these requests may not be what they seem, even if they have been sent via a legitimate service. Businesses can also gauge how susceptible employees are to these types of scams using a phishing simulator. SafeTitan includes many phishing templates involving invites from legitimate services to allow businesses to incorporate these into their simulations.

Call TitanHQ today for more information on improving your defenses against phishing with the SafeTitan security awareness training platform, SpamTitan email security, and the PhishTitan anti-phishing solution for Microsoft 365.

Threat Actors Adopt Corrupted Word Files for Phishing Campaigns

by titanadmin | Dec 16, 2024 | Phishing & Email Spam |

A new phishing campaign has been identified that uses the novel tactic of attaching corrupted Microsoft Word files to emails. The files themselves do not contain any malicious code, so scans of the attachments by email security solutions may not flag the emails as malicious.

In order to get the recipient to open the email, the threat actor impersonates the HR department or payroll team, as employees will typically open these messages. The attached files have file names related to payments, annual benefits, and bonuses, which employees may open without performing standard checks of the email, such as identifying the true sender of the message. Many employees place a moderate amount of trust in Word files, as if they contain a macro, it should not run automatically if the Word document is opened.

The threat actor relies on the employee’s curiosity to open the file and the way that operating systems handle corrupted files. The file recovery feature of Microsoft Word will attempt to recover corrupted files. The user will be informed that parts of the file contain unreadable content, and the user is prompted to confirm if they would like the file to be recovered. The documents have been crafted to ensure that they can be recovered by Word, and the recovery will present the user with a QR code that they are told they must scan to retrieve the document.

The document includes the logo of the company being targeted, and the user does not need to “enable editing” to view the contents of the document, so they may mistakenly believe they are safe. If they scan the QR code using their mobile device, they will be directed to a phishing page where they are asked to enter their Microsoft credentials on a phishing page that is an exact match of the genuine Microsoft login prompt.

Businesses with spam filter software may not be protected as email security solutions often fail to scan corrupted files. For instance, the phishing emails bypass Outlook spam filters according to the researchers at Any.Run who identified the campaign. That means the emails may be delivered to inboxes, especially as the messages do not contain any content in the body of the email indicative of a phishing attempt.

If the user opens the file and scans the QR code, they will switch from their desktop or laptop to their mobile phone. Mobile devices rarely have the same level of security protection, so corporate anti-phishing controls such as web filters will likely be bypassed.

Threat actors are constantly developing new ways to trick employees in their phishing campaigns, which is why it is important to run security awareness training programs continuously, updating the training content with new training material in response to threat actors’ changing tactics. By warning employees about this method, they should recognize the scam for what it is if they receive an email with a corrupted file attachment. That is easy to do with a security awareness training platform such as SafeTitan. New training content can be quickly created and rolled out to all users as part of their monthly allocation of training modules. It is also easy to add this type of threat to the SafeTitan phishing simulator to test how employees respond to this new threat type.

As the researchers demonstrated, Microsoft fails to detect the threat, demonstrating why it is important to bolster your M365 phishing defenses with a third-party solution, such as PhishTitan from TitanHQ. PhishTitan integrates seamlessly with Microsoft 365 to augment protection and catches the phishing threats that Microsoft misses. PhishTitan will also add a banner to all inbound emails that come from external sources, giving users a clear flag that these emails are not genuine. The HR department and payroll have internal email addresses.

An email security solution with email sandboxing is also advisable for deep inspection of file attachments, including the ability to read QR codes. Spam filters for incoming mail should also have machine learning and AI-based detection capabilities for identifying emails that deviate from the messages typically received by the business.

All of these features are part of TitanHQ’s email security suite. Give the team a call today to find out more.

Phishing Campaign Targets Law Firms by Impersonating U.S. Federal Courts

by titanadmin | Nov 30, 2024 | Phishing & Email Spam |

A phishing campaign has been identified that targets law firms by impersonating U.S. federal courts and purports to contain an electronic notice of court filings. Like many similar campaigns in recent months, the campaign aims to trick law firm employees into downloading malware that provides the threat actor with persistent access to the law firm’s network.

Threat actors often target businesses, but a far more effective use of their time and resources is to target vendors. If a threat actor gains access to a vendor’s network, they can potentially use the vendor’s privileged access to attack all downstream clients. Even when a vendor does not have privileged access to client networks, they are likely to store large amounts of data from multiple clients. In the case of law firms, that data is highly sensitive and easily monetized. It can be easily sold on darknet marketplaces and be used as leverage to extort the law firm and its clients.

Over the last few years, law firms have been extensively targeted by threat actors for this very reason. According to a 2023 report from the UK’s National Cyber Security Centre, 65% of law firms have been a victim of a cyber incident and a 2024 report from the chartered accountancy firm Lubbock Fine indicates cyberattacks on law firms have increased by 77% year-over-year. The main motivation for these attacks is extortion and ransomware attacks. There has also been a surge in business email compromise (BEC) attacks on law firms, as they are typically involved in large financial transactions that threat actors can try to divert to their own accounts.

One of the latest campaigns seeks persistent access to the networks of law firms by tricking the firms into installing malware. The campaign came to light following multiple complaints about fake notices of electronic court filings, which prompted the U.S. federal judiciary to issue a warning to U.S. lawyers to be alert to email notifications that purport to be notifications from the courts. The emails impersonate the PACER case management and electronic case files system, and instruct the recipient to respond immediately. The judiciary advised law firms to always check the federal judiciary’s official electronic filing system and never open attachments in emails or download files from unofficial sources.

The intercepted emails impersonate lower courts and prompt the recipient to click an embedded hyperlink to access a document from a cloud-based repository. Clicking the link directs the user to a malicious website where they are prompted to download a file. Opening the file triggers the installation of malware that will give the threat actor the access they need for an extensive compromise. The campaign will undoubtedly result in the theft of sensitive data and attempted extortion.

Most law firms will be well aware that they are prime targets for threat actors and the importance of implementing robust cybersecurity defenses. Since phishing is the most common way that threat actors get access to their networks and sensitive data, it is vital for law firms to ensure that they have an effective email security solution – one that is capable of detecting and blocking malware and correctly classifying phishing and BEC emails. This is an area where TitanHQ can help. TitanHQ offers a suite of cutting-edge cybersecurity solutions that provide multiple layers of protection against the most common attack vectors.

The primary defense against phishing and BEC attacks is anti-spam software, which TitanHQ can provide as a cloud-based anti-spam service or virtual anti-spam appliance that can be installed on-premises on existing hardware. The SpamTitan solution incorporates dual anti-virus engines and email sandboxing for detecting malware and malicious code in email attachments, even zero-day malware threats. The solution has machine learning capabilities for detecting novel email threats such as phishing and BEC attacks that are needed to detect and block the latest AI-generated threats. In independent tests by Virus Bulletin in November 2024 on 125,000 emails, SpamTitan had a 100% malware and phishing catch rate and only miscategorized 2 benign spam emails.

It is also important to ensure that all lawyers and support staff are made aware of the latest threats and receive regular cybersecurity awareness training. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) and phishing simulator that makes it easy to create effective, ongoing training programs that incorporate training material on the latest threats. Give the TitanHQ team a call today for more information on these and other cybersecurity solutions and for advice on improving your cybersecurity defenses against the most common attack vectors.

Phishing Campaign Uses Visio File Attachments for Credential Theft

by titanadmin | Nov 29, 2024 | Phishing & Email Spam |

A new phishing scam uses Microsoft Visio files to bypass phishing defenses to steal Microsoft 365 credentials. Microsoft Visio is a diagramming and vector graphics application used to create a variety of diagrams, including building plans, data flow diagrams, organizational charts, and flowcharts. While the software is widely used by businesses, Visio files are unlikely to feature heavily in security awareness training courses as they are not commonly used in phishing campaigns or for malware delivery. Security awareness training tends to focus on the most common file types such as documents, spreadsheets, and executable files. Unfamiliarity with the file type should mean employees exercise extreme caution; however, since Visio is part of the Microsoft 365 family, the files may be trusted and opened.

To increase the chance of that, this campaign uses compromised accounts to send the phishing emails. By using trusted accounts there is less chance of the emails being identified by email security solutions as malicious since emails are likely to pass reputation and authentication checks. It also increases the chance of emails being opened, as employees are trained to be suspicious of emails from unknown senders and generally trust emails from known senders. Like countless other phishing campaigns, tried and tested lures are used to get the recipient to open the attached .vsdx file. In this campaign the phishing emails masquerade as a purchase order and business proposals. Also observed in this campaign is the use of an Outlook message attachment, with that message including the malicious Visio file. Some emails use hyperlinks instead which direct the recipient to a SharePoint page hosting the Visio file. The latter helps to ensure that the email message is not blocked by email security solutions, which typically trust SharePoint URLs.

If the Visio file is opened, the user will be presented with branding that makes the file appear legitimate and they are advised to click an embedded link to view the contents of the file. The user is told to hold down the CTRL key when they click the link – an additional measure for evading security solutions. That link directs the user to a URL that hosts a spoofed login page that prompts them to enter their Microsoft credentials, which are captured by the threat actor.

While the use of Visio files for phishing is not common, there has been an increase in the use of these files as threat actors look for more reliable methods of phishing. It is certainly worthwhile ensuring that these file types are covered in your security awareness training programs and phishing simulations. While it is important to train employees to be aware of the latest tactics, techniques, and procedures used by threat actors to steal credentials, having an advanced email security solution in place can ensure that these malicious emails do not reach their targets. One of the easiest ways to block the threat, given that these are not commonly used files, is to configure your spam filter to block/quarantine emails containing .vsdx attachments, and certainly to do so for users who do not need to use these file types for work purposes. This is straightforward with SpamTitan (see our Help section).

If it is not practical to block these file types, SpamTitan does incorporate a variety of safeguards for preventing the delivery of malicious messages, including email sandboxing for deep analysis of file attachments to identify malicious URLs (and malware) and machine learning to identify emails that deviate from the messages typically received by the user/business. These features are critical, since the messages in this campaign are sent from compromised email accounts that are potentially trusted.

If you are not a SpamTitan user, give the TitanHQ team a call to find out more about the solution and why so many businesses are switching to SpamTitan for email security and check out this post, which highlights SpamTitan’s 100% malware and phishing block rate in recent tests.

SVG Image Files Being Used for Phishing and Malware Delivery

by titanadmin | Nov 29, 2024 | Phishing & Email Spam |

Cybercriminals are increasingly leveraging SVG files in their email campaigns. These file attachments have been used as part of convincing campaigns that have fooled many end users into disclosing their credentials or installing malware.

SVG files, or Scalable Vector Graphics files to give them their full name, differ from standard image files such as BMP, JPG, and PNG files. Vector graphics are constructed using mathematical formulas that establish points on a grid, rather than specific blocks of color (pixels). The advantage of vector graphics files is that they can be scaled infinitely with no loss of resolution, something that cannot be done with pixel-based images. Vector files are often used for logos, as they can be scaled up easily to be used in billboards with no loss of resolution, and they are increasingly being used on the web as the images will display correctly regardless of the size of the browser window or screen.

SVG is an incredibly versatile file format that can incorporate elements other than the image code, for instance, SVG files can be used to display HTML. It is possible to create an SVG image file that incorporates HTML and executes JavaScript on loading, redirecting users to a malicious website such as a phishing landing page. Images can be created that incorporate clickable download buttons, which will download payloads from a remote URL. An end user could easily be tricked into downloading a file with a double extension that appears to be a PDF file but is actually a malware executable.

Some of the recently intercepted phishing emails have included an SVG file that displays an image of an Excel spreadsheet. Since the spreadsheet is an image, the user cannot interact with it, but it includes an embedded form that mimics the Microsoft 365 login prompt. If the user enters their credentials into that form, they are transmitted to the threat actor. One of the problems with this type of file format is it is not generally blocked by anti-spam software, so is likely to be delivered to inboxes.

While SVG and other vector graphics file formats are invaluable for design and can be found extensively on the web, they are not generally used for image sharing, so the easiest way to protect against these malicious campaigns is to configure your spam filtering service to block or quarantine emails containing SVG file attachments, at least for employees who do not usually work with these file formats. If you have a cloud-based anti-spam service that incorporates email sandboxing, where attachments are sent for deep analysis, it is possible to detect SVG files that incorporate malicious JavaScript. Since the use of these file formats is increasing, it is important to make your employees aware of the threat through security awareness training. Emails with SVG file attachments should also be incorporated into your phishing simulations to determine whether employees open these files. Both are easy with the SafeTitan security awareness training and phishing simulation platform.

DocuSign Abused in Massive Phishing Campaign

by titanadmin | Nov 28, 2024 | Phishing & Email Spam |

A large-scale phishing campaign has been identified that abuses the e-signature software DocuSign, a hugely popular software solution used to legally and securely sign digital documents and eliminate the time-consuming process of manually signing documents.

DocuSign uses “envelopes” to send documents to individuals for signing. These document containers may contain one or more documents that need to be signed, and the envelopes are sent via email. In this campaign, a bad actor abuses the DocuSign Envelopes API to create fake invoices, which are mass-distributed via email. This campaign aims to get the recipient of the invoice to sign it using DocuSign, then the signed document can be used for the next phase of the scam, which typically involves sending the signed document to the billing department for payment, which may or may not be through DocuSign. The invoices generated for this campaign are based on legitimate DocuSign templates and are generated through a legitimate DocuSign account. The invoices include legitimate branding for DocuSign and the company/product the threat actor is impersonating – such as Norton Internet Security, PayPal, and other big-name brands.

The problem for businesses with this campaign is the emails are sent from the genuine docusign[.]net domain, which means email security solutions are unlikely to block the messages since the domain is trusted. Since the emails appear to be legitimate invoices with genuine branding and the correct invoice amount for the product being spoofed, end users are likely to be tricked by the emails. The tactics used in this campaign are similar to others that have abused legitimate cloud-based services to bypass email security solutions, such as sending malicious URLs in documents hosted on Google Docs and Microsoft SharePoint.

The primary defense against these campaigns is security awareness training. Businesses need to make their employees aware of campaigns such as these messages, which often bypass email security solutions and are likely to land in inboxes since they may not contain any malicious URLs or malware code and are sent from a legitimate, trusted domain. The workforce needs to be trained on cybersecurity best practices and told about the red flags in emails that are indicative of a scam. Training needs to be provided continuously to make employees aware of the latest scams, as bad actors are constantly refining their tactics, techniques, and procedures, and developing new ways to trick end users. The easiest way to do this is with a comprehensive security awareness training solution such as SafeTitan.

SafeTitan makes it easy to create training programs for different roles in the organization and automate these training programs to ensure training content is delivered in manageable chunks, with new content added and rolled out in response to the latest threats. These training programs should be augmented with phishing simulations. An email security solution with AI and machine-learning capabilities is also important, as standard spam software is not effective at identifying threats from legitimate and trusted cloud services. TitanHQ’s PhishTitan solution for Microsoft 365 has these capabilities and identifies the phishing emails that Microsoft often misses. PhishTitan scans inbound messages for malicious content, uses email sandboxing for detecting zero-day threats, adds banners to emails from external sources, and allows security teams to rapidly remediate identified threats throughout the entire email environment. In November 2024, Virus Bulletin assessed the engine that powers the SpamTitan spam filtering service and PhishTitan anti-phishing solution using around 125,000 emails. SpamTitan and PhishTitan blocked 100% of malware and 100% of phishing emails and only miscategorized 2 benign spam emails, demonstrating how effective these solutions are at blocking malicious emails.

For more information on improving your defenses against malicious email campaigns through cutting-edge email security and security awareness training, give the TitanHQ team a call today.

Excel File Attachments Used in Phishing Campaign to Deliver Fileless Remote Access Trojan

by titanadmin | Nov 15, 2024 | Phishing & Email Spam |

A phishing campaign has been identified that uses purchase order-related lures and Excel file attachments to deliver the Remcos RAT, a commercially available malware variant that gives threat actors remote access to an infected device.  The malware allows the threat actor to log keystrokes, record audio via the microphone, and take screenshots and provides a foothold allowing an extensive compromise. Infection with the Remcos RAT invariably involves data theft and could lead to a ransomware attack and extortion.

Businesses with antivirus software installed are unlikely to be protected. While antivirus software is effective at detecting and neutralizing malware, the Remcos RAT is poorly detected as it is fileless malware that runs in memory and does not install files on the disk. The campaign, detected by researchers at FortiGuard Labs, targets Windows users and starts with a phishing email with an encrypted Excel attachment. The emails purport to be a purchase order and include a malicious Excel file attachment. The Excel file uses OLE objects to exploit an old vulnerability in Office, tracked as CVE-2017-0199. Successful exploitation of the vulnerability will see an HTML Application (HTA) file downloaded, which is launched using mshta.exe. The file is heavily obfuscated to evade security solutions, and its function is to download and execute a binary, which uses process hollowing to download and run the Remcos RAT in the memory.

The Remcos RAT is used to enumerate and terminate processes, execute commands, capture sensitive data, and download additional malware payloads. Since the Remcos RAT runs in the memory, it will not survive a reboot. To achieve persistence, it runs the registry editor (reg.exe) to edit the Windows Registry to add a new auto-run item to ensure it is launched after each reboot.

Since the initial contact is made via email, an advanced email security solution with email sandboxing and AI- and machine learning capabilities should ensure the email is identified as malicious and blocked to prevent delivery. Should the email be delivered and the attachment opened, end users are informed that the document is protected. They are presented with a blurred version of the Excel file and are told they need to enable editing to view the content – a red flag that should be identified by security-aware employees. If that red flag is missed, enabling content will trigger the exploitation of the vulnerability that ultimately delivers the Remcos RAT. Businesses with an advanced DNS-based web filter will have another layer of protection, as the URLs hosting the malicious files should be blocked.

TitanHQ offers cutting-edge cybersecurity solutions that provide exceptional protection against phishing, BEC, and malware attacks, blocking the initial emails and connections to malicious websites to prevent end users from viewing malicious emails (SpamTitan) and preventing malicious file downloads from the Internet (WebTitan). In November 2024 tests by Virus Bulletin, TitanHQ’s SpamTitan Solution had a 100% phishing and malware block rate. TitanHQ also provides a comprehensive security awareness training platform (SafeTitan) to teach cybersecurity best practices and keep employees aware of the latest threats. The platform also incorporates a phishing simulator for reinforcing training. Give the TitanHQ team a call today for more information on TitanHQ solutions and how they can improve your defenses against email, web, SMS, and voice-based threats at your business.

A Russian APT Group is Conducting a Massive Spear Phishing Campaign

by titanadmin | Oct 31, 2024 | Phishing & Email Spam |

The notorious Russian advanced persistent threat (APT) group Midnight Blizzard (aka Cozy Bear, APT29) has been conducting a massive spear phishing campaign on targets in the United Kingdom, Europe, Australia, and Japan. Midnight Blizzard is a hacking group with strong links to Russia’s Foreign Intelligence Service (SVR) which engages in espionage of foreign interests and seeks persistent access to accounts and devices to steal information of interest to the SVR. The latest campaign is a highly targeted information-gathering exercise that was first observed on October 22, 2024.

While Midnight Blizzard’s spear phishing attacks are usually conducted on government officials and individuals in non-governmental organizations (NGOs), individuals in academia and other sectors have also been targeted. The spear phishing attacks were identified by Microsoft Threat Intelligence which reports that thousands of emails have been sent to more than 100 organizations and the campaign is ongoing. While spear phishing is nothing new, Midnight Blizzard has adopted a new tactic in these attacks and is sending a signed Remote Desktop Protocol (RDP) configuration file as an email attachment, with a variety of lures tailored to the individual being targeted. Some of the intercepted emails impersonated Microsoft, others impersonated cloud service providers, and several of the emails used lures related to zero trust. The email addresses used in this campaign have been previously compromised in other Midnight Blizzard campaigns.

Amazon has also reported that it detected phishing emails that impersonated Amazon Web Services (AWS), attempting to trick the recipients into thinking AWS domains were used; however, the campaign did not seek AWS credentials, as Midnight Blizzard is targeting Windows credentials. Amazon immediately started the process of seizing the domains used by Midnight Blizzard to impersonate AWS and that process is ongoing.

RDP files contain automatic settings and resource mappings and are created when a successful connection to an RDP server occurs. The attached RDP files are signed with a Lets Encrypt certificate and extend features and resources of the local system to a remote server under the attacker’s control. If the RDP file is executed, a connection is made to a server under the control of Midnight Blizzard, and the targeted user’s local device’s resources are bidirectionally mapped to the server.

The server is sent resources including logical hard disks, clipboard contents, printers, connected devices, authentication features, and Windows operating system facilities. The connection allows the attacker to install malware, which is set to execute via AutoStart folders, steal credentials, and download other tools to the user’s device, including remote access trojans to ensure that access to the targeted system is maintained when the RDP session is closed.

Since the emails were sent using email addresses at legitimate organizations, they are unlikely to be flagged as malicious based on reputation checks by anti-spam software, although may be detected by more advanced anti-spam services that incorporate machine learning and AI-based detection mechanisms and email sandboxing. You should configure your spam antivirus filter to block emails containing RDP files and other executable files and configure your firewall to block outbound RDP connection attempts to external or public networks. Multifactor authentication should be configured on all accounts to prevent compromised credentials from granting access, and consider blocking executable files from running via your endpoint security software is the executable file is not on a trusted list. Also, ensure that downloaded files are scanned using antivirus software. A web filter can provide added protection against malicious file downloads from the internet.

An anti-phishing solution should also be considered for augmenting the protection provided through Microsoft Defender and EOP for Microsoft 365. PhishTitan from TitanHQ has been shown to improve protection and block threats that Microsoft’s anti-phishing solution fails to detect, augmenting rather than replacing the protection provided by EOP and Defender. It is also important to provide security awareness training to the workforce and ensure that spear phishing and RDP file attachments are included in the training. Also, consider conducting spear phishing simulations.