Phishing & Email Spam
Phishing and email spam is estimated to cost industry more than $1 billion each year, and cybercriminals are becoming more sophisticated in the campaigns they launch to try to extract confidential data or passwords from unsuspecting Internet users.
Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.
Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:
- If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
- Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
- Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
- Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
- Remember that phishing and email spam is not limited to email. Watch out for scams sent via social media channels.
Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, there has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).
Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.
The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.
by titanadmin | Nov 30, 2024 | Internet Security, Phishing & Email Spam |
Holiday season officially started the day after Thanksgiving in the United States, or Black Friday as it is now known. Taking its name from a term used by police officers in Philadelphia to describe the chaos in the city caused by the deluge of suburban shoppers heading to the city to do their holiday shopping, it has become a day when retailers offer bargains to entice the public to buy their goods and services. While the jury is still out on how good many of those bargains are, the consensus is that there are bargains to be found in stores and online, with the official day for the latter being the Monday after Black Friday – Cyber Monday.
The holiday season for shoppers is boom time for cybercriminals who take advantage of the increase in online shoppers looking to buy gifts for Christmas and pick up a bargain of two. Many people time major purchases to take advantage of Black Friday and Cyber Monday offers and cybercriminals are poised to pounce on the unwary. The losses to scams over the holiday period are staggering. According to the Federal Bureau of Investigation (FBI), more than $73 million was lost to holiday season scams in 2022; however, the true total is likely to be considerably higher since many losses go unreported. Those figures do not include the losses to phishing, malware, ransomware, BEC attacks, and other cyberattacks that occur over the holiday period. For instance, the surge in ransomware attacks over Thanksgiving weekend and Christmas when the IT staff is spread thin.
Given the heightened risk of scams and cyberattacks over the holiday season, consumers should be on their guard and take extra care online and ensure that vendors are legitimate before handing over their card details and double-checking the legitimacy of any email requests. While consumers face elevated risks during the holiday season, so do businesses. There are end-of-year deadlines to meet and it’s a short month with many workers taking annual leave over Christmas and the New Year. As the year draws to a close it is common for vigilance to slip, and threat actors are ready to take advantage. Businesses need to ensure that their defenses are up to scratch, especially against phishing – the most common initial access vector in cyberattacks – as a slip in vigilance can easily lead to a costly cyberattack.
Businesses can take several proactive steps to ensure they are protected against holiday season cyber threats, and conducting a security awareness training session is a good place to start. Employees should be reminded about the increase in malicious cyber activity over the holiday period and be reminded about the risks they may encounter online, via email, SMS, instant messaging services, and the phone. With TitanHQ’s SafeTitan security awareness training platform, it is easy to spin up training courses for employees to remind them to be vigilant and warn them about seasonal and other cyber threats. The training platform makes it quick and easy to create and automate training courses, with the training delivered in modules of no more than 10 minutes to ensure employees can maintain concentration and fit the training into their workflows. The SafeTitan platform also incorporates a phishing simulator, which businesses can use to reinforce training and identify individuals who are fooled by phishing scams and ensure they receive the additional training they need.
Due to the high risk of phishing attacks, it is a good idea to implement an advanced spam filter service, one that reliably identifies and neutralizes phishing and business email compromise attempts and provides cutting-edge protection against malware. You need look no further than SpamTitan for that protection. SpamTitan incorporates machine learning and AI-based detection capabilities for detecting phishing, BEC, and scam emails, and dual antivirus engines and email sandboxing for detecting malware threats, including novel malware variants. In Q3, VirusBulletin’s tests of SpamTitan confirmed a phishing detection rate of 99.99% and a malware catch rate of 99.511%. The interim figures for November 2024 are a 100% phishing catch rate and a 100% malware catch rate, demonstrating the reliability of TitanHQ’s cloud-based email filtering solution.
TitanHQ also offers online protection through the WebTitan DNS filter, which prevents access to known malicious websites, blocks malware downloads from the Internet, and can be used to control the web content employees can access, providing an important extra layer of security against web-based threats. At TitanHQ we hope you have a happy holiday period and above all else that you are well protected against cyber threats. Give the team a call today to find out more about how we can help protect your business this holiday season and beyond.
by titanadmin | Nov 30, 2024 | Phishing & Email Spam |
A phishing campaign has been identified that targets law firms by impersonating U.S. federal courts and purports to contain an electronic notice of court filings. Like many similar campaigns in recent months, the campaign aims to trick law firm employees into downloading malware that provides the threat actor with persistent access to the law firm’s network.
Threat actors often target businesses, but a far more effective use of their time and resources is to target vendors. If a threat actor gains access to a vendor’s network, they can potentially use the vendor’s privileged access to attack all downstream clients. Even when a vendor does not have privileged access to client networks, they are likely to store large amounts of data from multiple clients. In the case of law firms, that data is highly sensitive and easily monetized. It can be easily sold on darknet marketplaces and be used as leverage to extort the law firm and its clients.
Over the last few years, law firms have been extensively targeted by threat actors for this very reason. According to a 2023 report from the UK’s National Cyber Security Centre, 65% of law firms have been a victim of a cyber incident and a 2024 report from the chartered accountancy firm Lubbock Fine indicates cyberattacks on law firms have increased by 77% year-over-year. The main motivation for these attacks is extortion and ransomware attacks. There has also been a surge in business email compromise (BEC) attacks on law firms, as they are typically involved in large financial transactions that threat actors can try to divert to their own accounts.
One of the latest campaigns seeks persistent access to the networks of law firms by tricking the firms into installing malware. The campaign came to light following multiple complaints about fake notices of electronic court filings, which prompted the U.S. federal judiciary to issue a warning to U.S. lawyers to be alert to email notifications that purport to be notifications from the courts. The emails impersonate the PACER case management and electronic case files system, and instruct the recipient to respond immediately. The judiciary advised law firms to always check the federal judiciary’s official electronic filing system and never open attachments in emails or download files from unofficial sources.
The intercepted emails impersonate lower courts and prompt the recipient to click an embedded hyperlink to access a document from a cloud-based repository. Clicking the link directs the user to a malicious website where they are prompted to download a file. Opening the file triggers the installation of malware that will give the threat actor the access they need for an extensive compromise. The campaign will undoubtedly result in the theft of sensitive data and attempted extortion.
Most law firms will be well aware that they are prime targets for threat actors and the importance of implementing robust cybersecurity defenses. Since phishing is the most common way that threat actors get access to their networks and sensitive data, it is vital for law firms to ensure that they have an effective email security solution – one that is capable of detecting and blocking malware and correctly classifying phishing and BEC emails. This is an area where TitanHQ can help. TitanHQ offers a suite of cutting-edge cybersecurity solutions that provide multiple layers of protection against the most common attack vectors.
The primary defense against phishing and BEC attacks is anti-spam software, which TitanHQ can provide as a cloud-based anti-spam service or virtual anti-spam appliance that can be installed on-premises on existing hardware. The SpamTitan solution incorporates dual anti-virus engines and email sandboxing for detecting malware and malicious code in email attachments, even zero-day malware threats. The solution has machine learning capabilities for detecting novel email threats such as phishing and BEC attacks that are needed to detect and block the latest AI-generated threats. In independent tests by Virus Bulletin in November 2024 on 125,000 emails, SpamTitan had a 100% malware and phishing catch rate and only miscategorized 2 benign spam emails.
It is also important to ensure that all lawyers and support staff are made aware of the latest threats and receive regular cybersecurity awareness training. TitanHQ offers a comprehensive security awareness training platform (SafeTitan) and phishing simulator that makes it easy to create effective, ongoing training programs that incorporate training material on the latest threats. Give the TitanHQ team a call today for more information on these and other cybersecurity solutions and for advice on improving your cybersecurity defenses against the most common attack vectors.
by titanadmin | Nov 29, 2024 | Phishing & Email Spam |
A new phishing scam uses Microsoft Visio files to bypass phishing defenses to steal Microsoft 365 credentials. Microsoft Visio is a diagramming and vector graphics application used to create a variety of diagrams, including building plans, data flow diagrams, organizational charts, and flowcharts. While the software is widely used by businesses, Visio files are unlikely to feature heavily in security awareness training courses as they are not commonly used in phishing campaigns or for malware delivery. Security awareness training tends to focus on the most common file types such as documents, spreadsheets, and executable files. Unfamiliarity with the file type should mean employees exercise extreme caution; however, since Visio is part of the Microsoft 365 family, the files may be trusted and opened.
To increase the chance of that, this campaign uses compromised accounts to send the phishing emails. By using trusted accounts there is less chance of the emails being identified by email security solutions as malicious since emails are likely to pass reputation and authentication checks. It also increases the chance of emails being opened, as employees are trained to be suspicious of emails from unknown senders and generally trust emails from known senders. Like countless other phishing campaigns, tried and tested lures are used to get the recipient to open the attached .vsdx file. In this campaign the phishing emails masquerade as a purchase order and business proposals. Also observed in this campaign is the use of an Outlook message attachment, with that message including the malicious Visio file. Some emails use hyperlinks instead which direct the recipient to a SharePoint page hosting the Visio file. The latter helps to ensure that the email message is not blocked by email security solutions, which typically trust SharePoint URLs.
If the Visio file is opened, the user will be presented with branding that makes the file appear legitimate and they are advised to click an embedded link to view the contents of the file. The user is told to hold down the CTRL key when they click the link – an additional measure for evading security solutions. That link directs the user to a URL that hosts a spoofed login page that prompts them to enter their Microsoft credentials, which are captured by the threat actor.
While the use of Visio files for phishing is not common, there has been an increase in the use of these files as threat actors look for more reliable methods of phishing. It is certainly worthwhile ensuring that these file types are covered in your security awareness training programs and phishing simulations. While it is important to train employees to be aware of the latest tactics, techniques, and procedures used by threat actors to steal credentials, having an advanced email security solution in place can ensure that these malicious emails do not reach their targets. One of the easiest ways to block the threat, given that these are not commonly used files, is to configure your spam filter to block/quarantine emails containing .vsdx attachments, and certainly to do so for users who do not need to use these file types for work purposes. This is straightforward with SpamTitan (see our Help section).
If it is not practical to block these file types, SpamTitan does incorporate a variety of safeguards for preventing the delivery of malicious messages, including email sandboxing for deep analysis of file attachments to identify malicious URLs (and malware) and machine learning to identify emails that deviate from the messages typically received by the user/business. These features are critical, since the messages in this campaign are sent from compromised email accounts that are potentially trusted.
If you are not a SpamTitan user, give the TitanHQ team a call to find out more about the solution and why so many businesses are switching to SpamTitan for email security and check out this post, which highlights SpamTitan’s 100% malware and phishing block rate in recent tests.
by titanadmin | Nov 29, 2024 | Phishing & Email Spam |
Cybercriminals are increasingly leveraging SVG files in their email campaigns. These file attachments have been used as part of convincing campaigns that have fooled many end users into disclosing their credentials or installing malware.
SVG files, or Scalable Vector Graphics files to give them their full name, differ from standard image files such as BMP, JPG, and PNG files. Vector graphics are constructed using mathematical formulas that establish points on a grid, rather than specific blocks of color (pixels). The advantage of vector graphics files is that they can be scaled infinitely with no loss of resolution, something that cannot be done with pixel-based images. Vector files are often used for logos, as they can be scaled up easily to be used in billboards with no loss of resolution, and they are increasingly being used on the web as the images will display correctly regardless of the size of the browser window or screen.
SVG is an incredibly versatile file format that can incorporate elements other than the image code, for instance, SVG files can be used to display HTML. It is possible to create an SVG image file that incorporates HTML and executes JavaScript on loading, redirecting users to a malicious website such as a phishing landing page. Images can be created that incorporate clickable download buttons, which will download payloads from a remote URL. An end user could easily be tricked into downloading a file with a double extension that appears to be a PDF file but is actually a malware executable.
Some of the recently intercepted phishing emails have included an SVG file that displays an image of an Excel spreadsheet. Since the spreadsheet is an image, the user cannot interact with it, but it includes an embedded form that mimics the Microsoft 365 login prompt. If the user enters their credentials into that form, they are transmitted to the threat actor. One of the problems with this type of file format is it is not generally blocked by anti-spam software, so is likely to be delivered to inboxes.
While SVG and other vector graphics file formats are invaluable for design and can be found extensively on the web, they are not generally used for image sharing, so the easiest way to protect against these malicious campaigns is to configure your spam filtering service to block or quarantine emails containing SVG file attachments, at least for employees who do not usually work with these file formats. If you have a cloud-based anti-spam service that incorporates email sandboxing, where attachments are sent for deep analysis, it is possible to detect SVG files that incorporate malicious JavaScript. Since the use of these file formats is increasing, it is important to make your employees aware of the threat through security awareness training. Emails with SVG file attachments should also be incorporated into your phishing simulations to determine whether employees open these files. Both are easy with the SafeTitan security awareness training and phishing simulation platform.
by titanadmin | Nov 28, 2024 | Phishing & Email Spam |
A large-scale phishing campaign has been identified that abuses the e-signature software DocuSign, a hugely popular software solution used to legally and securely sign digital documents and eliminate the time-consuming process of manually signing documents.
DocuSign uses “envelopes” to send documents to individuals for signing. These document containers may contain one or more documents that need to be signed, and the envelopes are sent via email. In this campaign, a bad actor abuses the DocuSign Envelopes API to create fake invoices, which are mass-distributed via email. This campaign aims to get the recipient of the invoice to sign it using DocuSign, then the signed document can be used for the next phase of the scam, which typically involves sending the signed document to the billing department for payment, which may or may not be through DocuSign. The invoices generated for this campaign are based on legitimate DocuSign templates and are generated through a legitimate DocuSign account. The invoices include legitimate branding for DocuSign and the company/product the threat actor is impersonating – such as Norton Internet Security, PayPal, and other big-name brands.
The problem for businesses with this campaign is the emails are sent from the genuine docusign[.]net domain, which means email security solutions are unlikely to block the messages since the domain is trusted. Since the emails appear to be legitimate invoices with genuine branding and the correct invoice amount for the product being spoofed, end users are likely to be tricked by the emails. The tactics used in this campaign are similar to others that have abused legitimate cloud-based services to bypass email security solutions, such as sending malicious URLs in documents hosted on Google Docs and Microsoft SharePoint.
The primary defense against these campaigns is security awareness training. Businesses need to make their employees aware of campaigns such as these messages, which often bypass email security solutions and are likely to land in inboxes since they may not contain any malicious URLs or malware code and are sent from a legitimate, trusted domain. The workforce needs to be trained on cybersecurity best practices and told about the red flags in emails that are indicative of a scam. Training needs to be provided continuously to make employees aware of the latest scams, as bad actors are constantly refining their tactics, techniques, and procedures, and developing new ways to trick end users. The easiest way to do this is with a comprehensive security awareness training solution such as SafeTitan.
SafeTitan makes it easy to create training programs for different roles in the organization and automate these training programs to ensure training content is delivered in manageable chunks, with new content added and rolled out in response to the latest threats. These training programs should be augmented with phishing simulations. An email security solution with AI and machine-learning capabilities is also important, as standard spam software is not effective at identifying threats from legitimate and trusted cloud services. TitanHQ’s PhishTitan solution for Microsoft 365 has these capabilities and identifies the phishing emails that Microsoft often misses. PhishTitan scans inbound messages for malicious content, uses email sandboxing for detecting zero-day threats, adds banners to emails from external sources, and allows security teams to rapidly remediate identified threats throughout the entire email environment. In November 2024, Virus Bulletin assessed the engine that powers the SpamTitan spam filtering service and PhishTitan anti-phishing solution using around 125,000 emails. SpamTitan and PhishTitan blocked 100% of malware and 100% of phishing emails and only miscategorized 2 benign spam emails, demonstrating how effective these solutions are at blocking malicious emails.
For more information on improving your defenses against malicious email campaigns through cutting-edge email security and security awareness training, give the TitanHQ team a call today.
by titanadmin | Nov 26, 2024 | Phishing & Email Spam, Spam Software |
It is all too easy to place too much reliance on multifactor authentication (MFA) to protect against phishing attacks. In theory, if an employee is duped by a phishing email and their credentials are stolen, MFA should stop the threat actor from using those credentials to access the account, as they will not have the necessary additional authentication factor(s). The reality is somewhat different. While MFA can – and does – block many attacks where credentials have been obtained, it is far from infallible. MFA has made it much harder to compromise accounts but, in response, threat actors have developed new tactics to bypass MFA protections.
For example, there is a scam where an employee is contacted by an individual who claims to be from their IT department. The scammer tells them there is an issue with their account and they need to update their password. They are directed to a site where they are prompted to enter their password and enter the MFA code sent to their phone. The threat actor uses that information in real-time to access their account. Multiple campaigns have targeted IT helpdesk staff, with the threat actor impersonating an employee. They provide information to verify their identity (obtained in an earlier phase of the campaign) and ask to register a new device to receive their MFA codes.
Phishing-as-a-service toolkits (PhaaS) capable of defeating MFA are advertised on hacking forums and Telegram channels that can be purchased or rented. They involve an adversary-in-the-middle (AitM) attack and use a reverse proxy between the victim and the legitimate portal for the credentials being sought. The user is directed to a login page that appears exactly as expected, as the user is logging into the genuine site. What is unknown to the user is the attacker sits between them and the site and captures credentials and the session cookie after MFA is successfully navigated. The attacker then has access to the account for the duration of the session cookie and can register a new device to receive future codes.
PhaaS kits are a serious threat and are proving popular with cybercriminals. Take the Rockstar 2FA kit for example, which is advertised for $200 for a 2-week subscription. The kit includes everything a phisher needs, including MFA bypass, login pages for targeting specific credentials, session cookie harvesting, undetectable malicious (FUD) links and link redirectors, a host of phishing templates, and an easy-to-use admin panel that allows tracking of phishing campaigns. The phishing URLs available are also hosted on legitimate services such as Google Docs Viewer, Microsoft OneDrive, and LiveAgent – sites commonly trusted by email security solutions. This is just one phishing kit. There are many being offered with similar capabilities.
The take-home message is that MFA, while important, can be bypassed. For maximum protection, phishing-resistant multifactor authentication should be used – e.g. smartcards or FIDO security keys. These MFA tools can be expensive to implement, so at the very least ensure that you have some form of MFA implemented and implement several other layers of defenses. An advanced spam filtering service such as SpamTitan is essential, as it can block phishing emails to ensure they do not reach end users. Review sites often rate SpamTitan as one of the best spam filters for business due to how easy the solution is to use and its excellent detection rate. In November 2024, in tests by Virus Bulletin, SpamTitan blocked 100% of malware and 100% of phishing emails out of a test involving around 125,000 messages. Previous assessments had a catch rate of more than 99.99%, demonstrating the reliability and accuracy of the solution.
Another layer of protection can be provided by a web filter, which will block attempts to visit known malicious websites, such as those used for phishing and malware distribution. WebTitan provides time-of-click protection, as does TitanHQ’s PhishTitan product – an anti-phishing solution specifically developed to protect M365 accounts against phishing by augmenting Microsoft’s controls to catch the phishing emails that EOP and Defender miss.
Technical defenses are important, but so too is workforce training. Through regular security awareness training and phishing simulations, employees can be taught cybersecurity best practices and how to identify and avoid scam emails. If you want to improve your defenses against phishing and malware, give the TitanHQ team a call and have a chat about your options. All TitanHQ solutions are easy to use, are available on a free trial, and full product support is provided during that trial.
by titanadmin | Nov 25, 2024 | Email Scams, Phishing & Email Spam |
As consumers wait patiently for Black Friday to snaffle a bargain or two, scammers are hard at work perfecting their Black Friday scams and getting ahead of the game by offering amazing deals via email. In the run-up to Black Friday, Cyber Monday, and throughout the holiday season, everyone should be wary of scams and spam emails. The superb offers and hugely discounted prices are not always what they seem. Most are scams.
There are Black Friday and Cyber Monday deals aplenty, with bricks and mortar and online retailers vying to get your business to kick start the holiday season shopping bonanza. Rather than being confined to the weekend, many retailers have offers over an extended period, and marketing for those deals starts well in advance. Black Friday deals seem to be taking over much of November. While there are bargains to be had, even the incredible prices being offered by genuine retailers may not be quite as good as they seem. While Black Friday deals are touted as being the lowest prices of the year, research suggests that is not necessarily the case. According to the consumer group Which? it is common for prices to be inflated in the run-up to Black Friday to make the discounts seem bigger, and in some cases, the price that a retailer claims a product has been reduced from has never been offered in the previous 12 months. It pays to do some research before you buy.
As far as online shopping goes, it is important to visit your favorite retailers’ websites directly and, as a general rule of thumb, never respond to any offers received by email by clicking links. If you get an email from a retailer advising you of a Black Friday deal, visit their website using your bookmark or by typing in the URL. If the offer is available it should be detailed on the website. This is important as the majority of Black Friday emails are scams. According to a recent analysis by Bitdefender – the company that powers the SpamTitan email sandbox – 77% of Black Friday-themed spam were scams, a 7% increase from 2023. Many of these scam emails impersonate big-name brands and offer impressive but fake discounts on products and services. They often lead to financial loss, data theft, and malware infections.
Black Friday scams include offering top-name brands at heavily discounted prices, but actually mailing cheap counterfeit goods or not mailing any product at all. Big-name brands have been impersonated in spam emails that include an attachment that purports to be a shipping confirmation, confirming that orders are ready for shipment when the attachments direct users to websites where they are asked to disclose their credentials or the attachments install malware.
At this time of year there is a surge in survey scams, where consumers are asked to take part in surveys in exchange for a discount or voucher, and after completing the survey are asked to disclose sensitive information that can be used directly for fraud or spear phishing campaigns. If you receive unwanted marketing communications from genuine retailers, you can use the unsubscribe option to update your preferences, but make sure you carefully check the destination of the unsubscribe button and the sender’s email address to confirm the communication is from a legitimate retailer.
If you receive spam emails, the unsubscribe option should be avoided. Using the unsubscribe option lets the scammer know that the account is active, and all that is likely to happen is you will receive even more spam. Far better is to mark the email as spam and block the sender. Clicking an unsubscribe option in an email may direct you to a site where a vulnerability is exploited to download malware.
Businesses should ensure they have an effective spam filter, and it is never more important than in November, December, and January when spammers are highly active. At TitanHQ, we offer products that provide exception protection against spam, scams, phishing emails, and malware. In recent independent tests by VirusBulletin, the engine that powers the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 achieved a 100% phishing catch rate, a 100% malware catch rate, and a spam catch rate in excess of 99.9% in November 2024 results. These follow overall scores in excess of 99.99% for blocking spam, phishing, and malware earlier in the year, demonstrating these email security products provide excellent and reliable protection against malicious and spam emails.
by titanadmin | Nov 22, 2024 | Industry News, Phishing & Email Spam |
TitanHQ is thrilled to announce that the engine that powers its email security solutions – SpamTitan and PhishTitan – achieved an incredible 100% catch rate for phishing emails and malware in November 2024 in independent tests by Virus Bulletin.
Virus Bulletin is a testing and certification body that has an excellent reputation within the information security community. Virus Bulletin performs independent tests of security solutions and has been reviewing, benchmarking, and issuing certifications for security products for more than 2 decades.
The spam, malware, and phishing identification tests are conducted over a 16-day period each month, with the final results published each quarter. For the past two quarters, TitanHQ’s email security solutions have achieved VBSpam+ certification, and the results from October and November indicate SpamTitan email security and the PhishTitan anti-phishing solutions are on track to receive their third consecutive quarterly VBSpam+ certification.
The interim results for November are based on an evaluation of almost 125,000 emails. TitanHQ’s solutions correctly identified all malware and phishing emails over that period, and it was nearly a clean sweep of 100% scores; however, there was a narrow miss on blocking non-malicious spam emails, as while the vast majority of spam emails were correctly identified, 2 spam emails were unfortunately miscategorized.
The flawless results for malware blocking and phishing identification by TitanHQ’s cloud-based anti-spam software clearly demonstrate the superb reliability and effectiveness of TitanHQ’s email security solutions and validate what our customers already know – That you can rely on TitanHQ to keep your email accounts free from threats.
“We are thrilled to have significantly outperformed our main competitors and surpassed the industry average,” said Ronan Kavanagh, CEO at TitanHQ. “Our unwavering commitment to providing unmatched email security is evident in these results, and we remain dedicated to protecting our clients from evolving cyber threats.”
In addition to providing a cutting-edge, easy to use, email filtering service, TitanHQ’s cybersecurity portfolio also includes a comprehensive security awareness training and phishing simulation platform – SafeTitan; a DNS-based web filtering solution for blocking Internet threats and controlling internet access – WebTitan; an easy-to-use and cost-effective email archiving solution – ArcTitan; and an email encryption solution for securing sensitive data – EncryptTitan.
All TitanHQ solutions are cloud-based and easy to implement and use, even by individuals with little technical expertise. These solutions can be used by businesses of all sizes and TitanHQ also offers anti-spam solutions for managed service providers to allow them to provide comprehensive security services to their clients.
For more information about these solutions or joining our partner program, give the TitanHQ team a call today and be sure to check out these anti-spam tips.
by titanadmin | Nov 15, 2024 | Phishing & Email Spam |
A phishing campaign has been identified that uses purchase order-related lures and Excel file attachments to deliver the Remcos RAT, a commercially available malware variant that gives threat actors remote access to an infected device. The malware allows the threat actor to log keystrokes, record audio via the microphone, and take screenshots and provides a foothold allowing an extensive compromise. Infection with the Remcos RAT invariably involves data theft and could lead to a ransomware attack and extortion.
Businesses with antivirus software installed are unlikely to be protected. While antivirus software is effective at detecting and neutralizing malware, the Remcos RAT is poorly detected as it is fileless malware that runs in memory and does not install files on the disk. The campaign, detected by researchers at FortiGuard Labs, targets Windows users and starts with a phishing email with an encrypted Excel attachment. The emails purport to be a purchase order and include a malicious Excel file attachment. The Excel file uses OLE objects to exploit an old vulnerability in Office, tracked as CVE-2017-0199. Successful exploitation of the vulnerability will see an HTML Application (HTA) file downloaded, which is launched using mshta.exe. The file is heavily obfuscated to evade security solutions, and its function is to download and execute a binary, which uses process hollowing to download and run the Remcos RAT in the memory.
The Remcos RAT is used to enumerate and terminate processes, execute commands, capture sensitive data, and download additional malware payloads. Since the Remcos RAT runs in the memory, it will not survive a reboot. To achieve persistence, it runs the registry editor (reg.exe) to edit the Windows Registry to add a new auto-run item to ensure it is launched after each reboot.
Since the initial contact is made via email, an advanced email security solution with email sandboxing and AI- and machine learning capabilities should ensure the email is identified as malicious and blocked to prevent delivery. Should the email be delivered and the attachment opened, end users are informed that the document is protected. They are presented with a blurred version of the Excel file and are told they need to enable editing to view the content – a red flag that should be identified by security-aware employees. If that red flag is missed, enabling content will trigger the exploitation of the vulnerability that ultimately delivers the Remcos RAT. Businesses with an advanced DNS-based web filter will have another layer of protection, as the URLs hosting the malicious files should be blocked.
TitanHQ offers cutting-edge cybersecurity solutions that provide exceptional protection against phishing, BEC, and malware attacks, blocking the initial emails and connections to malicious websites to prevent end users from viewing malicious emails (SpamTitan) and preventing malicious file downloads from the Internet (WebTitan). In November 2024 tests by Virus Bulletin, TitanHQ’s SpamTitan Solution had a 100% phishing and malware block rate. TitanHQ also provides a comprehensive security awareness training platform (SafeTitan) to teach cybersecurity best practices and keep employees aware of the latest threats. The platform also incorporates a phishing simulator for reinforcing training. Give the TitanHQ team a call today for more information on TitanHQ solutions and how they can improve your defenses against email, web, SMS, and voice-based threats at your business.
by titanadmin | Oct 31, 2024 | Phishing & Email Spam |
The notorious Russian advanced persistent threat (APT) group Midnight Blizzard (aka Cozy Bear, APT29) has been conducting a massive spear phishing campaign on targets in the United Kingdom, Europe, Australia, and Japan. Midnight Blizzard is a hacking group with strong links to Russia’s Foreign Intelligence Service (SVR) which engages in espionage of foreign interests and seeks persistent access to accounts and devices to steal information of interest to the SVR. The latest campaign is a highly targeted information-gathering exercise that was first observed on October 22, 2024.
While Midnight Blizzard’s spear phishing attacks are usually conducted on government officials and individuals in non-governmental organizations (NGOs), individuals in academia and other sectors have also been targeted. The spear phishing attacks were identified by Microsoft Threat Intelligence which reports that thousands of emails have been sent to more than 100 organizations and the campaign is ongoing. While spear phishing is nothing new, Midnight Blizzard has adopted a new tactic in these attacks and is sending a signed Remote Desktop Protocol (RDP) configuration file as an email attachment, with a variety of lures tailored to the individual being targeted. Some of the intercepted emails impersonated Microsoft, others impersonated cloud service providers, and several of the emails used lures related to zero trust. The email addresses used in this campaign have been previously compromised in other Midnight Blizzard campaigns.
Amazon has also reported that it detected phishing emails that impersonated Amazon Web Services (AWS), attempting to trick the recipients into thinking AWS domains were used; however, the campaign did not seek AWS credentials, as Midnight Blizzard is targeting Windows credentials. Amazon immediately started the process of seizing the domains used by Midnight Blizzard to impersonate AWS and that process is ongoing.
RDP files contain automatic settings and resource mappings and are created when a successful connection to an RDP server occurs. The attached RDP files are signed with a Lets Encrypt certificate and extend features and resources of the local system to a remote server under the attacker’s control. If the RDP file is executed, a connection is made to a server under the control of Midnight Blizzard, and the targeted user’s local device’s resources are bidirectionally mapped to the server.
The server is sent resources including logical hard disks, clipboard contents, printers, connected devices, authentication features, and Windows operating system facilities. The connection allows the attacker to install malware, which is set to execute via AutoStart folders, steal credentials, and download other tools to the user’s device, including remote access trojans to ensure that access to the targeted system is maintained when the RDP session is closed.
Since the emails were sent using email addresses at legitimate organizations, they are unlikely to be flagged as malicious based on reputation checks by anti-spam software, although may be detected by more advanced anti-spam services that incorporate machine learning and AI-based detection mechanisms and email sandboxing. You should configure your spam antivirus filter to block emails containing RDP files and other executable files and configure your firewall to block outbound RDP connection attempts to external or public networks. Multifactor authentication should be configured on all accounts to prevent compromised credentials from granting access, and consider blocking executable files from running via your endpoint security software is the executable file is not on a trusted list. Also, ensure that downloaded files are scanned using antivirus software. A web filter can provide added protection against malicious file downloads from the internet.
An anti-phishing solution should also be considered for augmenting the protection provided through Microsoft Defender and EOP for Microsoft 365. PhishTitan from TitanHQ has been shown to improve protection and block threats that Microsoft’s anti-phishing solution fails to detect, augmenting rather than replacing the protection provided by EOP and Defender. It is also important to provide security awareness training to the workforce and ensure that spear phishing and RDP file attachments are included in the training. Also, consider conducting spear phishing simulations.
by titanadmin | Oct 30, 2024 | Phishing & Email Spam, Security Awareness |
Several new campaigns have been detected in recent weeks that use diverse tactics to trick people into disclosing sensitive information and installing malware.
Cybercriminals Target Crypto Wallets via Webflow Sites
Webflow is a software-as-a-service company that businesses can use to accelerate website development. The platform makes it easier to create websites and web pages, simplifying and eliminating many of the complex tasks to speed up website creation. Cybercriminals have taken advantage of the platform and are using it to rapidly spin up phishing pages and create pages to redirect users to malicious sites. One of the main advantages of Webflow compared to alternative platforms is the ease of creating custom subdomains, which can help phishers make their phishing pages more realistic. Subdomains can be created to mimic the login pages that they are impersonating, increasing the probability that individuals will be fooled into disclosing their credentials.
The number of detected phishing pages on Webflow has increased sharply, especially for crypto scams. One of the campaigns impersonated the Trezo hardware wallet. Since the subdomain can be customized to make the phishing page appear official, and screenshots of the actual Trexor site are used, these phishing pages can be very convincing. In these campaigns, the aim is to steal the seed phrases of the victim to allow the threat actor to access cryptocurrency wallets and transfer the funds. In one campaign, when the seed phrase is disclosed, the user is told their account has been suspended for unauthorized activity and they are told to launch a chat service for support. The chat service is manned by the threat actor who keeps the victim engaged while their wallet is emptied.
Hackers Use Deepfakes to Target Finance Professionals
The cost of artificial intelligence (AI) solutions is falling and cybercriminals are taking advantage. AI is increasingly being used to manipulate images, audio, and video recordings to make their scams more convincing. These deepfakes are realistic and more effective at tricking individuals into making fraudulent wire transfers than business email compromise scams, as they include deepfake videos of the person being spoofed. Cybercriminals use AI tools to create deepfakes from legitimate video presentations and webinars, impersonating an executive such as the CEO or CFO in an attack on finance team members. The aim is to trick the employees into making a wire transfer. Earlier this year, the engineering group Arup was targeted using a deepfake of the company CFO, and $25 million was transferred to the scammers in transfers to five different bank accounts.
Vendors are often spoofed in deepfake scams to trick their clients into wiring payments to attacker-controlled bank accounts. A recent survey by Medius revealed that 53% of finance professionals in the UK and US had experienced at least one attempted deepfake scam. These scams may occur over the phone, with the deepfake occurring in real-time, and there have been many cases of deepfake impersonations over video conferencing platforms such as Microsoft Teams and Zoom.
North Korean Hackers Target Developers with Fake Job Interviews
The North Korean hacking team, Lazarus Group, is known to use diverse tactics in its attacks. The group has now been observed infiltrating business networks by obtaining positions as IT workers. According to Mandiant, dozens of Fortune 100 companies have been tricked into hiring workers from North Korea, who steal corporate data after being hired. One UK firm discovered they had been duped 4 months after employing an It worker who was actually based in North Korea. The IT worker used the network access provided to siphon off sensitive data, and when the worker was sacked for poor performance, demanded a ransom to return the stolen data. Researchers believe the data was provided to North Korea.
The Lazarus Group has also been targeting developers through fake interviews. The group hosts fake coding assessments on legitimate repositories such as GitHub and hides malicious code in those repositories, especially in Python files. The developers are tricked into downloading the code and are tasked with finding and fixing a bug but will inadvertently execute the malicious code regardless of whether they complete the assessment. The hackers often pose as legitimate companies in the financial services.
Legitimate File-Hosting Services Used for Phishing Attacks and Malware Distribution
One of the ways that cybercriminals attempt to bypass filtering mechanisms is to use legitimate hosting services for phishing and malware delivery. Dropbox, OneDrive, Google Drive, and SharePoint are all commonly used by cybercriminals. These services are used by businesses for storing and sharing files and for collaboration, so these services are often trusted. They are also often trusted by security solutions. Tactics commonly used include sharing links to files hosted on these services via phishing emails, often restricting access to the files to prevent detection by security solutions. For instance, the user is required to be logged in to access the file. Files may be hosted in view-only mode to avoid detection by security solutions, with social engineering techniques used to fool the user into downloading the files.
Cybercriminals are constantly evolving their tactics to phish for credentials, distribute malware, and gain unauthorized access to sensitive data. Businesses need to adopt a defense-in-depth approach to security, adding several layers to their defenses to combat new threats. These measures include an advanced spam filtering service with machine learning capabilities and email sandboxing, a web filter for blocking access to malicious websites and preventing malware downloads from the Internet, anti-phishing solutions for Microsoft 365 environments to block the threats that Microsoft often fails to detect, and comprehensive security awareness training for the workforce.
Cybercriminals will continue to evolve their tactics, so security solutions should also be able to evolve and be capable of detecting zero-day threats. With TitanHQ as your security partner, you will be well protected against these rapidly changing tactics. Give the TitanHQ team a call today to find out more about improving your technical and human defenses against these threats.
by titanadmin | Oct 28, 2024 | Phishing & Email Spam |
For many years, cybercriminals have favored Office documents for distributing malware. These documents are familiar to most workers and are likely to be opened because they are so familiar and used so often. The documents may contain hyperlinks to malicious websites where malware is downloaded, but the easiest method is automating the delivery of malware using a malicious macro. If that macro is allowed to run, the infection process will be triggered.
Microsoft has helped to make documents and spreadsheets more secure by disabling macros by default if they have been delivered via the Internet and increasing numbers of companies are providing workforce security awareness training and instructing their employees not to enable content on Office documents delivered via the Internet. It has become much harder for cybercriminals to distribute malware using these file formats, so they have turned to script languages for malware delivery.
The use of VBScript and JavaScript in malware distribution campaigns has been increasing, with these executable files often hidden from security solutions by adding them to archive files. The scripts used in campaigns are snippets of code that include command sequences, which automate the downloading and execution of malware, often only operating within the system’s memory to avoid detection. The user is likely to be unaware that malware installation has been triggered.
For example, in one campaign, a malicious VBS script was hidden in an archive file to evade email security defenses. If extracted and executed, the script executes PowerShell commands, which can be difficult for security solutions to identify as malicious. PowerShell triggered the BitsTransfer utility to fetch another PowerShell script, which downloaded and decoded Shellcode, which in turn loaded a second shellcode that used the Windows wab.exe utility to download an encrypted payload. The shellcode decrypted and incorporated the payload into wab.exe, turning it into the remote access trojan, Remcos RAT. This multi-stage infection process used living-off-the-land techniques to evade security solutions, and it all started with an email that used social engineering to trick the recipient into executing the script.
Using this attack as an example, there are opportunities for identifying the email for what it really is. Businesses need to ensure they have advanced email security defenses in place such as an advanced spam filter for Office 365 or a machine-learning/AI-driven spam filtering service. These services perform standard checks of inbound email, such as anti-spoofing and reputation checks on the sender, Bayesian analysis to determine whether the email is likely to be spam, but also machine learning checks, where the inbound message is compared against the emails typically received by a business and is flagged if any irregularities are found.
Anti-virus scans are useful for detecting malware, but these checks can often be evaded by adding malicious scripts to archive files, and the multi-stage process involved in infection is often sufficient to defeat signature-based malware detection. An email security solution therefore needs to also use email sandboxing. All attachments capable of being used for malicious purposes are scanned with an anti-virus engine and are then sent to the sandbox for deep analysis. Malware sandboxing for email is important, as it detects malware not by its signature, but by its behavior, which is vital for identifying script-based malware delivery. While there are sandboxing message delays, it prevents many costly malware infections.
SpamTitan, TitanHQ’s cloud-based anti-spam service, incorporates these checks to provide exceptional malware detection. In recent independent tests, SpamTitan blocked 100% of malware and had a 99.99% phishing catch rate and a 0.000% false positive rate. In addition to using an advanced spam filter, businesses can further reduce risk by blocking delivery of the 50 or so archive file formats supported by Windows if they are not used by the business.
It is also important to provide continuous security awareness training to the workforce to improve awareness of threats and the new tactics, techniques, and procedures being used by threat actors to trick individuals into providing them with network access. This is easily down with TitanHQ’s SafeTitan security awareness training platform solution, especially when combined with phishing simulations.
Cyberattacks targeting individuals are increasing in sophistication and standard security defenses are often evaded. To find out more about improving your defenses against sophisticated phishing, malware, and business email compromise threats, give the TitanHQ team a call. Improving your defenses is likely to be much cheaper than you think.
by titanadmin | Oct 26, 2024 | Phishing & Email Spam |
The purpose of phishing attacks is usually to steal credentials to gain unauthorized access to accounts. If an employee falls for a phishing attack and their credentials are obtained, the attacker can gain access to that user’s account and any data contained therein. That access can be all that is required for the threat actor to achieve a much more extensive compromise.
Oftentimes, a threat actor conducts a more extensive phishing campaign on multiple employees at the same organization. These phishing attacks can be harder to spot as they have been tailored to that specific organization. These attacks usually spoof an internal department with the emails seemingly sent from a legitimate internal email account. The emails may address each individual by name, or appear to be broadcast messages to staff members. One successful campaign was identified by the Office of Information Technology at Boise State University, although not before several employees responded to the emails and disclosed their credentials. In this campaign, the emails were addressed to “Dear Staff,” and appeared to have been sent from the postmaster account by “Health Services,” purporting to be an update on workplace safety. The emails had the subject line “Workplace Safety: Updates on Recent Health Developments,” with a similar campaign indicating a campylobacter infection had been reported to the health department.
In the message, recipients were advised about a health matter involving a member of staff, advising them to contact the Health Service department if they believed they had any contact with the unnamed worker. In order to find out if they had any contact with the worker, the link must be clicked. The link directed the user to a fraudulent login page on an external website, where they were required to enter their credentials. The login page had been created to look like it was a legitimate Boise State University page, captured credentials, and used a Duo Securit notification to authorize access to their account.
These targeted campaigns are now common, especially at large organizations where it is possible to compromise a significant number of accounts and is worth the attacker’s time to develop a targeted campaign. Another attack was recently identified by the state of Massachusetts. The attacker created a fake website closely resembling the HR/CMS Employee Self-Service Time and Attendance (SSTA) system, which is used for payroll. Employees were tricked into visiting the portal and were prompted to enter their credentials, which the attacker used to access their personal and direct deposit information. In this case, the aim of the attack appeared to be to change direct deposit information to have the employees’ wages paid into the attacker’s account. Several employees were fooled by the scam; although in this case the attack was detected promptly and the SSTA system was disabled to prevent fraudulent transfers.
A different type of campaign recently targeted multiple employees via email, although the aim of the attack was to grant the threat actor access to the user’s device by convincing them to install the legitimate remote access solution, AnyDesk. The threat actor, the Black Basta ransomware group, had obtained employee email addresses and bombarded them with spam emails, having signed them up for newsletters via multiple websites. The aim was to create a legitimate reason for the next phase of the attack, which occurred via the telephone, although the group has also been observed using Microsoft Teams to make contact. The threat actor posed as the company’s IT help desk and offered assistance resolving the spam problem they created, which involved downloading AnyDesk and granting access to their device. During the session, tools are installed to provide persistent access. The threat actor then moved laterally within the network and extensively deployed ransomware.
These attacks use social engineering to exploit human weaknesses. In each of these attacks, multiple red flags should have been spotted revealing these social engineering attempts for what they are but more than one employee failed to spot them. It is important to provide security awareness training to the workforce to raise awareness of phishing and social engineering threats, and for training to be provided regularly. Training should include the latest tactics used by threat actors to breach networks, including phishing attacks, fake tech support calls, malicious websites, smishing, and vishing attacks.
A phishing simulator should be used to send realistic but fake phishing emails internally to identify employees who fail to spot the red flags. They can then receive additional training relative to the simulation they failed. By providing regular security awareness training and conducting phishing simulations, employers can develop a security culture. While it may not be possible to prevent all employees from responding to a threat, the severity of any compromise can be limited. With TitanHQ’s SafeTitan solution, it is easy to create and automate tailored training courses and phishing simulations that have been shown to be highly effective at reducing susceptibility to phishing and other threats.
Since threat actors most commonly target employees via email, it is important to have robust email defenses to prevent the threats from reaching employees. Advanced anti-spam services such as SpamTitan incorporate a wide range of threat detection methods to block more threats, including reputation checks, extensive message analysis, machine-learning-based detection, antivirus scans, and email sandboxing for malware detection. SpamTitan has been shown to block more than 99.99% of phishing threats and 100% of malware.
by titanadmin | Oct 24, 2024 | Phishing & Email Spam |
Phishing is one of the most effective methods used by cyber actors to gain initial access to protected networks Phishing tactics are evolving and TOAD attacks now pose a significant threat to businesses. TOAD stands for Telephone-Oriented Attack Delivery and is a relatively new and dangerous form of phishing that involves a telephone call, although there are often several different elements to a TOAD attack which may include initial contact via email, SMS messages, or instant messaging services.
TOAD attacks often start with an information-gathering phase, where the attacker obtains personal information about individuals that can then be targeted. That information may only be a mobile phone number or an email address, although further information is required to conduct some types of TOAD attacks.
One of the most common types of TOAD attacks is callback phishing. The attacker impersonates a trusted entity in an email and makes a seemingly legitimate request to make contact. There is a sense of urgency to get the targeted individual to take prompt action. Rather than use a hyperlink in the message to direct the user to a website, the next phase of the attack takes place over the telephone or a VOIP-based service such as WhatsApp. A phone number is included that must be called to resolve a problem.
If the call is made, the threat actor answers and during the call, trust is built with the caller and the threat actor makes their request. That could be an instruction to visit a website where sensitive information must be entered or a file must be downloaded. That file download leads to a malware infection.
Several TOAD attacks have involved the installation of legitimate remote access software. One campaign involved initial contact via email about an expensive subscription that was about to be renewed, which required a call to cancel. The threat actor convinces the user to download remote access software which they are told is necessary to prevent the charge being applied, such as to fully remove the software solution from the user’s device.
The user is convinced to give the threat actor access to their device through the software and the threat actor keeps the person on the line while they install malware or perform other malicious actions, reassuring them if they get suspicious. Other scams involve initial contact about a fictitious purchase that has been made, or a bank scam, where an email impersonates a bank and warns the victim that an account has been opened in their name or a large charge is pending. These attacks result in the victim providing the threat actor with the information they need to access their account.
TOAD attacks often involve the impersonation of a trusted individual, who may be a colleague, client, or even a family member. Since information is gathered before the scam begins, when the call is made, the threat actor can provide that information to the victim to convince them that they are who they claim to be. That information may have been purchased on the dark web or obtained in a previous data breach. For instance, following a healthcare data breach, the healthcare provider may be impersonated, and the attacker can provide medical information in their possession to convince the victim that they work at the hospital.
The use of AI tools makes these scams even more convincing. Deepfakes are used, where a person’s voice is mimicked, or video images are manipulated on video conferencing platforms. Deepfakes were used in a scam on an executive in Hong Kong, who was convinced to transfer around £20 million in company funds to the attacker’s account, believing they were communicating with a trusted individual via a video conferencing platform.
TOAD attacks may be solely conducted over the phone, where the attacker uses call spoofing to manipulate the caller ID to make it appear that the call is coming from a known and previously verified number. Other methods may be used to convince the victim that the reason for the call is genuine, such as conducting a denial-of-service attack to disrupt a service or device to convince the user that there is an urgent IT problem that needs to be resolved. TOAD attacks are increasing because standard phishing attacks on businesses are becoming harder to pull off due to email security solutions, multifactor authentication, and improved user awareness about scam messages.
Unfortunately, there is no single cybersecurity solution or method that can combat these threats. A comprehensive strategy is required that combines technical measures, security awareness training and administrative controls. Advanced anti-spam software with machine learning and AI-based detection can identify the emails that are used for initial contact. These advanced detection capabilities are needed because the initial emails often contain no malicious content, other than a phone number. SpamTitan, TitanHQ’s cloud-based anti-spam service, can detect these initial emails through reputation checks on the sender’s IP address, email account, and domain, and machine learning is used to analyze the message content, including comparing emails against the typical messages received by a business.
WebTitan is a cloud-based DNS filter that is used to control the web content that users can access. WebTitan will block access to known malicious sites and can be configured to prevent certain file types from being downloaded from the internet, such as those commonly used to install malware, unauthorized apps, and remote access solutions.
Regular security awareness training is a must. All members of the workforce should be provided with regular security awareness training and TOAD attacks should feature in the training content. SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, makes it easy for businesses to create and automate training courses for the workforce. Employees should be trained in how to identify a TOAD attack, told not to trust caller ID alone, to avoid clicking links in emails and SMS messages, and to be vigilant when receiving or making calls, and to report any suspicious activity and immediately end a call if something does not seem right.
by titanadmin | Oct 20, 2024 | Phishing & Email Spam |
Researchers have identified a new phishing kit that is being used to steal credentials for Microsoft 365 accounts and gain access to accounts protected by multi-factor authentication (MFA). The phishing kit, called Mamba 2FA is a cause of concern as it has the potential to be widely adopted given its relatively low price and there are signs it is proving popular with cybercriminals since its release in late 2023. Phishing kits make it easy for low-skilled cybercriminals to conduct sophisticated attacks as they provide all the tools required to breach accounts. The Mamba 2FA kit includes the necessary infrastructure to conduct phishing campaigns, masks IP addresses to prevent them from being blocked, and updates the phishing URLs frequently to ensure they remain active and are not blocked by security solutions.
The Mamba 2FA kit includes phishing pages that mimic Microsoft services such as OneDrive and SharePoint, and the pages can be customized to create realistic phishing URLs for targeting businesses, including allowing the business logo and background images to be added to the login page. Since businesses often have MFA enabled, simply stealing Microsoft credentials is not sufficient, as the MFA will block any attempt to use the credentials for unauthorized access. Like several other popular phishing kits, the Mamba 2FA kit supports adversary-in-the-middle (AitM) attacks, incorporating proxy relays to steal one-time passcodes and authentication cookies in real time. When credentials are entered into the phishing page, they are relayed to Microsoft’s servers in real-time and Microsoft’s responses are relayed back to the victim, including MFA prompts, which allows the threat actor to steal the session cookie and gain access to the user’s account.
Phishing kits such as Mamba 2FA pose a serious threat to businesses, which should take steps to protect against attacks. The AitM tactics can defeat less secure forms of MFA that are based on one-time passwords but are not effective against hardware-based MFA. Implementing phishing-resistant MFA will ensure these attacks do not succeed. Other recommended controls include geo-blocking and allowlisting for IPs and devices. While these advanced phishing kits are effective, threat actors must convince people to click a link in an email and disclose their login credentials, and with advanced email security solutions these phishing threats can be identified and blocked before they reach inboxes. Training should also be provided to the workforce to help with the identification and avoidance of phishing.
TitanHQ can help through the SpamTitan cloud-based spam filtering service and the SafeTitan security awareness training and phishing simulation platform. SpamTitan incorporates reputation checks, Bayesian analysis, greylisting, machine learning-based detection, antivirus scans, and email sandboxing to block phishing and malware threats. Independent tests demonstrated SpamTitan was one of the best spam filtering solutions for businesses at blocking threats, with a 99.99% phishing block rate and a 100% malware block rate.
The SafeTitan security awareness training platform makes it easy for businesses to provide regular cybersecurity awareness training. The platform includes more than 80 training modules, videos, and webinars, with hundreds of phishing simulation templates based on real-world phishing examples. Regular training and phishing simulations have been proven to be highly effective at reducing susceptibility to phishing and other threats targeting employees. This month, TitanHQ has also launched its security awareness training platform for MSPs, which has been specifically developed to make it quick and easy for MSPs to incorporate security awareness training into their service stacks. Speak with TitanHQ today for more information about these and other cybersecurity solutions for combatting the full range of cyber threats.
by titanadmin | Sep 28, 2024 | Phishing & Email Spam, Security Awareness, Spam Software |
New SEO poisoning, phishing, and deepfake techniques have been identified in campaigns for malware delivery, credential theft, and financial fraud this month. It is important to ensure you have appropriate defenses in place and you update your training programs to raise awareness of these new tactics.
SEO Poisoning Used to Deliver Wikiloader Malware Masquerading as the GlobalProtect VPN
Early in September, Palo Alto Networks reported that its virtual private network, GlobalProtect, was being spoofed in a campaign to deliver Wikiloader (WailingCrab) malware – A malware variant used for delivering other malware payloads onto infected devices. The threat actors behind Wikiloader campaigns sell access to other cybercriminals. An infection with Wikiloader could lead to all manner of other infections.
This campaign was focused on the higher education and transportation sectors and like many malware distribution schemes used search engine (SEO) poisoning to get malicious websites to appear high in the search engine listings for key search terms targeting those sectors. The campaign claimed to offer a download of GlobalProtect and used a combination of cloned webpages and cloud-based git repositories and delivered a file – named GlobalProtect64.exe – offering the VPN. The file delivered was a trojanized version of a share trading application, that sideloaded a malicious DLL that allowed the execution of shellcode that delivered Wikiloader from a remote server. On execution, the user was told that GlobalProtect could not be installed due to missing libraries.
This was a marked change from other campaigns that have distributed Wikiloader, which has previously been delivered via phishing emails. This is the first time that GlobalProtect has been spoofed to deliver Wikiloader. The change in tactics is believed to be due to a different initial access broker starting using Wikiloader.
Threat Actors Increasingly Using Archive Files for Email Malware Distribution
One of the most common ways of delivering malware is via phishing emails with malicious attachments. For years, the most common method involved emailing Microsoft Office documents that contained malicious macros. If the files are opened and macros are allowed to run, a malware download will be triggered. A variety of file attachments are now used for malware delivery, including PDF files, which allow links, scripts and executable files to be incorporated into the files. To hide malicious files from email security solutions, they are often added to archive files.
According to a recent analysis by HP security researchers, 39% of malware deliveries came from archive files in Q2, 2024, up from 27% the previous quarter. The researchers noted that in addition to using the most popular and well-known archive formats such as.zip, .rar, and .7z, more obscure archive files are increasingly being used. The researchers identified around 50 different archive file formats in Q2. Threat actors are also moving away from documents and are instead favoring script languages such as VBScript and JavaScript for malware delivery, with the scripts hidden in encrypted archive files to evade email security defenses.
End users are less likely to identify obscure archive formats and script files as malicious, as security awareness training has tended to focus on malicious documents containing macros. Security awareness training programs should inform employees about the different file types that may be used for malware delivery and safeguards should be implemented to reduce the risk of malware downloads, such as advanced spam filter software and web filters for blocking malware downloads from the Internet.
Deepfakes Increasingly Used in Attacks on Businesses
Deepfakes are increasingly being used in attacks on businesses on both sides of the Atlantic, and these scams have proved to be highly effective in financial scams. According to a survey conducted by Medius, around half of UK and US businesses have been targeted with deepfake scams and around 43% have fallen victim to the scams. Deepfake scams use artificial intelligence to alter images, videos, and audio recordings, making it appear that respected or trusted individuals are requesting a certain action.
The individuals deepfaked in these scams include executives such as the CEO and CFO, as well as vendors/ suppliers. For example, a deepfake of the CEO of a company was used in a video conference call with the company’s employees. In one of these scams, an Arup employee was tricked into making 5 fraudulent transfers to Hong Kong bank accounts before the scam was detected. These scams highlight the importance of covering deepfakes in security awareness training.
TitanHQ Solutions That Can Help Protect Your Business
TitanHQ has developed a range of cybersecurity solutions for businesses and managed service providers to help defend against increasingly sophisticated cyberattacks.
- SpamTitan Email Security – An advanced AI-driven cloud-based anti-spam service with email sandboxing that has been recently shown to block 99.98% of phishing threats and 100% of malware in independent performance tests.
- PhishTitan Microsoft 365 Phishing Protection – A next-generation anti-phishing and phishing remediation solution for Microsoft 365 environments that augments native M365 defenses and blocks threats that EOP and Defender misses
- WebTitan DNS Filter – A cloud-based DNS filtering and web security solution providing AI-driven threat protection with advanced web content controls for blocking malware delivery from the Internet and access to malicious websites.
- SafeTitan Security Awareness Training – A comprehensive, affordable, and easy-to-use security awareness training and phishing simulation platform that delivers training in real-time in response to security mistakes.
For more information on these solutions, give the TitanHQ sales team a call today. All TitanHQ solutions are available on a free trial and product demonstrations can be arranged on request.
by titanadmin | Sep 27, 2024 | Phishing & Email Spam |
Generative artificial intelligence (GenAI) services are already being leveraged by cybercriminals to create convincing phishing emails, and it appears that these tools are being used for the creation of malware. GenAI services are capable of writing code; however, guardrails have been implemented to prevent malicious uses of these tools, such as the creation of malware. If those guardrails can be circumvented, the creation of malware would no longer be limited to skilled malware developers. Lower-skilled cybercriminals could develop their own malware using GenAI services, and there is growing evidence they are doing just that.
Over the summer, HP security researchers identified an email campaign targeting French users. The phishing email used HTML smuggling (encrypted HTML) to evade detection, and on analysis, the campaign delivered malicious VBScript and JavaScript code that appeared to have been created using GenAI tools. The entire malicious code included comments about what each function does, which is rare in malware development as the exact workings of the code tend not to be described. The comments, along with the use of native language function names and variables all suggest that GenAI was used to create the malware.
The code was used to deliver AsyncRAT malware, a widely available, open source malware that is an information stealer capable of recording the victim’s screen and logging keystrokes. The malware also acts as a malware downloader that can deliver other malware payloads, including ransomware. In this campaign, little technical skill was required as HTML smuggling does not require any programming, the malware being delivered is widely available, and the fact that the comments had not been removed and there was no obfuscation, points to the development of malware by an inexperienced cybercriminal.
There have been other examples of apparent malicious code creation using GenAI, such as a malicious PowerShell script identified earlier this year that was also used to deploy infostealer malware. That campaign targeted users in Germany and impersonated Metro cash-and-carry and was also delivered via email. Just as GenAI tools are helping writers rapidly create written content, GenAI tools can be used to rapidly develop malicious code. ChatGPT and Gemini have guardrails in place that it may be possible to circumvent, but there are many dark LLMs that lack those controls such as WormGPT and FraudGPT. If these tools are leveraged, relatively low-skilled cybercriminals can develop their own malware variants.
Traditional antivirus solutions use signature-based detection. When malware is identified, a signature is added to the antivirus solution for that specific malware variant that allows it to be detected in the future. There is a delay between the creation of malware and the addition of malware signatures to the definition lists of antivirus solutions, during which time malware can easily be smuggled onto devices undetected. If the creation of malware can be accelerated with GenAI tools, cybercriminals will have the upper hand.
The solution for businesses is to deploy security solutions capable of detecting novel malware variants by their behavior rather than a signature. Since malware is commonly delivered via email, having a cloud-based email security solution that incorporates behavioral analysis of attachments will help identify and neutralize these malware variants before they can be installed.
SpamTitan from TitanHQ is a cloud-based antispam software that incorporates email sandboxing. When standard antivirus checks are passed, suspicious emails and attachments are sent to a next-generation email sandbox for deep inspection, where the behavior of the attachments is assessed in an isolated sandbox environment. If malicious actions are detected, the threat is neutralized. SpamTitan also incorporates AI-based and machine-learning detection mechanisms to assist with malicious email detection, and along with a host of other checks ensure malicious emails are detected and blocked. In recent independent tests, SpamTitan has a 99.99% phishing catch rate and a 100% malware catch rate, with zero false positives.
SpamTitan, like all other TitanHQ cybersecurity solutions, is available on a free trial to allow you to see for yourself the difference it makes. To find out more about protecting your business from increasingly sophisticated threats, give the TitanHQ team a call.
by titanadmin | Sep 24, 2024 | Network Security, Phishing & Email Spam, Security Awareness |
Cybercriminals and nation state threat actors are targeting businesses to steal sensitive information, often also using file encryption with ransomware for extortion. Initial access to business networks is gained through a range of tactics, but the most common is the use of compromised credentials. Credentials can be guessed using brute force tactics, by exploiting password reuse in credential stuffing attacks, using malware such as keyloggers to steal passwords, or via phishing attacks.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), compromised credentials are the most common method for initial access in attacks on critical infrastructure entities. CISA revealed that 41% of all attacks on critical infrastructure used compromised credentials and phishing and spear phishing were identified as the second most common attack vector. A separate study by Osterman Research and OPSWAT revealed that the majority of critical infrastructure entities have suffered an email security breach in the past 12 months, with 75% of critical threats arriving via email.
Should any of these email threats arrive in inboxes, they could be opened by employees resulting in the theft of their credentials or the installation of malware. Both could provide a threat actor with the access they need to steal sensitive data and encrypt files with ransomware. Email threats usually impersonate a trusted entity such as a vendor, well-known organization, colleague, or previous acquaintance, which helps to make the correspondence appear authentic, increasing the likelihood of an employee responding.
According to CISA, the success rate of these emails depends on the technical defenses a business has in place and whether security awareness training has been provided to the workforce. The primary defense against phishing and other email attacks is a spam filter, which can be a cloud-based spam filtering service or gateway spam filter. CISA recommends implementing email filtering mechanisms incorporating Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), as both are important for protecting against spoofing and email modification.
Antiphishing defenses should rewrite URLs to show their true destination, and for maximum protection – especially against AI-generated phishing attempts – anti-spam software should incorporate machine learning and AI-based detection mechanisms and analyze email content to determine how emails deviate from the typical emails received by a business. Malware is often used in attacks, so spam filters should incorporate antivirus protection, including email sandboxing to detect malware based on its behavior rather than signature since many novel threats can bypass the signature-based defenses of standard anti-virus products.
A web filter is a useful tool for protecting against the web-based component of phishing attempts, as it can block access to known malicious websites and also prevent visits to malicious websites from general web browsing. Security awareness training should be provided frequently to the workforce to improve human-based defenses and reduce the risk of employees being tricked by social engineering and phishing attempts. Employees should also be provided with an easy way of reporting suspicious requests to their security teams. Backing up security awareness training with phishing simulations can help reinforce training and identify knowledge gaps.
To protect against compromised credentials, multifactor authentication should be implemented, with phishing-resistant MFA providing the highest level of protection. Password policies should be implemented that require the use of unique, strong passwords, all default passwords should be changed, and any inactive or unnecessary accounts should be disabled.
TitanHQ can help protect against these attacks through a suite of cybersecurity solutions. SpamTitan email Security, the WebTitan DNS-based web filter, the PhishTitan anti-phishing solution for Microsoft 365, and the SafeTitan security awareness training platform. All solutions have been developed to be easy for businesses to implement and use and provide cutting-edge protection against the full range of cyber threats. For more information give the TitanHQ team a call and take the first steps towards improving your defenses against increasingly sophisticated cyber threats.
by Jennifer Marsh | Aug 30, 2024 | Phishing & Email Spam |
QR codes are used for a wide range of purposes, including marketing, communications, and even in restaurants to direct diners to menus, and with the popularity of QR codes soaring it should be no surprise that they are being used by cybercriminals in their phishing campaigns. QR codes are similar to the bar codes on products. They are black and white images that contain information, which for QR codes is commonly a URL for a web page or hosted file. A camera on a smartphone is used to scan the code, which will detect the URL, and the user can click that URL to visit the resource. It is far more convenient than entering a URL on a mobile phone keypad.
The use of QR codes has been growing considerably. According to a 2024 report from QR Tiger on QR Code trends, there has been 47% year-over-year growth in QR code usage. The convenience of QR codes and their growing popularity have not been lost on cybercriminals who are using QR codes to direct unsuspecting users to malicious websites that host malware or are used to phish for credentials. As an added advantage, many traditional security solutions are unable to assess the URLs in QR codes and fail to block access to malicious sites.
QR code phishing (aka quishing) may involve QR codes sent via email. Instead of embedding a hyperlink in an email, a QR code is used to evade email security solutions. A novel campaign has recently been detected by security researchers at Netskope Threat Labs that uses QR codes to steal Microsoft 365 credentials. In this campaign, a Microsoft 365 product called Microsoft Sway is abused to host the spoofed web pages.
Microsoft Sway is used for creating newsletters and presentations and was first released by Microsoft under the M365 product suite in 2015. Since Microsoft Sway is a legitimate Microsoft cloud-based tool, a link to a Sway presentation is unlikely to be identified as malicious by security solutions, as Sway is a trusted platform. The link to the Sway presentation may be distributed in emails, SMS messages, and instant messenger platforms, or can be added to websites in an iframe. A QR code could even be used to direct a user to the Sway presentation.
That presentation includes a QR code that encodes a URL for a website that masquerades as a legitimate Microsoft site. If scanned, the user is directed to a web page where they are asked to enter their Microsoft 365 credentials. What makes this campaign even harder for users to identify is the transparent phishing technique used. Entering credentials will log the user into the legitimate site, and at the same time credentials are captured along with any MFA code, which are relayed to the attacker. The credentials and MFA code are then used to hijack the account.
TitanHQ offers several cybersecurity solutions that provide layered protection against advanced phishing attempts, including quishing. Since these scams target individuals, it is important to raise awareness of the threat by providing security awareness training to the workforce. The SafeTitan platform from TitanHQ includes a wealth of training content, including modules for raising awareness of quishing. The platform also includes a phishing simulator with quishing templates to test whether employees scan QR codes and visit the websites they encode.
Regardless of how a URL is communicated to a member of the workforce, it is possible to block access to a malicious URL with a DNS filter. TitanHQ’s DNS filter, WebTitan, blocks access to all known malicious websites and is constantly updated with the latest threat intelligence from a global network of users. As soon as a malicious URL is detected, the solution is updated and all WebTitan users are protected. QR code may direct users to websites where malware is downloaded. WebTitan can be configured to block file downloads from the internet by file type.
QR codes are commonly sent via email, so an advanced email security solution is required. SpamTitan is a cutting-edge spam filtering service that uses advanced detection techniques, including AI and natural language processing to identify and block these threats, even zero-minute phishing attempts. In contrast to many spam filters for incoming mail, SpamTitan can detect novel phishing and quishing attempts. Finally, businesses can add another layer of protection through PhishTitan, TitanHQ’s advanced anti-phishing solution for Microsoft 365 which blocks attempts to visit phishing sites and allows security teams to easily remediate phishing attempts across their entire email system.
Phishers are constantly developing new tactics and techniques for distributing malware and stealing credentials, but with TitanHQ solutions in place, you will be well protected against these rapidly evolving threats. Talk with TitanHQ’s cybersecurity experts today for more information on staying one step ahead of cybercriminals and keeping your company safe.
by Jennifer Marsh | Aug 29, 2024 | Phishing & Email Spam, Security Awareness |
If a phishing attempt is successful and a threat actor gains access to an employee’s email account, it is common for the compromised email account to be used for internal phishing. Some malware variants also allow threat actors to hijack email accounts and send malware internally, adding a copy of the malware to a message thread to make it appear that a file was attached in response to a past email conversation.
There are several different scenarios where these types of attacks will occur such as business email compromise attacks to gain access to an email account that can be used for the scam – a CEO, executive, HR, or IT department account for example; to distribute malware extensively to compromise as many accounts as possible; to gain access to multiple email accounts, or to compromise multiple accounts to gain access to sensitive data.
In industries where data breach reporting is mandatory, such as in healthcare in the United States, email account breaches are regularly reported where unauthorized activity is detected in a single email account, and the subsequent investigation reveals multiple employee email accounts have been compromised through internal phishing.
Internal phishing attempts are much harder to identify than phishing attempts from external email accounts. Even when email security solutions incorporate outbound scanning, these phishing attempts are often not recognized as malicious as the emails are sent from a trusted account. The recipients of these emails are also much more likely to trust an internal email than an external email from an unknown sender and open the email, click a link, or open a shared file.
Attackers may also spoof an internal email account. It is easy to find out the format used by a company for their emails, and names can be found on professional networking sites. A good email security solution should be able to identify these spoofed emails, but if they arrive in an inbox, an employee may be fooled into thinking that the email is a genuine internal email.
It is important for businesses to take steps to combat internal phishing as it is a common weak point in email defenses. Unfortunately, there is no single technical control that can protect against these phishing attempts. What is required is a combination of measures to provide layered protection. With layered security, if one measure fails to protect against a threat, others are in places that can thwart the attempt.
The best place to start is with a technical measure to identify and block these phishing threats. Spam filter software naturally needs to have inbound as well as outbound scanning; however, standard checks such as reputation scans are not enough. An email security solution should have AI and machine learning capabilities for assessing how emails deviate from standard emails sent internally and for in-depth analysis of message content. Link scanning is also important, with URL rewriting to identify the true destination of embedded URLs, OLE detection, and email sandboxing to identify malicious attachments – not just malware but also malicious links in email attachments.
Security awareness training is vital as employees may not be aware of threats they are likely to encounter. Security awareness training should include internal phishing and employees should be made aware that they should not automatically trust internal emails as they may not be what they seem. Security awareness training should be accompanied by phishing simulations, including simulated phishing attempts from internal email accounts. These will give employees practice in identifying phishing and security teams will learn how susceptible the workforce is and can then take steps to address the problem.
Multi-factor authentication is required. If a phishing attempt is not identified by either a security solution or the employee, and the employee responds and divulges their credentials, they can be used by the threat actor to access the employee’s email account. Multi-factor authentication protects against this by requiring another factor – in addition to a password – to be provided. The most robust form of MFA is phishing-resistant MFA, although any form of MFA is better than none.
TitanHQ can help protect against phishing attacks of all types through the SpamTitan cloud-based spam filtering service, the PhishTitan anti-phishing solution for M365, and the SafeTitan Security awareness training and phishing simulation platform.
The engine that powers SpamTitan and PhishTitan has an exceptional phishing catch rate, including internal phishing attempts. The engine incorporates AI- and machine learning algorithms that can detect novel phishing attempts and emails that deviate from the normal emails sent internally, as well as OLE detection, URL rewriting, and email sandboxing for catching novel malware and phishing threats.
The SafeTitan Security awareness training platform includes an extensive library of training content to teach security best practices, eradicate risky behaviors, and train employees on how to recognize an extensive range of threats. The phishing simulator makes it easy to conduct internal phishing tests on employees to test knowledge and give employees practice at identifying email threats. Usage data shows the platform can reduce employee susceptibility to phishing attempts by up to 80%.
For more information about improving your phishing defenses, speak with TitanHQ today.
by Jennifer Marsh | Aug 27, 2024 | Phishing & Email Spam, Security Awareness |
Business email compromise (BEC) and vendor email compromise (VEC) attacks can result in huge financial losses that can prove catastrophic for businesses, and these attacks are being conducted with increasing regularity.
BEC and VEC attacks have their roots in phishing and often involve phishing as the first stage of the attack. These attacks involve impersonation of a trusted person through spoofed or compromised email accounts. The attacker then tricks the targeted individual into disclosing sensitive information or making a fraudulent wire transfer. In the case of the latter, the losses can be considerable. A company employee at Orion, a Luxembourg carbon black supplier, resulted in fraudulent transfers of $60 million. The employee was tricked into believing he was conversing with a trusted vendor and made multiple fraudulent transfers to the attacker’s account.
BEC and VEC attacks are among the most difficult email threats to detect, as they often use legitimate, trusted email accounts so the recipient of the email is unaware that they are conversing with a scammer. Since the attacker often has access to emails, they will be aware of confidential information that no other individual other than the genuine account holder should know. The attacker can also check past emails between the account holder and the victim and can mimic the writing style of the account holder. These attacks can be almost impossible for humans to distinguish from genuine communications. Scammers often reply to existing email threads, which makes these scams even more believable.
BEC/VEC scammers are increasingly turning to AI tools to improve their attacks and AI tools make these scams even harder for humans and email security solutions to identify. AI tools can be fed past emails between two individuals and told to create a new email by mimicking the writing style, resulting in perfect emails that could fool even the most security-aware individual.
Some of the most convincing VEC attacks involve the use of compromised email accounts. The attacker gains access to the account through phishing or stolen credentials and searches through the account for information of interest that can be used in the scam. By searching through sent and stored emails, they can identify the vendor’s clients and identify targets. They are then sent payment requests for fake invoices, or requests are made to change the bank account information for genuine upcoming payments.
Due to the difficulty of identifying these threats, a variety of measures should be implemented to improve defenses, including administrative and technical controls, as well as employee training. In order to beat AI tools, network defenders need to adopt AI themselves, and should implement a spam filter with AI and machine learning capabilities, such as the SpamTitan cloud-based spam filtering service.
SpamTitan analyzes the genuine emails received by the company to create a baseline against which other emails can be measured. Through machine learning, Bayesian analysis, and other content checks, SpamTitan is able to identify the signs of BEC/VEC and alert end users when emails deviate from the norm. An anti-phishing solution is also strongly recommended to protect accounts against initial compromise and to raise awareness of potential threats. PhishTitan from TitanHQ incorporates cutting-edge threat detection with email banners warning about external emails and other threats and allows IT teams to rapidly remediate any attacks in progress.
Security awareness training is essential for raising awareness of the threat of BEC and VEC attacks. Since these scams target executives, IT, and HR staff, training for those users is vital. They should be made aware of the threat, taught how to identify these scams, and the actions to take when a potentially malicious message is received. With the SafeTitan security awareness training program it is easy to create training courses and tailor the content to cover threats each user group is likely to encounter to ensure the training is laser-focused on the most pertinent threats.
While spam email filtering and security awareness training are the most important measures to implement, it is also important to strengthen defenses against phishing through the adoption of multi-factor authentication on all email accounts, to prevent initial compromise. Administrative controls should also be considered, such as requiring employees to verify any high-risk actions, such as changes to bank accounts or payment methods, and maintaining a contact list of verified contact information to allow phone verification of any high-risk change. This two-step verification method can protect against all BEC/VEC attacks and prevent fraudulent payments.
by Jennifer Marsh | Aug 20, 2024 | Phishing & Email Spam |
Russian threat actors have been conducting increasingly advanced phishing campaigns against media organizations, international NGOs, and other targets perceived as being a threat to Russia. According to a recent report from Access Now and Citizen Lab, several international NGOs have reported being targeted with spear phishing emails in a campaign that has been ongoing since the start of 2023.
The campaign has been attributed to a threat actor known as COLDRIVER (aka Star Blizzard, Calisto) which multiple governments have attributed to the Russian Federal Security Service (FSB), and another campaign has been conducted by a second threat group, a relatively;y new threat group known as COLDWASTREL, whose interests align with those of COLDRIVER.
The campaigns aim to steal credentials rather than infect devices with malware. Spear phishing emails are used to make initial contact and trick the targets into disclosing their credentials. Emails are sent to individuals that have been highly personalized to maximize the probability of the recipient responding. A common theme was to make initial contact by masquerading as a person known to the target, including colleagues, funders, and U.S. government employees.
One of the common lures used in the emails was to request that the recipient review a document relevant to their work, which for media companies was often a draft article. In some of the emails, the document that the target was requested to view was not attached to the email. The failure to attach the file is likely a tactic used by the threat actor to see if the recipient responds and to only provide the file if they do. That could help to ensure that only the intended recipient is presented with the malicious file, reducing the risk of detection.
The file is often a PDF file, which if opened, only displays blurred text. The target is told that the text has been encrypted using an online service e.g. ProtonDrive. In order to view the document, the recipient is required to click a link. If the link is clicked, JavaScript code is fetched from the attacker’s server which fingerprints the system. If deemed to be of interest, they are directed to a URL that has a CAPTCHA check that must be passed to prevent bots from landing on the destination URL.
The landing page presents the user with a login prompt relevant to their email service, such as Gmail or ProtonMail, which may be pre-populated with the user’s email address so they are only required to enter their password and multifactor authentication code. If they are entered, the threat actor will obtain a session cookie that will allow them to access the account for some time before they are required to reauthenticate, allowing them to immediately access sensitive information in the target’s email account and associated online storage, such as Google Drive. The domains used for these campaigns did not remain operational for more than 30 days and they were registered with Hostinger, which rotates the IP addresses for the domains every 24 hours in an effort to prevent the sites being blocked by security solutions.
The targets of the campaign who spoke with the researchers chose to remain anonymous. They included Russian opposition figures in exile, NGO staff members in the US and Europe, funders, and media organizations. The researchers suggest that the campaign may have been conducted more broadly on other targets that are perceived threats to Russia. The researchers said a common theme among the targets was that they had extensive networks among sensitive communities and links to Russia, Ukraine, and Belarus.
Spear phishing campaigns can be highly effective as they are hyper-focused on small numbers of individuals and often are highly researched preceding initial contact to ensure that the right person is impersonated and a lure is used that the target is likely to respond to. Various measures are also used to reduce the chance of detection, including avoiding sending malicious content in the initial email, the use of CAPTCHA checks, and rotating IP addresses. Standard email security solutions may fail to detect these threats which means it is often down to the individuals to identify and avoid these threats. The consequences of failing to do so can be severe, especially for the targeted individuals in this campaign who could be subjected to physical harm or arrest and imprisonment.
Spear phishing is also used by cybercriminals in their campaigns, and while these attacks are typically financially motivated, they can cause significant harm to businesses. Similar tactics are used and the campaigns can be highly effective. To block spear phishing and other sophisticated phishing attacks, businesses need to have advanced email security measures that include email sandboxing and machine learning algorithms to identify potentially malicious emails, since standard checks of the sender’s reputation, embedded URLs, and malware scans are unlikely to identify anything suspicious. This is an area where TitanHQ can help. Give the team a call to find out more about protecting against advanced phishing and malware threats.
by Jennifer Marsh | Aug 15, 2024 | Phishing & Email Spam, Security Awareness |
Business Email Compromise (BEC) has long been one of the costliest types of cybercrime. According to the latest data from the Federal Bureau of Investigation (FBI) Internet Crime Compliant Center (IC3), almost 21,500 complaints were received about BEC attacks in 2023 resulting in adjusted losses of more than $2.9 billion. Between October 2013 and December 202, more than $50 billion was lost to BEC scams domestically and internationally.
What is Business Email Compromise?
BEC, also known as email account compromise (EAC), is a sophisticated scam that involves sending emails to individuals that appear to have come from a trusted source and making a legitimate-sounding request, which is typically a change to bank account details for an upcoming payment or payment of a fake invoice.
One such scam targets homebuyers, with the attacker impersonating the title company and sending details for a wire transfer for a down payment for a house purchase. Businesses are commonly targeted and asked to wire money for an upcoming payment to a different bank account. While the scammer is usually based overseas, the bank account may be at a bank in the victim’s home country. When the funds are transferred by the victim they are immediately transferred overseas or withdrawn, making it difficult for the funds to be recovered.
BEC attacks often start with phishing emails. The scammers use phishing to gain access to an employee’s email account, then the account is used to send phishing emails internally. The goal is to compromise the account of an executive such as the CEO or CFO. That account can then be used for the BEC part of the scam. Alternatively, vendors are targeted, such as construction companies, and their accounts are used for BEC attacks on their customers.
Once a suitable email account has been compromised, the scammers search through previous emails in the account to find potential targets – the company’s customers in the case of a vendor account or individuals responsible for making wire transfers in the case of a CEO’s account. The attackers study previous communications between individuals to learn the writing style of the account holder, and then craft their messages impersonating the genuine account owner. AI tools may also be used for this part of the scam or even researching targets. Alternatively, email accounts and websites may be spoofed, using slight variations of legitimate email addresses and domains. The information needed to conduct the scam may be gleaned from public sources or stolen via malware infections.
From here, a single request may be sent or a conversation may ensue over several emails to build trust before the request is made. Considerable time and effort is put into these scams because the effort is worth it for the scammers. The losses to these scams can be huge. Fraudulent wire transfers are often for tens of thousands of dollars or more, and with two recent scams, the losses have been immense.
Tens of Millions Fraudulently Obtained in BEC Scams
INTERPOL recently reported that it had successfully recovered more than $40 million stolen in a single BEC attack. The scammers targeted a commodities firm in Singapore, impersonating one of the company’s suppliers. In July, an email was received that had apparently been sent by the supplier requesting a pending payment be sent to a new bank account, in this case, the account was based in Timor Leste. In this scam, the email was sent from an account that differed slightly from the supplier’s legitimate email address. That difference was not identified and the bank account details were changed. A payment of $42.3 million was made to the account, and the transfer was only determined to be fraudulent when the supplier queried why the payment had not been received. INTERPOL was able to assist with the recovery of $39 million, and seven arrests were made which also involved the recovery of a further $2 million.
There has since been an even bigger scam and the victim was not so fortunate. The chemical manufacturing company Orion reported falling victim to a BEC attack that resulted in a $60 million loss. The Luxembourg firm told the U.S. Securities and Exchange Commission (SEC) that a non-executive employee was tricked into transferring the funds to multiple third-party accounts. So far, that loss has not been recovered.
How to Reduce Risk And Defeat BEC Attacks
Defending against BEC attacks can be a challenge, as legitimate email accounts are often used and the scammers are expert impersonators. The use of AI tools makes these scams even more difficult to identify. Defending against BEC attacks requires a defense-in-depth approach to prevent malicious emails from being delivered and prepare the workforce by improving awareness of the threats.
Security awareness training is vital. All members of the workforce should receive training and be made aware of BEC scams (and other cybersecurity threats). Training should cover the basics of these scams, such as why they are conducted and the attackers’ aims, as well as the red flags to look for. Phishing simulations can be highly beneficial, as BEC scams can be simulated to put training to the test and give individual practice at identifying these scams. TitanHQ’s SafeTitan platform includes BEC training material and a phishing simulator and makes it easy for businesses to improve their human defenses against BEC attacks.
Policies and procedures should be developed and implemented to reduce risk. For instance, it should be company policy for any requested change to banking credentials to be reviewed by a supervisor, and for any requested bank account changes by vendors to require verification by phone, using previously verified contact information.
It is vital to implement technical security measures to prevent email accounts from being compromised, malware from being installed, and to identify and block BEC emails. Traditional anti-spam software often fails to detect these sophisticated threats. A standard anti-spam appliance will perform a range of checks on the sender’s reputation and may be able to detect and block spoofed emails, but generally not emails sent from legitimate compromised accounts. Traditional anti-spam and antivirus solutions can detect known malware, but not novel malware threats.
What is needed is a next-generation hosted anti-spam service with machine learning and AI capabilities that can learn about the standard emails sent and received by a company or individual and determine when emails deviate from the norm and flag them as suspicious. AI-based protection is needed to defeat cybercriminals ‘ use of AI tools. The spam filtering service should also include email sandboxing in addition to standard anti-virus protection to identify and block novel malware threats, to prevent the malware infections that are used to gather information to support BEC attacks. SpamTitan from TitanHQ has all these features and more, with recent independent tests confirming the solution provides exceptional protection against phishing, spam, and sophisticated threats such as BEC attacks.
The most important thing to do is to take proactive steps to improve your defenses. Doing nothing could see your business featured in the next set of FBI statistics. Give the TitanHQ team a call today to discuss the best defenses for your business and find out more about how TitanHQ can help block BEC attacks and other cyber threats.
by Jennifer Marsh | Jul 31, 2024 | Phishing & Email Spam |
A massive phishing campaign that involved around 3 million emails a day was made possible due to a misconfiguration in Proofpoint’s email servers. The vulnerability was exploited to get the emails DomainKeys Identified Mail (DKIM) signed and approved by SPF, thereby ensuring the emails were delivered to inboxes.
Researchers at Guardio identified the campaign, which ran from January 2024 to June 2024 and at its peak involved sending around 14 million emails a day. The purpose of the campaign was to steal credit card numbers and set up regular credit card payments. The emails impersonated well-known brands such as Nike, Disney, Coca-Cola, and IBM. As is common in phishing attempts, the headers of the emails were spoofed to make it appear that the email had been sent by a genuine company. The majority of spam filters would be able to detect this spoofing and block the emails because they use Sender Policy Framework (SPF) and DKIM, specifically to detect and prevent spoofing.
Emails must be sent from approved servers to pass SPF checks and they must be authenticated using the DKIM encryption key for the domain. With DKIM, public-key cryptography is used to sign an email with a private key when it leaves the sender’s server, and the recipient server uses the public key to verify the source of the message. If the from filed matches the DKIM check is passed and the email is determined to be authentic and will be delivered. If not, the email will identified as spam and will be blocked. In this campaign the emails were all properly signed and authenticated, ensuring that they would be delivered.
For an email that impersonated Nike, a spoofed email address would be used with the nike.com domain, which thanks to passing the SPF and DKIM checks, would be verified by the recipient as having been authenticated. The recipient may be fooled that the email has come from the genuine company domain, and since the emails themselves contained that company’s branding and provided a plausible reason for taking action, the user may click the link in the email.
As with most phishing emails, there is urgency. Action must be taken quickly to avoid negative consequences, such as an impending charge, notification about the closure of an account, or another pressing matter. If the link is clicked, the user will be directed to a phishing site that also spoofs the brand and they are asked to provide their credit card details. Alternatively, they are offered a too-good-to-be-true offer, and by paying they also enroll in an ongoing subscription involving sizeable monthly charges.
The way that the attackers got around the checks was to send the emails from an SMTP server on a virtual server under their control and to route them through a genuine Office 365 account on an Online Exchange server, then through a domain-specific Proofpoint server which sent the email on to the intended recipient. Since the Proofpoint customers being spoofed had authorized the Proofpoint service to send emails on their behalf as an allowed email sender, the attackers only had to find a way to send spoofed emails through the Proofpoint relay. Due to a misconfiguration that allowed Microsoft Office 365 accounts to easily interact with its relay servers, they were able to do just that, pass SPF and DKIM checks, and make their fake emails appear to be clean.
They obtained the MX record for the company being spoofed by querying the domain’s public DNS, then routed the email through the correct Proofpoint host that is used to process email for that domain. Since the Proofpoint server was tricked into believing that the emails had come from the genuine domains of its customers – such as Nike and Disney – the emails were then forwarded to the intended recipients rather than being quarantined.
Spammers are constantly developing new methods of defeating the best email security solutions and while email security products can usually block spam and malicious emails, some will be delivered to recipients. This is why it is important to have layered defenses in place to protect against all phases of the attack. For instance, in this attack, spam filters were bypassed, but other measures could detect and block this attack. For instance, a web filter can be used to prevent a user from visiting a phishing website linked in an email, and security awareness training should be conducted to teach employees how to identify the signs of phishing, to check the domain of any website linked in an email, and to also check the domain when they arrive on any website.
by titanadmin | Jul 31, 2024 | Phishing & Email Spam |
Microsoft credentials are being targeted in phishing campaigns that abuse Microsoft Forms. Microsoft Forms is a feature of Microsoft 365 that is commonly used for creating quizzes and surveys. Microsoft Forms has been used in the past for phishing campaigns, and Microsoft has implemented phishing protection measures to prevent abuse, but these campaigns show that those measures are not always effective.
To increase the probability of the phishing emails being delivered and the recipients responding, threat actors use compromised email accounts for the campaigns. If a business email account can be compromised in a phishing attack, it can be used to send phishing emails internally. Vendor email accounts are often targeted and used to conduct attacks on their customers. The emails are likely to be delivered as they come from a trusted account, which may even be whitelisted on email security solutions to ensure that their messages are delivered.
If the recipient clicks the link in the email they are directed to a Microsoft Form, which has an embedded link that the user is instructed to click. If the link is clicked, the user is directed to a phishing page where they are asked to enter their Microsoft 365 credentials. If the credentials are entered, they are captured by the attacker and are used to access their account.
The initial contact includes messages with a variety of lures, including fake delivery failure notifications, requests to change passwords, and notifications about shared documents. When the user lands on the form, they are told to click a link and fill in a questionnaire, that link then sends the user to a phishing page that appears to be a genuine login page for Microsoft 365 or another company, depending on which credentials are being targeted.
The attackers make their campaign more realistic by using company logos in the phishing emails and familiar favicons in the browser tab on the fake web pages. Since Microsoft Forms is used in this campaign, the URL provided in the phishing emails has the format https://forms.office[dot]com, as the forms are on a genuine Microsoft Forms domain. Not only does that help to trick the user into thinking the request is genuine, but it also makes it much harder for email security solutions to determine that the email is not legitimate as the forms.office[dot]com is generally trusted as it has a high reputation score.
When these phishing campaigns are detected, Microsoft takes prompt action to block these scams. Each form has a ‘report abuse’ button, so if the scams are identified by users, Microsoft will be notified and can take action to shut it down. The problem is that these emails are being sent in huge numbers and there is a considerable window of opportunity for the attacks. Further, if the attacker’s campaign is detected, they can just set up different web pages and forms and continue.
These phishing campaigns involve two phases, the first phase involves compromising email accounts to send the initial phishing emails. An advanced email security solution with sandboxing, URL rewriting, and AI-based detection capabilities will help to block this first phase of the attack. Advanced anti-phishing solutions for Office 365 can reduce the number of phishing emails that land in inboxes, even when sent from trusted email accounts. Banner warnings in emails will help to alert users to potential phishing emails; however, users need to be vigilant as it may be up to them to spot and report the phishing attempt. That means security awareness training should be provided to raise awareness of these types of phishing attempts.
Security awareness training should also incorporate phishing simulations, and it is recommended to create simulations of phishing attempts using Microsoft Forms. If users fall for the fake Microsoft Forms phishing attempts, they can be provided with further training and told how they could have identified the scam. If another Microsoft Forms phishing attempt is received, they are more likely to be able to identify it for what it is.
TitanHQ can help businesses improve their defenses against phishing through the TitanHQ cybersecurity suite, which includes SpamTitan cloud-based anti-spam service, the PhishTitan anti-phishing solution, and the SafeTitan security awareness and phishing simulation platform. SpamTitan and PhishTitan have exceptionally high detection rates with a low false positive rate, and SafeTitan is the only behavior-driven security awareness training platform that delivers training in real-time in response to employee mistakes. Give the TitanHQ team a call today for more information about these products, you can book a product demonstration to find out more, and all solutions are available on a free trial.
by titanadmin | Jul 30, 2024 | Phishing & Email Spam, Security Awareness |
Cybersecurity awareness training is now vital for businesses to raise employees’ awareness of cyber threats. Here we will explain why you need real-time security awareness training and phishing simulations and the difference they can make to your security posture.
The biggest cybersecurity threat faced by businesses is phishing. Phishing attacks target employees as cybercriminals and nation-state actors know all too well that employees are a weak link in security defenses. If they can get a phishing email in front of an employee and give them a plausible reason for taking the action they suggest, they can steal credentials that will give them the access they need or get the employee to download and open a malicious file, that will download malware and provide persistent access to the network.
If doesn’t always need to be a sophisticated phishing attempt if the email lands in the inbox of a busy employee or one who lacks security awareness. Many unsophisticated phishing attempts succeed due to human error. The problem is that phishing attempts are often sophisticated, and are now being crafted using LLMs that not only ensure that the emails are devoid of spelling mistakes and grammatical errors, but LLMs can also help to devise new phishing lures.
All it takes is for one phishing attempt to be successful to give an attacker the access they need for an extensive compromise. Cybercriminals often gain access to an employee’s email account and then use that account to conduct further phishing attempts internally, until they compromise large numbers of email accounts and manage to steal credentials with high privileges. Since email accounts often contain a wealth of sensitive and valuable data, the attack does not even need to progress further for it to be costly to remediate.
Businesses need to ensure that they have robust email security defenses, including an email security solution with sandboxing, AI, and machine learning detection to identify and block malware threats and zero-day phishing attacks, malicious URL detection capabilities, and a solution that is constantly updated with the latest threat intelligence. While the most advanced cloud-based email security solutions will block the vast majority of malicious emails, they will not block all threats. For example, in recent independent tests, SpamTitan email security was determined to have a spam catch rate of 99.984%, a phishing catch rate of 99.99%, and a malware catch rate of 100% with zero false positives, finishing second in the test.
For the small percentage of malicious emails that do reach inboxes, employees need to be prepared, be on their guard, and have the skills to identify and report suspicious emails, which is where security awareness training and phishing simulations are needed.
The purpose of security awareness training is to raise the level of awareness of cyber threats within the workforce, teach cybersecurity best practices, and eliminate risky behaviors. Training will only be effective if it is provided regularly, building up knowledge over time. Training should ideally be provided in short regular training sessions, with training programs running continuously throughout the year. Each week, every employee can complete a short training module which will help to build awareness and keep security fresh in the mind, with the ultimate goal of creating a security culture where every employee is constantly on their guard and aware that the next email they receive could well be a phishing attempt or contain malware.
Training is most effective when combined with phishing simulations. You can teach employees how to recognize a phishing email, but simulations give them practice at detecting threats and applying their training. Further, the emails will be received when the employees are completing work duties, just the same as a genuine phishing threat. A phishing simulator can be used to automate these campaigns, and administrators can track who responds to determine the types of threats that are tricking employees and the individuals who are failing to identify threats. Training programs can then be tweaked accordingly to address the weaknesses.
The most effective phishing simulation programs automatically deliver training content in real-time in response to security mistakes. When a phishing simulation is failed, the employee is immediately notified and given a short training module relevant to the mistake they made. When training is delivered in real time it serves two important purposes. It ensures that the employee is immediately notified about where they went wrong and how they could have identified the threat, and the training is delivered at the point when it is likely to have the greatest impact.
SafeTitan from TitanHQ makes providing training and conducting phishing simulations simple. The training modules are enjoyable, can be easily fitted into busy workflows, and the training material can be tailored to the organization and individual employees and roles. The training and simulations can be automated and require little management, and since the content is constantly updated with new material and phishing templates based on the latest tactics used by cybercriminals, employees can be kept constantly up to date.
For more information about SafeTitan security awareness training and phishing simulations, give the TitanHQ team a call.
by Jennifer Marsh | Jul 29, 2024 | Phishing & Email Spam |
Businesses that rely on Microsoft Defender for detecting malware and phishing emails may not be as well protected as they think. While Defender performs a reasonable job at blocking malware, spam, and phishing emails, it lacks the high detection levels of many third-party anti-phishing solutions.
Take malware for example. A study conducted in 2022 by AV-Comparatives found Defender only had a 60.3% offline detection rate. Fast forward to Q2, 2024, and TitanHQ’s email security suite was put to the test alongside 12 other email security solutions by Virus Bulletin. In the independent tests, TitanHQ had a malware catch rate of 100%.
In the same round of testing, TitanHQ’s spam filter for Office 365 and the email security suite had a spam catch rate of over 99.98%, a phishing email catch rate of 99.99%, and was given an overall final score of 99.984, the second highest in the tests. It is possible to configure an email solution to provide maximum protection; however, that will be at the expense of an elevated number of false positives – genuine emails that are inadvertently marked as potentially suspicious and are quarantined until they are released by an administrator. In the tests, TitanHQ had a 0.00% false positive rate, with no genuine emails misclassified.
Another issue with Microsoft Defender is the exception list, which contains locations such as files, folders, and processes that are never scanned. These are used to ensure that legitimate apps are not scanned, to prevent them from being misclassified as malware. The problem is that the exception list lacks security protections, which means it can be accessed internally by all users. Should a device be compromised, a threat actor could access the exceptions list, identify folders and files that are not scanned, and use those locations to hide malware.
Given the increasingly dangerous threat environment and the high costs of a cyberattack and data breach, businesses need to ensure they are well-defended, which is why many businesses are choosing to protect their Microsoft 365 environments with TitanHQ’s PhishTitan anti-phishing solution.
PhishTitan is a cloud-based, AI-driven solution for Microsoft 365 that integrates seamlessly into M365 to increase protection from sophisticated phishing attacks. Rather than replacing Microsoft’s EOP and Defender protections, PhishTitan augments them and adds next-generation phishing protection, not only ensuring that more threats are blocked but also giving users easy-to-use remediation capabilities.
PhishTitan adds advanced threat detection capabilities through machine learning and LLM to identify the zero-day and emerging threats that are missed by Defender. PhishTitan provides real-time protection against phishing links in emails in addition to checks performed when the email is received. URLs are rewritten for Link Lock protection with all links reassessed at the point a user clicks to ensure that URLs that have been made malicious after delivery are detected and blocked. If the link is detected as malicious, access to that URL will be prevented.
PhishTitan also adds banner notifications to emails to alert users to unsafe content and emails from external sources, and the auto-remediation feature allows all threats to be instantly removed from the entire mail system, with robust cross-tenant features for detection and response for MSPs.
PhishTitan has also been developed to be quick to set up and configure. There is no need to change MX records, setup typically takes less than 10 minutes, and the solution is incredibly easy to manage. Why put up with inferior threat detection and complex interfaces, when you can improve the Office 365 phishing protection with an easy-to-use anti-phishing solution
Don’t take our word for it though. Take advantage of the free trial of PhishTitan to see for yourself. Product demonstrations can also be arranged on request.
by titanadmin | Jul 27, 2024 | Phishing & Email Spam |
A ZeroFont phishing campaign is being conducted that targets Microsoft 365 users. Rather than using the ZeroFont technique to hide malicious content from anti-spam software, this method aims to trick end users into thinking the email is genuine and safe.
The ZeroFont phishing technique was first identified in phishing attempts around five years ago, so it is not a new technique; however, this version uses a novel approach. When an email is sent to a business user, before that email is delivered it will be subject to various checks by the anti-spam server. The business’s anti-spam solution will perform reputation checks, scan the email for malware, and analyze the content of the email to search for signs of spam or phishing. Only if those checks are passed will the message be delivered to the end user. ZeroFont is a technique for hiding certain words from email security solutions to ensure that the messages are not flagged as spam and are delivered.
According to Check Point, Microsoft is the most commonly impersonated brand in phishing emails. If a threat actor impersonates Microsoft, they obviously cannot send the email from the Microsoft domain as they do not have access. Spam filters will check to make sure that the domain from which the email is sent matches the signature, and if there is no match, that is a strong signal that the email is not genuine. With ZeroFont, the signature used would only display Microsoft to the end user, and the spam filter is presented with a nonsensical string of text. The user would not see that text as the padding text around the word Microsoft is set to a font size of zero, which means the text is machine-readable but cannot be seen by the user.
A recent campaign uses the ZeroFont techniques but with a twist. In this campaign, the aim is not to trick a spam filter but to instead trick Outlook users. In Outlook, it is possible to configure the mail client with a listing view option, which will show the user the first lines of text of an email. The problem for phishers is getting Outlook users to engage with the messages, which means the messages must be sufficiently compelling so as not to be deleted without opening them. This is especially important if the sender of the email is not known to the recipient.
The email was detected by Jan Kopriva, who noticed that ZeroFont was used to make the message appear trustworthy by displaying text indicating the message had been scanned and secured by the email security solution, rather than showing the first lines of visible content of the message. This was achieved by using a zero font size for some of the text. The threat actor knew that the first lines of the emails are displayed by the mail client in the listing view, regardless of the font size, which means if the font is set to zero, the text will be displayed in the listing view but will not be visible to the user in the message body when the email is opened.
The email used a fake job offer as a lure and asked the user to reply with their personal information: Full name, address, phone number, and personal email, and impersonated the SANS Technology Institute. The full purpose of the phishing attempt is not known. There were no malicious links in the email and no malware attached so the email would likely pass through spam filters. If a response is received, the personal information could be used for a spear phishing attempt on the user’s personal email account, which is less likely to have robust spam filtering in place, or for a voice phishing attempt, as we have seen in many callback phishing campaigns.
Security awareness training programs train employees to look for signs of phishing and other malicious communications, and they are often heavily focused on embedded links in emails and attachments. Emails such as this and callback phishing attempts lack the standard malicious content and as such, end users may not identify them as phishing attempts. It is important to incorporate phishing emails such as this in security awareness training programs to raise awareness of the threat.
That is easy with SafeTitan from TitanHQ, as is conducting phishing simulations with these atypical message formats. SafeTitan includes a huge library of security awareness training content, and the phishing simulator includes thousands of phishing templates from real-world phishing attempts. It is easy for businesses to create and automate comprehensive security awareness training programs for the workforce and provide training on how to identify novel techniques such as this when they are identified, to ensure employees are kept up to date on the latest tactics, techniques, and procedures used by cybercriminals.
by Jennifer Marsh | Jul 26, 2024 | Phishing & Email Spam |
CrowdStrike has confirmed that a significant proportion of Windows devices that were rendered inoperable following a faulty update last Friday have now been restored to full functionality; however, businesses are still facing disruption and many scams have been identified by cybercriminals looking to take advantage.
One of those scams involves a fake recovery manual that is being pushed in phishing emails. The emails claim to provide a Recovery Tool that fixes the out-of-bounds memory read triggered by the update that caused Windows devices to crash and display the blue screen of death. The phishing emails include a document attachment named “New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows. docm.” The document is a copy of a Microsoft support bulletin, which claims that a new Microsoft Recovery Tool has been developed that automates recovery by deleting the CrowdStrike driver that is causing the crash. The user is prompted to enable content; however, doing so will allow a macro to run, which will download a malicious DLL, which launches the Daolpu stealer – an information stealer that collects and exfiltrates credentials, login information, and cookies stored in Chrome and Firefox.
Another campaign has been identified that capitalizes on the defective Falcon Sensor update. The spear phishing campaign targeted German firms and attempts to distribute a fake CrowdStrike Crash Reporter installer via a website that spoofs a legitimate German company. The website was registered a day after the CrowdStrike disruptions started. If the user attempts to download the installer by clicking the download button in the email, a ZIP archive will be delivered that includes a malicious InnoSetup installer. If executed, the user is shown a fake CrowdStrike branded installer. The installer is password-protected to prevent analysis and the final payload could not be determined.
Another campaign attempts to distribute Lumma information-stealing malware. The campaign uses the domain, crowdstrike-office365[.]com, and tricks the recipient into downloading a fake recovery tool to deal with the boot loop that prevents Windows devices from booting up. If the downloaded file is executed, it delivers a malware loader, which will, in turn, deliver the Lumma infostealer.
These are just three campaigns that use the CrowdStrike outage to deliver malware, all of which use email as the way to make contact with individuals affected by the outage. Many other campaigns are being conducted and a large number of CrowdStrike-themed domains have been registered since the problems started. Other malicious domains used in campaigns include the following, all of which should be blocked.
crowdstrike-helpdesk.com
crowdstrike.black
crowdstrikefix.zip
crowdstrikebluescreen.com
crashstrike.com
fix-crowdstrike-bsod.com
crowdstrike-falcon.online
crowdstrike-bsod.com
crowdstrikedoomsday.com
crowdstrikedown.site
crowdstrikefix.com
isitcrowdstrike.com
crowdstriketoken.com
crowdstrike0day.com
crowdstrikeoutage.com
These scams are likely to continue for some time, so it is important to remind employees of the high risk of malicious emails and warn them to exercise extreme caution with any emails received. Employees should be told to report any suspicious emails to their security team.
TitanHQ offers a range of cybersecurity solutions to block phishing and malware distribution campaigns, all of which are quick and easy to implement and can protect you in a matter of minutes. They include the WebTitan web filter for blocking access to known malicious websites, such as those detailed in this email; the PhishTitan anti-phishing solution for Office 365, and the SpamTitan corporate email filter for blocking phishing emails. The latter incorporates email sandboxing for blocking novel and obfuscated malware threats. TitanHQ also provides a comprehensive security awareness training platform and phishing simulator for improving your human defenses by raising awareness of cyber threats and providing timely training content on the latest tactics used by cybercriminals in targeted attacks on employees.
Give the TitanHQ team a call today for further information on improving your defenses, or take advantage of the free trial available with all TitanHQ products to get immediate protection.
by Jennifer Marsh | Jul 22, 2024 | Phishing & Email Spam |
On July 19, 2024, Windows workstations and servers were disabled as a result of a bug in a software update for CrowdStrike Falcon Sensor. When the update was installed on Windows devices, it caused them to show the Blue Screen of Death or get stuck in a boot loop, rendering the devices unusable. Microsoft revealed that its telemetry showed 8.5 million Windows devices had been affected in around 78 minutes.
CrowdStrike Falcon platform is a cybersecurity solution that incorporates anti-virus protection, endpoint detection and response, threat intelligence, threat hunting, and security hygiene, and it is used by many large businesses around the world, including around half of Fortune 500 firms. The disruption caused by the update has been colossal. Airlines had to ground flights, airports were unable to check people in, healthcare providers were unable to access electronic patient records and had to cancel appointments and surgeries, financial institutions faced major disruption, and some media companies were unable to broadcast live television for hours. Even organizations that did not use the Falcon product were adversely affected if any of their vendors used the product. The incident has been called the worst-ever IT outage, with huge financial implications.
It did not take long for cybercriminals to take advantage of the chaos. Within hours, cybercriminals were registering fake websites impersonating CrowdStrike offering help fixing the problem, and domains were registered and used in phishing campaigns promising a rapid resolution of the problem. Given the huge financial impact of suddenly not having access to any Windows devices, there was a pressing need to get a rapid resolution but the fixes being touted by cybercriminals involved downloading fake updates and hotfixes that installed malware.
Those fake updates are being used to deliver a range of different malware types including malware loaders, remote access Trojans, data wipers, and information stealers, while the phishing campaigns direct users to websites where they are prompted to enter their credentials, which are captured and used to access accounts. Cybercriminals have been posing as tech specialists and independent researchers and have been using deepfake videos and voice calls to get users to unwittingly grant them access to their devices, disclose their passwords, or divulge other sensitive codes.
CrowdStrike has issued a fix and provided instructions for resolving the issue, but those instructions require each affected device to be manually fixed. The fix was rolled out rapidly, but CrowdStrike CEO George Kurtz said it will likely take some time for a full recovery for all affected users, creating a sizeable window of opportunity for threat actors. Due to the surge in criminal activity related to the outage, everyone should remain vigilant and verify the authenticity of any communications, including emails, text messages, and telephone calls, and only rely on trusted sources for guidance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reminded all organizations of the importance of having robust cybersecurity measures in place to protect their users, assets, and data, and to remind all employees to avoid opening suspicious emails or clicking on unverified links in emails.
It is important to have multiple layers of security protection to identify, detect, and avoid these attacks, including AI-driven phishing protection, web filtering to block access to malicious websites, anti-virus software to detect and neutralize malware, and security awareness training for employees. TitanHQ can help to secure your business in all of these areas and offers a cloud-based spam filtering service (SpamTitan) which includes email sandboxing and email antivirus filter, phishing protection for Office 365 (PhishTitan), and the SafeTitan security awareness training and phishing simulator.
by Jennifer Marsh | Jul 1, 2024 | Phishing & Email Spam |
Phishing attacks and business email compromise scams are leading causes of losses to cybercrime and attacks have increased in 2024. According to the Federal Bureau of Investigation, phishing is the leading cause of complaints to its Internet Crime Complaint Center and business email compromise currently ranks second out of all tracked forms of cybercrime in terms of total losses.
Over the coming days and weeks, there are several events that cybercriminals take advantage of in their attacks and scams. The UEFA European Football Championship is currently taking place in Germany and thousands of individual phishing campaigns have been detected so far that are piggybacking on the popularity of the championship in Europe and beyond.
Cybercriminals often take advantage of sporting events and commonly use lures related to tickets, which usually sell out months before the first football is kicked and this year is no exception. Now that the tournament is underway and broadcasters and other legitimate entities are running competitions offering free tickets to the finals, scammers are doing the same and are using email and social media networks to advertise their scams. These campaigns use realistic websites that are almost identical to the brands they spoof and attempt to steal sensitive information such as credit card numbers and login credentials.
Many of the phishing attacks and scams impersonate businesses associated with the tournament. These include accommodation providers, airlines and travel companies, and others. The Wimbledon tennis tournament is underway, which will be shortly followed by another major sporting event in Paris – The 2024 Olympics. The latter has a huge global audience and there is a high risk of cyber threat activity using Olympics-themed lures. Cybercriminals are impersonating event organizations, sponsors, ticketing systems, and travel companies. Many cyber espionage groups and nation-state actors are likely to target the Olympics, in addition to financially motivated threat actors.
This week, there is a major celebration in the United States on July 4. Independence Day is a very active time for a host of malicious actors who conduct scams related to the celebrations, including holiday-themed texts and emails, fake giveaways and vouchers, and Independence Day event ticket scams. Being a major holiday in the United States when staffing levels are greatly reduced, it is a time when many ransomware groups choose to strike as their activities are less likely to be identified.
Also on July 4, 2024, a major event is taking place across the Atlantic in the UK. The UK general election will be taking place to decide the next government and scammers are already taking advantage and are using deepfake scams and malicious websites used to steal information and influence voters. It will be a similar story in the United States in the run-up to the November Presidential election.
With so many events taking place, it is vital for everyone to be on their guard and be constantly alert to the threat of scams, phishing, and malware attacks. Due to the elevated threat from phishing, businesses should step up their security awareness training to raise awareness of cyber threats and teach cybersecurity best practices. It is a good idea to use these events in your internal phishing simulations to identify any knowledge gaps and provide immediate training to any individual who fails a phishing simulation.
Security awareness training is made simple with SafeTitan from TitanHQ. SafeTitan is a comprehensive security awareness training platform that teaches security best practices to eradicate risky behaviors, raises awareness of the threat from phishing and malware, teaches the red flags to look for in emails and texts, and what to do if a potential threat is found. The phishing simulator can be used to automate internal phishing simulations to test awareness of threats and how employees are applying their training.
It is also a good time for businesses to bolster email security with an advanced email security solution. SpamTitan from TitanHQ is an advanced email security solution that uses predictive techniques to identify malicious emails, including AI and machine learning to block phishing threats and email sandboxing to block malware. SpamTitan integrates seamlessly with Microsoft 365 and is consistently rated as one of the best spam filters for Outlook, improving the native defenses that Microsoft offers. TitanHQ also offers a host of cybersecurity solutions for managed services providers, including advanced phishing protection, to help them better protect their clients.
If you want to improve protection this summer against increasingly sophisticated cyberattacks and scams, give the TitanHQ team a call to find out more about improving your security posture.
by Jennifer Marsh | Jun 30, 2024 | Phishing & Email Spam |
Many malware infections start with a malicious email that contains a file attachment with a malicious script that downloads malware if executed. One response to a single email is all it takes to infect the user’s device with malware, which may be able to spread across the network or at least provide the threat actor with the foothold they need in the network for follow-on activities. There is a much worse scenario, however. Rather than a single user infecting the network with one malware variant, that single response to the malicious email results in multiple malware infections. One campaign has been identified that does just that. A malware cluster bomb is delivered that can infect the user’s device with up to 10 different malware variants.
The campaign was identified by researchers at KrakenLabs and has been attributed to a threat actor known as Unfurling Hemlock. The campaign is being conducted globally with at least 10 countries known to have been attacked, although most of the victims have so far been located in the United States. The campaign has been running since at least February 2024 and uses two methods to deliver the malware variants – malicious emails and malware loaders installed by other threat groups. The threat actor has already distributed hundreds of thousands of malicious files in the 5 months since the operation is believed to have commenced.
In the email campaign conducted by Unfurling Hemlock, the victim is tricked into downloading a file called WExtract.exe which contains nested cabinet files, each containing a different malware variant. If the file is executed, the malware is extracted in sequence, and each malware variant is executed in reverse order, starting with the last malware variant to be extracted. Each malware cluster bomb has between four and seven stages, with some of those stages delivering multiple malware variants.
The malware variants delivered vary but they consist of information stealers, backdoors, malware loaders, and botnets. Information stealers include Redline Stealer, Mystic Stealer, and RisePro, and malware loaders including Amadey and SmokeLoader. Other malware variants are used to disable security solutions such as Windows Defender, help with obfuscation and hiding malware payloads, gathering system information, and reporting on the status of the malware infections.
It is not clear how the threat actor is using these malware infections. They could be delivering malware for other threat actors and selling the access, using the malware to harvest credentials to sell on the darkweb, conducting their own attacks using whatever malware variant serves their purpose, or a combination of the three. What the attack does ensure is maximum flexibility, as there are high levels of redundancy to ensure that if some of the malware variants are detected, some are likely to remain.
The delivery of multiple malware variants means this campaign could be highly damaging, but it also increases the chance of detection. While antivirus software is a must and may detect some of the malware variants, others are likely to go undetected. The key to blocking attacks is to prevent the initial phishing emails from reaching end users and to provide training to the workforce to help with the identification and avoidance of these malicious emails.
Many email security solutions rely on antivirus engines to detect malware but cybercriminals are skilled at bypassing these signature-based defenses. TitanHQ’s SpamTitan anti-spam software, SpamTitan, uses dual antivirus engines as part of the initial checks but also email sandboxing for behavioral analysis. Suspicious emails are sent to the sandbox where files are unpacked and their behavior is analyzed in depth. The behavioral analysis identifies malicious actions, resulting in the messages being quarantined for further analysis by the security team. SpamTitan also includes AI and machine-learning algorithms to check how messages deviate from the emails typically received and can identify new threats that have previously not been seen. SpamTitan is a highly effective Microsoft 365 spam filter and can be provided as a gateway spam filter or a cloud-based anti-spam service.
End user training is an important extra layer of security that helps eradicate bad security practices and teaches employees how to recognize and avoid malicious emails. Should a malicious bypass email security defenses, trained employees will be more likely to recognize and report the threat to the security team. Training data from SafeTitan, TitanHQ’s security awareness training platform and phishing simulator, shows the training and phishing simulations can reduce susceptibility to email attacks by up to 80% when provided regularly throughout the year.
Give the TitanHQ sales team a call today for more information on these and other cybersecurity solutions to improve your defenses against the full range of cyber threats.
by Jennifer Marsh | Jun 29, 2024 | Phishing & Email Spam, Spam Advice |
Around 40% of businesses use Office 365 for email, which includes Exchange Online Protection (EOP) with standard licenses for blocking spam and other email threats. While EOP will block a substantial amount of unwanted spam emails and malicious emails, the level of protection provided falls well below what many businesses need as too many threats pass through undetected.
Businesses can opt for a more expensive Business Premium license to improve Microsoft’s spam filter for Office 365, as this license includes Defender for Office 365. Alternatively, businesses can pay for Defender as an add-on. While Defender improves the phishing detection rate, this security feature only adds a little extra protection to EOP, and many malicious emails still go undetected. The E5 license provides the greatest amount of protection but it is prohibitively expensive for many businesses, and even this license does not give you cutting-edge protection.
Fortunately, there is a way to improve Office 365 email filtering that will provide you with excellent protection against phishing, malware, spam, and other email threats without having to cover the cost of expensive licenses and add-ons. That solution is to use a third-party email security solution that augments the spam filter for Office 365 regardless of the license you have. Many businesses prefer to use a third-party solution rather than placing all of their trust in Microsoft – a company that has recently struggled with preventing hackers from compromising its own systems.
SpamTitan from TitanHQ is a cloud-based email security solution that integrates seamlessly with Office 365 to greatly increase protection against email threats such as phishing, business email compromise, malware, and data theft by insiders, and is easy to set up, configure, and manage.
There are several features of SpamTitan that are lacking in Microsoft’s security solutions. In addition to performing reputation checks and blocking known malicious email addresses and domains, SpamTitan uses predictive techniques for detecting spam and phishing emails, such as Bayesian analysis, machine learning, and heuristics. These features allow SpamTitan to detect and block zero-day phishing threats and business email compromise, which Microsoft struggles to detect and block.
SpamTitan performs extensive checks of embedded hyperlinks to combat phishing, including checks of Shortened URLs. Office 365 malware detection is greatly improved with dual antivirus engines for detecting known malware and email sandboxing. The sandboxing feature includes machine learning and behavioral analysis for the safe detonation of files in an isolated environment, and message sandboxing is vital for detecting and blocking the zero-day malware threats that EOP and Defender miss.
SpamTitan cloud-based email filtering is also an ideal choice for Managed Services Providers looking to provide their customers with more advanced email security, especially for small- and medium-sized clients unwilling to pay for E5 licenses. SpamTitan has been developed from the ground up to meet the needs of MSPs and manage email security with minimal management overhead.
TitanHQ can also MSPs additional protection against phishing with TitanHQ’s new anti-phishing solution, PhishTitan. PhishTitan uses a large language model (LLM) and AI to analyze emails to identify phishing attempts. The solution incorporates multiple curated feeds to detect malicious URLs linked in phishing emails, adds banners to emails from external sources to warn end users about potential threats, and adds post-delivery remediation across multiple tenants allowing phishing emails to be instantly removed from the email system with a single click.
The best way to find out more about the full capabilities of SpamTitan and PhishTitan and how they work is to call the TitanHQ team. A product demonstration can be arranged and you can take advantage of a free trial to see for yourself the difference these solutions make and how they can significantly improve threat detection with Office 365.
by Jennifer Marsh | Jun 28, 2024 | Phishing & Email Spam |
Two new malware distribution campaigns have been detected that deliver dangerous information-stealing malware, both targeting individuals looking to download free and pirated software.
Trojaninized Cisco Webex Meetings App Delivers Malware Loader and Information Stealer
Another malware distribution campaign has been identified that is using trojanized installers for free and pirated software to deploy a malware loader called Hijack Loader, which in turn delivers an information stealer. In the attacks, the victim was tricked into downloading a trojanized version of the Cisco Webex Meetings App, a video streaming app. The user downloaded a password-protected archive (RAR) file, which contained a file called setup.exe. When the victim executed the file, DLL sideloading was used to launch the HijackLoader, which was injected into a Windows binary.
HijackLoader connects with its command-and-control server and downloads another binary, an information stealer called Vidar Stealer. The malware bypasses User Account Control (UAC), escalates privileges, and adds an exception to the Windows Defender exclusion list. Vidar Stealer is used to steal credentials from browsers and deliver additional malware payloads, including a cryptocurrency miner. This campaign primarily targets organizations in Latin America and the Asia Pacific region.
Google Ads Used to Target Mac Users and Deliver Poseidon Malware
An information stealer called Poseidon is being distributed via malicious Google Ads that claim to provide the popular Arc web browser. The campaign targets Mac users and delivers a trojanized version of the Arc browser installer. If the installer is launched, the user gets the browser but is also infected with the malware.
According to an analysis from Malwarebytes, the new information stealer has similar features to the notorious Atomic Stealer, including a file grabber, crypto wallet extractor, and the ability to steal passwords from password managers such as Bitwarden and KeepassXC, passwords stored in browsers, and browser histories. The targeting of password managers makes this malware particularly dangerous, potentially allowing the theft of all passwords. The researchers believe the malware has been set up as a rival to Atomic Stealer
How to Protect Your Business
Protecting against malware requires a defense-in-depth approach to security, where several different security solutions provide multiple overlapping layers of protection. These security measures should include the following:
Antivirus software – Antivirus software is a must. The software will be able to detect malware when it is downloaded onto a device or is executed. The malware is identified by its signature, which means that a particular malware variant must be known and its signature must be present in the malware definition list used by that software. Antivirus software will not detect novel malware variants without behavioral analysis of files.
Web filter – One of the best defenses against malware distributed via the internet is a web filter. The web filter blocks downloads of malicious files by preventing downloads of executable files from the Internet, blocking access to known malicious websites, and limiting the sites that users can visit on their corporate-owned devices. The main advantage of a web filter is the threat is dealt with before any files are downloaded from the Internet.
Security awareness training – Users should be warned about the risks of downloading software from the Internet, be taught how to identify the signs of phishing and malicious emails, and be trained on security best practices. The latter should include carefully checking the domain of the website offering software and making sure it is the official website of the software vendor or a reputable software distributor.
Email security solution – Malware is often delivered via email, usually via a malicious script in an attached file or via a linked web page. An email security solution needs to have antivirus capabilities – signature-based detection and behavioral analysis in an email sandbox. The former will detect known malware variants and email sandboxing is used to detect novel malware variants. Your email security solutions should also include AI-based detection, which can identify malicious messages based on how they differ from standard messages received by your business and perform comparisons with previous malware distribution campaigns.
While TitanHQ does not provide antivirus software, TitanHQ can help with web filtering (WebTitan), email security (SpamTitan), phishing protection (PhishTitan), and security awareness training (SafeTitan). For more information on improving your defenses against malware and TitanHQ’s multi-award-winning cloud-based email security and internet security solutions for businesses and managed service providers, give the TitanHQ team a call today.
by Jennifer Marsh | Jun 27, 2024 | Industry News, Phishing & Email Spam, Security Awareness |
A phishing campaign targeting the Los Angeles Department of Public Health saw more than 50 employee email accounts compromised and the sensitive information of more than 200,000 individuals was exposed.
In this campaign, the threat actor impersonated a trustworthy sender and emailed a link that directed employees to a malicious website where email credentials were harvested. The website had been crafted to appear legitimate and requested they log in. When their credentials were entered, they were captured and used to access the employees’ email accounts. 53 employees fell for the scam. Their email accounts contained highly sensitive information that could be used for identity theft and fraud, including names, dates of birth, and Social Security numbers, as well as financial information and health insurance information. This campaign clearly demonstrates the damage that can be caused by phishing, and how a well-crafted campaign can fool many employees and result in a costly data breach.
While this phishing attack stands out due to the number of email accounts compromised, successful phishing attacks are common in healthcare. Healthcare employees are targeted via email, SMS, and other communication platforms, including over the phone. The Federal Bureau of Investigation and the Department of Health and Human Services recently issued a joint cybersecurity advisory about a campaign targeting IT helpdesk workers at healthcare organizations. Cybercriminals call IT helpdesks and impersonate employees to request password resets and enroll new devices to receive multifactor authentication codes. In this campaign, the attackers seek email credentials and then pivot to systems used for automated clearinghouse (ACH) payments to divert payments to their own accounts.
The Los Angeles Department of Public Health phishing attack serves as a reminder of the importance of conducting regular security awareness training. Employees need to be trained how to recognize phishing attempts. Through regular training, employees can be made aware of the red flags they need to look for in all communications and will be conditioned to be always on the lookout for threats and to report any potential threats to their security team. Healthcare employees who receive regular security awareness are less likely to be tricked by phishing scams. Training data from TitanHQ shows that organizations that conduct regular security awareness training with the SafeTitan security awareness training platform and phishing simulations using TitanHQ’s phishing simulator can reduce susceptibility to phishing scams by up to 80%.
The SafeTitan platform allows healthcare organizations to easily create and automate security awareness training programs and to tailor the training courses to different departments and users, ensuring that the training is relevant and focuses on the cyber threats that each user group is likely to encounter. The platform is modular, with each module taking no longer than 10 minutes to complete, making it easy for busy healthcare workers to fit the training into their workflows. The training content is engaging, fun, and enjoyable, and covers all threats and teaches cybersecurity best practices.
Phishing simulations can be easily conducted to test the effectiveness of training and identify employees who have not taken the training on board, allowing them to be provided with further training. The SafeTitan platform is the only security awareness training platform that delivers training in real-time in response to security mistakes, ensuring additional training is provided instantly at the moment when it is likely to have the greatest impact on changing behavior.
In addition to training, healthcare organizations must implement technical safeguards for HIPAA Security Rule compliance. TitanHQ offers a range of cloud-based security solutions for healthcare organizations to manage risks and achieve Security Rule compliance. These include SpamTitan anti-spam software which incorporates AI and machine learning algorithms to predict phishing attempts and dual antivirus engines and email sandboxing to combat malware. The WebTitan web filter protects against internet-based threats and can be used to block access to malicious and risky websites and block executable file downloads from the Internet to combat malware. Healthcare organizations that use Microsoft 365 can improve phishing protection with PhishTitan – a next-generation AI-based anti-phishing solution that offers unmatched protection against phishing and allows rapid remediation of phishing threats, preventing phishing attempts from compromising multiple email accounts.
All TitanHQ solutions are quick and easy to implement and use and can help healthcare organizations achieve and maintain HIPAA compliance, block more threats, and avoid costly data breaches. Contact TitanHQ today for more information about improving your security posture.
by Jennifer Marsh | Jun 3, 2024 | Phishing & Email Spam, Security Awareness |
Earlier this month, warnings were issued about the Black Basta ransomware group, after an increase in activity in recent weeks. Now a new tactic has emerged to gain initial access to networks that ultimately leads to a Black Basta ransomware attack.
Storm-1811 is a highly sophisticated financially motivated cybercriminal group that was first detected in April 2022. Unlike many cybercriminal groups that start slowly, Storm-1811 conducted more than 100 attacks in its first 7 months. The latest campaign linked to the group is a type of tech support scam and is conducted over the phone through voice phishing (vishing).
The threat actor targets users and uses social engineering techniques over the phone to convince the user that they need to take urgent action to fix a fictitious problem on their computer. The threat actor often impersonates a member of the IT help desk or even Microsoft technical support. This attack leverages Quick Assist – a legitimate Windows app that is used to establish a remote connection to a device.
Quick Assist is a useful tool for providing IT support. If a friend or family member is having difficulty with their computer, they can provide remote access to a more technically skilled family member to sort out the problem remotely. Through Quick Assist, it is possible to view the display, make annotations, and take full control of the connected device.
Any remote access tool can be abused by a threat actor and Quick Assist is no different. If the user is convinced that the request is genuine and access to their device is granted, the threat actor will be able to perform a range of malicious actions. In this campaign, the threat actor installs a range of malicious tools to allow them to achieve their objectives, including remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager, and malware including Qakbot and Cobalt Strike. After gaining access, Storm-1811 actors can steal data and the access will ultimately lead to a Black Basta ransomware attack.
One point where this campaign could fail is convincing a user that they have a problem with their computer that requires remote access to fix. To get around this problem, Storm-1811 threat actors create a problem that needs to be addressed. One of the ways they do this is by conducting an email-bombing campaign. They identify email addresses of employees at the targeted company and bombard them with spam emails by signing them up to various high-volume email subscription services. When they make the call, the user will no doubt be frustrated by the spam emails, and it is easy to convince them that the problem can be sorted via Quick Assist.
The user just needs to press CTRL plus the Windows Key and Q to initiate Quick Assist, and then enter the security code provided by the threat actor and confirm that they want to proceed with screen sharing. The threat actor can then request remote access through the session and, if granted by the user, will be provided with full control of the user’s device. If they get to that point while the user is still on the phone, the threat actor will be able to explain any installation of a program as part of the remediation efforts. The threat actor can then unsubscribe the user from the various email subscriptions to make them believe that the problem has been resolved. Since the tools used by the threat actor can easily blend in, the attack is likely to go undetected until ransomware is used to encrypt files.
There are two easy ways to reduce susceptibility to this attack. The first is for IT teams to block or uninstall Quick Assist if they are not using the tool for remote access. Since other remote access tools may be used in these tech support scams, it is also vital to educate the workforce about tech support scams.
Users should be trained never to provide remote access to their device unless they initiate the interaction with their IT help desk or Microsoft support. Many companies provide security awareness training to the workforce that focuses on email phishing since this has long been the most common method of gaining access to internal networks.
Security awareness training should also educate users about other forms of phishing, including SMS phishing (smishing), vishing, and phishing via instant messaging services. With SpamTitan, creating, automating, and updating training content with the latest tactics used by cybercriminals is easy. The platform includes an extensive range of engaging training modules and is constantly updated with new content based on real-world attacks by cybercriminal groups.
When you train your workforce with SafeTitan, you can greatly reduce susceptibility to the different types of cyberattacks. Give the TitanHQ team a call today for further information or use the SafeTitan link to sign up for a free trial.
by Jennifer Marsh | May 30, 2024 | Phishing & Email Spam |
Last month, the UK government published the findings of its 2024 cyber security breaches survey. The annual survey was conducted by the Department for Science, Innovation and Technology (DSIT) in partnership with the Home Office between September 2023 and January 2024 on 2,000 UK businesses, 1,004 registered UK charities, and 430 educational institutions. The survey provides insights into the nature of cyberattacks and data breaches experienced in the UK and confirms that attacks are increasing.
In the past year, 50% of surveyed businesses and almost one-third of charities (32%) experienced at least one cybersecurity breach or attack, with medium-sized businesses (70%), large businesses (74%), and high-income charities with £500,000+ annual income (66%) more likely to experience a cybersecurity breach.
It is often reported that cyberattacks are becoming more sophisticated; however, the most common cyber threats are relatively unsophisticated and are often effective. The most common type of cyberattack was phishing, which was reported by 84% of businesses and 83% of charities, with impersonation of organizations – online and via email – reported by more than one-third of businesses (35%) and charities (37%). Malware was used in 17% of attacks on businesses and 14% of attacks on charities. In terms of prevalence, phishing was by far the most common type of cybercrime. 90% of businesses and 94% of charities that were victims of cybercrime experienced at least one phishing attack.
The costliest type of phishing attack is business email compromise (BEC). BEC covers several types of attacks, with the most common involving criminals accessing work email accounts and using them to trick others into transferring funds or sending sensitive data. For example, a threat actor gains access to an email account of a vendor and uses the account to send an email to a customer containing a fake invoice or a request to change bank account information for an upcoming payment.
The losses to BEC attacks can be considerable. Attacks frequently result in fraudulent transfers of tens of thousands of pounds or in some cases hundreds of thousands or millions. With such large sums involved, criminals put considerable effort into these scams. Targets are researched, phishing is used to compromise an employee email account, internal phishing is used to gain access to the right accounts, the contents of accounts are studied to identify information that can be used in the scam, and the legitimate account holder is impersonated in the attack on the targeted organization or individual.
The goal in these attacks is often to gain access to the email account of the CEO or a senior executive, and that account is used to conduct a scam internally or externally. Since the request comes from a trusted authority figure and uses their legitimate account, the request is often not questioned.
BEC attacks can be difficult to identify by employees but also by email security solutions as trusted accounts are used for the scams and the emails usually do not contain any malicious content such as a URL to a phishing website or malware. These attacks use social engineering and target human weaknesses.
Defending against BEC and phishing attacks requires a combination of measures. Since targets are extensively researched, businesses should consider reducing their digital footprint and making it harder for cybercriminals to obtain information that can be used in convincing phishing and BEC campaigns, especially by reducing the amount of information that is available online about senior staff members.
Anti-spam software is a must for blocking the initial phishing attacks that are used to compromise accounts; however, an advanced solution is required to block sophisticated BEC attacks. TitanHQ’s cloud-based anti-spam service – SpamTitan – performs a barrage of spam checks for inbound and outbound emails to identify spam, phishing, and BEC content, including reputation checks of domains and accounts, scans of message content, sandboxing to identify malicious attachments, and AI and machine learning analysis to identify emails that deviate from the standard messages typically received by an organization.
PhishTitan is an anti-phishing solution for Microsoft 365 that enhances Microsoft’s anti-phishing measures and catches the phishing threats that Microsoft misses. The solution adds banners to emails to warn employees about potentially malicious content and allows security teams to quickly remediate phishing attempts across the entire email environment.
Since phishing and BEC attacks target human weaknesses, it is vital to provide training to the workforce. The aim should be to improve awareness and condition employees to always be on the lookout for a scam and to err on the side of caution and report suspicious emails to their IT security team. Phishing simulations are useful for helping staff to recognize phishing emails and identify knowledge gaps. TitanHQ’s SafeTitan training platform has all the content you need to run effective training programs to improve defenses against phishing and BEC attacks.
Contact TitanHQ today about these solutions and other ways you can improve your defenses against phishing, BEC, and other types of cyberattacks.
by Jennifer Marsh | May 30, 2024 | Phishing & Email Spam, Security Awareness |
Phishing tactics are constantly changing and while email is still one of the most common ways of getting malicious content in front of end users, other forms of phishing are growing. Smishing (SMS phishing) has increased considerably in recent years, and vishing (voice phishing) is also common, especially for IT support scams.
Another method of malware delivery that has seen an enormous increase recently is the use of instant messaging and VoIP social platform Discord. Discord is a platform that has long been popular with gamers, due to being able to create a server with voice and text for no extra cost, both of which are necessary for teamspeak in gaming. While gamers still account for a majority of users, usage for non-gaming purposes is growing.
The platform is also proving popular with cybercriminals who are using it for phishing campaigns and malware distribution. According to Bitdefender, the antivirus company whose technology powers the SpamTitan email sandboxing feature, more than 50,000 malicious links have been detected on Discord in the past 6 months. Around a year ago, a campaign was detected that used Discord to send links to a malicious site resulting in the delivery of PureCrypter malware – a fully featured malware loader that is used for distributing information stealers and remote access trojans.
Discord responded to the misuse of the platform and implemented changes such as adding a 24-hour expiry for links to internally hosted files, which made it harder for malicious actors to use the platform for hosting malware. While this move has hampered cybercriminals, the platform is still being used for malware distribution. One of the latest malicious Discord campaigns is concerned with obtaining credentials and financial information rather than distributing malware.
The campaign involves sending links that offer users a free Discord Nitro subscription. Discord Nitro provides users with perks that are locked for other users, such as being able to use custom emojis anywhere, set custom video backgrounds, HD video streaming, bigger file uploads, and more. Discord Nitro costs $9.99 a month, so a free account is attractive.
If the user clicks the link in the message, they are directed to a fake Discord website where they are tricked into disclosing credentials and financial information. Other Discord Nitro lures have also been detected along the same theme, offering advice on how to qualify for a free Discord Nitro subscription by linking to other accounts such as Steam. According to Bitdefender, 28% of detected malicious uses are spam threats, 27% are untrusted, around 20% are phishing attempts and a similar percentage involve malware distribution.
Any platform that allows direct communication with users can be used for phishing and other malicious purposes. Security awareness training should cover all of these attack vectors and should get the message across to end users that they always need to be on their guard whether they are on email, SMS, instant messaging services, or the phone. By running training courses continuously throughout the year, businesses can develop a security culture by training their employees to be constantly on the lookout for phishing and malware threats and developing the skills that allow them to identify threats.
Developing, automating, and updating training courses to include information on the latest threats, tactics techniques, and procedures used by threat actors is easy with the SafeTitan security awareness training platform. SafeTitan makes training fun and engaging for end users and the platform has been shown to reduce susceptibility to phishing and malware threats by up to 80%.
If you are not currently running a comprehensive security awareness training program for your workforce or if you are looking to improve your training. Give the TitanHQ team a call and ask about SafeTitan. SafeTitan is one product in a suite of cloud-based security solutions for businesses and managed service providers, which includes an enterprise spam filter, a malicious file sandbox for email, a DNS-based web filter, email encryption, email archiving, and phishing protection for M365.
by Jennifer Marsh | May 27, 2024 | Phishing & Email Spam, Security Awareness, Spam Advice, Spam News |
Email phishing is the most common form of phishing, with email providing threat actors with an easy way of getting their malicious messages in front of employees. Phishing emails typically include a URL along with a pressing reason for clicking the link. The URLs are often masked to make them appear legitimate, either with a button or link text relevant to the lure in the message. Email attachments are often added to emails that contain malicious scripts for downloading a variety of malicious payloads, or links to websites where malware is hosted.
While there are many email security solutions available to businesses, many lack the sophistication to block advanced phishing threats as they rely on threat intelligence, antivirus software, and reputation checks. While these are important and effective at blocking the bulk of phishing and malspam emails, they are not effective at blocking zero-day attacks, business email compromise, and advanced phishing threats.
More advanced features include email sandboxing for detecting and quarantining zero-day malware threats and malicious scripts, greylisting for increasing the spam catch rate, and AI and machine learning capabilities that can assess messages and identify threats based on how they differ from the messages that are typically received by the business. SpamTitan, a cloud-based anti-spam service from TitanHQ, has these features and more. Independent tests have shown that the solution blocks more than 99.99% of spam emails, 99.95% of malware, and more than 99.91% of phishing emails. SpamTitan can be provided as a hosted email filter or as a gateway spam filter for installation on-premises on existing hardware, serving as a virtual anti-spam appliance.
Microsoft 365 users often complain about the phishing catch rate of the protections provided by Microsoft, which are EOP only for most licenses and EOP and Defender for the most expensive licenses. While these protections are effective at blocking spam and known malware, they fall short of what is required for blocking advanced threats. To improve Microsoft 365 security and block the threats that Microsoft misses, TitanHQ has developed PhishTitan. PhishTitan augments Microsoft 365 defenses and is the easiest way of improving the Office 365 spam filter. These advanced defenses are now vital due to the increase in attacks. The Anti-Phishing Working Group (APWG) has reported that more phishing attacks were conducted in 2023 than ever before.
Massive Increase in Text Message Phishing Scams
Blocking email phishing attempts is straightforward with advanced email security solutions, which make it much harder for phishers to get their messages in front of employees. One of the ways that threat actors have adapted is by switching to SMS phishing attacks, which no email security solution can block. APWG has reported a major increase in SMS-based phishing attempts.
A recent study attempted to determine the extent to which SMS phishing is being used. Researchers used SMS gateways – websites that allow users to obtain disposable phone numbers – to obtain a large number of phone numbers for the study. They then waited to see how long it took for SMS phishing messages to be received. The study involved 2,011 phone numbers and over 396 days the researchers received an astonishing 67,991 SMS phishing messages, which averages almost 34 per number. The researchers analyzed the messages and identified 35,128 unique campaigns that they associated with 600 phishing operations. Several of the threat actors had even set up URL shortening services on their own domains to hide the destination URLs. With these shortening services, the only way to tell that the domain is malicious is to click the link.
Blocking SMS phishing threats is difficult for businesses and the primary defense is security awareness training. SMS phishing should be included in security awareness training to make employees aware of the threat, as it is highly likely that they will encounter many SMS phishing threats. The SafeTitan security awareness platform makes creating training courses simple and the platform includes training content on all types of threats, including SMS, voice, and email phishing. With SafeTitan it is easy to create and automate campaigns, as well as deliver training in real-time in response to employee errors to ensure training is provided when it is likely to have the greatest impact – immediately after a mistake is made.
by Jennifer Marsh | May 26, 2024 | Phishing & Email Spam, Security Awareness |
Cloudflare Workers is being abused in phishing campaigns to obtain credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail. The campaigns identified in the past month have mostly targeted individuals in Asia, North America, and Southern Europe, with the majority of attacks conducted on organizations in the technology, finance, and banking sectors.
Cloudflare Workers is part of the Cloudflare Developer Platform and allows code to be deployed and run from Cloudflare’s global network. It is used to build web functions and applications without having to maintain infrastructure. The campaigns were identified by researchers at Netskope Threat Labs. One campaign uses a technique called HTML smuggling, which involves abusing HTML5 and JavaScript features to inject and extract data across network boundaries. This is a client-side attack where the malicious activities occur within the user’s browser. HTML smuggling is most commonly associated with malware and is used to bypass network controls by assembling malicious payloads on the client side. In this case, the malicious payload is a phishing page.
The phishing page is reconstructed in the user’s browser, and they are prompted to log in to the account for which the attacker seeks credentials, such as their Microsoft account. When the victim enters their credentials, they will be logged in to the legitimate website and the attacker will then collect the tokens and session cookies.
Another campaign uses adversary-in-the-middle (AitM) tactics to capture login credentials, cookies, and tokens, and allow the attackers to compromise accounts that are protected with multi-factor authentication. Cloudflare Workers is used as a reverse proxy server for the legitimate login page for the credentials being targeted. Traffic between the victim and the login page is intercepted to capture credentials as well as MFA codes and session cookies. The advantage of this type of attack is the user is shown the exact login page for the credentials being targeted. That means that the attacker does not need to create and maintain a copy of the login page.
When the user enters their credentials, they are sent to the legitimate login page by the attacker, and the response from the login page is relayed to the victim. The threat actor’s application captures the credentials and the tokens and cookies in the response. In these CloudFlare Workers phishing campaigns, users can identify the scam by looking for the *.workers.dev domain and should be trained to always access login pages by typing the URL directly into the web browser.
Defending against sophisticated phishing attacks requires a combination of security measures including an email security solution with AI/machine learning capabilities and email sandboxing, regular security awareness training, and web filtering to block the malicious websites and inspecting HTTP and HTTPS traffic. For more information on improving your defenses, give the TitanHQ team a call.