Phishing & Email Spam

Phishing and email spam is estimated to cost industry more than $1 billion each year, and cybercriminals are becoming more sophisticated in the campaigns they launch to try to extract confidential data or passwords from unsuspecting Internet users.

Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.

Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:

  • If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
  • Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
  • Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
  • Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
  • Remember that phishing and email spam is not limited to email. Watch out for scams sent via social media channels.

Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, there has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).

Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.

The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.

Office 365 Phishing Emails Masquerade as Non-Delivery Notifications

campaign is to obtain users’ Office 365 passwords.

The phishing campaign was detected by ISC Handler Xavier Mertens and the campaign appears to still be active.

The phishing emails closely resemble legitimate Office 365 non-delivery notifications and include Office 365 branding. As is the case with official non-delivery notifications, the user is alerted that messages have not been delivered and told that action is required.

The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attributes the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users click the Send Again button, they will be directed to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is entered, a JavaScript function sends both the email address and password to the scammer. The user will then be redirected to the genuine outlook.office365.com website where they will be presented with a real Office 365 login box.

While the Office 365 phishing emails and the website look legitimate, there are signs that all is not what it seems. The emails are well written and the sender’s email – postmaster@us.ibm.com – looks official but there is irregular capitalization of the warning message: Something that would not occur on an official Microsoft notification.

The clearest sign that this is a phishing scam is the domain to which users are directed if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the error in the email may be overlooked, users should notice the domain, although some users may proceed and enter passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how important it is to carefully check every message before taking any action and to always check the domain before disclosing any sensitive information.

Scammers use Office 365 phishing emails because so many businesses have signed up to use Office 365. Mass email campaigns therefore have a high probability of reaching an Outlook inbox. That said, it is easy to target office 365 users. A business that is using Office 365 broadcasts it through their public DNS MX records.

Businesses can improve their resilience to phishing attacks through mandatory security awareness training for all employees. Employees should be told to always check messages carefully and should be taught how to identify phishing emails.

Businesses should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (APT) offering, businesses should consider using a third-party spam filtering solution with Office 365.

SpamTitan provides superior protection against phishing and zero-day attacks, an area where APT struggles.

Irish Phishing Study Shows Millennials’ Confidence in Security Awareness is Misplaced

According to a recent Irish phishing study, as many as 185,000 office workers in the country have fallen victim to phishing scams.

Phishing is a method used by cybercriminals to obtain sensitive information such as login credentials, financial information, and other sensitive data. While phishing can take place over the phone, via messaging platforms or by text message, email is most commonly used.

Messages are sent in bulk in the hope that some individuals will respond, or campaigns can be much more targeted. The latter is referred to as spear phishing. With spear phishing attacks, cybercriminals often research their victims and tailor messages to maximize the probability of them eliciting a response.

A successful phishing attack on employees can see them disclose their email credentials which allows their accounts to be accessed. Then the attackers can search emails accounts for sensitive information or use the accounts to conduct further phishing attacks on other employees. When financial information is disclosed, business bank accounts can be emptied.

Businesses can suffer major financial losses as a result of employees responding to phishing emails, the reputation of the business can be damaged, customers can be lost, and there is also a risk of major regulatory fines.

Irish Phishing Study Findings

The Irish phishing study was conducted on 500 Irish office workers by the survey consultancy firm Censuswide. Respondents to the Irish phishing study were asked questions about phishing, whether they had fallen for a phishing scam in the past, and how they rated their ability to identify phishing attacks.

In line with findings from surveys conducted in other countries, 14% of respondents said they had been a victim of a phishing attack. There were also marked differences between different age groups.  Censuswide analyzed three age groups: Millennials, Gen X, and baby boomers. The latter two age groups were fairly resistant to phishing attempts. Gen X were the most phishing-savvy, with just 6% of respondents in the age group admitting to having been fooled by phishing emails in the past, closely followed by the baby boomer generation on 7%. However, 17% of millennials admitted having fallen for a phishing scam – The generation that should, in theory, be the most tech-savvy.

Interestingly, millennials were also the most confident in their ability to recognize phishing attempts. 14% of millennials said they would not be certain that they could detect fraud, compared to 17% of Gen X, and 26% of baby boomers.

It is easy to be confident about one’s ability to spot standard phishing attempts, but phishing attacks are becoming much more sophisticated and very realistic. Complacency can be very dangerous.

Phishing Protection for Businesses

The results of the Irish phishing study make it clear that businesses need to do more to protect themselves from phishing attacks. Naturally, an advanced spam filtering solution is required to ensure that employees do not have their phishing email identification skills put to the test constantly. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails, thus reducing reliance on employees’ ability to identify scam emails.

The Irish phishing study also highlights the importance of providing security awareness training to employees. The study revealed 44% of the over 54 age group had opened an attachment or clicked on a link in an email from an unknown sender, as had 34% of millennials and 26% of the Gen X age group. Alarmingly, one in five respondents said that their employer had not provided any security awareness training whatsoever.

Employees need to learn how to identify scams, so security awareness training must be provided. Since cybercriminals’ tactics are constantly evolving, training needs to be continuous. Annual or biannual training sessions should be provided, along with shorter refresher training sessions. Businesses should also consider conducting phishing email simulations to test resilience to phishing attacks and highlight weak links.

To be effective, anti-phishing training needs to be provided to all employees and requires buy-in from all departments. Unless that happens, it will be difficult to develop a culture of security awareness.

How to Improve Office 365 Security

In this post we offer four simple steps to take to improve Office 365 security and make it harder for hackers and phishers to gain access to users’ accounts.

Hackers are Targeting Office 365 Accounts

It should come as no surprise to hear that hackers are targeting Office 365 accounts. Any software package that has 155 million global users is going to be a target for hackers, and with the number of users growing by an astonishing 3 million a month, Office 365 accounts are likely to be attacked even more frequently.

One study this year has confirmed that to be the case. There has been a 13% increase in attempts to hack into Office 365 email accounts this year, and many of those attacks succeed. You should therefore take steps to improve Office 365 security.

Hackers themselves are paying for Office 365 and are probing its security protections to find vulnerabilities that can be exploited. They also test their phishing emails on real office 365 accounts to find out which ones bypass Microsoft’s anti-phishing protections.

When emails have been developed that bypass Microsoft’s anti-phishing protections, mass email campaigns are launched on Office 365 users. Businesses using Office 365 can easily be found and targeted because it is made clear that they use Office 365 through public DNS MX records.

So how can you improve office 365 security and make it harder for hackers? If you take the four steps below, you will be able to greatly improve Office 365 security and thwart more attacks.

Enforce the Use of Strong Passwords

Hackers often conduct brute force attacks on Office 365 email accounts so you need to develop a strong password policy and prevent users from setting passwords that are easy to brute force. You should not allow dictionary words or any commonly used weak passwords, that otherwise meet your password policy requirements – Password1! for instance.

The minimum length for a password should be 8 characters but consider increasing that minimum. A password of between 12 and 15 characters is recommended. Make sure you do not set a too restrictive maximum number of characters to encourage the use of longer passphrases. Passphrases are harder to crack than 8-digit passwords and easier for users to remember. To make it even easier for your users, consider using a password manager.

Implement Multi-Factor Authentication

Even with strong passwords, some users’ passwords may be guessed, or users may respond to phishing emails and disclose their password to a scammer. An additional login control is therefore required to prevent compromised passwords from being used to access Office 365 accounts.

Multi-factor authentication is not infallible, but it will help you improve Office 365 security. With MFA, in addition to a password, another method of authentication is required such as a token or a code sent to a mobile phone. If a password is obtained by a hacker, and an attempt is made to login from a new location or device, further authentication will be required to access the account.

Enable Mailbox Auditing in Office 365

Mailbox auditing in Office 365 is not turned on by default so it needs to be enabled. You can set various parameters for logging activity including successful login attempts and various mailbox activities. This can help you identify whether a mailbox has been compromised. You can also logs failed login attempts to help you identify when you are being attacked.

Improve Office 365 Security with a Third-Party Spam Filter

As previously mentioned, hackers can test their phishing emails to find out if they bypass Office 365 anti-phishing controls and your organization can be identified as using Office 365. To improve Office 365 security and reduce the number of phishing emails that are delivered to end users’ inboxes, consider implementing a third-party spam filter rather than relying on Microsoft’s anti-phishing controls. Dedicated email security vendors, such as TitanHQ, offer more effective and more flexible anti-spam and anti-phishing solutions than Microsoft Advanced Threat Protection at a lower cost.

Office 365 Spam Filtering Controls Failed to Prevent Costly Malware Infection

A U.S. school system had Office 365 spam filtering controls in place and other cybersecurity solutions installed, but still experienced a costly 6-week malware infection. In this post we explore what went wrong and how you can improve security in your organization.

Multi-Layered Defenses Breached

If you want to mount a solid defense and prevent hackers from gaining access to your networks and data, multi-layered cybersecurity defenses are required, but for one Georgia school district that was not enough. On paper, their defenses looked sound. Office 365 spam filtering controls had been applied to protect the email system, the school district had a firewall appliance protecting the network, and a web filter had been installed to control what users could do online. Endpoint security had also been installed.

The school district was also updating its desktops to Windows 10 and its servers to Windows Server 2012 or later. Everything looked nice and secure.

However, the transportation department delayed the upgrades. The department was still sharing files on a local Windows 2003 server and some of the desktops were still running Windows XP, even though support for the OS had long since ended. The outdated software and lack of patching was exploited by the attackers.

How Was the Malware Installed?

The investigation has not yet determined exactly how the attack was initiated, but it is believed that it all started with an email. As a result of the actions of an end user, a chain of events was triggered that resulted in a 6-week struggle to mitigate the attack, the cost of which – in terms of time and resources – was considerable.

The attack is believed to have started on a Windows XP machine with SMBv1 enabled. That device had drives mapped to the Windows 2003 server. The malware that was installed was the Emotet Trojan, which used the EternalBlue exploit to spread across the network to other vulnerable devices. The attackers were able to gain control of those devices and installed cryptocurrency mining malware.

The cryptocurrency mining slowed the devices to such an extent that they were virtually unusable, causing many to continually crash and reboot. The network also slowed to a snail’s pace due to the streams of malicious traffic. While the upgraded Windows 10 machines were not affected initially, the attackers subsequently downloaded keyloggers onto the compromised devices and obtained the credentials of an IT support technician who had domain administration rights. The attackers then used those privileges to disable Windows Defender updates on desktops, servers, and domain controllers.

Over the course of a week, further Trojan modules were downloaded by creating scheduled tasks using the credentials of the IT support worker. A spam module was used to send malicious messages throughout the school district and several email accounts were compromised as a result and had malware downloaded. Other devices were infected through network shares. The TrickBot banking Trojan was downloaded and was used to attack the systems used by the finance department, although that Trojan was detected and blocked.

Remediation Took 6 Weeks

Remediating the attack was complicated. First the IT department disabled SMBv1 on all devices as it was not known what devices were vulnerable. Via a Windows Group Policy, the IT team then blocked the creation of scheduled tasks. Every device on the network had Windows Defender updates downloaded manually, and via autoruns for Windows, all processes and files run by the Trojan were deleted. The whole process of identifying, containing, and disabling the malware took 6 weeks.

The attack was made possible through an attack on a single user, although it was the continued use of unsupported operating systems and software that made the malware attack so severe.

The attack shows why it is crucial to ensure that IT best practices are followed and why patching is so important. For that to happen, the IT department needs to have a complete inventory of all devices and needs to make sure that each one is updated.

While Microsoft released a patch to correct the flaw in SMBv1 that was exploited through EternalBlue, the vulnerable Windows XP devices were not updated, even though Microsoft had released an update for the unsupported operating system in the spring of 2017.

Additional Protection is Required for Office 365 Inboxes

The attack also shows how the actions of a single user can have grave repercussions. By blocking malicious emails at source, attacks such as this will be much harder to pull off. While Office 365 spam filtering controls block many email-based threats, even with Microsoft’s Advanced Threat Protection many emails slip through and are delivered to inboxes.

Hackers can also see whether Office 365 is being used as it is broadcast through DNS MX records, which allows them to target Office 365 users and launch attacks.

Due to the additional cost of APT, the lack of flexibility, and the volume of malicious emails that are still delivered to inboxes, many businesses have chosen to implement a more powerful spam filtering solution on top of Office 365.

One such solution that has been developed to work seamlessly with Office 365 to improve protection against email threats is SpamTitan.

You can find out more about how SpamTitan improves protection for Office 365 in this article – Protecting Office 365 from Attack.

Sextortion Scams Now Combine Threat of Exposure with Multiple Malware Infections

Sextortion scams have proven popular with cybercriminals this year. A well written email and an email list are all that is required. The latter can easily be purchased for next to nothing via darknet marketplaces and hacking forums. Next to no technical skill is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are effective.

Many sextortion scams use the tried and tested technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made. Some of the recent sextortion scams have added credibility by claiming to have users’ passwords. However, new sextortion scams have been detected in the past few days that are using a different tactic to get users to pay up.

The email template used in this scam is similar to other recent sextortion scams. The scammers claim to have a video of the victim viewing adult content. The footage was recorded through the victim’s webcam and has been spliced with screenshots of the content that was being viewed at the time.

In the new campaign the email contains the user’s email account in the body of the email, a password (Most likely an old password compromised in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see exactly what will soon be distributed via email and social media networks.

Clicking the link in the video will trigger the downloading of a zip file. The compressed file contains a document including the text of the email along with the supposed video file. That video file is actually an information stealer – The Azorult Trojan.

This form of the scam is even more likely to work than past campaigns. Many individuals who receive a sextortion scam email will see it for what it really is: A mass email containing an empty threat. However, the inclusion of a link to download a video is likely to see many individuals download the file to find out if the threat is real.

If the zip file is opened and the Azorult Trojan executed, it will silently collect information from the user’s computer – Similar information to what the attacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank credentials.

However, it doesn’t end there. The Azorult Trojan will also download a secondary payload: GandCrab ransomware. Once information has been collected, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up and not also encrypted by the ransomware. Aside from permanent file loss, the only other alternative will be to pay a sizeable ransom for the key to decrypt the files.

If the email was sent to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. Since a record of the original email will have been extracted on the device, the reason why the malware was installed will be made clear to the IT department.

The key to not being scammed is to ignore any threats sent via email and never click links in the emails nor open email attachments.

Businesses can counter the threat by using cybersecurity solutions such as spam filters and web filters. The former prevents the emails from being delivered while the latter blocks access to sites that host malware.

Warning About Uptick in Holiday Season Gift Card Scams

The search for Christmas gifts can be a difficult process. All too often that search proves to be unfruitful and consumers opt to buy gift cards instead. At least with a gift card you can be sure that your friends and family members will be able to buy a gift that they want; however, beware of holiday season gift card scams. Many threat actors are using gift cards as the lure to fool end users into installing malware or parting with sensitive information.

Holiday Season Sees Marked Increase Gift Card Phishing Scams

Holiday season gift card scams are commonplace, and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

Everyone loves a bargain and the offer of something for nothing may be too hard to resist. Many people fall for these scams which is why threat actors switch to gift card scams around this time of year.

Consumers can be convinced to part with credit card details, but businesses too are at risk. Many of these campaigns are conducted to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will likely pay the price.

This year has seen many businesses targeted with gift card scams. Figures from Proofpoint suggest that out of the organizations that have been targeted with email fraud attacks, almost 16% had experienced a gif card-themed attack: Up from 11% in Q2, 2018.

This year has also seen an increase in business email compromise (BEC) style tactics, with emails appearing to have been sent from within a company. The emails claim to have been sent from the CEO (or another executive) requesting accounts and administration staff purchase gift cards for clients or ask for gift cards be purchased to be used for charitable donations.

To reduce the risk from gift card scams and other holiday-themed phishing emails, businesses need to ensure they have powerful spam filtering technology in place to block the emails at source and prevent them from being delivered to inboxes.

Advanced Anti-Phishing protection for Office 365

Many businesses use Office 365, but even Microsoft’s anti-phishing protections see many phishing emails slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing controls, emails still make it past Microsoft’s filters.

To block these malicious messages, an advanced third-party spam filter is required. SpamTitan has been developed to work seamlessly with Office 365 to improved protection against malware, phishing emails, and more sophisticated phishing attacks.

SpamTitan blocks more than 99.9% of spam email, while dual anti-virus engines block 100% of known malware. What really sets SpamTitan in a different class is the level of protection it offers against new threats. A combination of Bayesian analysis, greylisting, machine learning, and heuristics help to identify zero-day attacks, which often slip past Office 365 defenses.

If you want to improve protection from email-based attacks and reduce the volume of spam and malicious messages that are being delivered to Office 365 inboxes, give TitanHQ a call today and book a product demonstration to see SpamTitan in action. You can sign up for a free trial of SpamTitan to test the solution in your own environment and see for yourself the difference it makes.

Phishing Attacks on Retailers and Food Industry Install Remote Access Trojans

There has been an increase in phishing attacks on retailers, supermarket chains, and restaurants in recent weeks. The aim of the phishing attacks is to deliver remote access Trojans and remote manipulator software to gain persistent access to computers and, ultimately, obtain banking credentials and sensitive customer data on POS systems.

Several new campaigns have been detected in recent weeks targeting retail and food sector companies, both of which are well into the busiest time of the year. With employees working hard, it is likely that less care will be taken opening emails which gives cybercriminals an opportunity.

PUB Files Used in Phishing Attacks on Retailers

Over the past few weeks, security researchers have noted an uptick in phishing attacks on retailers, with one threat group switching to using.pub files to install malware. Many phishing attacks use Word documents containing malicious macros. The use of macros with .pub files is relatively uncommon. The change to this new attachment type may fool employees, as they will be less likely to associate these files with cyberattacks.

Social engineering techniques are used to fool end users into opening the files, with the .pub files masquerading as invoices. Many emails have been intercepted that appear to have been sent from within a company, which helps to make the files appear genuine.

If opened, the .pub files, via malicious macros, run Microsoft Installer (MSI) files that deliver a remote access Trojan. Since these installers will most likely be familiar to end users, they may not realize the installers are malicious. Further, the MSI files are time delayed so they do not run immediately when the .pub files are opened, increasing the probability that the RAT downloads will go unnoticed.

The TA505 threat group is using this tactic to install the FlawedAmmy remote access Trojan and other malicious payloads such as Remote Manipulator System (RMS) clients.

The phishing emails used to deliver these malicious files are targeted and tailored to a specific business to increase the likelihood of success. These targeted spear phishing attacks are now becoming the norm, as threat actors move away from the spray and pray tactics of old.

Cape Cod Community College Phishing Attack Results in Theft of More Than $800,000

Phishing attacks on retailers have increased, but other industries are also at risk. Educational institutions are also prime targets, as has been highlighted by a recent phishing attack on Cape Cod Community College.

The Cape Cod Community College phishing attack involved sophisticated messages that delivered malware capable of evading the college’s anti-virus software. The malware was used to obtain the banking credentials of the college, and once those credentials had been obtained, the hackers proceeded to make fraudulent transfers and empty bank accounts. Transfers totaling $807,130 were made, and so far, the college and its bank have only been able to recover $278,887.

All too often, fraudulent transfers are not detected quickly enough to recover any funds. Once the transfers have cleared the attacker-controlled bank accounts are emptied, after which the probability of recovering funds falls to near zero.

Defense in Depth the Key to Phishing Protection

Email is the primary vector used to phish for sensitive information and deliver malware to businesses. Regardless of whether businesses use local email systems or cloud-based email services such as Office 365, advanced spam filtering controls are required to block threats. For instance, SpamTitan blocks more than 99.9% of spam email and 100% of known malware. SpamTitan also uses heuristics, machine learning, and Bayesian analysis to identify previously unseen threats – One of the areas of weakness of Office 365’s anti-phishing defenses.

Network segmentation is also essential. Critical services must be separated to ensure that the installation of malware or ransomware on one device will not allow the attackers to gain access to the entire network. This is especially important for retailers and other businesses with POS systems. Network segmentation will help to keep POS systems and the financial data of customers secure.

Advanced endpoint protection solutions offer far greater protection than standard antivirus solutions and are less reliant on malware signatures. Standard AV solutions will only block known malware. With standard AV solutions, new malware variants can easily slip through the net.

End user security awareness training should be mandatory for all employees and training needs to be a continuous process. A once a year training session is no longer sufficient. Regular training throughout the year is required to ensure employees are made aware of the latest threats and tactics being used to gain access to login credentials and install malware.

For further information on improving email security to improve protection against phishing attacks, contact the TitanHQ team today.

Flash Player Vulnerability Being Actively Exploited via Spear Phishing Campaign

Adobe has issued an unscheduled update to correct flaws in Adobe Flash Player, including a zero-day vulnerability that is currently being exploited in the wild by an APT threat group on targets in Russia. One target was a Russian healthcare facility that provides medical and cosmetic surgery services to high level civil servants of the Russian Federation.

The zero-day flaw is a use-after-free vulnerability – CVE-2018-15982 – which allows arbitrary code execution and privilege execution in Flash Player. A malicious Flash object runs malicious code on a victim’s computer which gives command line access to the system.

The vulnerability was discovered by security researchers at Gigamon ATR who reported the flaw to Adobe on November 29. Researchers at Qihoo 360 identified a spear phishing campaign that is being used to deliver a malicious document and associated files that exploit the flaw. The document used in the campaign was a forged employee questionnaire.

The emails included a .rar compressed file attachment which contained a Word document, the vulnerability, and the payload. If the .rar file is unpacked and the document opened, the user is presented with a warning that the document may be harmful to the computer. If the content is enabled, a malicious command is executed which extracts and runs the payload – A Windows executable file named backup.exe that is disguised as an NVIDIA Control Panel application. Backup.exe serves as a backdoor into a system. The malicious payload collects system information which is sent back to the attackers via HTTP POST. The payload also downloads and executes shell code on the infected device.

Qihoo 360 researchers have named the campaign Operation Poison Needles due to the identified target being a healthcare clinic. While the attack appears to be politically motivated and highly targeted, now that details of the vulnerability have been released it is likely that other threat groups will use exploits for the vulnerability in more widespread attacks.

It is therefore important for businesses that have Flash Player installed on some of their devices to update to the latest version of the software as soon as possible. That said, uninstalling Flash Player, if it is not required, is a better option given the number of vulnerabilities that are discovered in the software each month.

The vulnerability is present in Flash Player 31.0.0.153 and all earlier versions. Adobe has corrected the flaw together with a DLL hijacking vulnerability in version 32.0.0.101.

TrickBot Malware Updated with POS Data Stealing Capabilities

A new module has been added to TrickBot malware that adds point-of-sale (POS) data collection capabilities.

TrickBot is a modular malware that is being actively developed. In early November, TrickBot was updated with a password stealing module, but the latest update has made it even more dangerous, especially for hotels, retail outlets, and restaurants: Businesses that process large volumes of card payments.

The new module was identified by security researchers at Trend Micro who note that, at present, the module is not being used to record POS data such as credit/debit card numbers. Currently, the new TrickBot malware module is only collecting data about whether an infected device is part of a network that supports POS services and the types of POS systems in use. The researchers have not yet determined how the POS information will be used, but it is highly likely that the module is being used for reconnaissance. Once targets with networks supporting POS systems have been identified, they will likely be subjected to further intrusions.

The new module, named psfin32, is similar to a previous network domain harvesting module, but has been developed specifically to identify POS-related terms from domain controllers and basic accounts. The module achieves this by using LDAP queries to Active Directory Services which search for a dnsHostName that contains strings such as ‘pos’, ‘retail’, ‘store’, ‘micros’, ‘cash’, ‘reg’, ‘aloha’, ‘lane’, ‘boh’, and ‘term.’

The timing of the update, so close to the holiday period, suggests the threat actors are planning to take advantage of the increase in holiday trade and are gathering as much information as possible before the module is used to harvest POS data.

The recent updates to TrickBot malware have been accompanied by a malicious spam email campaign (identified by Brad Duncan) which is targeting businesses in the United States. The malspam campaign uses Word documents containing malicious macros that download the TrickBot binary.

Protecting against TrickBot and other information stealing malware requires a defense-in-depth approach to cybersecurity. The main attack vector used by the threat actors behind TrickBot is spam email, so it is essential for an advanced anti-spam solution to be deployed to prevent malicious messages from being delivered to end users’ inboxes. End user training is also essential to ensure employees are made aware of the danger of opening emails from unknown senders, launching suspicious email attachments, and clicking hyperlinks in those messages.

Antivirus solutions and endpoint security controls should also be deployed to identify and quarantine potentially malicious files in case malware makes it past perimeter defenses.

HTTPS Phishing Websites Now Account for Half of All Phishing Sites

There has been a steady increase in HTTPS phishing websites over the past couple of years, mirroring the transition from HTTP to HTTPS on commercial websites. HTTPS sites are those that have SSL/TLS certificates and display a green padlock next to the URL. The green padlock is an indicator of site security. It confirms to website visitors that the connection between their browser and the website is encrypted. This provides protection against man-in-the-middle attacks by ensuring data sent from the browser to the website cannot be intercepted and viewed by third parties.

HTTPS websites are now used by a large number of businesses, especially e-commerce website owners. This has become increasingly important since search engines such as Google Chrome provide clear indications to Internet users that sites may not be secure if the connection is not encrypted.

This is all good of course, but there is one caveat. Users have been told to look for the green padlock to make sure a site is secure, but the green padlock is viewed by many Internet users as a sign that the site is secure and legitimate. While the former is true, the latter is not. The green padlock does not mean that the site is genuine and just because it is displayed next to the URL it does not mean the site is safe.

If the website is controlled by a cybercriminal, all the green padlock means is that other cybercriminals will not be able to intercept data. Any information entered on the website will be divulged to the criminal operating that site.

It stands to reason for HTTPS phishing websites to be used. If Internet users are aware that HTTPS means insecure, they will be less likely to enter sensitive information if the green padlock is not present. Unfortunately, free SSL certificates can easily be obtained to turn HTTP sites into HTTPS phishing websites.

According to PhishLabs, back in Q1, 2016, fewer than 5% of phishing websites used HTTPS. By Q3, 2016, the percentage started to rise sharply. By Q1, 2017, the percentage had almost reached 10%, and by Q3, 2017, a quarter of phishing websites were using HTTPS. The 30% milestone was passed around Q1, 2018, and at the end of Q3, 2018, 49% of all phishing sites were using HTTPS.

A PhishLabs survey conducted late last year clearly highlighted the lack of understanding of the meaning of the green padlock. 63% of consumers surveyed viewed the green padlock as meaning the website was legitimate, and 72% saw the website as being safe. Only 18% of respondents correctly identified the green padlock as only meaning communications with the website were encrypted.

It is important for all Internet users to understand that HTTPS phishing websites not only exist, but before long the majority of phishing websites will be on HTTPS and displaying the green padlock. A conversation about the true meaning of HTTPS is long overdue and it is certainly something that should be covered in security awareness training sessions.

It is also now important for businesses to deploy a web filtering solution that is capable of SSL inspection – The decryption, scanning, and re-encryption of HTTPS traffic to ensure that access to these malicious websites is blocked. In addition to reading content and assessing websites to determine whether they are malicious, SSL inspection ensures site content can be categorized correctly. This ensures that sites that violate a company’s acceptable usage policies are blocked.

There is a downside to using SSL inspection, and that is the strain placed on CPUs and a reduction in Internet speeds. SSL inspection is therefore optional with many advanced web filters. To ensure that the strain is reduced, IT teams should use whitelisting to prevent commonly used websites from being subjected to SSL filtering.

WebTitan Includes SSL Filtering to Block HTTPS Phishing Websites

WebTitan is a powerful web filtering solution for SMBs and managed service providers (MSPs) that provides protection against web-based threats. There are three products in the WebTitan family – WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for Wi-Fi; all of which include SSL filtering as standard. If SSL filtering is activated, users will be protected against HTTPS phishing websites and other malicious sites that have SSL certificates.

All WebTitan products can be installed in minutes, require no technical knowledge, and have been designed to be easy to use. An intuitive user interface places all information, settings, and reports at users’ fingertips which makes for easy enforcement of acceptable Internet usage polices and fast reporting to identify potential issues – employees browsing habits and users that are attempting to bypass filtering controls for instance.

Whether you are an MSP that wants to start offering web filtering to your clients or a SMB owner that wants greater protection against web-based threats, the WebTitan suite of products will provide all the features you need and will allow you to improve security and employee productivity, reduce legal liability, and create a safe browsing environment for all users of your wired and wireless networks.

For further information on WebTitan, details of pricing, web filtering advice, to book a product demonstration, or to register for a free trial of the product, contact TitanHQ today.

 

Beware of this California Wildfire Scam

A California wildfire scam is circulating that requests donations to help the victims of the recent wildfires. The emails appear to come from the CEO of a company and are directed at its employees in the accounts and finance department.

It should come as no surprise that cybercriminals are taking advantage of yet another natural disaster and are attempting to con people into giving donations. Scammers often take advantage of natural disasters to pull on the heart strings and defraud businesses. Similar scams were conducted in the wake of the recent hurricanes that hit the United States and caused widespread damage.

The California wildfire scam, identified by Agari, is a form of business email compromise (BEC) attack. The emails appear to have been sent by the CEO of a company, with his/her email address used to send messages to company employees. This is often achieved by spoofing the email address although in some cases the CEO’s email account has been compromised and is used to send the messages.

The California wildfire scam contains one major red flag. Instead of asking for a monetary donation, the scammers request money in the form of Google play gift cards. The messages request the redemption codes be sent back to the CEO by return.

The emails are sent to employees in the accounts and finance departments and the emails request that the money be sent in 4 x $500 denomination gift cards. If these are sent back to the CEO, he/she will then forward them on to company clients that have been affected by the California wildfires.

The reason Google play gift cards are requested is because they can easily be exchanged on darknet forums for other currencies. The gift cards are virtually impossible to trace back to the scammer.

The messages are full of grammatical errors and spelling mistakes. Even so, it is another sign that the messages are not genuine. However, scams such as this are sent because they work. Many people have been fooled by similar scams in the past.

Protecting against scams such as this requires a combination of technical controls, end user training, and company policies. An advanced spam filtering solution should be used – SpamTitan for instance – to prevent messages such as these from reaching inboxes. SpamTitan checks all incoming emails for spam signatures and uses advanced techniques such as heuristics, machine learning, and Bayesian analysis to identify advanced and never-before-seen phishing attacks.

End user training is essential for all employees, especially those with access to corporate bank accounts. Those individuals are often targeted by scammers. Policies should be introduced that require all requests for changes to bank accounts, atypical payment requests, and wire transfers above a certain threshold to be confirmed by phone or in person before they are authorized.

A combination of these measures will help to protect businesses from BEC attacks and other email scams.

Stealthy Cannon Trojan Being Distributed Through Lion Air Spear Phishing Campaign

A previously unseen malware variant, dubbed the Cannon Trojan, is being used in targeted attacks on government agencies in the United States and Europe. The new malware threat has been strongly linked to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednet, Strontium – that has links to the Russian government.

The Cannon Trojan is being used to gather information on potential targets, collecting system information and taking screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of installing further malware variants onto a compromised system.

The new malware threat is stealthy and uses a variety of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates via email over SMTPs and POP3S.

Once installed, an email is sent over SMTPS through port 465 and a further two email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 is not unknown, it is relatively rare. One advantage offered by this method of communication is it is more difficult to identify and block that HTTP/HTTPS.

The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being distributed via spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.

The Lion Air spear phishing campaign appears to provide information on the victims of the crash, which the email claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to view the contents of the document. It is claimed that the document was created in an earlier version of Word and content must be enabled for the file to be displayed. Opening the email and enabling content would trigger the macro to run, which would then silently download the Cannon Trojan.

Rather than the macro running and downloading the payload straightaway, as an anti-analysis mechanism, the attackers use the Windows AutoClose tool to delay completion of the macro routine until the document is closed. Only then is the Trojan downloaded. Any sandbox that analyzes the document and exits before closing the document would be unlikely to identify it as malicious. Further, the macro will only run if a connection with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The techniques used by the attackers to obfuscate the macro and hide communications make this threat difficult to detect. The key to preventing infection is blocking the threat at source and preventing it from reaching inboxes. The provision of end user training to help employees identify threats such as emails with attachments from unknown senders is also important.

Enhance Protection Against Zero-Day Malware and Spear Phishing

TitanHQ has developed a powerful anti-phishing and anti-spam solution that is effective at blocking advanced persistent threats and zero-day malware, which does not rely on signature-based detection methods. While dual anti-virus engines offer protection against 100% of known malware, unlike many other spam filtering solutions, SpamTitan uses a variant of predictive techniques to identify previously unseen threats and spear phishing attacks.

Greylisting is used to identify domains used for spamming that have yet to be blacklisted. All incoming emails are subjected to Bayesian analysis, and heuristics are used to identify new threats.

To further protect against phishing attacks, URIBL and SURBL protocols are used to scan embedded hyperlinks. SpamTitan also scans outbound mail to prevent abuse and identify attempted data theft.

For further information on SpamTitan, to book a product demonstration, or to sign up for a free trial of the full product, contact the TitanHQ team today.

Thanksgiving Themed Spam Emails Used to Spread Emotet Malware

There has been an increase in malspam campaigns spreading Emotet malware in recent weeks, with several new campaigns launched that spoof financial institutions – the modus operandi of the threat group behind the campaigns.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is downloaded. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website where the Word document is downloaded.

Various social engineering tricks have been used in these campaigns. One new tactic that was identified by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email appear benign.

According to Cofense, the campaign delivers Emotet malware, although Emotet in turn downloads a secondary payload. In past campaigns, Emotet has been delivered along with ransomware. First, Emotet steals credentials, then the ransomware is used to extort money from victims. In the latest campaign, the secondary malware is the banking Trojan named IcedID.

A further campaign has been detected that uses Thanksgiving themed spam emails. The messages appear to be Thanksgiving greetings for employees, and similarly contain a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to aid the deception and include the user’s name. In this campaign, while the document downloaded appears to be a Word file, it is actually an XML file.

Emotet malware has been updated recently. In addition to stealing credentials, a new module has been added that harvests emails from an infected user. The previous 6 months’ emails – which include subjects, senders, and message content – are stolen. This new module is believed to have been added to improve the effectiveness of future phishing campaigns, for corporate espionage, and data theft.

The recent increase in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind these campaigns, highlight the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide protection against email attacks.

Phishing campaigns target a weak link in security defenses: Employees. It is therefore important to ensure that all employees with corporate email accounts are taught how to recognize phishing threats. Training needs to be ongoing and should cover the latest tactics used by cybercriminals to spread malware and steal credentials. Employees are the last line of defense. Through security awareness training, the defensive line can be significantly strengthened.

As a frontline defense, all businesses and organizations should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is required to provide protection against more sophisticated email attacks.

SpamTitan is an advanced email filtering solution that uses predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

In addition to scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to identify emerging threats. Greylisting is used to identify and block large scale spam campaigns, such as those typically conducted by the threat actors spreading banking Trojans and Emotet malware.

How SpamTitan Spam Filtering Works

How SpamTitan Protects Businesses from Email Threats

A web filter – such as WebTitan – adds an additional layer of protection against web-based attacks by preventing end users from visiting malicious websites where malware is downloaded. A web filter assesses all attempts to access web content, checks sites against blacklists, assesses the domain, scans web content, and blocks access to sites that violate its policies.

For further information on how you can improve your defenses against web-based and email-based attacks and block malware, ransomware, botnets, viruses, phishing, and spear phishing attacks, contact TitanHQ today.

How to Improve the Office 365 Spam Filter

Office 365 has many benefits, so it is no surprise that it is proving so popular with businesses, but one common complaint is the number of spam and malicious emails that sneak past Microsoft’s defenses. If you have a problem with spam and phishing emails, there is an easy solution to improve the Office 365 spam filter.

Office 365 Email Protection

More than 135 million commercial users are now on Office 365. Unfortunately, the popularity of Office 365 has made it a target for hackers. Microsoft has been proactively taking steps to improve the Office 365 spam filter to make it more effective at blocking spam and phishing attempts. Office 365 phishing protections have been improved and more malicious emails are now being blocked; however, even with the recent anti-phish enhancements, many businesses still have to deal with spam, phishing emails, and other malicious messages.

Businesses using Office 365 as a hosted email solution are likely to have their email filtered using Exchange Online protection or EOP. EOP does provide a decent level of protection and blocks spam, phishing emails, and malware. Osterman Research confirmed that EOP eliminates 100% of known malware and blocks 99% of spam email but struggles with the last 1%. Many businesses have found that EOP blocks basic phishing attacks but comes up short at blocking more advanced email threats such as spear phishing and advanced persistent threats.

To improve the Office 365 spam filter, it is necessary to upgrade to Advanced Threat Protection, the second level of protection offered with Office 365. The level of protection is much better, although Advanced Threat Protection cannot identify zero-day threats and falls short of many third-party solutions on blocking other advanced threats. A SE Labs study in the summer of 2017 found that even with the additional level of protection, which is only available in the Office 365 E5 license tier, protection only ranked in the low-middle of the market.

The number of cases of hackers exploiting vulnerabilities in Office 365 and the volume of direct attacks on Office 365 users has seen an increasing number of businesses looking for a way to improve the Office 365 spam filter further.

An Easy Way to Improve the Office 365 Spam Filter

Businesses that want to further improve the Office 365 spam filter (and those looking for an Office 365 Advanced Threat Protection alternative) need to consider implementing a third-party anti-spam solution.

Fortunately, there is a solution that will not only improve Office 365 spam filtering, it is quick and easy to implement, requires no software downloads, and no hardware purchases are necessary. In fact, it can be implemented, configured, and be up and running in a few minutes.

SpamTitan is a powerful cloud-based email security solution that has been developed to provide superior protection against spam, phishing, malware, zero-day attacks, and data loss via email.

In contrast to Office 365, SpamTitan uses predictive techniques such as Bayesian analysis, machine learning, and heuristics to block zero-day attacks, advanced persistent threats, new malware variants, and new spear phishing methods.

SpamTitan searches email headers, analyzes domains, and scans email content to identify phishing threats. Embedded hyperlinks, including shortened URLs, are scanned in real time and subjected to URL multiple reputation checks, while dual antivirus engines scan and block 100% of known malware.

SpamTitan also incorporates data loss prevention tools for emails and attachments, which are not available with EOP. Users can create tags for keywords and data elements such as Social Security numbers to protect against theft by insiders. SpamTitan also serves as a backup for your mail server to ensure business continuity.

With SpamTitan you get a greater level of protection against spam and malicious emails, a higher spam catch rate (over 99.9%), greater granularity, improved control over outbound email, and better business continuity protections.

If you have transitioned to Office 365 yet are still having problems with spam, phishing, and other malicious emails or if you are an MSP that wants to offer clients enhanced Office 365 email security, contact the TitanHQ team today.

The TitanHQ team will be happy to schedule a product demonstration and help you put SpamTitan through the paces in your own environment in a no-obligation free trial.

How Can MSPs Make Office 365 More Profitable?

Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.

Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.

Benefits for MSPs from Offering Office 365 to Clients

SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.

MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.

MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.

By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.

How MSPs Can Make Office 365 More Profitable

The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.

The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.

One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.

Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support.

There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location.

Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself. Consequently, Office 365 security should be an easy sell.

Office 365 MSP Add-ons from TitanHQ

For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ MSP Alliance Program.

All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable.

To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ MSP Alliance Program team today and take the first step toward making Office 365 more profitable.

New Dharma Ransomware Variant Detected

A new Dharma ransomware variant has been developed that is currently evading detection by the majority of antivirus engines. According to Heimdal Security, the latest Dharma ransomware variant captured by its researchers was only detected as malware by one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) first appeared in 2006 and is still being developed. This year, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been detected.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been developed, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete.  Infection with the latest variants of the ransomware threat only give victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The latter is not an option given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can delete shadow copies. Payment of a ransom is not advised as there is no guarantee that files can or will be decrypted.

Protecting against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly conducted via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and via email malspam campaigns.

The latest Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections occur via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is obtained, the malicious payload is deployed.

While it is not exactly clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To protect against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block login attempts after a set number of failures.

Naturally, good backup policies are essential. They will ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy stored securely off site.

To protect against email-based attacks, an advanced spam filter is required. Spam filters that rely on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are essential.

SpamTitan can improve protection for businesses through combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been uploaded to AV engines.

For further information on SpamTitan and protecting your email gateway from ransomware attacks and other threats, speak to TitanHQ’s security experts today.

What are the Top Phishing Lures of 2018?

Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such as serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments and click on hyperlinks and visit phishing websites.

Phishing is the Biggest Security Threat Faced by Businesses

Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.

Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.

Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.

Top Phishing Lures of 2018

Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.

Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.

In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.

Top Phishing Lures on the Cofense Platform

Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.

Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned invoice in the subject line. The other three were also finance related: Payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.

The list of the top phishing lures from phishing simulations were also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.

Rank Phishing Subject/Theme Number of Reported Emails
1 Attached Invoice 4,796
2 Payment Notification 2,267
3 New Message in Mailbox 2,088
4 Online Order (Attachment) 679
5 Fax Message 629
6 Secure Message (MS Office Macro) 408
7 Online Order (Hyperlink) 399
8 Confidential Scanned document (Attachment) 330
9 Conversational Wire transfer (BEC Scam) 278
10 Bill Copy 251

 

Top Phishing Lures on the KnowBe4 Platform

KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing attempted on businesses that were reported to IT security departments.

The most common real-world phishing attacks in Q3 were:

Rank Subject
1 You have a new encrypted message
2 IT: Syncing Error – Returned incoming messages
3 HR: Contact information
4 FedEx: Sorry we missed you.
5 Microsoft: Multiple log in attempts
6 IT: IMPORTANT – NEW SERVER BACKUP
7 Wells Fargo: Irregular Activities Detected on Your Credit Card
8 LinkedIn: Your account is at risk!
9 Microsoft/Office 365: [Reminder]: your secured message
10 Coinbase: Your cryptocurrency wallet: Two-factor settings changed

 

The most commonly clicked phishing lures in Q3 were:

Rank Subject % of Emails Clicked
1 Password Check Required Immediately 34%
2 You Have a New Voicemail 13%
3 Your order is on the way 11%
4 Change of Password Required Immediately 9%
5 De-activation of [[email]] in Process 8%
6 UPS Label Delivery 1ZBE312TNY00015011 6%
7 Revised Vacation & Sick Time Policy 6%
8 You’ve received a Document for Signature 5%
9 Spam Notification: 1 New Messages 4%
10 [ACTION REQUIRED] – Potential Acceptable Use Violation 4%

 

The Importance of Blocking Phishing Attacks at their Source

If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.

Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.

SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.

SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to end spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.

Improve Office 365 Email Security with SpamTitan

There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.

Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.

To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.

New Office 365 Threat Uses Windows Components to Install Banking Trojans

A new Office 365 threat has been detected that stealthily installs malware by hiding communications and downloads by abusing legitimate Windows components.

New Office 365 Threat Uses Legitimate Windows Files to Hide Malicious Activity

The attack starts with malspam containing a malicious link embedded in an email. Various themes could be used to entice users into clicking the link, although one recent campaign masquerades as emails from the national postal service in Brazil.

The emails claim the postal service attempted to deliver a package, but the delivery failed as there was no one in. The tracking code for the package is included in the email and the user is requested to click the link in the email to receive the tracking information.

In this case, clicking the link will trigger a popup asking the user to confirm the download of a zip file, which it is alleged contains the tracking information. If the zip file is extracted, the user is required to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes a Windows Management Instrumentation (WMI) file: wmic.exe. This legitimate Windows file will be used to communicate with the attacker’s C2 server and will create a copy of another Windows file – certutil.exe in the %temp% folder with the name certis.exe. A script then runs which instructs the certis.exe file to connect to a different C2 server to download malicious files.

The aim of this attack is to use legitimate Windows files to download the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload undetected.

These Windows files have the capability to download other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users as other threat actors have also adopted this tactic to install malware.

Due to the difficultly distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an office 365 threat such as this is easiest at the initial point of attack: Preventing the malicious email from being delivered to an inbox and providing security awareness training to employees to help them identify this Office 365 threat. The latter is essential for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will prevent the last line of defense from being tested.

How to Block this Office 365 Threat with SpamTitan and Improve Email Security

Microsoft uses several techniques to identify malspam and prevent malicious messages from reaching users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still delivered.

To improve Office 365 security, a third-party spam filtering solution should be used. SpamTitan has been developed to allow easy integration into Office 365 and provides superior protection against a wide range of email threats.

SpamTitan uses a variety of methods to prevent malspam from being delivered to end users’ inboxes, including predictive techniques to identify threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and prevent malicious emails from reaching inboxes.

How SpamTitan Spam Filtering Works

How SpamTitan Protects Businesses from Email Threats

Security Solutions for MSPs to Block Office 365 Threats

Many MSPs resell Office 365 licenses to their customers. Office 365 allows MSPs to capture new business, but the margins are small. By offering additional services to enhance Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while improving the profitability of Office 365.

TitanHQ has been developing innovative email and web security solutions for more than 25 years. Those solutions have been developed from the ground up with MSPs for MSPs. Three solutions are ideal for use with Office 365 for compliance ad to improve security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.

By incorporating these solutions into Office 365 packages, MSPs can provide clients with much greater value as well as significantly boosting the profitability of offering Office 365.

To find out more about each of these solutions, speak to TitanHQ. The MSP team will be happy to explain how the products work, how they can be implemented, and how they can boost margins on Office 365.

Warning Issued After Increase in Phishing Attacks on Publishers and Literary Scouting Agencies

Financial institutions, healthcare organizations and universities have seen an increase in cyberattack in recent months, but there has also been an increase in phishing attacks on publishers and literary scouting agencies.

Any business that stores sensitive information that can be monetized is at risk of cyberattacks, and publishers and literary scouting agencies are no exception. Like any employer, scouting agencies and publishers store sensitive information such as bank account numbers, credit card details, Social Security numbers, contract information, and W-2 Tax forms, all of which carry a high value on the black market. The companies also regularly make wire transfers and are therefore targets for BEC scammers.

However, in a somewhat new development, there have been several reports of phishing attacks on publishers and literary scouting agencies that attempt to gain access to unpublished manuscripts and typescripts. These are naturally extremely valuable. If an advance copy of an eagerly awaited book can be obtained before it is published, there will be no shortage of fans willing to pay top dollar for a copy. Theft of manuscripts can result in extortion attempts with ransoms demanded to prevent their publication online.

2018 has seen a significant increase in phishing attacks on publishers and literary scouting agencies. Currently, campaigns are being conducted by scammers that appear to have a good understanding of the industry. Highly realistic and plausible emails are being to publishing houses and agencies which use the correct industry terminology, which suggests they are the work of an industry insider.

One current campaign is spoofing the email account of Catherine Eccles, owner of the international literary scouting agency Eccles Fisher.  Emails are being sent using Catherine Eccles’ name, and include her signature and contact information. The messages come from what appears to be her genuine email account, although the email address has been spoofed and replies are directed to an alternative account controlled by the scammer. The messages attempt to get other literary agencies to send manuscripts via email or disclose their website passwords.

An increase in phishing attacks on publishers on both sides of the Atlantic have been reported, with the threat already having prompted Penguin Random House North America to send out warnings to employees to alert them to the threat.  According to a recent report in The Bookseller, several publishers have been targeted with similar phishing schemes, including Penguin Random House UK and Pan Macmillan.

Protecting against phishing attacks requires a combination of technical solutions, policies and procedures, and employee training.

Publishers and scouting agencies should deploy software solutions that can block phishing attacks and prevent malicious emails from being delivered to their employees’ inboxes.

SpamTitan is a powerful anti-phishing tool that blocks 99.97% of spam emails and 100% of known malware. DMARC email-validation is incorporated to detect email spoofing and prevent malicious emails from reaching employees’ inboxes.

End user training is also essential to raise awareness of the risks of phishing. All staff should be trained how to recognize phishing emails and other email threats to ensure they do not fall for these email scams.

If you run a publishing house or literary scouting agency and are interested in improving your cyber defenses, contact the TitanHQ team today for further information on cybersecurity solutions that can improve your security posture against phishing and other email and web-based threats.

Cyberattacks on Universities Rise as Hackers Search for Valuable Research Data

Hackers have been going back to school and entering higher education. Quite literally in fact, although not through conventional channels. Entry is gained through cyberattacks on universities, which have increased over the course of the past 12 months, according to figures recently released by Kaspersky Lab.

Cyberattacks on Universities on the Rise

Credit cards information can be sold for a few bucks, but universities have much more valuable information. As research organizations they have valuable proprietary data. The results of research studies are particularly valuable. It may not be possible to sell data as quickly as credit cards and Social Security numbers, but there are certainly buyers willing to pay top dollar for valuable research. Nation state sponsored hacking groups are targeting universities and independent hacking groups are getting in on the act and conducting cyberattacks on universities.

There are many potential attack vectors that can be used to gain access to university systems. Software vulnerabilities that have yet to be patched can be exploited, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be conducted to guess passwords. However, phishing attacks on universities are commonplace.

Phishing is often associated with scams to obtain credit card information or login credentials to Office 365 accounts, with businesses and healthcare organizations often targeted. Universities are also in the firing line and are being attacked.

The reason phishing is so popular is because it is often the easiest way to gain access to networks, or at least gain a foothold for further attacks. Universities are naturally careful about guarding their research and security controls are usually deployed accordingly. Phishing allows those controls to be bypassed relatively easily.

A successful phishing attack on a student may not prove to be particularly profitable, at least initially. However, once access to their email account is gained, it can be used for further phishing attacks on lecturers for example.

Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to valuable research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide range of secondary attacks.

Email-based attacks can involve malicious attachments that deliver information stealing malware such as keyloggers, although many of the recent attacks have used links to fake university login pages. The login pages are exact copies of the genuine login pages used by universities, the only difference being the URL on which the page is located.

More than 1,000 Phishing Attacks on Universities Detected in a Year

According to Kaspersky Lab, more than 1,000 phishing attacks on universities have been detected in the past 12 months and 131 universities have been targeted. Those universities are spread across 16 countries, although 83/131 universities were in the United States.

Preventing phishing attacks on universities, staff, and students requires a multi layered approach. Technical controls must be implemented to reduce risk, such as an advanced spam filter to block the vast majority of phishing emails and stop them being delivered to end users. A web filtering solution is important for blocking access to phishing websites and web pages hosting malware. Multi-factor authentication is also essential to ensure that if account information is compromised or passwords are guessed, an additional form of authentication is required to access accounts.

As a last line of defense, staff and students should be made aware of the risk from phishing. Training should be made available to all students and cybersecurity awareness training for researchers, lecturers, and other staff should be mandatory.

Spear Phishing Attack Results in $16 Million Anthem Data Breach Settlement

In 2015, Anthem Inc., experienced a colossal data breach. 78.8 million health plan records were stolen. This year, the health insurer settled a class action data breach for $115 million and OCR has now agreed a $16 million Anthem data breach settlement.

It Started with a Spear Phishing Email…

The Anthem data breach came as a huge shock back in February 2015, due to the sheer scale of the breach. Healthcare data breaches were common, but the Anthem data breach in a different league.

Prior to the announcement, the unenviable record was held by Science Applications International Corporation, a vendor used by healthcare organizations, that experienced a 4.9 million record breach in 2011. The Anthem data breach was on an entirely different scale.

The hacking group behind the Anthem data breach was clearly skilled. Mandiant, the cybersecurity firm that assisted with the investigation, suspected the attack was a nation-state sponsored cyberattack. The hackers managed to gain access to Anthem’s data warehouse and exfiltrated a huge volume of data undetected. The time of the initial attack to discovery was almost a year.

While the attack was sophisticated, a foothold in the network was not gained through an elaborate hack or zero-day exploit but through phishing emails.

At least one employee responded to a spear phishing email, sent to one of Anthem’s subsidiaries, which gave the attackers the entry point they needed to launch a further attack and gain access to Anthem’s health plan member database.

The Anthem Data Breach Settlement is the Largest Ever Penalty for a Healthcare Data Breach

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates healthcare data breaches that result in the exposure or theft of 500 or more records. An in-depth investigation of the Anthem breach was therefore a certainty given its scale. A penalty for non-compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules was a very likely outcome as HIPAA requires healthcare organizations to safeguard health data. The scale of the breach also made it likely that it would result in the largest ever penalty for a healthcare data breach.

Before the Anthem data breach settlement, the largest penalty for a healthcare data breach was $5.55 million, which was agreed between OCR and Advocate Health Care Network in 2016. The Anthem data breach settlement was almost three times that amount, which reflected the seriousness of the breach, the number of people impacted, and the extent to which HIPAA Rules were alleged to have been violated.

OCR alleged that Anthem Inc., had violated five provisions of HIPAA Rules, and by doing so failed to prevent the breach and limit its severity. The Anthem data breach settlement was however agreed with no admission of liability.

The regulatory fine represents a small fraction of the total cost of the Anthem data breach. On top of the Anthem data breach settlement with OCR, Anthem faced multiple lawsuits in the wake of the data breach. The consolidated class action lawsuit was settled by Anthem in January 2018 for $115 million.

The class action settlement document indicated Anthem had already paid $2.5 to consultants in the wake of the breach, $31 million was spent mailing notification letters, $115 million went on improvements to security, and $112 million was paid to provide identity theft protection and credit monitoring services to affected plan members.

With the $115 million class action settlement and the $16 million OCR settlement, that brings the total cost of the Anthem data breach to $391.5 million.

At $391.5 million, that makes this the most expensive healthcare phishing attack by some distance and the cost clearly highlights just how important it is to adopt a defense-in-depth strategy to protect against phishing attacks.

Iceland Police Spoofed in Sophisticated Phishing Scam

Police in Iceland have said a highly sophisticated phishing attack is the largest ever cyberattack the country has ever experienced. The campaign saw thousands of messages sent that attempted to get Icelanders to install a remote access tool that would give the attackers full access to their computers.

The software used in this campaign is a legitimate remote access tool called Remcos. Remcos is used to allow remote access to a computer, often for the purpose of providing IT support, for surveillance, or as an anti-theft tool for laptop computers. However, while it was developed for legitimate use, because it gives the administrator full control over the computer once installed, it has significant potential to be used for malicious purposes. Unsurprisingly, Remcos has been used by cybercriminals in several malware campaigns in the past, often conducted via spear phishing campaigns. One notable attack involved the spoofing of the Turkish Revenue Administration, Turkey’s equivalent of the IRS, to get the RAT installed to provide access to victim’s computers.

The use of Remcos for malicious purposes violates the terms and conditions of use. If discovered, the developer can block the customer’s license to prevent use of the software. However, during the time that Remcos is present on a system, considerable harm can be caused – sabotage, theft of sensitive information, installation of malicious software, and file encryption with ransomware to name but a few.

As was the case in Turkey, the phishing campaign in Iceland attempted to fool end users into installing the program through deception. In this case, the emails claimed to have come from the Icelandic Police. The emails used fear to get recipients of the message to click a link in the email and download the remote access tool.

The emails informed the recipients that they were required to visit the police for questioning. Urgency was added by informing the recipient of the message that an arrest warrant would be issued if they failed to respond. Clicking the link in the email directed the user to what appeared to be the correct website of the Icelandic police. The website was a carbon copy of the legitimate website and required the visitor to enter their Social Security number along with an authentication code sent in the email to find out more information about the police case.

In Iceland, Social Security numbers are often required on websites to access official services, so the request would not appear unusual. On official websites, Social Security numbers are checked against a database and are rejected if they are not genuine. In this case, the attacker was also able to check the validity of the SSN, which means access to a database had been gained, most likely an old database that had been previously leaked or the attacker may have had legitimate access and misused the database.

After entering the information, a password protected archive was downloaded which allegedly contained documents with details of the case. The webpage provided the password to unlock the password protected archive, which contained a .scr file disguised as a Word document.

In this case, the RAT was augmented with a VBS script to ensure it ran on startup. The RAT had keylogging and password stealing capabilities and was used to steal banking credentials. After gaining access to banking credentials, the information was sent back to command and control servers in Germany and the Netherlands.

While the campaign looked entirely legitimate, a common trick was used to fool recipients of the email, which number in the thousands. The domain used in the attack closely resembled the official police website, logreglan.is but contained a lower case i instead of the second l – logregian.is.  A casual glance at the sender of the email or the domain name in the address bar would unlikely reveal the domain was not genuine. Further, the link in the email replaced the lower case i with a capital I, which is almost impossible to distinguish from a lower-case L.

The Icelandic police responded quickly to the attack and the malicious domain was taken down the following day. It is unknown how may people fell for the scam.

New Sextortion Scam: Emails Appear to Have Been Sent from User’s Email Account

A new sextortion scam has been detected that attempts to fool the recipient of the message into believing their email account has been compromised and that their computer is under full control of the attacker.

The scammers spoof the user’s email address so that it appears that the message has been sent from the user’s email account – The sender and the recipient names are identical.

A quick and easy check that can be performed to determine whether the sender name displayed is the actual account that has been used to send the email is to click forward. When this is done, the display name is shown, but so too is the actual email address that the message has been sent from. In this case, that check fails making it seem that the user’s email account has actually been compromised.

The messages used in this campaign attempt to extort money by suggesting the hacker has gained access to the user’s computer by means of a computer virus. It is claimed that the virus gives the attacker the ability to monitor the user’s internet activities in real time and use the computer’s webcam to record the user.

The attacker claims that the virus was downloaded to the computer as a result of the user visiting an adult website and that while viewing internet pornography the webcam was active and recording. “Your tastes are so weird,” states the scammer in the email.

The scammer claims that they will synch the webcam footage with the content that the user was viewing and send a copy of the video to all the user’s partner, friends, and relatives. It is claimed that all the user’s accounts have been compromised. The message also includes an example of one of the user’s passwords.

While it is extremely unlikely that the password supplied in the email is valid for any of the user’s account, the message itself will still be chilling for some individuals and will be enough to get them to make the requested payment of $800 to have the footage deleted.

However, this is a sextortion scam where the attackers have no leverage as there is no virus and no webcam footage. However, it is clear that at least some recipients were not willing to take a chance.

According to security researcher SecGuru, who received a version of the email in Dutch and found a similar English language version, the Bitcoin account used by the scammer had received payments of 0.37997578 Bitcoin – $3,500 – in the first two days of the campaign.  Now 7 days after the first payment was made, the earnings have risen to 1.1203 Bitcoin – $6,418 – with 15 individuals having paid.

This scam will no doubt be familiar to viewers of Black Mirror, a recent episode of which covered a very similar sextortion scam.

This tactic is nothing new. Many similar scams have been conducted in the past and many more will be in the future. What makes this campaign more chilling is the apparent hijacking of the email account and the highly effective spoofing.

A similar sextortion scam was conducted in the summer which also had an interesting twist. It used an old password for the account that had been obtained from a data dump. In that case, the password was real, at least at some point in the past, which made the scam seem genuine.

Office 365 Phishing Attacks Are Abusing Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are commonplace, highly convincing, and Office 365 spam filtering controls are easily being bypassed by cybercriminals to ensure messages reach inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SLL certificates to convince users the websites are genuine.

Office 365 Phishing Attacks Can Be Difficult to Identify

In the event of a phishing email making it past perimeter defenses and arriving in an inbox, there are several tell-tale signs that the email is not genuine.

There are often spelling mistakes, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails and they are often virtually indistinguishable from genuine communications from the brand they are spoofing. In terms of formatting, they are carbon copies of genuine emails complete with the branding, contact information, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is requested to take are perfectly plausible.

Hyperlinks are contained in emails that direct users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually further signs that all is not as it seems. A warning may flash up that the website may not be genuine, the website may start with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.

Even these tell-tale signs are not always there, as has been shown is several recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Microsoft Azure Blog Storage Phishing Scam

One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use HTTP and HTTPS, the phishing campaign uses the latter, which will show a signed SSL certificate from Microsoft.

In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted document. In this case, the document appears to be from a Denver law firm. Clicking the button directs the user to an HTML page hosted on Azure blog storage that requires Office 365 credentials to be entered to view the document. Since the document is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft adding legitimacy to the scam.

Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.

CloudFlare IPFS Gateway Abused

A similar campaign has been detected that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser. When connecting to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this case, the login requires information to be entered including username, password, and recovery email address and phone number – which will be forwarded to the attacker, while the user will be directed to a PDF file unaware that their credentials have been stolen.

Office 365 Phishing Protections are Insufficient

Office 365 users are being targeted by cybercriminals as they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for protection. With only the basic Exchange Online Protection, the protection was worse still.

Whether you run an SMB or a large enterprise, you are likely to receive high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be fooled. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater protection.

How to Make Office 365 More Secure

While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats such as spear phishing.

Office 365 does not have the same level of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.

To greatly improve protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to ensure malicious messages are blocked or quarantined rather than being delivered to end users’ inboxes. Some of the additional protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:

To find out more about making Office 365 more secure and how SpamTitan can benefit your company, contact TitanHQ. Our highly experienced sales consultants will be able to advise you on the full range of benefits of SpamTitan, the best deployment option, and can offer you a free trial to allow you to personally evaluate the solution before committing to a purchase.

Ransomware is Still the Main Malware Threat Warns Europol

Cybercriminals have turned to cryptocurrency mining malware as an easy, low-risk way of making money although ransomware is still the main malware threat according to Europol.

While it was common for large-scale spam email campaigns to be sent to random recipients to spread ransomware, tactics used to infect devices with the file-encrypting malware are changing.

There has been a decline in the use of ‘spray and pray’ spam campaigns involving millions of messages toward targeted attacks on businesses. Organized cybercriminal gangs are researching victims and are conducting highly targeted attacks that first involve compromising a network before manually deploying ransomware.

The cybercriminal group behind SamSam ransomware has been particularly prolific. Companies that have failed to address software vulnerabilities are attacked and access is gained to their networks. The SamSam group also conducts brute force attacks on RDP to gain access to business networks. Once access is gained, ransomware is manually installed on as many computers as possible, before the encryption routine is started across all infected devices. With a large number of devices encrypted, the ransom demand can be much higher – Typically around $50,000 per company. The group has collected at least $6 million in ransom payments to date.

Europol warns that ransomware attacks will continue to be a major threat over the following years, although a new threat is emerging – cryptojacking malware. This form of malware is used to hijack computer processors to mine cryptocurrency. Europol warns that if the rise in the use of cryptojacking malware continues it may overtake ransomware and become the biggest malware threat.

Not only does cryptojacking offer considerable rewards, in many cases use of the malware is not classed as illegal, such as when it is installed on websites. This not only means that cybercriminals can generate considerable profits, but the risk involved in these types of attacks is far lower than using ransomware.

Cybercriminals are still extensively using social engineering techniques to fool consumers and employees into disclosing sensitive personal information and login credentials. Social engineering is also extensively used to trick employees into making fraudulent bank transfers. Phishing is the most common form of social engineering, although vishing – voice phishing – and smishing – SMS phishing are also used. Europol notes that social engineering is still the engine of many cybercrimes.

While exploit kits have been extensively used to silently download malware, Europol notes that the use of exploit kits continues to decline. The main attack vectors are spam email and RDP brute-forcing.

As-a-service cyberattacks continue to be a major problem. DDoS-as-a-service and ransomware-as-a-service allow low-level and relatively unskilled individuals to conduct cyberattacks. Europol recommends law enforcement should concentrate on locating and shutting down these criminal operations to make it much harder for low-level criminals to conduct cyberattacks that would otherwise be beyond their skill level.

With spam email still a major attack vector, it is essential for businesses to implement cybersecurity solutions to prevent malicious emails from being delivered to inboxes and ensure cybersecurity best practices are adopted to make them less susceptible to attack. With phishing the main form of social engineering, anti-phishing training for employees is vital.

RDP attacks are now commonplace, so steps must be taken by businesses to block this attack vector, such as disabling RDP if it is not required, using extremely strong passwords for RDP, limiting users who can login, configuring account lockouts after a set number of failed login attempts, and using RDP gateways.

Cybercrime Losses in Germany Estimated to be €43 Billion

With the largest economy, the United States is naturally a major target for cybercriminals. Various studies have been conducted on the cost of cybercrime in the United States, but little data is available on cybercrime losses in Germany – Europe’s largest economy.

The International Monetary Fund produces a list of countries with the largest economies. In 2017, Germany was ranked fourth behind the United States, China, and Japan. Its GDP of $3,68 trillion represents 4.61% of global GDP.

A recent study conducted by Germany’s federal association for Information Technology – BitKom – has placed a figure on the toll that cybercrime is taking on the German economy.

The study was conducted on security chiefs and managers at Germany’s top 503 companies in the manufacturing sector. Based on the findings of that survey, BitKom estimated cybercrime losses in Germany to be €43 billion ($50.2 billion). That represents 1.36% of the country’s GDP.

Extrapolate those cybercrime losses in Germany and it places the global cost of cybercrime at $1 trillion, substantially higher than the $600 billion figure estimate from cybersecurity firm McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study placed the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe estimated to be between 0.79 to 0.89% of GDP.

Small to Medium Sized Businesses Most at Risk

While cyberattacks on large enterprises have potential to be highly profitable for cybercriminals, those firms tend to have the resources available to invest heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far easier to target smaller companies with less robust cybersecurity defenses.

Small to medium sized businesses (SMBs) often lack the resources to invest heavily in cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these companies, which form the backbone of the economy in Germany, are particularly vulnerable to cyberattacks and have been extensively targeted by cybercriminals.

It is not only organized cybercriminal groups that are conducting these attacks. Security officials in Germany have long been concerned about attacks by well-resourced foreign spy agencies. Those agencies are using cyberattacks to gain access to the advanced manufacturing techniques developed by German firms that give them a competitive advantage. Germany is one of the world’s leading manufacturing nations, so it stands to reason that the German firms are an attractive target.

Cybercriminals are extorting money from German firms and selling stolen data on the black market and nation-state sponsored hackers are stealing proprietary data and technology to advance manufacturing in their own countries. According to the survey, one third of companies have had mobile phones stolen and sensitive digital data has been lost by a quarter of German firms. 11% of German firms report that their communications systems have been tapped.

Attacks are also being conducted to sabotage German firms. According to the study, almost one in five German firms (19%) have had their IT and production systems sabotaged through cyberattacks.

Businesses Must Improve Their Defenses Against Cyberattacks

“With its worldwide market leaders, German industry is particularly interesting for criminals,” said Achim Berg, head of BitKom. Companies, SMBs in particular, therefore need to take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to prevent cybercriminals from gaining access to their systems and data.

According to Thomas Haldenweg, deputy president of the BfV domestic intelligence agency, “Illegal knowledge and technology transfer … is a mass phenomenon.”

Preventing cyberattacks is not straightforward. There is no single solution that can protect against all attacks. Only defense-in-depth will ensure that cybercriminals and nation-state sponsored hacking groups are prevented from gaining access to sensitive information.

Companies need to conduct regular, comprehensive organization-wide risk analyses to identify all threats to the confidentiality, integrity, and availability of their data and systems. All identified risks must then be addressed through a robust risk management process and layered defenses implemented to thwart attackers.

One of the main vectors for attack is email. Figures from Cofense suggest that 91% of all cyberattacks start with a malicious email. It stands to reason that improving email security should be a key priority for German firms. This is an area where TitanHQ can help.

TitanHQ is a provider of world-class cybersecurity solutions for SMBs and enterprises that block the most commonly used attack vectors. To find out more about how TitanHQ’s cybersecurity solutions can help to improve the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team today.

Python-Based PyLocky Ransomware Distributed in Spam Email Campaigns in Europe

A new Python-based form of ransomware has been detected that masquerades as Locky, one of the most widely used ransomware variants in 2016. The new ransomware variant has been named PyLocky ransomware by security researchers at Trend Micro who have observed it being used in attacks in Europe, particularly France, throughout July and August.

The spam email campaigns were initially sent in relatively small batches, although over time the volume of emails distributing PyLocky ransomware has increased significantly.

Various social engineering tactics are being used by the attackers to get the ransomware installed, including fake invoices. The emails intercepted by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware which has been compiled using the PyInstaller tool, which allows Python applications to be converted to standalone executable files.

If installed, PyLocky ransomware will encrypt approximately 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files stored on all logical drives will be encrypted and the original copies will be overwritten. A ransom note is then dropped on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are unrelated. Ransom notes are written in French, English, Korean, and Italian so it is probable that the attacks will become more widespread over the coming weeks.

While Python is not typically used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been created. Pyl33t was used in several attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant stand out is its anti-machine learning capabilities, which help to prevent analysis using standard static analysis methods.

The ransomware abuses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is installed. If the total visible memory of a system is 4GB or greater, the ransomware will execute immediately. If it is lower than 4GB, the ransomware will sleep for 11.5 days – an attempt to determine if it is in a sandbox environment.

Preventing attacks requires a variety of cybersecurity measures. An advanced spam filtering solution such as SpamTitan will help to prevent the spam emails being delivered to end users’ inboxes. A web filter, such as WebTitan, can be employed to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will help to ensure that end users recognize the threat for what it is. Advanced malware detection tools are required to identify the threat due to its anti-machine learning capabilities.

There is no free decryptor for PyLocky. Recovery without paying the ransom will depend on a viable backup copy existing, which has not also been encrypted in the attack.

ICO and IQY Files Used in Spam Campaigns Delivering Marap and Loki Bot Malware

A spam email campaign is being conducted targeting corporate email accounts to distribute Loki Bot malware. Loki Bot malware is an information stealer capable of obtaining passwords stored in browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords used for messaging apps.

In addition to stealing saved passwords, Loki Bot malware has keylogging capabilities and is potentially capable of downloading and running executable files. All information captured by the malware is transferred to the attacker’s C2 server.

Kaspersky Lab researchers identified an increase in email spam activity targeting corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was delivered hidden in a malicious email attachment.

The intercepted emails included an ICO file attachment. ICO files are copies of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, most modern operating systems have the ability to access the contents of the files without the need for any additional software.

In this case, the ICO file contains Loki Bot malware and double clicking on the file will result in installation of the malware on operating systems that support the files (Vista and later).

It is relatively rare for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users attempt to open the files.

The campaign included a wide range of lures including fake purchase orders, speculative enquiries from companies containing product lists, fake invoices, bank transfer details, payment requests, credit notifications, and payment confirmations. Well-known companies such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.

Spam Email Campaign Distributing Marap Malware Targets Financial Institutions

A separate and unrelated spam email campaign has been identified that is using IQY files to deliver a new form of malware known as Marap. Marap malware is a downloader capable of downloading a variety of different payloads and additional modules.

Upon installation, the malware fingerprints the system and gathers information such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is installed. If the system is of particular interest, it is earmarked for a more extensive compromise.

Four separate campaigns involving millions of messages were detected by researchers at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document containing a malicious macro. The campaigns appear to be targeting financial institutions.

IQY files are used by Excel to download web content directly into spreadsheets. They have been used in several spam email campaigns in recent weeks to install a variety of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.

Since the majority of end users would not have any need to open ICO or IQY files, these file types should be added to the list of blocked file types in email spam filters to prevent them from being delivered to end users’ inboxes.

WhatsApp Phishing: Attacks Soar as Criminals Take Advantage of Lack of Anti-Phishing Protections

While the majority of phishing attempts are conducted via email, there has been a significant rise in the use of other communications platforms such messaging services, with WhatsApp phishing scams now increasing in popularity amongst phishers.

WhatsApp phishing attacks are common for two main reasons. First is the sheer number of people that are on the platform. In January 2018, the number of monthly users of WhatsApp worldwide reached 1.5 billion, up from 1 billion users six months previously. Secondly, is the lack of anti-phishing measures to prevent malicious messages from being delivered.

Many businesses have implemented spam filtering solutions such as SpamTitan, while personal users are benefiting by significant improvements to spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at identifying phishing emails and other malicious messages and send them to the spam folder rather than delivering them to inboxes.

Messaging services often lack spam filtering controls. Therefore, malicious messages have a much greater chance of being delivered. Various tactics are used to entice recipients to click the links in the messages, usually an offer of a free gift, an exceptionally good special offer on a product – the new iPhone for instance – or a money off voucher or gift card is offered.

The messages contain a link that directs the recipient to the phishing website. The link usually contains a preview of the website, so even if a shortlink is used for the URL, the recipient can see some information about the site. A logo may be displayed along with the page title. That makes it much more likely that the link will be clicked.

Further, the message often comes from a known individual – A person in the user’s WhatsApp contact list. When a known individual vouches for the site, the probability of the link being clicked is much greater.

To add further legitimacy to the WhatsApp phishing scams, the websites often contact fake comments from social media sites confirming that a gift card has been won or a reward has been received. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw where not everyone is a winner.

The websites used in WhatsApp phishing scams often use HTTPS, which show a green tick next to the URL to show that the site is ‘secure.’ Even though the green tick is no guarantee of the legitimacy of a site, many people believe the green tick means the site is genuine.

Gift cards are often given out for taking part in legitimate surveys, so the offer of either a gift card or entry into a free draw is not out of the ordinary. In return, the visitor to the site is required to answer some standard questions and provide information that would allow them to be contacted – their name, address, phone number, and email address for instance.

The information gathered through these sites is then used for further phishing attempts via email, telephone, or snail mail which aim to obtain even more personal information. After completing the questions, the website may claim that the user has one, which requires entry of bank account information or credit card details… in order for prize money to be paid or for confirmation of age.

These WhatsApp phishing scams often have another component which helps to spread the messages much more efficiently to other potential victims. Before any individual can claim their free prize or even submit their details for a prize draw, they must first agree to share the offer with some of their WhatsApp contacts.

If you receive an unsolicited link from a contact that offers a free gift or money-off voucher, there is a high chance it may not be genuine and is a WhatsApp phishing scam. If an offer seems too good to be true, it most likely is.

AdvisorsBot: A Versatile New Malware Threat Distributed Through Spam Email

Hotels, restaurants, and telecommunications companies are being targeted with a new spam email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being distributed vis spam emails containing Microsoft Word attachments with malicious macros.

Opening an infected email attachment and enabling macros on the document will see Advisorsbot installed. Advisorsbot’s primary role is to perform fingerprinting on an infected device. Information will be gathered on the infected device is then communicated to the threat actors’ command and control servers and further instructions are provided to the malware based on the information gathered on the system. The malware records system information, details of programs installed on the device, Office account details, and other information. It is also able to take screenshots on an infected device.

AdvisorsBot malware is so named because the early samples of the malware that were first identified in May 2018 contacted command and control servers that contained the word advisors.

The spam email campaign is primarily being conducted on targets in the United States, although infections have been detected globally. Several thousands of devices have been infected with the malware since May, according to the security researchers at Proofpoint who discovered the new malware threat. The threat actors believed to be behind the attacks are a APT group known as TA555.

Various email lures are being used in this malware campaign to get the recipients to open the infected attachment and enable macros. The emails sent to hotels appear to be from individuals who have been charged twice for their stay. The campaign on restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications companies use email attachments that appear to be resumes from job applicants.

AdvisorsBot is written in C, but a second form of the malware has also been detected that is written in .NET and PowerShell. The second variant has been given the name PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that downloads a PowerShell script which executes shellcode that runs the malware in the memory without writing it to the disk.

These malware threats are still under development and are typical of many recent malware threats which have a wide range of capabilities and the versatility to be used for many different types of attack such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions performed are determined based on the system on which the malware has been installed. If that system is ideally suited for mining cryptocurrency, the relevant code will be installed. If the business is of particular interest, it will be earmarked for a more extensive compromise.

The best form of defense against this campaign is the use of an advanced spam filtering solution to prevent the emails from being delivered and security awareness training for employees to condition them how to respond when such a threat arrives in their inbox.

Sextortion Phishing Emails Proving Lucrative for Scammers

A new sextortion phishing threat has been detected that is proving to have the desired effect. Many recipients of the emails have paid up to avoid being exposed.

On the face of it, this sextortion phishing scam is as simple as it gets. A threat actor claims to have taken control of the target’s computer and recorded them via their webcam while they were visiting an adult website. A threat is made to publicly release the video of them viewing pornography unless a payment is made.

For some recipients of such an email, such a threat would be enough to get them opening their Bitcoin wallet and making the payment without a second’s hesitation. Most people would likely see the email for what it really is. A scam and an empty threat.

However, a second variant of the email is being used that is a lot more personalized and includes a snippet of information to add credibility to the scam. The message includes the user’s password as ‘confirmation’ that it is not an empty threat. The attacker also claims, through compromising the target’s computer, to have obtained all the victim’s contacts including contacts in their social media accounts.

While the threat actor claims to have control of the user’s computer, that is not the case. The password has been obtained from a previous data breach and a list has likely been purchased on the darknet.

For many of the email recipients, the password will be old and will have been changed long ago. That may be enough in some cases to see payment made. However, for those who are still using that password, the threat may seem very real.

This is in reality a very simple scam that in many cases only works because despite the risk of failing to change passwords frequently, recycling old passwords, and reusing passwords on multiple sites, the practice is still commonplace.

It is not known how many emails have been sent by the scammers – most likely millions – but it only takes a handful of people to respond and make payment for the scheme to be profitable.

So far, at least 151 people have responded to the sextortion phishing scam and made a payment to one of 313 Bitcoin addresses known to be used by the scammers. So far, at least 30.08 BTC had been raised – Approximately $250,000 – from the scam as of July 26 and it has only been running for a few weeks. The researcher tracking the payments (SecGuru) pointed out that the attackers have made three times as much as the individuals behind the WannaCry ransomware attacks last year.

Even without the password, the sextortion phishing scam has proved effective. Payments have been made in both versions of the scam. The standard scam asks for a payment of a few hundred dollars, although the inclusion of a password sees the payment rise considerably. Some individuals have been told it will cost them $8,000 to prevent the release of the video. Some individuals have paid thousands to the scammers.

Given the widespread coverage of the scam, and its success rate, it is probable that many more similar schemes will be conducted. Variations along the same theme could direct recipients to a phishing website where they are enticed into disclosing their current password, to an exploit kit that downloads malware, or to another scam site.

Protecting against a scam such as this is easiest by using strong passwords, regularly changing them, and never reusing passwords on multiple sites. It is also worthwhile periodically checking to find out if their credentials have been exposed in a data breach on HaveIBeenPwned.com and immediately changing passwords if they have.

Anyone receiving a sextortion phishing email such as this should be aware that this is a scam. If the password included is currently being used, it is essential to change it immediately across all sites. And of course, set a strong, unique password for each account.

Why Are Email Account Compromises Soaring and How Can Email Accounts Be Protected?

The past year has seen a steady increase in the number of reported email account compromises, with the healthcare industry one of the main targets for hackers.

Some of those breaches have seen the protected health information of thousands of patients compromised, with the largest phishing attack in 2018 – The phishing attack on Boys Town National Research Hospital – seeing more than 105,000 patients’ healthcare information exposed. Due to reporting requirements under HIPAA, healthcare phishing attacks are highly visible, although email account compromises are occurring across all industry sectors and the problem is getting worse.

284% Increase in Email Account Compromises in a Year

The increase in successful phishing attacks has been tracked by Beazley, a provider of specialist insurance services. The company’s research shows the number of reported phishing attacks increased every quarter since Q1, 2017 when there were 45 reported breaches that involved email accounts being compromised. In Q2, 2018, there were 184 email account compromises reported. Between Q1, 2017 and Q1, 2018, the number of reported data breaches involving compromised email accounts increased by 284%.

Why are email account compromises increasing? What do hackers gain from accessing email accounts rather than say, gaining access to networks which store vast amounts of data?

It can take a significant amount of time and effort to identify a vulnerability such a missed patch, an exposed S3 bucket, or an unsecured medical device, and exploit it.

By comparison, gaining access to an email account is relatively easy. Once access is gained, accessing further email accounts becomes easier still. If a hacker can gain access to an email account with the right level of administrative privileges, it may be possible for the entire mail system of an organization to be accessed.

If a hacker can gain access to a single email account, the messages in the account can be studied to gain valuable information about a company, its employees, and vendors. The hackers can identify further targets within an organization for spear phishing campaigns – termed Business Email Compromise (BEC) attacks – and attacks on contractors and suppliers.

Once One Account is Breached, Others Will Follow

If an executive’s email account is compromised, it can be used to send requests for wire transfers to the accounts department, HR can be emailed requesting W2-Forms that contain all the information necessary for filing fake tax returns and for identity theft. Requests can be sent via email to redirect employees’ paychecks and phishing emails can be sent to other employees directing them to websites where they have to divulge their email credentials.

Figures from the FBI show just how lucrative these Business Email Compromise (BEC) phishing attacks can be. Since October 2013, more than $12.5 billion has been lost to BEC attacks, up from $5.3 billion in December 2016.

Once access to the email system is gained, it is much easier to craft highly convincing spear phishing emails. Past email conversations can be studied, and an individual’s style of writing emails can be copied to avoid raising any red flags.

Email Account Compromises Are Costly to Resolve

Beazley also notes that email account compromises are some of the costliest breaches to resolve, requiring many hours of painstaking work to manually checking each email in a compromised account for PII and PHI. One example provided involved a programmatic search of compromised email accounts to identify PHI, yet that search uncovered 350,000 documents that required a manual check. The cost of checking those documents alone was $800,000.

Beazley also notes that when investigating breaches, the breached entity often discovers that only half of the compromised email accounts have been identified. The data breaches are usually much more extensive than was initially thought.

Unfortunately, once access to a single email account is gained, it is much harder to prevent further email compromises as technological controls are not so effective at identifying emails sent from within a company. However, it is relatively easy to block the initial phishing attempt.

How to Prevent Email Account Compromises

Many companies fail to implement basic controls to block phishing attacks. Even when a phishing-related breach is experienced, companies often remain susceptible to further breaches. The Ponemon Institute/IBM Security Cost of a Data Breach study showed there is a 27.9% probability of a company experiencing a further breach in the 24 months following a data breach.

To prevent phishing attacks, companies need to:

  • Deploy an advanced spam filtering solution that blocks the vast majority of malicious messages
  • Provide ongoing security awareness training to all staff and teach employees how to identify phishing emails
  • Conduct regular phishing simulation exercises to reinforce training and condition employees to be more security aware
  • Implement two-factor authentication to prevent attempts to access email accounts remotely
  • Implement a web filter as an additional control to block the accessing of phishing websites
  • Use strong, unique passwords or passphrases to make brute force and dictionary attacks harder
  • Limit or prevent third party applications from connecting to Office 365 accounts, which makes it harder for PowerShell to be used to access email accounts for reconnaissance.

1.4 Million Patients Potentially Affected by UnityPoint Health Phishing Attack

In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.

UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.

That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.

The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.

The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.

A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.

The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts – Information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.

This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.

The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identify theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.

As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.

Cosco Ransomware Attack Affects Americas Arm of Shipping Firm

One of the world’s biggest shipping firms – Cosco – has experienced a ransomware attack that has seen its local email system and network telephone in the Americas taken out of action as the result of widespread file encryption.

The Cosco ransomware attack is believed to have been contained in the Americas region. As a precaution and to prevent further spread to other systems, connections to all other regions have been disabled pending a full investigation. A warning has also been issued to all other regions warning of the threat of attack by email, with the firm telling its staff not to open any suspicious email communications. IT staff in other regions have also been advised to conduct scans of their network with antivirus software as a precaution.

The attack started on Tuesday, July 24, and its IT infrastructure remains down; however, the firm has confirmed that that attack has not affected any of its vessels which continue to operate as normal. Its main business systems are still operational, although the operators of terminals at some U.S ports are experiencing delays processing documentation and delivery orders.

It would appear that the Cosco ransomware attack is nowhere near the scale of the attack on the world’s biggest shipping firm A.P. Møller-Maersk, which like many other firms, fell victim to the NotPetya attacks last year. In that case, while the malware appeared to be ransomware, it was actually a wiper with no chance of file recovery.

The attack, which affected more than 45,000 endpoints and 4,000 servers, is estimated to have cost the shipping company between $250 million and $350 million to resolve. All servers and endpoints needed to be rebuilt, and the firm was crippled for 10 days. In that case, the attack was possible due to an unpatched vulnerability.

Another major ransomware attack was reported last week in the United States. LabCorp, one of the leading networks of clinical testing laboratories in the United States, experienced a ransomware attack involving a suspected variant of SamSam ransomware.  While the variant of ransomware has not been confirmed, LabCorp did confirm the ransomware was installed as a result of a brute force attack on Remote Desktop Protocol (RDP).

Labcorp was both quick to detect the attack and contain it, responding within 50 minutes, although 7,000 systems and 1,900 servers are understood to have been affected. It has taken several days for the systems to be brought back online, during which time customers have been experiencing delays obtaining their lab test results.

Several cybersecurity firms have reported that ransomware attacks are in decline, with cryptocurrency mining offering better rewards, although the threat from ransomware is still ever present and attacks are occurring through a variety of attack vectors – exploitation of vulnerabilities, brute force attacks, exploit kit downloads, and, commonly, through spam and phishing emails.

To protect against ransomware attacks, companies must ensure security best practices are followed. Patches must be applied promptly on all networks, endpoints, applications, and databases, spam filtering software should be used to prevent malicious messages from reaching inboxes, web filters used to prevent downloads of ransomware from malicious websites, and all staff should receive ongoing cybersecurity awareness training.

Additionally, systems should be implemented to detect anomalies such as excessing file renaming, and networks should be segmented to prevent lateral movement in the event that ransomware is deployed.

Naturally, it is also essential that data are backed up regularly to ensure recovery is possible without having to resort to paying the ransom demand. As the NotPetya attacks showed, paying a ransom to recover files may not be an option.

Phishing Attacks on National Bank of Blacksburg Result in $2.4 Million Loss

The National Bank of Blacksburg in Virginia has discovered just how important it is to have effective controls in place to protect against phishing. The bank suffered two costly phishing attacks in the space of eight months that have resulted in losses exceeding $2.4 million.

Phishing is the leading tactic used by cybercriminals to gain access to login credentials, steal data, and install malware. Emails are sent to employees with malicious attachments, which if opened, result in the installation of malware. Alternatively, links are sent in emails that direct employees to fraudulent websites where they are fooled into disclosing their login credentials.

The first attack on Blacksburg Bank took place on May 28, 2016. Malware was installed on its systems which gave the attackers access to the STAR Network – The system that manages debit card ATM activity. After gaining access to the STAR Network, the hackers were able to change account balances, remove security measures such as anti-theft and anti-fraud protections, conduct keystroke logging, and authorize withdrawals from customers’ accounts via ATMs.

In the two days that the hackers had access to the system, they were able to make withdrawals at hundreds of ATMs across the country and stole $569,648.24 from customers’ accounts. This was possible without stealing customers cards or using skimmers to create fake bank cards.

The malware was detected on May 30, 2016 and the attack was investigated by the computer forensics firm Foregenix which determined that the malware was installed as a result of an employee being duped by a phishing email.

Eight months later, on January 7, 2017, a similar attack occurred which involved cybercriminals gaining access to the STAR Network. Similarly, access was possible for two days, although in this case approximately $1.8 million was withdrawn from customers’ accounts. Verizon investigated the breach and concluded that access was gained as a result of an employee falling for a phishing scam.

The National Bank of Blacksburg holds an insurance policy against cyberattacks although its insurer, Everest National Insurance Company, has refused to cover the losses. Blacksburg is now suing its insurer for breach of contract.

What these incidents show is just how easy it is for major losses to be suffered as a result of employees falling for phishing scams and the importance of having robust anti-phishing measures in place.

There is no single solution that will provide total protection against phishing, although a good place to start is with an advanced spam filtering solution such as SpamTitan.

SpamTitan uses dual antivirus engines (Bitdefender and ClamAV) that provides superior protection against phishing and block emails containing malware and malware downloaders. The solution performs multiple checks on each incoming email to determine whether it is genuine, spam, or malicious, including standard checks of email headers, a Bayesian analysis on message content, and greylisting. Together, these controls ensure 99.97% of spam emails are detected and blocked, with a false positive rate of just 0.03%. Independent tests at Virus Bulletin have confirmed a 100% malware detection rate.

No anti-spam solution will block 100% of all spam and phishing emails so it is essential for employees to be trained how to recognize phishing emails. While it was once a best practice to provide annual training, with the volume of phishing emails now being sent and the increased sophistication of attacks, an annual training session is no longer sufficient.

Training needs to be ongoing, with regular training sessions scheduled throughout the year and employees conditioned through phishing simulation exercises. With effective spam filtering and employee security awareness training, the majority of phishing attempts can be thwarted.

Average Data Breach Mitigation Costs Now $3.86 Million

In 2017, data breach mitigation costs fell year-on year; however, that appears to be a blip. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute (on behalf of IBM Security) has revealed data breach mitigation costs have risen once again.

The Ponemon Institute conducts the Cost of a Data Breach Study every year. For the 2018 study, the Ponemon Institute conducted interviews with 2,200 IT, data security, and compliance professionals from 477 companies in 15 countries, including the United States, United Kingdom, Germany, France, Canada, Brazil, Japan and Australia. The companies represented in the study came from a wide range of industry sectors. Each of those companies had experienced a data breach in the past 12 months.

Naturally, the larger the breach, the higher the cost of mitigation is likely to be. Breaches involving millions of records would naturally cost more to resolve than breaches of 50,000 records. Catastrophic data breaches – those involving millions of records – are not normally included in the study. This year was the first time that mega data breaches – those involving more than 1,000,000 records – were included, although they were treated separately.

The analysis of the main part of the study involved breaches ranging from 2,500 records to a little over 100,000 records. The average breach size was 24,615 records globally, 31,465 records in the United States, 22,800 records in the UK, and 19,200 records in Japan.

The costs associated with those data breaches was analyzed using the activity-based costing (ABC) methodology. The ABC methodology identified four process-related activities and assigned costs based on actual use. Those activities were Detection and Escalation, Post Data Breach Response, Breach Notifications, and Lost Business Cost. The analysis identified the average total cost of a data breach taking all four activity areas into account.

The study also revealed measures taken prior to the breach, during, and after, that can limit losses or increase data breach mitigation costs.

Average Data Breach Mitigation Costs Have Reached $3.86 Million

A data breach now costs an average of $3.86 million to revolve. Last year, the average cost of a data breach was $3.62 million. Data breach costs have therefore increased by 6.4% in the space of a year.

On average, per capita data breach mitigation costs rose by 4.8%, with a data breach costing, on average, $148 per record. Last year, the global average was $141 per record.

In addition to the rising cost, the severity of the breaches also increased, with the data breaches in this year’s sample impacting 2.2% more individuals on average.

Data breaches cost more to resolve in the United States than any other country. The average data breach mitigation costs in the United States is $7.91 million per breach. The lowest costs were in India, where the average breach cost was $1.77 million. The highest per capita costs were also in the United States at £233 per record.

Hackers and malicious insiders caused the most breaches and they were also the costliest to resolve at $157 per record. System glitches cost an average of £131 per record and breaches caused by human error cost the least at $128 per record.

Data breach costs varied considerably by industry sector, with healthcare data breach mitigation costs the highest by some distance at an average of $408 per record, followed by financial services breaches at $206 per record, services at $181 per record, and pharmaceutical industry breaches at $174 per record. Breaches in the education sector cost an average of $166 per record, retail industry breaches were $116 per record, and the lowest data breach mitigation costs were in the public sector at $75 per record.

The study of mega data breaches revealed a breach of 1 million records costs an estimated $39.49 million to resolve, while a breach of 50 million records costs an estimated $350 million. Since there were only 11 breaches of more than 1 million records in the sample it was not possible to accurately calculate the average cost of these breaches.

What Factors Affect Data Breach Mitigation Costs the Most?

For the study, 22 different factors were assessed to determine how they affected data breach mitigation costs. The most important cost saving measures that can be taken to reduce the cost of a data breach are having an incident response team ($14 less per record), widespread use of encryption ($13.1 less per record), BCM involvement ($9.3 less per record), employee training ($9.3 less per record), participation in threat sharing ($8.7 less per record) and use of an artificial intelligence platform ($8.2 less per record).

The main factors that increased data breach mitigation costs were third party involvement ($13.4 more per record), extensive cloud migration at the time of the breach ($11.9 more per record), compliance failures ($11.9 more per record), extensive use of mobile platforms ($10.0 more per record), lost or stolen devices ($6.5 more per record), and extensive use of IoT devices ($5.4 more per record).

With the cost of data breaches rising, more cyberattacks being conducted, and the likelihood of a breach being experienced now higher, it is essential not only for companies to implement layered security defenses, but also to make sure they are prepared for the worst.

Companies need to assume a breach will be experienced and policies and procedures need to be developed to deal with the breach when it happens. An incident response team should be prepared to spring into action to ensure everyone known what needs to be done when disaster strikes. The sooner a breach is identified and mitigated, the lower the breach mitigation costs will be.

Cryptojacking Attacks Replace Ransomware as Primary Threat

There has been a major increase in cryptojacking attacks in recent months. Many cybercriminal gangs now favoring this method of attack over ransomware and other forms of malware and are taking advantage of the high value of cryptocurrencies.

As with ransomware attacks, cybercriminals need to install malicious code on computers. Instead of encrypting files like ransomware, the code is used to mine for cryptocurrency. Mining cryptocurrencies involves a computers CPU being used to solve complex computational problems, which are necessary for verifying cryptocurrency transactions and adding to the blockchain. In exchange for verifying transactions, the miner is paid a small amount for the effort.

Devoting one computer to the task of cryptocurrency mining could generate a few dollars a day. Using multiple computers for the task can generate a substantial return. The more computers that are used, the more blocks can be added to the blockchain and the greater the profits. When a network of cryptocurrency mining slave computers can be amassed, the profits can be considerable. According to Kaspersky Lab, one cryptojacking gang that focusses on infecting enterprise servers and spreading the malicious code using NSA exploits, has generated around 9,000 Monero, which equates to $2 million.

Not all computers are suitable for mining cryptocurrency. One cybercriminal gang has got around this by developing malware that can decide whether to deploy a cryptocurrency miner or ransomware, with the decision based on the processing power of the computer. If its not suitable for use mining cryptocurrency, ransomware is deployed. This tactic helps maximize profits after compromising a device.

The use of cryptocurrency miners increased sharply last year as the value of cryptocurrencies started to soar. The price of those cryptocurrencies may have fallen, but cryptojacking attacks are still on the rise. The volume of new cryptojacking malware variants has also increased considerably over the past few months.  Figures from McAfee indicate the number of cryptojacking malware variants increased by a staggering 1,189% in the first three months of 2018 alone, rising from around 400,000 malware variants to more than 2.9 million.

Over the same time frame, there has been a fall in the number of ransomware attacks. In Q1, ransomware attacks fell by around 32%, indicating threat actors who previously used ransomware to make money have changed their tactics and are now using cryptocurrency miners.

Ransomware attacks falling by a third is certainly good news, although the threat from ransomware cannot be ignored. Steps must be taken to prevent the installation of the file encrypting code and good backup practices are essential to ensure files can be recovered in the event of an attack. Certain industries face a higher risk of ransomware attacks than others, such as the healthcare industry, where attacks are still rife.

Cryptojacking attacks are more widespread, although the education sector has proven to be a major target. Many mining operations have been discovered in the education sector, although it is unclear whether these mining operations are legitimate, computers are being used by students to mine cryptocurrency, or if educational institutions are being targeted.

One thing is clear. As the value of cryptocurrencies rose, the number of mining attacks increased. That suggests that should prices fall, cybercriminals will switch to other types of attacks, and there could be a resurgence in ransomware attacks.

It could be argued that the installation of cryptocurrency mining malware on a computer is far less of a problem than ransomware or other forms of malware. When the CPU is mining cryptocurrency, the user is likely to find their computer somewhat sluggish. This can result in a drop in productivity. Heavy processing can also cause computers to overheat and hardware damage can result.

Cryptojacking malware is usually installed by a downloader, which can remain on a computer. If the profits from mining cryptocurrency fall, new malware variants could easily be downloaded in its place. Cryptocurrency mining malware can also be bundled with other malware variants that steal sensitive information. Cryptojacking attacks are therefore a major threat.

Protecting against cryptojacking attacks involves the same security controls that are used to block other forms of malware. Cryptojacking malware can be installed by exploiting vulnerabilities so good patch management is essential. Spam and phishing emails are used to install malware downloaders, so an advanced spam filtering solution is a must. Web filters can prevent web-based mining attacks and malware downloads and offer an important extra layer of protection. It is also important not to neglect end users. Security awareness training can help to eradicate risky behaviors.

Additionally, security audits should be conducted, first to scan for the presence of cryptojacking malware, which includes searching for anomalies that could indicate the presence of the malware. Those audits should include servers, end points, POS systems, and all other systems. Any system connected to the network could potentially be used for mining cryptocurrency.

New Rakhni Ransomware Variant Decides Whether to Encrypt Files or Turn Device into a Cryptocurrency Miner

Rakhni ransomware, a malware variant first detected in 2013, has spawned many variants over the past three years and is still an active threat. Rakhni ransomware locks files on an infected device to prevent the user from accessing their data. A ransom demand is issued and if payment is made, the attackers will supply the keys to unlock the encryption. If the ransom is not paid the files will remain encrypted. In such cases, the only option for file recovery is to restore files from backups.

Now the developers of Rakhni ransomware have incorporated new functionality. Checks are performed on an infected device to determine whether it has sufficient processing power to be used as a cryptocurrency mining slave. If so, cryptocurrency mining malware will be downloaded. If not, ransomware will be deployed.

This new development should not come as a major surprise. The massive rise in the value of many cryptocurrencies has made mining cryptocurrencies far more profitable for cybercriminals than ransomware. When ransomware is installed, many victims choose not to pay and instead recover files from backups. Infection is no guarantee that a payment will be received. If a cryptocurrency miner can be installed, it gets straight to work generating money for the attackers. Ransomware attacks are still a major threat, although many cybercriminals have switched their operations to mining cryptocurrencies. In fact, cryptocurrency mining malware attacks are now much more common than ransomware attacks.

However, not all computers have sufficient CPU processing power to make cryptocurrency mining worthwhile, so the method used by the threat actors behind Rakhni ransomware helps them maximize their profits.

The new Rakhni ransomware campaign was detected by researchers at Kaspersky Lab. The malware used is Delphi-based and is being distributed in phishing emails containing a Microsoft Word file attachment.

The user is advised to save the document and enable editing. The document contains a PDF file icon which, if clicked, launches a fake error message suggesting the DLL file required to open the PDF file has not been found. The user needs to click on the OK box to close the error message.

When the error box is closed, the malware performs a series of checks on the machine to identify the processes running on the device and assesses those processes to determine if it is running in a sandbox environment and the likelihood of it being able to run undetected. After these checks have been performed the system is assessed to determine its capabilities.

If the machine has more than two processors and does not have a Bitcoin folder in the AppData folder, a cryptocurrency miner will be installed. The cryptocurrency miner uses fake root certificates which show the program has been issued by Microsoft Corporation to help disguise the miner as a trusted application.

If a Bitcoin folder does exist, certain processes will be stopped, and Rakhni ransomware will be downloaded and run. If there is no Bitcoin folder and only one processor, the malware will use its worm component and twill attempt to spread to other devices on the network where the process starts over.

Advanced anti-virus software can provide protection against this attack, while spam filtering solutions can prevent the phishing emails from being delivered to end users. Businesses should also ensure that their employees are made aware of the risk of these types of attacks through security awareness training. Employees should be instructed never to open attachments in emails from unknown senders and taught the warning signs of a potential attack in progress. Naturally, good data backup practices are essential to ensure that if all other controls fail, files can be recovered without paying a ransom.

Children’s Mercy Hospital Phishing Attack Highlights Need for Effective Anti-Phishing Protections

A major Children’s Mercy Hospital phishing attack has highlighted the importance of implementing effective spam filtering controls and the need to provide security awareness training to end users.

Phishing is a method of fraudulently obtaining sensitive information through deception. While attacks can occur over the telephone, via social media sites, or through text messages and chat platforms, the most common attack vector is email.

Convincing emails are sent to end users urging them to open an email attachment or to click on a malicious link. Attachments are used to install malware, either directly through malware attached to the email, or more commonly, using macros or other malicious code in documents which download scripts that in turn download the malicious payload.

In the case of embedded hyperlinks in emails, they typically direct an end user to a website that asks them to login. The website could ask for their email credentials, appear to be a Google login box, Dropbox login page, or other file sharing platform. Disclosing login credentials on that webpage sends the information to the attackers. These login pages are convincing. They look exactly like the sites that they are spoofing.

That was the case with the Children’s Mercy Hospital phishing attack. The Kansas City, MO, hospital received several phishing emails which directed employees to fake login pages on criminally-controlled websites.

The phishing attack occurred on or shortly before December 2, 2017. On Dec 2, Children’s Mercy’s security team identified authorized access to two employees’ email accounts. Access to the accounts was blocked the same day and the passwords were reset. Two weeks later, on December 15 and Dec 16, two further email accounts were accessed by unauthorized individuals. Again, unauthorized access was detected and blocked the same day. A fifth email account was accessed on January 3, 2018 with access blocked the following day.

The prompt action in response to the Children’s Mercy phishing attack limited the potential for those email accounts to be abused. When criminals gain access to email accounts they often use them to send further phishing emails. Since those emails come from a legitimate email account, the recipients of the messages sent from that account are more likely to open the emails as they come from a trusted source. That is why business email compromise scams are so effective – because employees trust the sender of the email and take action as requested in the belief that they are genuine communications.

In the case of the Children’s Mercy phishing attack, the criminals acted quickly. Following a forensic investigation into the attacks, Children’s Mercy discovered on January 19, 2018, that even though access to the accounts was promptly blocked, the attackers had successfully downloaded the mailboxes of four of the five employees. The messages contained a wide range of protected health information (PHI) of 63,049 patients.

The PHI included information such as name, gender, age, height, weight, BMI score, procedure dates, admission dates, discharge dates, diagnosis and procedure codes, diagnoses, health conditions, treatment information, contact details, and demographic information.

While Social Security numbers, insurance information, and financial data were not obtained – information most typically required to commit fraud – such detailed information on patients could be used in impersonation attacks on the patients. It would be quite easy for the attackers to pretend they were from the hospital and convince patients to provide their insurance information for example, which could then be used for medical identity fraud.

Due to the scale of the attack and number of emails in the compromised accounts, it has taken a considerable time to identify the individuals affected. The Kansas City Star reports that some patients are only just being notified.

In response, the hospital implemented 2-factor authentication and other technical controls to prevent further attacks.

2-factor authentication is an important security measure that provides protection after a phishing attack has occurred. If login credentials are supplied, but the location or the device used to access the account is unfamiliar, an additional method of authentication is required before access to the account is granted – a code sent to a mobile phone for example.

Two of the most effective security controls to prevent credential theft via phishing are spam filters and security awareness training.

An advanced spam filter is an essential security measure to block phishing attacks. The changing tactics of cybercriminals means no spam filtering solution will be able to block every single phishing email, although SpamTitan, a highly effective spam filtering solution with advanced anti-phishing protections, blocks more than 99.97% of spam and malicious emails to ensure they do not arrive in end users’ inboxes.

Security awareness training helps to prevent employees from clicking on the small percentage of messages that get past perimeter defenses. Employees need to be trained to give them the skills to identify phishing attempts and report them to their security teams. An ongoing training program, with phishing simulation exercises, will help to condition employees to recognize threats and respond appropriately. Over time, phishing email detection skills will improve considerably.

An effective training program can limit the number of employees that respond to phishing attacks, either preventing the attackers from gaining access to email accounts or severely limiting the number of employees who respond and disclose their credentials.

The Children’s Mercy phishing attack is one of many such attacks on healthcare organizations and businesses, and as those attacks increase and more data is obtained by criminals, implementing advanced phishing protections has never been more important.

For further information on email security controls that can prevent phishing attacks, contact the TitanHQ team today and enquire about SpamTitan.

Largest Data Breach of 2018: 340 Million-Records Exposed Online

A database of U.S. consumer information has been left unsecured online by the marketing firm Exactis. At 340 million records, this is the largest data breach of 2018.

The Largest Data Breach of 2018 by Some Distance

You will probably be unaware of the existence of the Palm Coast, FL-based data broker Exactis, but chances are the firm has heard of you. The firm holds 3.5 billion consumer, business and digital records while its email database contains 500 million consumer emails and 16 million business emails.

One database maintained by the firm contains around 340 million records, including 230 million consumer records and 110 million records of businesses. That database was recently discovered to have been left exposed on the Internet. The database could be accessed without any authentication. Anyone who knew where to look would have been able to access the database. At least one person did.

Security researcher Vinny Troia who runs NightLion Security, a New York consultancy firm, was searching online for instances of Elasticsearch databases. Troia was curious about the security of the databases as they are designed to be easily queried over the Internet. Troia searched for the databases using the search engine Shodan. Shodan is a search engine that allows people to find specific types of computers that are connected to the Internet.

Troia discovered more than 7,000 Elasticsearch databases that were visible on publicly accessible servers with U.S. IP addresses and set about determining which, if any, had data exposed on the Internet. He wrote a script that queried those databases and searched for keywords that would indicate they contained sensitive information – fields such as date of birth.

2 Terabytes of Data Exposed

One database stood out due to the amount of data it contained – around 2 terabytes of data. The database was not protected by a firewall and could be accessed without authentication. The database was discovered to contain huge numbers of detailed records about consumers. Troia noted, “It seems like this is a database with pretty much every U.S. citizen in it… it’s one of the most comprehensive collections I’ve ever seen.”

He discovered the records contained up to 150 data fields, with highly detailed information on consumers including names, addresses, phone numbers, email addresses and descriptions of the person, including information such as the estimated value of their home, hobbies, mortgage provider, ethnic group, whether the individual owns any stock, their religion, if they have made political donations, number of children, people in the household, whether they are smokers, if they own any pets…the list goes on and on.

While the database did not contain Social Security numbers or financial information, the data could be used by scammers in spear phishing campaigns, telephone scams and social engineering attacks. Around half the records contained email addresses, making it particularly valuable to spammers.

Troia said he is certainly not the only person who has searched for Elasticsearch databases, and the database was easy to find using Shodan: A popular search engine with white hat and black hat hackers. It is unknown whether anyone else found the database, but Troia explains that it would not be hard for anyone to find it. He could not be sure how long the database had been exposed online, but said it was at least 2 months.

After identifying an IP address which he believed belonged to the owner, Troia contacted two hosting companies, one of which notified Exactis. Troia also alerted the FBI. Exactis made contact with Troia and the database has now been secured and is no longer accessible.

At 340 million records, this the largest data breach of 2018 and one of the largest breaches ever discovered. The breach is more than twice the size of the Experian data breach of last year, although not on the scale of the Yahoo data breach that contained around 3 billion records. However, the types of information exposed potentially make the breach far more serious than Yahoo’s.

A database containing such detailed information on consumers should not have been left exposed. Safeguards should have been in place to alert the company that security protections had either been turned off or had not been implemented.

This security breach certainly stands out in terms of scale, but it is sadly only one of many that have been identified in recent months involving databases left freely accessible over the Internet.