Phishing & Email Spam

Phishing and email spam is estimated to cost industry more than $1 billion each year, and cybercriminals are becoming more sophisticated in the campaigns they launch to try to extract confidential data or passwords from unsuspecting Internet users.

Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.

Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:

  • If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
  • Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
  • Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
  • Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
  • Remember that phishing and email spam is not limited to email. Watch out for scams sent via social media channels.

Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, there has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).

Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.

The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.

U.S Hotels Targeted In Malspam Campaign Spreading NetWiredRC RAT

Hotels in America are being targeted by cybercriminals in a campaign spreading a remote access Trojan (RAT) called NetWiredRC. The RAT is delivered via malicious emails targeting financial staff in hotels in North America.

The campaign uses a typical lure to get recipients to open the attached file. The message claims there are invoices outstanding and the recipient is asked to validate payment. The invoices are included in a zip file attached to the email.

If the file is extracted and the executable is launched, the Trojan will be downloaded by a PowerShell script. The Trojan achieves persistence by loading itself into the startup folder and will run each time the computer boots.  The malware gives the attacker full control over an infected computer. Files can be uploaded and downloaded, further malware variants can be installed, keystrokes can be logged, and credentials can be stolen.

The ultimate aim of the threat actors behind this campaign is not known, although most cyberattacks on hotels are conducted to gain access to guest databases and payment systems. If malware can be loaded onto POS systems, card details can be skimmed when guests pay for their rooms. It can be months before hotels discover their systems have been breached, by which time the card details of tens of thousands of guests may have been stolen. Hutton Hotel in Nashville, TN, discovered in 2016 that its POS system had been infected with malware for three years.

There have been several recent cases of cyberattacks on hotels resulting in guest databases being stolen and sold on darknet marketplaces. The data breach at Marriott resulted in the theft of 339 million records and Huazhu Hotels Group in China experienced a breach of 130 million records.

Data breaches can prove incredibly costly. The cost of the data breach at Marriott could well reach $200 million, but even smaller data breaches can prove costly to resolve and can cause serious damage to a hotel’s reputation.

The latest spam campaign shows just how easy it is to gain a foothold in a network that ultimately leads to a 3-year data breach or the theft of more than 300 records: The opening of an attachment by a busy employee.

Hotels can improve their defenses by implementing cybersecurity solutions that block the threats at source.  SpamTitan protects businesses by securing the email system and preventing malicious messages from reaching end users’ inboxes. WebTitan is an advanced web filtering solution that allows hotels to block malware downloads and carefully control the websites that can be accessed by staff and guests.

For further information on TitanHQ’s cybersecurity solutions for hotels, contact the sale team today.

OneStopIT Choses TitanHQ to Protect Its Customers from Email and Web-Based Threats

TitanHQ has announced it has entered not a new partnership with one of the United Kingdom’s leading Managed Service Providers (MSPs), OneStopIT.

For more than 16 years, OneStopIT has been helping small to medium sized businesses (SMBs) implement enterprise-class technology solutions. The Edinburgh-based MSP is focused on providing process-driven IT solutions to growing organizations at an affordable price.

Through the company’s dealing with UK businesses it has become clear that one of the biggest problem areas is phishing. Phishing attacks on UK businesses are now occurring at record pace and those attacks are costing businesses dearly.

UK businesses need advanced, enterprise-level cybersecurity solutions, but at an affordable SMB-friendly price. To improve protection against phishing and malware attacks, OneStopIT turned to TitanHQ.

TitanHQ has developed powerful cloud-based solutions for the SMB marketplace that incorporate enterprise-grade security features, but at a price that is affordable for even the smallest business. These solutions have been developed to be delivered by MSPs and can be easily incorporated into MSP auto-provisioning, billing, and management systems.

Under the new partnership, OneStopIT will be offering its customers SpamTItan-powered advanced email security and anti-phishing protection, WebTitan-powered DNS-based web filtering, and an ArcTitan-powered email archiving service.

All three solutions have been seamlessly integrated into OneStopIT’s security stack and are now being used to better protect its customers from today’s advanced and sophisticated cyber threats.

“ The proliferation of phishing threats across Office 365 is a real problem for SME’s in the UK and we’re partnering with a key vendor in this space to protect our customers and also give them the OneStopIT premium service they are used to,” said Ally Hollins-Kirk, CEO of OneStopIT.

North Carolina County Loses $1.7 Million to BEC Scam

Cabarrus County in North Carolina is the latest victim of a major Business Email Compromise attack. The scammers impersonated a building contractor that was constructing a new high school in the County and succeeded in redirecting a $2.5 million payment to their account.

One of the contractor’s email accounts was compromised and an email was sent to a contact at the County requesting a change to the usual bank account.

Any request for such a change naturally needed to pass checks, but since the scammers had sent through all the appropriate documentation, the banking information was changed. The scammers then waited until the next regular payment was made. That payment was for $2,504,601.

The missing payment was queried by the contractor, Branch and Associates, and an investigation uncovered the scam. The relevant banks were informed to freeze the accounts to prevent the money from being withdrawn, but despite the quick response, the banks were only able to recover $776,518.40. The scammers had managed to divert $1,728,082.60 to a variety of accounts and had pocketed the funds.

The County was protected by an insurance policy, but it only provided $75,000 of coverage. $1,653,082.60 of the funds had to be covered by the County, in addition to the costs of investigating the attack, implementing additional security measures, and the cost increase of its insurance premiums after making such a large claim.

In this case the transfer was substantially larger than the average fraudulent BEC wire transfer, but transfers of this magnitude are far from unusual. Figures released by the U.S. Financial Crimes Enforcement Network (FinCEN) show there has been a 172% increase in losses to BEC attacks since 2016. Attacks are also increasing in frequency. In 2018, 1,100 BEC attacks were reported by businesses and $310 million per month was lost to BEC attacks.

FinCEN’s report shows businesses in the manufacturing and construction industries are the most commonly targeted and face the greatest risk of attack, although all businesses need to be aware of the threat and should take steps to reduce risk.

Defending against BEC attacks requires a variety of technical and administrative safeguards. There is no single solution that can be implemented which will detect and block all BEC attacks.

BEC scams usually start with a phishing email, so steps should be taken to improve email security. Advanced email security solutions such as SpamTitan can identify and block these BEC threats. SpamTitan also provides protection against the second stage of the attack. In addition to scanning all incoming emails, SpamTitan also scans outbound email for potential threats coming from within the organization.

Not all threats can be blocked, even with highly advanced email security defenses, so it is essential for the workforce to be trained how to identify potential email threats. Policies and procedures should also be developed covering amendments to banking credentials and email requests for bank transfers over a certain size.

Companies that fail to take action to reduce risk could well find their losses included in next year’s FinCEN BEC financial losses report.

If you have not implemented an anti-spam solution, if you are unhappy with your current provider, or if you use Office 365 for email, contact the TitanHQ team today to find out more about improving your security posture and increasing your defenses against BEC attacks.

Business Email Compromise Attacks Cost $310 Million a Month in 2018

New figures have been released by the U.S. Financial Crimes Enforcement Network (FinCEN) on 2018 Business Email Compromise attacks. The latest FinCEN report highlighted the pervasiveness of the threat and potential for the attacks to result in serious financial harm.

Business Email Compromise (BEC) attacks are concerned with gaining access to a business email account and using that account to send messages to other individuals in an organization and business contacts. While compromised email accounts can be used for a variety of purposes, with BEC the primary goal is usually to convince an employee to make a fraudulent wire transfer or send sensitive information such as employee W-2 Forms.

Social engineering techniques are used to obtain the credentials of a high-level executive and convince an employee to make a fraudulent transfer. While at face value these scams are simplistic – they involve sending an email that requests a bank transfer be made – the scams are often highly sophisticated.

More than $300 Million a Month Was Lost to 2018 Business Email Compromise Attacks

The FinCEN report shows why these attacks are worth the effort. The average fraudulent transaction value in 2018 was $125,439 and $310 million per month was lost to BEC scams in 2018.

FinCEN received approximately 1,100 suspicious activity reports in 2018 that were attributed to BEC scams. It should be taken into consideration that many businesses are not obliged to report security breaches such as BEC scams, so the total losses will be considerably higher.

BEC attacks are also being conducted far more frequently and losses to the scams have skyrocketed. The 2016 FinCEN report indicates at least $110 million was lost to BEC scams. Losses to BEC scams have increased by 172% increase in just two years.

There has been a marked change in BEC scam tactics over the last two years, which has helped to increase the dollar amount of each fraudulent transaction.

As previously mentioned, the scams involve compromising an email account, which was commonly the email account of the CEO or CFO. The email accounts were used to send wire transfer requests and the average transaction value was $50,272. The 2018 figures show that there has been a shift from attacks that impersonate the CEO to attacks impersonating contractors and other vendors.

If a vendor’s email account is compromised, fake invoices can be sent to all companies that the vendor works for. Further, the typical amount of a vendor invoice is substantially higher than the transfer amounts typically requested by CEOs.

FinCEN’s figures show the average fake invoice transaction value was $125,439 for fake invoices from contractors, which is $75,167 more than the typical CEO email request.

FinCEN’s 2017 figures indicate 33% of BEC attacks involved impersonation of the CEO, but the percentage had fallen to just 12% in 2018. 39% of all BEC attacks in 2018 involved the impersonation of an outside entity such as a business associate, contractor, or vendor.

How to Improve Defenses Against BEC Attacks

With attacks increasing and losses spiraling, businesses need to take steps to reduce risk by improving email security and providing further training to employees. Employees should be made aware of the risk of BEC attacks, told about the latest threats, and should be taught how to identify a scam email. Policies should also be developed and implemented which require verification of all emailed transfer requests and bank account changes.

Training and policies will help to create a strong last line of defense, but the primary goal should be blocking the scam emails at the email gateway to ensure end users are not tested. That requires a powerful anti-spam and anti-phishing solution such as SpamTitan. SpamTitan blocks more than 99.97% of all spam and malicious emails to keep business inboxes threat free.

For further information on SpamTitan and other cybersecurity protections to reduce the risk of phishing and BEC attacks, contact TitanHQ today.

New Office 365 Phishing Scams Detected

Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.

The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.

A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.

If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.

The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants and a module also been developed for propagation which includes the EternalBlue exploit.

Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.

This is a professional campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.

Office 365 Admins Targeted

A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.

Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.

The emails contain a link for the admin to use to login to their Office 365 account to address the problem. The user will be directed to a webpage on the windows.net domain which has a valid certificate from Microsoft. The Microsoft login box is identical to that used on the Microsoft site.

Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.

Admin credentials are highly valuable as they allow an attacker to create new office 365 accounts, access other user’s mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common due to the high value of the accounts and the range of attacks they allow a hacker to perform.

There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.

However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.

WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.

Contact TitanHQ today to find out more about SpamTitan and WebTitan for SMBs and MSPs, the different deployment options, pricing information, and to book a product demonstration.

An Easy Way to Block Email Impersonation Attacks on Businesses

Ransomware attacks are soaring and phishing and email impersonation attacks are being conducted at unprecedented levels. Cybersecurity defenses are being tested like never before.

Large enterprises are big targets as they store vast quantities of personal data which can be used for identity theft. Retailers are being attacked to obtain credit/debit card information and attacks on hospitals provide sensitive health data that can be used for medical identity theft.

Small businesses are not such an attractive target, but they do store reasonable amounts of customer data and attacks can still be profitable. A successful attack on Walmart would be preferable, but attacks on SMBs are far easier to pull off. SMBs typically do not have the budgets to invest in cybersecurity and often leave gaps that can be easily exploited by cybercriminals.

One of the most common methods of attacking SMBs is phishing. If a phishing email makes it to an inbox, there is a reasonable chance that the message will be opened, the requested action taken and, as a result, credentials will be compromised or malware will be installed.

The 2018 KnowBe4 Phishing Industry Benchmarking Report shows that on average, the probability of an employee clicking on a malicious hyperlink or taking another fraudulent request is 27%. That means one in four employees will click a link in a phishing email or obey a fraudulent request.

Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organization with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company. The email will use a genuine email address on a known business domain. Without appropriate security controls in place, that message will arrive in inboxes and several employees are likely to click and disclose their credentials or open an infected email attachment and install malware. Most likely, they will not realize they have been scammed.

One method that can be used to prevent these spoofed messages from being delivered is to apply Domain-based Message Authentication, Reporting and Conformance (DMARC) rules. In a nutshell, DMARC consists of two technologies – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

SPF is a DNS-based filtering control that helps to identify spoofed messages. SPF sets authorized sender IP addresses on DNS servers. Recipient servers perform lookups on the SPF records to make sure that the sender IP matches one of the authorized vendors on the organization’s DNS servers. If there is a match the message is delivered. If the check fails, the message is rejected or quarantined.

DKIM involves the use of an encrypted signature to verify the sender’s identity. That signature is created using the organization’s public key and is decrypted using the private key available to the email server. DMARC rules are then applied to either reject or quarantine messages that fail authentication checks. Quarantining messages is useful as it allows administrators to check to make sure the genuine emails have not been flagged incorrectly.

Reports can be generated to monitor email activity and administrators can see the number of messages that are being rejected or dropped. A sudden increase in the number of rejected messages indicates an attack is in progress.

DMARC is not a silver bullet that will stop all email impersonation and phishing attacks. It is an extra layer of security that can greatly reduce the number of threats that arrive in inboxes.

TitanHQ’s anti-phishing and anti-spam solution – SpamTitan – incorporates DMARC to protect against email impersonation attacks along with advanced anti-malware features, including a Bitdefender-powered sandbox.

For further information securing your email channel and blocking email-based threats, contact TitanHQ today.

Phishing-as-a-Service Opens Flood Gates: Waves of Phishing Emails Expected

You may have heard of ransomware-as-a-service – where ransomware is rented for a cut of the profits generated – but now there are a growing number of hackers offering phishing-as-a-service.

Ransomware-as-a-service proved popular as it allowed people without the skill set to create their own ransomware to conduct attacks and take a share of the profits. Conducting phishing attacks is easier. It requires no knowledge of malware or ransomware. All that is required is a hosted web page that mimics a brand you want to target, a phishing kit, and an email account to send phishing emails far and wide.

There is still entry barrier to cross before it is possible to conduct phishing attacks.  Phishing requires some knowledge and skill as a spoofed phishing web page must be created and emails crafted that will attract a click. The web page will also need to be hosted somewhere so a compromised domain will therefore be required.

Phishing-as-a-service provides all of that. To get started, you purchase one of several phishing templates based on what you are targeting – Office 365, SharePoint, OneDrive, Google, or DocuSign credentials for example. The phishing pages are sold complete with phishing kits loaded and one month’s hosting.

One group offering phishing-as-a-service guarantees the phishing page will be hosted for one month and includes a three-link backup. If one URL fails or is reported as a phishing website, a further two links can be provided on request followed by a further three after that.

Phishing-as-a-service takes all the time-consuming work out of starting a phishing campaign and allows phishing campaigns to be conducted by individuals with next to no specific skills. Once payment is made for the web page, all that is required is the ability to conduct a spam campaign. The service also comes with the option of purchasing lists of email addresses for the country of choice. All that is required to conduct a phishing campaign is payment ($30+) for phishing-as-a-service and a convincing phishing email.

With the entry barrier being substantially lowered, phishing attacks are likely to become much more frequent. It is therefore essential for businesses of all sizes to take steps to improve protections and reduce susceptibility to phishing attacks.

If you are defending against any attack it pays to know your enemy. It is therefore essential for all employees with an email account to be provided with security awareness training and be taught how to recognize a phishing attack.

It is also important to implement cybersecurity solutions that help to ensure your last line of defense will not be tested. You should have an advanced anti-spam solution in place to block the vast majority of phishing threats. If you use Office 365 for your business email, a third-party anti-spam solution will provide a greater level of protection.

An additional protection against phishing attacks that is often overlooked is a DNS filter or web filter. A web filter gives organizations control over what their employees can do online and which websites they can visit. Any website that has been reported as malicious is automatically blocked using blacklists and webpages are scanned in real-time and blocked if malicious. If a phishing email reaches an inbox and attracts a click, the attempt to access the phishing website can be blocked.

If you want to improve your email and web security posture or you are looking for better value cybersecurity solutions, TitanHQ can help. Contact TitanHQ today to discuss your email and web security requirements and you will be advised on the best solutions to meet your needs.

TitanHQ offers a free trial on all products and is happy to arrange product demonstrations on request.

What is DMARC Email Authentication and Why is it Important?

DMARC email authentication is an important element of phishing defenses, but what is DMARC email authentication, what does it do, and how does it protect against email impersonation attacks?

There is some confusion about what DMARC email authentication is and what it can do. In this post we explain in clear English what DMARC means and why it should be part of your anti-phishing defenses.

DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes.

With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.

If DMARC is implemented on email, a business can have all incoming emails checked against DMARC records and any email that fails the check can be subjected to certain actions.

The message can be delivered as normal with a warning and the email will be included in a report of emails that failed the check. The message could automatically be sent to quarantine for manual approval before delivery is made. Alternatively, the message could be rejected or subjected to a custom policy. An organization can select the best policy to adopt based on their level of risk tolerance.

DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes.

DMARC is just one of several rules that are used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DNS records are also used to determine whether the email server being used is authorized to send emails for the organization.

The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies.  The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.

DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification.

If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.

DMARC offers a much greater level of protection than SPF and is more dependable, so both should be implemented. TitanHQ is happy to announce that both SPF and DMARC are incorporated into SpamTitan to better protect users from email spoofing attacks.

To find out more about improving your email security defenses, contact the TitanHQ team today.

LooCipher Ransomware Campaign Detected

A new strain of ransomware has been identified which has been used in multiple attacks over the past few weeks.

All of the attack vectors used to distribute the ransomware are not yet known, but samples of the ransomware have been distributed via a spam email campaign.

The spam email campaign uses a tried and test format to deliver the ransomware payload. A Word document called Info_BSV_2019.docm is attached to emails with requests that the recipient open the document. In order for the contents to be displayed, the user is told they must enable macros. Enabling macros will launch code that downloads an executable file, which is renamed LooCipher.exe and is executed.

The ransomware will encrypt a standard range of file types, but instead of deleting the original files, they are retained as zero-byte files. Encrypted files are given the extension .lcphr.

The ransomware creates a file on the Windows Desktop called c2056.ini, which includes the unique ID number of the computer, the time limit for paying the ransom, and the Bitcoin wallet address for payment. The ransom note warns that deletion of the ini file will prevent file recovery.

Users are given 5 days to pay the ransom or the key to unlock files will be permanently deleted. The ransom is €300 ($330) in Bitcoin per device. No option is provided to test to see whether a file can be decrypted.

LooCipher ransomware may not be particularly polished, but it has already claimed several victims. Recovery will depend on an organization’s ability to restore files from backups. It is not clear whether the attackers hold valid keys to decrypt encrypted files.

Ransomware attacks have been increasing following a decline in popularity of ransomware with hackers in 2018. There have been high profile attacks on U.S. cities and ransoms and hundreds of thousands of dollars have been paid in ransoms. Ransomware attacks on healthcare organizations have increased, and several new strains of ransomware have emerged.

Recently the Department of Homeland Security warned of the risk of wiper malware attacks by Iranian threat actors, as tensions between the United States and Iran continue to increase.

These malware threats may be delivered by a variety of different methods, but spam email is the delivery vector of choice. Protecting against these malware threats requires an advanced spam filtering solution capable of precision control over incoming email and the ability to scan messages and analyze attachments for malicious code.

SpamTitan uses twin AV engines to identify known malware and a sandbox to analyze suspicious attachments to identify malicious actions and provides superior protection against malware, ransomware, viruses, botnets, and phishing attacks.

To find out more about how you can improve email security with SpamTitan, contact the TitanHQ team today.

U.S. Cybersecurity Agency Warns of Wiper Malware Attacks

Tension is rising between the United States and Iran following the downing of a U.S. Global Hawk surveillance drone close to the Strait of Hormuz and the recent mine attacks.

Less visual are the attacks on IT systems. The Washington post recently reported that the United States had conducted a successful cyberattack on the Islamic Revolutionary Guard Corps, part of the Iranian military, which is believed to have been involved in the mine attacks.

Iranian-affiliated hacking groups have conducted cyberattacks on U.S. industries and government agencies and those attacks are increasing in frequency. So much so that the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, sent out a warning on Twitter about the increased risk of attack.

“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” said Krebs.

Threat actors affiliated with Iran have been using wiper malware in targeted attacks on businesses, government agencies, industries, and infrastructure. Whereas ransomware encrypts files with the aim of receiving a ransom payment, the purpose of wiper malware is to permanently destroy data and wipe systems clean.

Wiper malware has previously been used in major attacks, some targeted, others less so. In 2012, Saudi Aramco, a Saudi Arabian oil firm, was attacked with a wiper malware variant called Shamoon. The malware wiped tens of thousands of computers.

More recently were the NotPetya attacks. While initially thought to be ransomware, it was later discovered there was no mechanism for file recovery and the malware was a wiper. Some companies were hit hard.  The shipping firm Maersk suffered losses of around $300 million due to NotPetya. Global losses are estimated to be between $4-8 billion.

Hackers working for the Iranian regime commonly gain access to computers and servers through the use of phishing, spear phishing, credential stuffing, and password spraying.

“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” warned Krebs.

As with ransomware, recovery from a wiper malware attack is reliant on backups, except there is no safety net as a ransom cannot be paid to recover data. It is therefore essential that a working copy of all data is maintained, with one copy stored securely off-site on a non-networked, non-internet exposed device.

Even with a working copy of data, recovery can be time consuming and costly. It is therefore important to ensure that solutions are in place to block the main attack vectors.

A spam filtering solution with advanced anti-malware capabilities is therefore required to block email-based attacks. A web filtering solution can prevent users from visiting malicious websites or inadvertently downloading malware and employees should be provided with security awareness training to help them recognize potential threats.

Standard cybersecurity best practices should be adopted such as ensuring strong password policies are implemented and enforced, multi-factor authentication is implemented, all software is kept up to date and patched are applied promptly. IT departments should also ensure permissions are set to the rule of least privilege.

Invaluable Advice for MSPs at DattoCon19 in San Diego from Event Sponsor TitanHQ

The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.

DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.

TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions area easy to implement and maintain and can be integrated into MSP’s existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.

The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.

Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.

If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.

TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new, Datto Select Avendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the epic problems faced by MSPs today.

Additional Benefits at DattoCon19

  • New TitanHQ customers benefit from special show pricing.
  • A daily raffle for a free bottle of vintage Irish whiskey.
  • Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.

DattoCon Details

DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23

Contact the TitanHQ team in advance:

  • Rocco Donnino, Executive Vice President-Strategic Alliances, LinkedIn
  • Eddie Monaghan, MSP Alliance Manager, LinkedIn
  • Marc Ludden, MSP Alliance Manager, LinkedIn

Ransomware Attacks on the Rise Once More and Cities are in Attackers’ Crosshairs

The use of ransomware to attack businesses continued to decline throughout 2018 after extensive use of the file-encrypting malware by cybercriminals in 2016 and 2017. In 2018, ransomware fell out of favor with cybercriminals, who turned to other forms of cybercrime to make money.

However, ransomware is seeing something of a resurgence in 2019. The latest Breach Insights Report from Beazley Breach Response Services shows ransomware attacks are increasing once again. In the first quarter of 2019, ransomware attack notifications from its clients increased by 105% from Q1, 2018. Ransom demands are also increasing.

The rise in attacks has continued in Q2. Attacks using MegaCortex ransomware surged in late April. The ransomware variant was first identified in January and was only used in a handful of attacks in the following three months, but in the last week in April, 47 confirmed attacks were reported.

Dharma ransomware attacks have similarly increased. According to Malwarebytes, the past two months have seen a 148% increase in attacks. The threat actors behind Dharma ransomware are now using a variety of methods to distribute their ransomware payload.

The most common method of distribution is phishing emails. Emails contain embedded hyperlinks that direct users to a malicious website where the ransomware payload is downloaded. Email attachments containing malicious scripts are also used to download the ransomware payload.

Attacks are also taking place via remote desktop protocol over TCP port 3389. Brute force attacks are conducted to gain access to a device then ransomware is deployed. Dharma ransomware has also been identified in fake antivirus software programs which are pushed via a variety of websites. Users are tricked into downloading fake AV software after receiving a fake alert about a malware infection that has been detected on the user’s device.

Ransomware has also been used in conjunction with other malware such as Emotet. Emotet was once a banking Trojan but has since morphed into a botnet, capable of stealing login credentials, propagating itself via email on an infected device, and is capable of downloading other malware payloads. Emotet has been used to distribute Ryuk ransomware.

There have been upticks in attacks using other ransomware variants and the popularity of ransomware continues to grow, with some industries targeted more than others. Healthcare organizations are an attractive target as access to patient data is critical for providing medical services. There is a higher probability of ransom demands being paid due to reliance on patient data.

A recent report from Recorded Future has confirmed that attacks on towns, cities, and local government systems are soaring. Its study confirmed that there were 169 attacks on county, city, or state government systems and police and sheriffs’ offices since 2013. There were 38 ransomware attacks in 2017, 53 in 2018, and 22 attacks have already occurred in 2019 and the year is not yet halfway through.

Akron, OH; Albany, NY; Jackson County and Cartersville, GA; and Lynn, MA, have all been attacked this year and the city of Baltimore, MA, has been struggling to recover from its attack for the past two weeks with many city services still disrupted.

The rise in attacks is understandable. The potential rewards from a successful attack are high, many victims have no alternative but to pay, and thanks to ransomware-as-a-service, attacks are easy to pull off and require little in the way of skill.

As long as the attacks continue to be profitable, they will continue. What businesses need to do is to make it much harder for the attacks to succeed and to ensure that if disaster does strike, recovery is possible without having to pay a ransom.

Recovery depends on viable backups of all critical files being available. That means regular backups must be made, those backups need to be tested to make sure files can be restored, and copies need to be stored securely where they cannot also be encrypted.

Remote Desktop Protocol is a weak point that is commonly exploited. If RDP is not required, it should be disabled. If disabling RDP is not an option, strong, complex passwords should be used and access should only be possible using a VPN.

To block web-based attacks, consider implementing a web filtering solution such as WebTitan which prevents users from visiting known malicious websites and downloading executable files types.

One of the primary methods of delivering ransomware is spam and phishing emails. An advanced spam filtering solution should be implemented to block malicious emails and ensure they are not delivered to end users’ inboxes. SpamTitan now incorporates a sandbox, which allows suspicious files to be executed in a secure environment where activities of the files can be safely analyzed for malicious actions. SpamTitan also scans outgoing mail for signs of infection with Emotet.

While these technical controls are important, you should not forget end users. By providing security awareness training and teaching end users how to recognize potential threats, they can be turned into a strong last line of defense.

Fortunately, with layered defenses you can make it much harder for ransomware attacks to succeed and can avoid becoming yet another ransomware statistic.

United States Businesses Targeted in Shade Ransomware Attacks

Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.

Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.

The downloaded files use JavaScript or other scripts to download the Shade ransomware payload. Shade ransomware encrypts a wide range of files and changes the background on the infected computer to alert the user that their files have been encrypted. Ransom notes are also saved to the Desktop with the filename of README1.txt through to README10.txt. Those text files advise the victim to email a code to an email address to receive instructions on how the ransom payment must be made.

An analysis of the latest campaigns was recently conducted by Palo Alto Networks Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions and the threat actors behind the campaigns have been highly active in 2019.

Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.

SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.

The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachments commonly used to deliver malware, such as zip files and executable files such as .exe and .js.

These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.

If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.

Business Email Compromise Losses Doubled to $1.2 Billion in 2018

Malware and ransomware attacks are causing major problems for businesses, but the biggest threat in terms of losses are business email compromise scams.

The 2018 Internet Crime Report from the FBI clearly shows how serious the threat of BEC attacks has become. In 2017, reported losses from BEC attacks reached $675 million. In 2018, losses to BEC scams doubled to reach a staggering $1.2 billion.

It is no surprised that so many cybercriminal gangs are conducting BEC attacks. In contrast to many other forms of cybercrime, BEC scams can be extremely profitable and they require little in the way of technical skill to perform. As with phishing attacks, they often involve an attacker sending an email to trick an individual into making a wire transfer.

The scams often start with a spear phishing email targeting an executive in a company. The aim of the initial phase of the attack is to gain access to that individual’s email account. Once the email account is compromised, emails are then sent to finance department employees or payroll staff requesting a wire transfer be made.

Highly convincing emails are sent, and since they come from a genuine internal email account, the recipient is less likely to question the request.

Large enterprises often make large wire transfers, so a sizable transfer request for tens or hundreds of thousands of dollars may be authorized without question. There have even been cases where much more substantial wire transfers have been made. A town in New Jersey discovered that, as a result of a BEC attack, a transfer of $1 million had been made to a criminal’s account. In that case, the FBI was able to freeze the funds in time, but with many scams, funds are withdrawn before the scam is identified.

In many cases, the first step in the attack is skipped and emails are simply spoofed to make them appear to have been sent from within the organization, from a contractor, or another individual with a relationship with the targeted entity.

The tactics and techniques being used are constantly changing. In addition to requests for wire transfers, cybercriminals often request tax (W2) forms of employees. This year has also seen an increase in gift card related BEC attacks. Instead of requesting wire transfers, requests are made to send gift cards for iTunes and online retailers. Cybercriminals then exchange the gift cards for Bitcoin online.

Confidence fraud and romance scams were the second main cause of losses. $362 million was lost to those scams and investment-related scams resulted in losses of over $252 million.

The real estate sector was extensively targeted in 2018. Criminals have attempted to get deposits and payments for house purchases diverted, often posing as the buyer, seller, real estate agents, or lawyers.

Phishing attacks are also on the rise. In 2018, the FBI’s Internet Crimes Complaint Center (IC3) received 26,379 complaints about phishing, smishing, and vishing, More than $48 million was lost to those scams in 2018.

Many of these scams are either conducted over email or start with a phishing email. It is therefore important for businesses to implement solutions that protect the email gateway and block these attacks at source to prevent malicious messages from reaching end users. It is also essential to provide training to staff to ensure they if they do encounter a phishing email or other scam, they have the skills to identify it as such.

 

Email Campaign Uses CDC Flu Pandemic Warning to Fool Users into Installing GandCrab Ransomware

Cybercriminals are constantly coming up with new scams to convince people to part with their login credentials or install botnets, viruses, malware, or ransomware.

Email is one of the easiest ways to get these scams out to the masses, accompanied with a good hook to get the user to open the message. Various tactics are used to achieve the latter, one of the most common being fear. Scaring people into taking action is very effective. A recently identified campaign is a good example. It uses fear of a flu pandemic to get users to take action.

According to the U.S. Centers for Disease Control and Prevention, flu killed about 80,000 in the 2017 to 2018 season, which was a record year for flu deaths. The previous record in the past three decades was beaten by 24,000.

For any phishing email to stand a good chance of fooling large numbers of people, the emails must be credible. This campaign provides that credibility by spoofing the CDC. The subject lines used in the campaign warn of a flu pandemic, and the email addresses used and the logos in the message body make the messages appear to have genuinely been sent by the CDC.

The message included an attachment – named Flu Pandemic Warning – provides important information that users need to know to prevent infection and stop the disease from spreading. The fear of contracting flu combined with the realistic looking emails make it likely that this campaign will fool many individuals.

That document contains malicious code that downloads and runs GandCrab ransomware v5.2, for which there is currently no free decryptor. Once downloaded, GandCrab ransomware will encrypt files on the infected computer preventing them from being accessed. The average ransom demand is $800 per infected computer.

In order for the malicious code to download the ransomware, the content must be enabled. In the message body, recipients are told that in order to view all the information in the document they must enable content. This prior instruction is intended to get the user to click ‘enable content’ quickly when the document is opened, rather than to stop and think.

All users should be alert to these kind of email scams. Caution should be exercised before opening any email attachment, no matter how urgent the message appears to be. Any unsolicited email should be carefully checked as there will usually be signs that indicates all is not what it seems.

Businesses are particularly at risk and can suffer major losses as a result of ransomware attacks, especially when several employees are fooled by these email scams.

Signature-based email defenses were once effective at blocking malware, but malware developers are constantly releasing new versions that have never before been seen. Signature-based AV software struggles to maintain pace and is not effective against zero-day malware variants and malicious code that downloads the malware.

End user training certainly goes a long way and can help to prevent mass infections, but what is really needed is an advanced anti-phishing solution that blocks phishing emails and email scams at source before they are delivered to inboxes. That is an area where TitanHQ can help.

To protect against email-based attacks, TitanHQ developed SpamTitan – A highly effective anti-phishing and anti-spam solution with advanced features that provide superior protection against phishing and malware attacks.

In addition to dual anti-virus engines, SpamTitan incorporates a wide range of checks to distinguish malicious emails from genuine messages. Recently, Spamtitan has had two new features incorporated: DMARC email authentication and sandboxing. DMARC helps to ensure that spoofed email messages, such as those that appear to have been sent by the CDC, are identified as scams and are blocked. Sandboxing is important for protecting against zero-day malware threats and malicious downloaders.

Potentially malicious attachments are executed and analyzed in a Bitdefender-powered sandbox, where the actions performed by malware and malicious code can be assessed without causing harm. When malicious code is detected it is blocked across all users’ inboxes.

With SpamTitan in place, businesses will be well protected against campaigns such as this. For further information on TitanHQ’s award-winning anti-spam solution, for a product demonstration, or to register for a free trial, contact the TitanHQ team today and take the first step toward making your email channel much more secure.

SpamTitan Named Leading Secure Email Gateway Solution

SpamTitan, TitanHQ’s business email security solution, has been named leader in the Spring G2 Crowd Grid Report for Email Security Gateways.

G2 Crowd is a peer-to-peer review platform for business solutions. G2 Crowd aggregates user reviews of business software and the company’s quarterly G2 Crowd Grid Reports provide a definitive ranking of business software solutions.

The amalgamated reviews are read by more than 1.5 million site visitors each month, who use the reviews to inform software purchases. To ensure that only genuine reviews are included, each individual review is subjected to manual review.

The latest G2 Crowd Grid Report covers email security gateway solutions. Gateway solutions are comprehensive email security platforms that protect against email-based attacks such as phishing and malware. The email gateway is a weak point for many businesses and it is one that is often exploited by cybercriminals to gain access to business networks. A powerful and effective email gateway solution will prevent the vast majority of threats from reaching end users and will keep businesses protected.

To qualify for inclusion in the report, email gateway solutions needed to scan incoming mail to identify spam, malware, and viruses, securely encrypt communications, identify and block potentially malicious content, offer compliant storage through archiving capabilities, and allow whitelisting and blacklisting to control suspicious accounts.

For the report, 10 popular email security gateway solutions were assessed from Cisco, Barracuda, Barracuda Essentials, Proofpoint, Mimecast, Symantec, McAfee, Solarwinds MSP, MobileIron, and TitanHQ. Customers of all solutions were required to give the product a rating in four areas: Quality of support, ease of use, meets requirements and ease of administration.

TitanHQ the leader in business email security, today announced it has been recognized as a leader in the G2 Crowd Grid? Spring 2019 Report for Email Security.

TitanHQ’s SpamTitan was named leader based on consistently high scores for customer satisfaction and market presence. 97% of users of SpamTitan awarded the solution 4 or 5 stars out of 5 and 92% said they would recommend SpamTitan to others.

SpamTitan scored 94% for quality of support and meeting requirements. The industry average in these two areas was 84% and 88% respectively. The solution scored 92% for ease of use against an industry average of 82%, and 90% for ease of admin against an average value of 83%.

“TitanHQ are honored that our flagship email security solution SpamTitan has been named a leader in the email security gateway category,” said Ronan Kavanagh, CEO, TitanHQ. “Our customers value the uncompromised security and real-time threat detection. The overwhelmingly positive feedback from SpamTitan users on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”

If you want to improve email security without breaking the bank and want a solution that your IT staff will like using, SpamTitan is the ideal choice.

SpamTitan is available on a 100% free trial to allow you to try before committing to a purchase; however, if you have any questions about the solution, contact the TitanHQ team who will be happy to help and can schedule a product demonstration.

Emotet Malware Revives Old Email Conversations Threads to Increase Infection Rates

Emotet malware was first identified in 2014 and its original purpose was to obtain banking credentials and other sensitive information; however, the malware is regularly updated and new functionality is added. Emotet malware is now one of the most prevalent and dangerous malware threats faced by businesses.

The malware can detect whether it is running in a virtual environment and will generate false indicators in such cases. The malware is polymorphic, which means it changes every time it is downloaded. That makes it difficult to detect using the signature-based detection methods employed by standard anti-virus software.

The malware also has worm-like features which allows it to rapidly spread to other networked computers. Emotet is also capable of spamming and forwarding itself to email contacts. As if infection with Emotet is not bad enough, it can also download other malware variants onto infected devices.

Emotet malware is one of the most destructive malware variants currently in use and cleaning up Emotet attacks can be incredibly costly. The Department of Homeland Security has reported that some attacks on state, local, tribal, and territorial governments have cost more than $1 million to resolve.

Emotet malware is primarily distributed via spam email, either through malicious attachments or hyperlinks to websites where the malware is silently downloaded. The lures used in the messages are highly varied and include most of the commonly used phishing lures such as shipping notifications, fake invoices, payment requests, PayPal receipts.

Now the threat actors behind the malware have adopted a new tactic to increase infection rates. Once installed on a device, the malware accesses email conversation threads and forwards the message to individuals named in the thread.

The original email conversation is unaltered, but a hyperlink is added to the top of the message. The link directs the recipient to a webpage where a file download is triggered. Opening the document and enabling macros will see Emotet downloaded. Email attachments may also be added to previous conversation threads in place of hyperlinks.

Since the messages come from a known individual with whom an email conversation has taken place in the past, the probability of the document being opened is greater than if messages come out of the blue or are sent from an unknown individual.

Several cybersecurity firms have identified a campaign using this tactic, including phishing intelligence provider Cofense and security researcher Marcus Hutchins (MalwareTech).

The current campaign uses revived conversations from before November 2018, although more recent conversations may be revived in further campaigns. Any revived old email conversation that contains a link or an attachment could indicate a user has been targeted and that at least one member of the email exchange has been infected with Emotet.

The current campaign is not only extensive, it is also proving to be extremely successful. Spamhaus reports that there have been 47,000 new infections in the past two months alone, while Cofense reports that it has identified more than 700,000 infections in the past 12 months.

Protecting against this dangerous malware requires a powerful anti-spam solution and good security awareness training for staff. SpamTitan’s new features can help to detect malicious emails spreading Emotet malware to better protect businesses from attack.

To find out more about SpamTitan and how the solution can protect your business, give TitanHQ a call today.

Tax-Related Phishing Scams Delivering TrickBot Trojan

Monday April 15 is Tax Day in the United States – the deadline for submitting 2018 tax returns. Each year in the run up to Tax Day, cybercriminals step up their efforts to obtain users’ tax credentials. In the past few weeks, many tax-related phishing scams have been detected which attempt to install information stealing malware.

One of the main aims of these campaigns is to obtain tax credentials. These are subsequently used to file fraudulent tax returns with the IRS. Tax is refunded to accounts controlled by the attackers, checks are redirected, and a range of other methods are used to obtain the payments.

Attacks on tax professionals are commonplace. If access can be gained to a tax professional’s computer, the tax credentials of clients can be stolen, and fraudulent tax returns can be filed in their names. A single successful attack on a tax professional can see the attacker obtain many thousands of dollars in tax rebates.

There has been the usual high level of tax-related phishing scams during the 2019 tax season and businesses of all types have been targeted. It is not only tax credentials that cybercriminals are after. Many tax-themed phishing scams have been conducted which attempt to install malware and ransomware such as the TrickBot banking Trojan.

The TrickBot banking Trojan is a powerful malware variant which, once installed, can give an attacker full control of an infected computer. The malware is primarily an information stealer. A successful installation on one business computer can allow the attackers to move laterally and spread the malware across the whole network.

The primary purpose of the TrickBot trojan is to steal banking credentials which can be used to make fraudulent wire transfers: however, TrickBot is regularly updated with new features. In addition to stealing banking credentials, the malware can steal VNC. RDP, and PuTTY credentials.

The threat actors behind TrickBot are highly organized and well resourced. More than 2,400 command and control servers are used by the cybercriminal gang and that number continues to grow.

The three new TrickBot malware campaigns were detected since late January by IBM X-Force researchers. Spam email messages are carefully crafted to appear legitimate and look innocuous to business users and appear to have been sent by well-known accounting and payroll firms such as ADP and Paychex.

Spoofed email addresses are commonly used, although in these campaigns, the attackers have used domain squatting. They have registered domains that are very similar to those used by the accounting firms. The domains have transposed letters and slight misspellings to make the email appear to have been sent from a legitimate source. The domains can be highly convincing and, in some cases, are extremely difficult to identify as fake.

The emails are well written and claim to include tax billing records, which are included as attached spreadsheets. The spreadsheets contain malicious macros which, if allowed to run, will download the TrickBot Trojan.

To prevent attacks, several steps should be taken. Macros should be disabled by default on all devices. Prompt patching is required to keep all software and operating systems up to date to prevent vulnerabilities from being exploited.

End users should receive security awareness training and should be taught cybersecurity best practices and how to identify phishing emails. An advanced spam and anti-phishing solution should also be implemented to ensure phishing emails are identified and prevented from reaching end users inboxes. Further, all IoCs and IPs known to be associated with the threat actors should be blocked through spam filtering solutions, firewalls, and web gateways.

The latter is made easy with SpamTitan and WebTitan – TitanHQ’s anti-phishing and web filtering solutions for SMBs.

 

Webinar: Discover the Exciting New Features of SpamTitan

Current users of the SpamTitan email security solution and SMBs and MSPs that are considering implementing SpamTitan or offering it to their clients are invited to join a webinar in which TitanHQ will explains the exciting new features that have recently been incorporated into the anti-phishing and anti-spam solution.

SpamTitan has recently received a major update that has seen the incorporation of DMARC email authentication to better protect users from email impersonation attacks and the addition of a new Bitdefender-powered sandbox. The sandbox allows users to safely assess email attachments for malicious actions, to better protect them against zero-day malware and other malicious software delivered via email.

The webinar will explain these and other features of SpamTitan in detail and the benefits they offer to customers, including how they better protect SMBs and SMEs from phishing, spear phishing, spoofing, ransomware, malware, and zero-day attacks.

The webinar will also explain why SpamTitan is the leading email security solution for managed service providers serving the SMB and SME market and how the solution can help to enhance security for their clients and can easily be slotted into their service stacks.

The webinar will be taking place on Thursday April 4, 2019 at 12pm, EST and will last approximately 30 minutes.

Advance registration is necessary. You can sign up for the webinar on this link.

Cybercriminals Launch Malware and Phishing Campaigns Using Boeing Crash and Christchurch Massacre as Lures

The past few weeks have seen two major disasters in which hundreds of people lost their lives. 157 people lost their lives in the Ethiopian Airlines Boeing 737 Max crash and the Christchurch mosque massacre saw 50 people killed.

Both events were terrible tragedies that shocked people the world over. Victims and their families have been receiving messages of support on social media and many people have shown their support by making financial donations. More than US$5 million has so far been raised to help the victims of the New Zealand attack.

Unfortunately, cybercriminals are taking advantage. In the past few days, phishing campaigns have been detected that are using the tragedies to infect computers with malware and steal charitable donations.

According to New Zealand’s cybersecurity agency, CERT NZ, multiple campaigns have been detected that are using the Christchurch attack as a lure. Malware has been embedded in video footage of the tragedy which is currently being shared online, including on social media websites.

Phishing attacks are also being conducted which contain links to faked online banking forms that attempt to obtain users banking credentials. One campaign spoofed the Westpac New Zealand bank and emails appeared to have been sent from its domain. Other email campaigns contain pleas for financial assistance and supply bank account details for donations, but the details are for criminal-controlled accounts.

Another campaign has been detected that is using the Ethiopian Airlines Boeing 737 Max crash to spread a remote access Trojan and information stealer. The emails claim to offer information to air travelers about airlines that are likely to also suffer crashes. The emails offer information that has been found on the darkweb by a security analyst. The emails include a JAR file which, it is claimed, has important information for all air travelers on airlines to avoid due to the risk of plane crashes.

Whenever there is a tragedy that is extensively covered in the media cybercriminals try to take advantage. By adopting cybersecurity best practices such as never opening email attachments from unknown senders nor clicking links in emails, these scams can be avoided.

Unfortunately, email spoofing makes it difficult to detect phishing threats. Scam emails often appear genuine and seem to have been sent from a trusted source. To combat the threat to businesses, TitanHQ has recently updated its spam filtering solution, SpamTitan, to provide greater protection from these threats.

SpamTitan now incorporates DMARC to authenticate senders of emails and protect against email impersonation attacks. To provide even greater protection from malware, in addition to dual anti-virus engines, SpamTitan now incorporates a Bitdefender-powered sandbox, where suspicious files can be safely analyzed to determine whether they are malicious.

These additional controls will help to protect businesses and end users from new malware threats and advanced phishing and email impersonation scams.

Sandboxing and DMARC Authentication Added to SpamTitan Email Security Solution

Sandboxing and DMARC Authentication Added to SpamTitan Email Security Solution

This week, TitanHQ has rolled out two new features for its award-winning email security solution SpamTitan: Sandboxing and DMARC email authentication.

TitanHQ developed the technology behind its email security solution more than 20 years ago and over the past two decades SpamTitan has received many updates to improve features for end users and increase detection rates.

SpamTitan already blocks more than 99.9% of spam and malicious emails to prevent threats from reaching end users’ inboxes. The level of protection SpamTitan provides against email attacks has made it the gold standard in email security for the SMB market and managed service providers serving SMBs.

In order to provide even greater protection against increasingly sophisticated email threats, TitanHQ added a new sandboxing feature. The next-generation sandboxing feature, powered by Bitdefender, provides SpamTitan customers with a safe environment to run in-depth analyses of suspicious programs and files that have been delivered via email.

New SpamTitan Sandboxing Service

The sandbox is a powerful virtual environment totally separate from other systems. When programs are run in the sandbox, they behave as they would on an ordinary endpoint and can be assessed for suspicious behavior and malicious actions without causing harm.

Prior to being sent to the sandbox, files are first analyzed using SpamTitan’s anti-malware technologies. Only files that require further analysis make it to the sandbox where they are safely detonated. Tactics used by malware to evade detection and avoid analysis are logged and flagged. Purpose-built, advanced machine learning algorithms they assess the files and check their actions against an extensive array of known threats from a range on online repositories in a matter of minutes.

If the file is confirmed as benign, it can be released. If the file is determined to be malicious, the sandboxing service automatically sends a report to the Bitdefender’s Global Protective Network and all further instances of the threat will then be blocked globally to ensure the file does not need to be analysed again.

The sandbox provides advanced protection against zero-day exploits, polymorphic threats, APTs, malicious URLs, new malware samples that have yet to be identified as malicious, and new threats that have been developed for undetectable targeted attacks.

Incorporation of this feature into SpamTitan gives customers advanced emulation-based malware analysis capabilities without having to purchase a separate sandboxing solution and ensures customers are protected against rapidly evolving advanced threats.

DMARC Email Authentication Added to SpamTitan

Email spoofing is the term given to the use of a forged sender address. Email spoofing is used to increase the likelihood of an email being delivered and opened by an end user. The email address of a known contact, well known company, or government organization is usually spoofed to abuse trust in that individual, brand, or organization.

DMARC authentication is now essential for all businesses and is a powerful control to prevent spoofing attacks. DMARC is used to check email headers to provide further information about the true sender of an email. Through DMARC, the message is authenticated as having been sent from the organization that owns the domain. If authentication fails, the message is rejected.

While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan now incorporates DMARC authentication to provide even greater protection against email spoofing attacks.

Both of these new features have been added in the latest update to SpamTitan and are available to users at no extra cost.

“We have listened to requests from customers to have new features added to SpamTitan, and by far the most requested improvements are anti-spoofing technology and sandboxing,” said Ronan Kavanagh, CEO, TitanHQ. “I’m delighted to say that both of these new features have now been added to provide enhanced security for customers at no extra cost.”

IRS Issues Warning About Tax Phishing Scams

During tax season, tax phishing scams are rife. If cybercriminals can steal personal information such as the information contained on W2 forms, they can use the information to file fraudulent tax returns. Each set of credentials can net cybercriminals thousands of dollars. Attacks on businesses can be even more profitable. If an attack results in the theft of the tax credentials of a company’s entire workforce, hundreds of fraudulent tax returns can be filed.

The IRS works hard to combat fraud, but even so, many of these attacks are successful and fraudulent tax refunds are issued. This week, as part of its efforts to combat tax fraud, the IRS has launched its 2019 Dirty Dozen campaign. The campaign raises awareness of the threat of tax fraud and encourages taxpayers, businesses, and tax professionals to be vigilant.

The campaign features 12 common tax scams that attempt to obtain personal information or access to systems that contain such information. The campaign will see a different scam highlighted for 12 consecutive days. The campaign was launched on March 4 with the biggest threat in tax season: Tax phishing scams.

Common Tax Phishing Scams

Tax phishing scams are constantly evolving and each year several new tax phishing scams are identified. The most common scams and attacks are:

  • Business Email Compromise (BEC) attacks
  • Business Email Spoofing (BES) attacks
  • Email impersonation attacks
  • Malware

BEC attacks involve the use of a genuine business email account to send messages to employees requesting the W2 form information of employees, changes to business account information, requests to reroute direct deposits and make fraudulent wire transfers. The attackers often gain access to a high-level executive’s email account through a spear phishing campaign. BEC is one of the most common business tax phishing scams.

BES attacks are similar, except that no email account has been compromised. The email address of an executive or other employee is spoofed so that emails appears to have been sent from within an organization.

Email impersonation attacks are common during tax season. Scammers impersonate the IRS and use a variety of lures to obtain personal information. Common lures are threats of legal action or fines for outstanding taxes and offers of tax refunds. They often direct users to a website where they are required to enter their personal information. These phishing webpages are also linked to on social media websites. The clients of tax professionals may also be impersonated. Emails often request changes be made to direct deposit accounts or contain requests for sensitive information.

Malware is often used to gain access to the computers of tax professionals, and employees in the payroll and HR departments. Keyloggers are commonly used as they allow the attackers to steal login credentials. Malware can also transfer files containing sensitive information to the attackers’ servers. Malware is often installed via scripts in email attachments – malicious macros for instance – or via drive-by downloads from malicious websites.

New Phishing Scam Targeting Tax Professionals

One of the new tax phishing scams to emerge this year targets tax professionals. First the attackers gain access to tax professionals’ computers, either through spear phishing campaigns or by installing malware. Client tax information is then stolen and fraudulent tax returns are files in the clients’ names. When the IRS processes the refunds, payments are sent to taxpayers’ bank accounts. Those taxpayers then receive a call or an email demanding the return of the funds which have been paid in error. The attackers claim to be from a debt collection agency used by the IRS or the IRS itself.

Don’t Become a Victim of a Tax Phishing Scam

Many taxpayers and businesses fall victim to tax phishing scams each year, especially during tax season when attacks increase; however, by taking some simple steps and being vigilant it is possible to identify scams and keep financial and personal data secure.

Any email, text, or telephone call that requests personal/tax information should be treated as a potential scam. If an email or text message is received that claims to be from the IRS demanding payment of outstanding taxes, an offer of a tax refund, or a threat of legal action, bear in mind that the IRS does not initiate contact via email or text message asking for personal information. If such a message is received, forward the email to phishing@irs.gov and contact the IRS or check your online tax account to find out if there is a genuine problem. Never use the contact information or links in an email and do not open an email attachment in an email that appears to have been sent by the IRS.

Businesses can include information about tax phishing scams in their security awareness training sessions, but departments that are likely to be targeted by cybercriminals – payroll, human resources, finance and accounting Etc.) should receive specific training ahead off the start of tax season. Sending monthly reminders about phishing attacks and other tax scams each month via email is also a good best practice.

Since most attacks start with a phishing email, businesses should ensure that they have an advanced spam filtering solution in place to block phishing and other emails at the gateway before they can be delivered to end users. SpamTitan is an ideal anti-spam solution for businesses and tax professionals to protect against tax phishing scams. The solution blocks more than 99.9% of spam and phishing emails and includes outbound email scanning to ensure that compromised email accounts cannot be used for spamming.

To protect against internet phishing scams, a web filtering solution is ideal. WebTitan prevents end users from visiting phishing websites, including blocking visits to malicious websites via hyperlinks in scam emails. The solution also blocks drive-by malware downloads and other web-based threats.

If you are a tax professional or you run a business and are unhappy with your current anti-spam or web filtering solution provider, or you have yet to implement either of these solutions, give the TitanHQ team a call today for further information on how these solutions can protect your business, details of pricing, and to book a product demonstration.

How to Protect Against Spoofed Email Phishing Scams

Spoofed email phishing scams can be hard for end users to identify. The scams involve sending a phishing email to a user and making the email appear as if it has been sent by a known individual. This could be a known contact such as a supplier, a work colleague, a friend or family member, or a well-known company.

These phishing campaigns abuse trust in the sender and they are highly effective. Many end users are warned never to click on links in emails or open email attachments in messages from unknown senders, but when the sender is known, many users feel that the email is safe.

One of the most effective spoofed email phishing scams involves impersonation of the CEO or a high-level executive such as the CFO. This type of scam is often referred to as a business email compromise scam or BEC attack. A message is sent to an employee in the accounts department requesting an urgent wire transfer be made along with the account details. The attacker may first start an email conversation with the target before the request is made. No employee wants to refuse a direct request from the CEO, so the requested action is often taken.

Over the past few months, sextortion scams have grown in popularity with cybercriminals. Sextortion scams are those which threaten to oust the victim unless a payment is made. This could be disclosing the user’s internet browsing habits (dating sites, adult sites) to a spouse, work colleagues, and family members. There were many of these scams launched following the hacking of the Ashley Madison website when details of users of the site were dumped online.

Several sextortion scams have been detected in the past few months which claim that the sender (a hacker) has gained access to the user’s computer and installed malware that provided access to the webcam, microphone, and internet browsing history. The email message informs the recipient that they have been recorded while viewing adult websites and a video of them has been spliced with the content they were viewing at the time. The attacker threatens to send the video to every one of the user’s contacts on email and social media accounts.

Two recent sextortion campaigns have been detected that spoof the users own email address, so the email appears to have been sent from their own email account. This tactic backs up the claim that the attacker has full control of the user’s device and access to their email contacts. The reality is the email header has just been spoofed. Additionally, the user’s password is included in the message, which has been obtained from a past data breach. The password may not be current, but it may be recognized.

A check of the bitcoin wallet address included in the emails for the blackmail payment shows these scam emails have been highly effective and several victims have paid up to avoid being outed. One campaign netted the attacker $100,000 in one week, another saw payments made totaling $250,000.

These spoofed email phishing scams are not difficult to block, yet many businesses are vulnerable to these types of attacks. Security awareness training for employees is a must. If employees are not taught how to check for spoofed email phishing scams, they are unlikely to recognize threats for what they are. Even so, it is difficult for an average employee to identify every possible phishing attempt, as phishing email simulations show.

What is needed is an advanced spam filtering solution that can detect spoofed email phishing attacks and block the malicious emails at source to prevent messages from being delivered to inboxes. SpamTitan Cloud, for instance, blocks more than 99.9% of spam and phishing emails to keep businesses protected.

If you want to keep your business protected and prevent these all to common spoofed email phishing attacks, give the TitanHQ team a call. A member of the team will be happy to talk about the product, the best set up for your organization, and can arrange to give you a full product demonstration and set you up for a free trial.

 

Recently Disclosed WinRAR Vulnerability Being Actively Exploited in Malspam Campaign

It doesn’t take long after the release of a patch for hackers to take advantage, especially when the vulnerability potentially impacts 500 million users. It is therefore not surprising that at least one hacker is taking advantage of a recently disclosed WinRAR vulnerability.

Oftentimes, vulnerabilities are found in certain versions of software, but this vulnerability affects all WinRAR users and dates back 19 years. The WinRAR vulnerability was identified by researchers at Check Point. WinRAR was alerted and confirmed the vulnerability existed, and promptly issued an updated version of the file compression tool with the vulnerability removed. Details of the vulnerability were disclosed in a Check Point blog post on February 20, 2019.

The WinRAR vulnerability in question was present in a third-party DLL file which was included in WinRAR to allow ACE archive files to be uncompressed. The researchers found that by renaming a .rar archive to make it appear that the compressed file was an ACE archive, it was possible to extract a malicious file into the startup folder unbeknown to the user. That file would then run on boot, potentially giving an attacker full control of the device. The malicious file would continue to load on startup until discovered and removed.

All an attacker would need to do to exploit the WinRAR vulnerability is to convince a user to open a specially crafted .rar archive file attached to an email. Compressed files are often used in malspam campaigns to hide malicious executable files. Since .rar and .zip files are commonly used by businesses to send large files via email, they are likely to be recognized and may be opened by end users.

In this case, if the archive contents are extracted, the user would likely be unaware that anything untoward had happened, as the executable is loaded into the startup folder without giving any indication the file has been extracted. Due to the location of extraction, no further actions are required by the user.

In this case, the executable installs a backdoor, although only if the user has User Account Control (UAC) disabled. That said, this is unlikely to be the only campaign exploiting the WinRAR vulnerability. Other threat actors may develop a way to exploit the vulnerability for all users that have yet to update to the latest WinRAR version.

Many users will have WinRAR installed on their computer but will rarely use the program, so may not be aware that there is an update available. It is possible that a large percentage of users with the program installed have yet to update to the latest version and are vulnerable to attack.

This campaign illustrates just how important it is to patch promptly. As soon as a patch is released for a popular software program it is only a matter of time before that vulnerability is exploited, even just a few days.

Patching all devices in use in an organization can take time. It is therefore important to make sure that all employees receive security awareness training and are taught email security best practices and how to identify potentially malicious emails.

Unfortunately, social engineering techniques can be highly convincing, and many users may be fooled into opening email attachments, especially when the attacker spoofs the sender’s email address and the email appears to come from a known individual. It is therefore essential to have an advanced spam filtering solution in place that is capable of detecting malicious attachments at source, including malicious files hidden inside compressed files, and stop the messages from being delivered to inboxes.

Survey Highlights Healthcare Email Security Weaknesses

The 2019 Cybersecurity Survey conducted by the Healthcare Information and Management Systems Society (HIMSS) has highlighted healthcare email security weaknesses and the seriousness of the threat of phishing attacks.

HIMSS conducts the survey each year to identify attack trends, security weaknesses, and areas where healthcare organizations need to improve their cybersecurity defenses. This year’s survey confirmed that phishing remains the number one threat faced by healthcare organizations and the extent that email is involved in healthcare data breaches.

This year’s study was conducted on 166 healthcare IT leaders between November and December 2018. Respondents were asked questions about data breaches and security incidents they had experienced in the past 12 months, the causes of those breaches, and other cybersecurity matters.

Phishing attacks are pervasive in healthcare and a universal problem for healthcare providers and health plans of all sizes. 69% of significant security incidents at hospitals in the past 12 months used email as the initial point of compromise. Overall, across all healthcare organizations, email was involved in 59% of significant security incidents.

The email incidents include phishing attacks, spear phishing, whaling, business email compromise, and other email impersonation attacks. Those attacks resulted in network breaches, data theft, email account compromises, malware infections, and fraudulent wire transfers.

When asked about the categories of threat actors behind the attacks, 28% named ‘online scam artists’ and 20% negligence by insiders. Online scam artists include phishers who send hyperlinks to malicious websites via email. It was a similar story the previous year when the survey was last conducted.

Given the number of email-related breaches it is clear that anti-phishing defenses in healthcare need to be improved. HIPAA requires all healthcare employees to receive security awareness training, part of which should include training on how to identify phishing attacks. While this is a requirement for compliance, a significant percentage (18%) of healthcare organizations do not take this further and are not conducting phishing simulations, even though they have been shown to improve resilience against phishing attacks by reinforcing training and identifying weaknesses in training programs.

The continued use of out of date and unsupported software was also a major concern. Software such as Windows Server and Windows XP are still extensively used in healthcare, despite the number of vulnerabilities they contain. 69% of respondents admitted still using legacy software on at least some machines. When end users visit websites containing exploit kits, vulnerabilities on those devices can easily be exploited to download malware.

It may take some time to phase out those legacy systems, but improving healthcare email security is a quick and easy win. HIMSS recommends improving training for all employees on the threat from phishing with the aim of decreasing click rates on phishing emails. That is best achieved through training, phishing simulations, and better monitoring of responses to phishing emails to identify repeat offenders.

At TitanHQ, we can offer two further solutions to improve healthcare email security. The first is an advanced spam filtering solution that blocks phishing emails and prevents them from being delivered to inboxes. The second is a solution that prevents employees from visiting phishing and other malicious websites such as online scams.

SpamTitan is an advanced anti-phishing solution that scans all incoming emails using a wide range of methods to identify malicious messages. The solution has a catch rate in excess of 99.9% with a false positive rate of just 0.03%. The solution also scans outbound messages for spam signatures to help identify compromised email accounts.

WebTitan Cloud is a cloud-based web filtering solution that blocks attempts by employees to visit malicious websites, either through web surfing or responses to phishing emails. Should an employee click on a link to a known malicious site, the action will be blocked before any harm is caused. WebTitan also scans websites for malicious content to identify and block previously known phishing websites and other online scams. Alongside robust security awareness training programs, these two solutions can help to significantly improve healthcare email security.

For further information on TitanHQ’s healthcare email security and anti-phishing solutions, contact TitanHQ today.

Office 365 Phishing Scam Uses SharePoint Lure

A new Office 365 phishing scam has been detected that attempts to get users to part with their Office 365 credentials with a request for collaboration via SharePoint.

The campaign was first detected in the summer of 2018 by researchers at cybersecurity firm Avanan. The Office 365 phishing scam is ongoing and has proven to be highly effective. According to Kaspersky Lab, the phishing campaign has been used in targeted attacks on at least 10% of companies that use Office 365.

This Office 365 phishing scam abuses trust in SharePoint services that are often used by employees. An email is sent to an Office 365 user that contains a link to a document stored in OneDrive for Business. In contrast to many phishing campaigns that spoof links and fool users into visiting a website other than the one indicated by the link text, this link actually does direct the user to an access request document on OneDrive.

A link in the document then directs users to a third-party website where they are presented with a Microsoft Office 365 login page that is a perfect copy of the official Office 365 login page. If login credentials are entered, they are given to the scammers. Once obtained, it is possible for the scammers to gain access to the Office 365 account of the user, including email and cloud storage.

The email accounts can be used for further phishing campaigns on the user’s contacts. Since those messages come from within the organization, they are more likely to be trusted. Email accounts can also contain a wealth of sensitive information which is of great value to competitors. In healthcare, email accounts can contain patient information, including data that can be used to steal identities. The attackers can also use the compromised credentials to spread malware. Employees may know not to open attachments from unknown individuals, but when they are sent from a colleague, they are more likely to be opened.

Businesses that use Microsoft’s Advanced Threat Protection (APT) service may mistakenly believe they are protected from phishing attacks such as this. However, since the links in the email are genuine OneDrive links, they are not identified as malicious. It is only the link in those documents that is malicious, but once the document is opened, Microsoft’s APT protection has already been bypassed.

Finding Office 365 users is not difficult. According to a 2017 Spiceworks survey, 83% of enterprises use Office 365 and figures from 2018 suggest 56% of organizations globally have adopted Office 365. However, a basic check can easily identify Office 365 users as it is broadcast on public DNS MX records. If one user can be found in an organization, it is highly likely that every other user will be using Office 365.

Businesses can take steps to avoid Office 365 phishing scams such as this.

  1. Ensure that all employees are made aware of the threat from phishing, and specifically this Office 365 phishing scam. They should be told to exercise caution with offers to collaborate that have not been preceded by a conversation.
  2. Conduct phishing email simulations to test defenses against phishing and identify individuals that require further security awareness training.
  3. Activate multifactor authentication to prevent stolen credentials from being used to access Office 365 accounts from unknown locations/devices.
  4. Change from APT anti-phishing controls to a third-party spam filter such as SpamTitan. This will not only improve catch rates, it will also not broadcast that the organization uses Office 365.
  5. Use an endpoint protection solution that is capable of detecting phishing attacks.
  6. Implement a web filter to prevent users from visiting known phishing websites and other malicious web pages.

LockerGoga Ransomware Suspected in Altran Cyberattack

The French engineering firm Altran Technologies has been grappling with a malware infection that hit the firm on January 24, 2019.

Immediately following the malware attack, Altran shut down its network and applications to prevent the spread of the infection and to protect its clients. Technical and computer forensics experts are now assisting with the investigation. The Altran cyberattack has affected operations in some European countries and the firm is currently working through its recovery plan.

A public announcement has been made about the attack although the malware involved has not been officially confirmed. Some cybersecurity experts believe the attack involved a new ransomware variant named LockerGoga which emerged in the past few days.

LockerGoga ransomware was first identified on January 24 in Romania and subsequently in the Netherlands. It was named by MalwareHunterTeam, based on the path used for compiling the source code into an executable.

LockerGoga ransomware does not appear to be a particularly sophisticated malware variant. Security researcher Valthek, who analyzed the malware, claimed the code was ‘sloppy’, the encryption process was slow, and little effort appears to have been made to evade detection. The ransomware appends encrypted files with the .locked file extension.

The ransomware note suggests that companies are being targeted although it is currently unclear how the ransomware is being distributed.

LockerGoga ransomware encrypts a wide range of file types and, depending on the command line argument, may target all files. Since the encryption process is slow, fast detection and remediation will limit the damage caused. Failure to detect the ransomware and take prompt action to mitigate the attack could prove costly. The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption.

The ransomware had a valid certificate that was issued to a UK firm by Comodo Certificate Authority. The certificate has since been revoked.

LockerGoga ransomware is currently being detected as malicious by 46/69 AV engines on VirusTotal, including Bitdefender, the primary AV engine used by SpamTitan.

Allscripts EHR Breach Highlights Need for Improved Ransomware Protections for Healthcare Organizations

The massive Allscripts EHR breach in January 2018 resulted in massive disruption for the company and its clients. Clients were locked out of their electronic health records for several days while the company battled to recover from the attack. Around 1,500 of the company’s clients were affected.

The cost of mitigating the ransomware attack was considerable, and in addition to those costs, the Allscripts EHR breach prompted many clients to take legal action. The costs continue to mount.

The Allscripts EHR breach involved SamSam ransomware, which has plagued the healthcare industry over the past couple of years. The threat actors behind the attacks typically gain access to healthcare networks through RDP vulnerabilities and deploy the ransomware manually after scouting the network. This way, maximum damage can be inflicted, which increases the probability of the ransom being paid.

The Allscripts EHR breach certain stands out as one of the most damaging ransomware attacks of 2018, although it was just one of many healthcare ransomware attacks in 2018 involving many ransomware variants.

According to Beazley Breach Response Services, ransomware attacks more than doubled in September. Many cybercriminals have switched to cryptocurrency mining malware, but the ransomware attacks on healthcare organizations are continuing and show no sign of slowing.

In recent months, there has been a growing trend of combining malware variants to maximize the profitability of attacks. Ransomware is a quick and easy way for cybercriminals to earn money but combining ransomware with other malware variants is much more profitable. Further, if files are recovered from backups and no ransom is paid, cybercriminals can still profit from the attacks.

Several campaigns have been detected recently that combine Trojans such as AZORult, Emotet and Trickbot with ransomware. Attacks with these Trojans have increased by 132% since 2017 according to Malwarebytes. The Trojans steal sensitive information through keylogging, are capable lateral movement within a network, and also serve as downloaders for other malware such as Ryuk and GandCrab ransomware. Once information has been stolen, the ransomware payload is deployed.

The Allscripts EHR breach was somewhat atypical. It is far more common for ransomware to be delivered via email than brute force attacks on RDP. The campaigns combining Emotet, Trickbot, and AZORult with ransomware are primarily delivered by email.

In addition to ransomware attacks, phishing attacks are rife in healthcare. Email was the most common location of exposed protected health information in 2018. Email security is a weak point in healthcare defenses.

The number of successful ransomware and phishing attacks in healthcare make it clear that email security needs to improve. An advanced spam filter to block malicious emails, improved end user training is required to teach employees how to recognize email threats, intrusion detection systems need to be deployed, along with powerful anti-virus solutions. Only by implementing layered defenses to block email attacks and other attack vectors will healthcare organizations be able to reduce the risk of ransomware attacks.

Latest Ursnif Trojan Campaign Highlights Need to Improve Anti-Phishing Defenses

A new Ursnif Trojan campaign has been detected that uses a new variant of the malware which uses fileless techniques to avoid detection. In addition to the banking Trojan, GandCrab ransomware is also downloaded.

Increase in Banking Trojan and Ransomware Combination Attacks

Ransomware attacks can cause considerable disruption to businesses, although a good backup strategy can allow businesses to recover quickly in the event of a successful attack without having to pay the ransom demand.

However, there has been a significant increase in phishing attacks that deliver not one but two malware variants – ransomware to extort money from companies but also an information stealer to obtain sensitive information such as login and banking credentials. Malware variants used in these attacks also have the capability to download other malware variants and gather system data and process information for use in further attacks.

These phishing campaigns allow hackers to maximize the profitability of attacks and make the attack profitable even if the business does not pay the ransom.

There have been several examples of these attacks in recent months. Earlier in January, warnings were issued about the combination of Ryuk ransomware with the Trickbot and Emotet Trojans – Two malware variants that are used in wire fraud attacks. Ryuk ransomware has been extensively used in attacks on U.S. healthcare providers. The combination with the banking Trojans makes the attacks far more damaging.

Now another campaign has been detected using different malware variants – The Ursnif Trojan and the latest version of GandCrab ransomware.

What Does the Ursnif Trojan Do?

The Ursnif Trojan is one of the most active banking Trojans currently in use. The main functions of the malware is to steal system information and bank account credentials from browsers. The latest variants of the Ursnif Trojan have also been used to deploy other malware variants such as GandCrab ransomware.

According to security researchers at Carbon Black, who identified the latest campaign, the Ursnif Trojan now uses fileless execution mechanisms to make detection more difficult. Instead of downloading and writing files to the hard drive – which can be detected – a PowerShell script downloads a payload and executes it in the memory. That payload then downloads a further file and injects it into the PowerShell process, ultimately resulting in the downloading of the ransomware.

When code is loaded in the memory, it often does not survive a reboot, although the latest variant of Ursnif has persistence. This is achieved by storing an encoded PowerShell command inside a registry key and subsequently launching the command via the Windows Management Instrumentation Command-line (WMIC).

Once information has been collected from an infected system, it is packaged inside a CAB file and sent back to the attackers C2 via encrypted HTTPS. This makes data exfiltration difficult to detect.

The Ursnif Trojan campaign uses email as the attack vector with infection occurring via a Word document attachment that contains a VBA macro. If the attachment is opened and macros are enabled (automatically or manually), the infection process will be triggered.

How Businesses can Protect Against Attacks

Due to the difficulty detecting the malware attack once it has started, the best way to protect against this attack is by improving anti-phishing defenses. It is important to prevent the malicious emails from being delivered to inboxes and to ensure that employees are trained how to identify the messages if they make it past email defenses. The former can be achieved with a powerful spam filtering solution such as SpamTitan.

Along with security awareness training for employees to condition them not to open emails from unknown senders or open attachments and enable macros, businesses can mount an effective defense against the attack.

Why SMB Cybersecurity Protections Need to be Improved

SMB cybersecurity protections do not need to be advanced as those of large enterprises, but improvements need to be made to ensure smaller businesses are protected. The risk of a cyberattack is not theoretical. While large businesses are having their defenses regularly tested, small to medium sized businesses are also being attacked. And alarmingly often.

Large businesses may store much higher volumes of valuable data, but they also tend to invest heavily in the latest cybersecurity technologies and have dedicated teams to oversee security. Cyberattacks are therefore much harder to pull off. SMBs are much easier targets. Cyberattacks may be less profitable, but they are easier and require less effort.

SMB Cyberattacks are Increasing

A 2017 SCORE study confirmed the extent to which hackers are attacking SMBs. Its study of macro-based malware showed there had been at least 113,000 attacks on SMBs in 2017 and 43% of those attacks were on SMBs. SMBs suffered at least 54,000 ransomware attacks in 2017 and online banking attacks were highly prevalent in the SMB sector.

The 2018 State of Cybersecurity in Small and Medium Size Businesses study, conducted by the Ponemon Institute, painted an even bleaker picture for SMBs. The study suggests SMBs face the same cybersecurity risks as larger businesses and are being attacked almost as often. In its study, 67% of SMB respondents reported having experienced a cyberattack in the past 12 months and 58 had suffered a data breach. Alarmingly, almost half of respondents (47%) said they had little or no understanding about how SMB cyberattacks could be prevented.

The study revealed 60% of successful cyberattacks were the result of employee negligence, hackers were behind 37% of breaches, and for 32% of cyberattacks the cause could not be established.

The high number of successful cyberattacks makes it clear that SMB cybersecurity needs to be improved. Unfortunately, many SMBs simply don’t have the budget to pay for expensive cybersecurity solutions and a lack of skilled staff is also an issue. So, given these restraints, where should SMBs start?

Where to Start with SMB Cybersecurity

Improving SMB cybersecurity does not necessarily mean hiring skilled cybersecurity staff and spending heavily on state-of-the-art cybersecurity solutions. The best place to start is by ensuring basic cybersecurity best practices are adopted. Highly sophisticated cyberattacks are becoming more common, but many successful attacks are the result of basic cybersecurity failures.

These include the failure to implement password policies that enforce the use of strong passwords, not changing all default passwords, or not using a unique password for each account. Implementing 2-factor authentication is a quick way to improve security, as is the setting of rate limiting to lock accounts after a set number of failed login attempts.

Many successful cyberattacks start with a phishing email. An advanced spam filtering solution is therefore essential. This will ensure virtually all malicious messages are blocked and are not delivered to end users. A web filter also offers protection against phishing by preventing employees from visiting phishing websites. It will also block web-based attacks and malware downloads. Both of these SMB cybersecurity solutions can be implemented at a low cost. It costs just a few dollars per year, per employee, to implement SpamTitan and WebTitan.

A little training goes a long way. Employees should be provided with cybersecurity training and should be taught how to identify email and web-based threats. There are plenty of free and low-cost resources for SMBs to help them train their employees. US-CERT is a good place to start.

Good backup policies are an essential part of SMB cybersecurity. In the event of a cyberattack or ransomware attack, this will prevent catastrophic data loss. A good strategy to adopt is the 3-2-1 approach. Three copies of backups, on two different types of media, with one copy stored securely off-site. Also make sure backups are tested to ensure file recovery is possible.

Once the basics have been covered, it is important to conduct a security audit to discover just how secure your network and systems are. Many managed service providers can assist with security audits and assessments if you do not have sufficiently skilled staff to perform an audit inhouse.

Improvements to SMB cybersecurity will carry a cost but bear in mind that an ounce of security is worth a pound of protection and investment in cybersecurity will prove to be much less expensive than having to deal with a successful cyberattack.

How Does Business Email Get Hacked?

Barely a day goes by without an announcement being made about an email account compromise, especially in the healthcare industry, but how does business email get hacked? What are the main ways that email account access is gained by unauthorized individuals?

Four Ways Business Email Gets Hacked

There four main ways that business email gets hacked, although fortunately there are simple steps that can be taken to improve email security and reduce the risk of an email account compromise at your business.

Phishing Attacks

The easiest way for a hacker to gain access to a business email account is to ask the account holder for their password. This method is incredibly simple, costs next to nothing, and is very effective. Phishing, like fishing, uses a lure to achieve its aim. An attacker only needs to craft an email with a plausible reason for divulging a password.

The attack could be as simple as spoofing an email from the IT department that requests the user change his or her password for security reasons. A link is supplied in the email that directs the user to a site where they have to enter their password and a replacement. Office 365 phishing scams are now common. A user is directed to a spoofed website where they are presented with a standard Office 365 login box, which they need to enter to open a shared file for example.

The lures are diverse, although there is usually a valid reason for providing login credentials, urgency, and often a threat – The failure to take action will result in harm or loss.

Brute Force Attacks

An alternative method of hacking a business email account is for the attacker to attempt to guess a user’s password. This is a much more long-winded approach that can require thousands of attempts before the password is guessed. This technique is automated and made easier by poor password choices and the failure to change default passwords. Passwords obtained in previous breaches can be used, which will catch out people who use the same passwords for multiple platforms. Information about a person can also be found on social media – A partner’s name, child’s name, pet name, or dates of birth – Information that is commonly used to create passwords.

Man-In-The-Middle Attacks

A man-in-the-middle attack involves an attacker intercepting information such as a password when it is sent between two parties. Information can be intercepted in unencrypted emails or when a user logs into a web-based platform via their browser. Man-in-the-middle attacks are common on unsecured public Wi-Fi networks and evil twin Wi-Fi hotspots – Hotspots that mimic a genuine hotspot provider, such as a coffee shop or hotel. Any information transmitted via that hotspot can be easily intercepted.

Writing Down Passwords

Many businesses have implemented password polices that require the use of strong and difficult to remember passwords. As a result, some employees write their passwords down on post-it notes, tape a password to their computer, or keep a note under their keyboard where any visitor to an office could discover it.

How to Stop Business Email Getting Hacked

These methods of gaining access to business email accounts are easy and inexpensive to block through low-cost cybersecurity solutions, policies and procedures, and staff training.

For businesses, the most important control to implement to protect against phishing is an advanced spam filter. A spam filter inspects all incoming emails for common spam signatures and malicious links and blocks messages before they are delivered to end users. Some spam filters also inspect outgoing email, which helps to prevent a breached email account from being used for further phishing attacks on contacts.

Even the best spam filters will not block every single phishing email so security awareness training for staff is essential. Regular training sessions should be provided – at least twice annually – and these should be augmented with more regular reminders about security and newsletters about the latest threats. Phishing simulations are useful for testing the effectiveness of training and to condition employees how to respond to email threats.

Brute force attacks are best prevented with good password policies that prevent weak passwords from being set. To prevent employees from writing passwords down, consider paying for a password manager or allowing the use of long passphrases, which are easy to remember but difficult to guess. Ensure two-factor authentication is enabled and rate limiting is applied to block login attempts after a set number of failed password guesses.

Man-in-the-middle attacks can be prevented in a number of ways. Remote workers should be provided with a VPN to access work networks and email. Some web filters, WebTitan for instance, can be used to protect remote workers online and prevent man-in-the-middle attacks and can also to prevent users from visiting malicious websites, such as those used for phishing.

If you want to improve email security, TitanHQ can help. Contact the team today for information on spam filters to block phishing attacks and to find out more about the benefits of web filtering.

Easy to Implement Anti-Phishing Solutions for MSPs

To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.

Phishing is the Number One Cyber Threat Faced by SMBs

Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.

Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised.  Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.

The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.

Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.

Easy to Implement Anti-Phishing Solutions for MSPs

There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.

MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?

Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.

Advanced Spam Filtering

Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.

SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and release of messages from quarantine. Reports can be generated per domain and those reports can be automatically sent to clients. The solution can be fully rebranded to take MSP logos and color schemes, and the solution can be hosted in a private cloud.

Security Awareness Training and Testing

While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.

DNS-Based Web Filtering

Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.

A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.

WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.

For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanHQ Alliance program.

Novel Phishing Scam Uses Custom Web Fonts to Evade Detection

A new phishing scam has been detected that uses a novel method to evade detection – The use of custom fonts to implement a substitution cipher that makes the source code of the phishing page appear as plaintext.

Many phishing web pages obfuscate their source code to make it harder for automated security solutions to uncover malicious actions and make the phishing pages appear harmless. As such, the phishing sites are not blocked and users may be fooled into supplying their credentials as requested. The phishing web pages used in this scam will display what appears to be a genuine website when the page is rendered in the browser. Users will be presented with a spoofed web page that closely resembles the standard login page of their bank. To the user, apart from the domain name, there is nothing to indicate that the site is not genuine. If credentials are entered, they will be harvested by the scammer and used to gain access to the users’ bank account.

In this case, a substitution cipher is used to obfuscate the source code. To security solutions, the text is encoded, which makes it difficult to determine what that code does. This tactic has been used in previous phishing campaigns, with the substitution cipher applied using JavaScript. While users may be fooled, automated security solutions can detect the JavaScript fairly easily and can block access to the web page.

The latest campaign uses custom fonts – termed woff files – which are present on the page and hidden through base64 encoding.  These custom fonts are used to implement the cipher and make the source code appear as plaintext, while the actual source code is encrypted and remains hidden.  The substitution is performed using CSS on the landing page, rather than JavaScript. This technique has not been seen before and is much harder to detect.

The substitution cipher results in the user being displayed the correct text when the page is rendered in the browser, although that text will not exist on the page. Solutions that search for certain keywords to identify whether a site is malicious will therefore not find those keywords and will not block access to the page. This technique substitutes individual letters such as abcd with alternate letters jehr for example using woff and woff2 fonts. While the page is rendered correctly for the user, when a program reads the source code it is presented with jumbled, gibberish letters.

As an additional measure to avoid detection, the logos that have been stolen from the targeted bank are also obfuscated. It is common for bank logos to be stolen and included on phishing pages to convince visitors they are on a genuine site, but the use of the logos can be detected. By rendering the graphics using scalable vector graphics (SVG) files, the logos and their source do not appear in the source code of the page and are hard to detect.

These new techniques show just how important it is to block phishing emails at source before they are delivered to end users’ inboxes and the need for comprehensive cybersecurity training to be provided to employees to help them identify potentially malicious emails. A web filtering solution is also important to prevent users from visiting phishing pages, either through general browsing, redirects via malvertising, or blocking users when they click embedded hyperlinks in phishing emails.

To find out more about cybersecurity solutions that can protect against phishing attacks, contact the TitanHQ team today.

Does 2-Factor Authentication Stop Phishing Attacks?

2-factor authentication is an important safeguard to prevent unauthorized account access, but does 2-factor authentication stop phishing attacks?

What is 2-Factor Authentication?

2-Factor authentication is commonly used as an additional protection measure to prevent accounts from being accessed by unauthorized individuals in the event that a password is compromised.

If a password is disclosed in a phishing attack or has otherwise been obtained or guessed, a second authentication method is required before the account can be accessed.

Two-factor authentication uses a combination of two different methods of authentication, commonly something a person owns (device/bank card), something a person knows knows (a password or PIN), and/or something a person has (fingerprint, iris scan, voice pattern, or a token).

The second factor control is triggered if an individual, authorized or otherwise, attempts to login from an unfamiliar location or from a device that has not previously been used to access the account.

For instance, a person uses their laptop to connect from a known network and enters their password. No second factor is required. The same person uses the same device and password from an unfamiliar location and a second factor must be supplied. If the login credentials are used from an unfamiliar device, by a hacker for instance that has obtained a username and password in a phishing attack, the second factor is also required.

A token or code is often used to verify identity, which is sent to a mobile phone. In such cases, in addition to a password, an attacker would also need to have the user’s phone.

Does 2-Factor Authentication Stop Phishing Attacks?

So, does 2-factor authentication stop phishing attacks from succeeding? In many cases, it does, but 2-factor authentication is not infallible. While it was once thought to be highly effective at stopping unauthorized account access, opinion is now changing. It is certainly an important additional, low-cost layer of security that is worthwhile implementing, but 2-factor authentication alone will not prevent all phishing attacks from succeeding.

There are various methods that can be used to bypass 2-factor authentication, for instance, if a user is directed to a phishing page and enters their credentials, the hacker can then use those details in real-time to login to the legitimate site. A 2FA code is sent to the user’s device, the user then enters that code into the phishing page. The attacker then uses the code on the legitimate site.

This 2-factor authentication bypass is somewhat cumbersome, but this week a phishing tool has been released that automates this process. The penetration testing tool was created by a Polish researcher named Piotr Duszynski, and it allows 2FA to be bypassed with ease.

The tool, named Modlishka, is a reverse proxy that has been modified for handling login page traffic. The tool sits between the user and the target website on a phishing domain. When the user connects to the phishing page hosting this tool, the tool serves content from the legitimate site – Gmail for instance – but all traffic passes through the tool and is recorded, including the 2FA code.

The user supplies their credentials, a 2-factor code is sent to their phone, and that code is entered, giving the attacker account access.

It is an automated version of the above bypass that only requires a hacker to have a domain to use, a valid TLS certificate for the domain, and a copy of the tool. No website phishing templates need to be created as they are served from the genuine site. Since the tool has been made available on Github, the 2FA bypass could easily be used by hackers.

Additional Controls to Stop Phishing Attacks

To protect against phishing, a variety of methods must be used. First, an advanced spam filter is required to prevent phishing emails from reaching inboxes. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails.

Fewer than 0.1% of emails may make it past the spam filter, but any one could result in an account compromise. Security awareness training should therefore be provided to employees to help them identify suspicious emails.

Unfortunately, people do make mistakes and phishing emails can be highly realistic, so it is wise to also implement a web filter.

A web filter will block attempts to connect to known phishing sites and can assess sites in real time to help determine their authenticity. If the checks fail, the user will be prevented from accessing the site.

These anti-phishing controls are now essential cybersecurity measures for businesses to protect against phishing attacks, and are all the more important since 2FA cannot be relied upon to protect against unauthorized access once a password has been compromised.

You can find out more about SpamTitan and WebTitan by contacting TitanHQ.

Suspected Use of Ryuk Ransomware in Newspaper Cyberattack

The last weekend of 2018 has seen a major newspaper cyberattack in the United States that has disrupted production of several newspapers produced by Tribune Publishing.

The attacks were malware-related and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major problems throughout Friday.

All of the affected newspapers shared the same production platform, which was disrupted by the malware infection. While the type of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.

Ransomware is a form of malware that encrypts critical files preventing them from being accessed. The primary goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also common for ransomware to be deployed after network access has been gained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be conducted to cause disruption. It is suspected that this newspaper cyberattack was conducted primarily to disable infrastructure.

The type of ransomware used in an attack is usually easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are changed to .ryk.

The Los Angeles Times has attributed it to threat actors based outside the United States, although it is unclear which group was behind the cyberattacks. If the attack was conducted to disable infrastructure it is probable that this was a nation-state sponsored attack.

The first Ryuk ransomware cyberattacks occurred in August. Three U.S. companies were attacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware revealed it shared code with Hermes malware, which had previously been linked to the Lazarus Group – An APT group with links to North Korea.

While many ransomware campaigns used mass spamming tactics to distribute the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved considerable reconnaissance and extensive network mapping before the ransomware is finally deployed. As is the case with SamSam ransomware attacks, the campaign is conducted manually.

Several methods are used to gain access to networks, although earlier this year a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services claiming email to be one of the main attack vectors, highlighting the importance of email security and end user training to help employees recognize email-based threats.

New Netflix Phishing Scam Prompts FTC to Issue Warning

A new Netflix phishing scam has been detected that attempts to fool Netflix subscribers into disclosing their login credentials and other sensitive information such as Social Security numbers and bank account numbers.

This Netflix phishing scam is similar to others that have been intercepted over the past few months. A major campaign was detected in October and another in November. The latest Netflix phishing scam confirms that the threat actors are now launching large-scale phishing attacks on a monthly basis.

The number of recent Netflix scams and the scale of the campaigns has prompted the U.S. Federal Trade Commission (FTC) to issue a warning to raise awareness of the threat.

The latest campaign was detected by an officer in the Ohio Police Department. As with past campaigns, the attackers use a tried and tested method to get users to click on the link in the email – The threat of account closure due to issues with the user’s billing information.

In order to prevent closure of the user’s Netflix account a link in the email must be clicked. That will direct the user to the Netflix site where login credentials and banking information must be entered. While the web page looks genuine, it is hosted on a domain controlled by the attackers. Any information entered on that web page will be obtained by the threat actors behind the scam.

The emails appear genuine and contain the correct logos and color schemes and are almost identical to the official emails sent to users by Netflix. Netflix also includes links in its emails, so unwary users may click without first checking the authenticity of the email.

Netflix Phishing Scam

Image Source: FTC via Ohio Police Department

There are signs that the email is not what it seems. The email is incorrectly addressed “Hi Dear”; British English is used, even though the email is sent to U.S. citizens; the email is sent from a domain that is not used by Netflix; and the domain to which the email directs users is similarly suspect. However, the scam is sure to fool many users who fail to carefully check emails before taking any action.

Consumers need to exercise caution with email and should carefully check messages before responding, no matter how urgent the call for action is. It is a good best practice to always visit a website directly by entering in the domain into the address bar of a web browser, rather than clicking a link in an email.

If the email is determined to be a scam, it should be reported to the appropriate authorities in the country in which you reside and also to the company the scammers are impersonating. In the case of Netflix phishing scams, emails should be sent to phishing@netflix.com.

While this Netflix phishing scam targets consumers, businesses are also at risk. Many similar scams attempt to get users to part with business login credentials and bank account information. Businesses can reduce the risk of data and financial losses to phishing scams by ensuring all members of the company, from the CEO down, are given regular security awareness training and are taught cybersecurity best practices and are made aware of the latest threats.

An advanced spam filtering solution is also strongly recommended to ensure the vast majority of these scam emails are blocked and do not reach inboxes. SpamTitan for instance, blocks more than 99.9% of spam and phishing emails and 100% of known malware.

For further information on anti-phishing solutions for businesses, contact the TitanHQ team today.

Major San Diego School District Phishing Attack Discovered

A major San Diego School District phishing attack has been discovered. The phishing attack stands out from the many similar phishing attacks on schools due to the extent of accounts that were compromised, the amount of data that was potentially obtained, and the length of time it took for the data breach to be detected.

According to a recent breach announcement, the login credentials of around 50 district employees were obtained by the attacker. It is not unusual for multiple accounts to be breached in school phishing attacks. Once access is gained to one account, it can be used to send internal phishing emails to other staff members. Since those emails come from within, they are more likely to be trusted and less likely to be detected. Investigations into similar phishing attacks often reveal many more email accounts have been compromised than was initially thought, although 50 sets of compromised credentials is particularly high.

Those accounts were compromised over a period of 11 months. The San Diego School District phishing attack was first detected in October 2018 after staff alerted the district’s IT department to phishing emails that had been received. Multiple reports tipped off the IT department that an ongoing cyberattack was occurring and there may have been a data breach.

The investigation revealed the credentials obtained by the attacker provided access to the district’s network services, which included access to the district’s database of staff and student records. The school district is the second largest in California and serves over 121,000 students each year. The database contained records going back to the 2008/2009 school year. In total, the records of more than 500,000 individuals were potentially obtained by the hacker. Given the length of time that the hacker had access to the network, data theft is highly probable.

The data potentially obtained was considerable. Student information compromised included names, addresses, dates of birth, telephone numbers, email addresses, enrollment and attendance information, discipline incident information, health data, legal notices on file, state student ID numbers, emergency contact information, and Social Security numbers. Compromised staff information also included salary information, health benefits data, paychecks and pay advices, tax data, and details of bank accounts used for direct deposits.

Data could be accessed from January 2018 to November 2018. While it is typical for unauthorized access to be immediately blocked upon discovery of a breach, in this case the investigation into the breach was conducted prior to shutting down access. This allowed the identity of the suspected hacker to be determined without tipping off the hacker that the breach had been detected. The investigation into the breach is ongoing, although access has now been blocked and affected individuals have been notified. Additional cybersecurity controls have now been implemented to block future attacks.

School district phishing attacks are commonplace. School districts often lack the resources of large businesses to devote to cybersecurity. Consequently, cyberattacks on school districts are much easier to pull off. Schools also store large volumes of sensitive data of staff and students, which can be used for a wide range of malicious purposes. The relative ease of attacks and a potential big payday for hackers and phishers make schools an attractive target.

The San Diego School District phishing attack is just one of many such attacks that have been reported this year. During tax season at the start of 2018, many school districts were targeted by phishers seeking the W-2 forms of employees. It is a similar story every year, although the threat actors behind these W-2 phishing attacks have been more active in the past two years.

In December this year, Cape Cod Community College suffered a different type of phishing attack. The aim of that attack was to convince staff to make fraudulent wire transfers. At least $800,000 was transferred to the attackers’ accounts in that attack.

These attacks clearly demonstrate the seriousness of the threat of phishing attacks on school districts and highlights the importance of implementing robust cybersecurity protections to protect against phishing.

If you want to improve your defenses against phishing, contact the TitanHQ team today for further information on anti-phishing solutions for schools.

Office 365 Phishing Emails Masquerade as Non-Delivery Notifications

campaign is to obtain users’ Office 365 passwords.

The phishing campaign was detected by ISC Handler Xavier Mertens and the campaign appears to still be active.

The phishing emails closely resemble legitimate Office 365 non-delivery notifications and include Office 365 branding. As is the case with official non-delivery notifications, the user is alerted that messages have not been delivered and told that action is required.

The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attributes the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users click the Send Again button, they will be directed to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is entered, a JavaScript function sends both the email address and password to the scammer. The user will then be redirected to the genuine outlook.office365.com website where they will be presented with a real Office 365 login box.

While the Office 365 phishing emails and the website look legitimate, there are signs that all is not what it seems. The emails are well written and the sender’s email – postmaster@us.ibm.com – looks official but there is irregular capitalization of the warning message: Something that would not occur on an official Microsoft notification.

The clearest sign that this is a phishing scam is the domain to which users are directed if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the error in the email may be overlooked, users should notice the domain, although some users may proceed and enter passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how important it is to carefully check every message before taking any action and to always check the domain before disclosing any sensitive information.

Scammers use Office 365 phishing emails because so many businesses have signed up to use Office 365. Mass email campaigns therefore have a high probability of reaching an Outlook inbox. That said, it is easy to target office 365 users. A business that is using Office 365 broadcasts it through their public DNS MX records.

Businesses can improve their resilience to phishing attacks through mandatory security awareness training for all employees. Employees should be told to always check messages carefully and should be taught how to identify phishing emails.

Businesses should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (APT) offering, businesses should consider using a third-party spam filtering solution with Office 365.

SpamTitan provides superior protection against phishing and zero-day attacks, an area where APT struggles.

Irish Phishing Study Shows Millennials’ Confidence in Security Awareness is Misplaced

According to a recent Irish phishing study, as many as 185,000 office workers in the country have fallen victim to phishing scams.

Phishing is a method used by cybercriminals to obtain sensitive information such as login credentials, financial information, and other sensitive data. While phishing can take place over the phone, via messaging platforms or by text message, email is most commonly used.

Messages are sent in bulk in the hope that some individuals will respond, or campaigns can be much more targeted. The latter is referred to as spear phishing. With spear phishing attacks, cybercriminals often research their victims and tailor messages to maximize the probability of them eliciting a response.

A successful phishing attack on employees can see them disclose their email credentials which allows their accounts to be accessed. Then the attackers can search emails accounts for sensitive information or use the accounts to conduct further phishing attacks on other employees. When financial information is disclosed, business bank accounts can be emptied.

Businesses can suffer major financial losses as a result of employees responding to phishing emails, the reputation of the business can be damaged, customers can be lost, and there is also a risk of major regulatory fines.

Irish Phishing Study Findings

The Irish phishing study was conducted on 500 Irish office workers by the survey consultancy firm Censuswide. Respondents to the Irish phishing study were asked questions about phishing, whether they had fallen for a phishing scam in the past, and how they rated their ability to identify phishing attacks.

In line with findings from surveys conducted in other countries, 14% of respondents said they had been a victim of a phishing attack. There were also marked differences between different age groups.  Censuswide analyzed three age groups: Millennials, Gen X, and baby boomers. The latter two age groups were fairly resistant to phishing attempts. Gen X were the most phishing-savvy, with just 6% of respondents in the age group admitting to having been fooled by phishing emails in the past, closely followed by the baby boomer generation on 7%. However, 17% of millennials admitted having fallen for a phishing scam – The generation that should, in theory, be the most tech-savvy.

Interestingly, millennials were also the most confident in their ability to recognize phishing attempts. 14% of millennials said they would not be certain that they could detect fraud, compared to 17% of Gen X, and 26% of baby boomers.

It is easy to be confident about one’s ability to spot standard phishing attempts, but phishing attacks are becoming much more sophisticated and very realistic. Complacency can be very dangerous.

Phishing Protection for Businesses

The results of the Irish phishing study make it clear that businesses need to do more to protect themselves from phishing attacks. Naturally, an advanced spam filtering solution is required to ensure that employees do not have their phishing email identification skills put to the test constantly. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails, thus reducing reliance on employees’ ability to identify scam emails.

The Irish phishing study also highlights the importance of providing security awareness training to employees. The study revealed 44% of the over 54 age group had opened an attachment or clicked on a link in an email from an unknown sender, as had 34% of millennials and 26% of the Gen X age group. Alarmingly, one in five respondents said that their employer had not provided any security awareness training whatsoever.

Employees need to learn how to identify scams, so security awareness training must be provided. Since cybercriminals’ tactics are constantly evolving, training needs to be continuous. Annual or biannual training sessions should be provided, along with shorter refresher training sessions. Businesses should also consider conducting phishing email simulations to test resilience to phishing attacks and highlight weak links.

To be effective, anti-phishing training needs to be provided to all employees and requires buy-in from all departments. Unless that happens, it will be difficult to develop a culture of security awareness.

How to Improve Office 365 Security

In this post we offer four simple steps to take to improve Office 365 security and make it harder for hackers and phishers to gain access to users’ accounts.

Hackers are Targeting Office 365 Accounts

It should come as no surprise to hear that hackers are targeting Office 365 accounts. Any software package that has 155 million global users is going to be a target for hackers, and with the number of users growing by an astonishing 3 million a month, Office 365 accounts are likely to be attacked even more frequently.

One study this year has confirmed that to be the case. There has been a 13% increase in attempts to hack into Office 365 email accounts this year, and many of those attacks succeed. You should therefore take steps to improve Office 365 security.

Hackers themselves are paying for Office 365 and are probing its security protections to find vulnerabilities that can be exploited. They also test their phishing emails on real office 365 accounts to find out which ones bypass Microsoft’s anti-phishing protections.

When emails have been developed that bypass Microsoft’s anti-phishing protections, mass email campaigns are launched on Office 365 users. Businesses using Office 365 can easily be found and targeted because it is made clear that they use Office 365 through public DNS MX records.

So how can you improve office 365 security and make it harder for hackers? If you take the four steps below, you will be able to greatly improve Office 365 security and thwart more attacks.

Enforce the Use of Strong Passwords

Hackers often conduct brute force attacks on Office 365 email accounts so you need to develop a strong password policy and prevent users from setting passwords that are easy to brute force. You should not allow dictionary words or any commonly used weak passwords, that otherwise meet your password policy requirements – Password1! for instance.

The minimum length for a password should be 8 characters but consider increasing that minimum. A password of between 12 and 15 characters is recommended. Make sure you do not set a too restrictive maximum number of characters to encourage the use of longer passphrases. Passphrases are harder to crack than 8-digit passwords and easier for users to remember. To make it even easier for your users, consider using a password manager.

Implement Multi-Factor Authentication

Even with strong passwords, some users’ passwords may be guessed, or users may respond to phishing emails and disclose their password to a scammer. An additional login control is therefore required to prevent compromised passwords from being used to access Office 365 accounts.

Multi-factor authentication is not infallible, but it will help you improve Office 365 security. With MFA, in addition to a password, another method of authentication is required such as a token or a code sent to a mobile phone. If a password is obtained by a hacker, and an attempt is made to login from a new location or device, further authentication will be required to access the account.

Enable Mailbox Auditing in Office 365

Mailbox auditing in Office 365 is not turned on by default so it needs to be enabled. You can set various parameters for logging activity including successful login attempts and various mailbox activities. This can help you identify whether a mailbox has been compromised. You can also logs failed login attempts to help you identify when you are being attacked.

Improve Office 365 Security with a Third-Party Spam Filter

As previously mentioned, hackers can test their phishing emails to find out if they bypass Office 365 anti-phishing controls and your organization can be identified as using Office 365. To improve Office 365 security and reduce the number of phishing emails that are delivered to end users’ inboxes, consider implementing a third-party spam filter rather than relying on Microsoft’s anti-phishing controls. Dedicated email security vendors, such as TitanHQ, offer more effective and more flexible anti-spam and anti-phishing solutions than Microsoft Advanced Threat Protection at a lower cost.