Phishing & Email Spam

Phishing and email spam is estimated to cost industry more than $1 billion each year, and cybercriminals are becoming more sophisticated in the campaigns they launch to try to extract confidential data or passwords from unsuspecting Internet users.

Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.

Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:

  • If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
  • Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
  • Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
  • Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
  • Remember that phishing and email spam is not limited to email. Watch out for scams sent via social media channels.

Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, there has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).

Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.

The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.

New Reverse Proxy Phishing-as-a-Service Helps Low-Skilled Hackers Bypass MFA

When multifactor authentication is set up on accounts, attempts to access those accounts using stolen credentials will be prevented, as in addition to a correct username and password, another factor must be provided to authenticate users. Phishing attacks may allow credentials to be stolen, but that does not guarantee accounts can be accessed. More companies are implementing multifactor authentication which means phishing attacks need to be more sophisticated to bypass the protection provided by multifactor authentication.

One of the ways that multifactor authentication can be bypassed is by using a reverse proxy. In a phishing attack, an email is sent to a target and a link is provided to a malicious website hosting a phishing form that spoofs the service of the credentials being targeted – Microsoft 365 for example. Instead of just collecting the login credentials and using them to try to remotely access the user’s account, a reverse proxy is used.

The reverse proxy sits between the phishing site and the genuine service that the attacker is attempting to access and displays the login form on that service. When the credentials are entered, they are relayed in real-time to the legitimate service, and requests are returned from that service, such as MFA requests. When the login process is successfully completed, a session cookie is returned which allows the threat actor to access the genuine service as the victim. The session cookie can also contain the authentication token. In these attacks, once the session cookie has been obtained, the victim is usually presented with a notification telling them the login attempt has failed or they are directed to another site and will likely be unaware that their credentials have been stolen and their account is being accessed.

These attacks allow the victim’s account to be accessed for as long as the session cookie remains valid. If it expires or is revoked, the attacker will lose access to the account. To get around this and gain persistent access, account details may be changed or other authentication methods will be set up.

These types of phishing attacks are much more sophisticated than standard phishing attacks, but the extra effort is worth the investment of time, money, and resources. Many advanced persistent threat actors use reverse proxies in their phishing campaigns and have developed their own custom reverse proxies and tools.  There are, however, publicly available kits that can be used in phishing campaigns such as Modlishka, Necrobrowser, and Evilginx2. These kits can be used at a cost and allow MFA to be bypassed, although they can be complicated to set up and use.

Now a new phishing-as-a-Service (PaaS) platform has been identified – EvilProxy – that is being pushed on hacking forums. EvilProxy allows authentication tokens to be stolen from a range of vendors including Microsoft, Apple, Twitter, Facebook, Google, and more, according to Resecurity which recently reported on the phishing kit.

EvilProxy lowers the bar considerably and makes conducting reverse proxy phishing attacks far simpler. The service includes instructional videos, provides a user-friendly graphical interface, and even supplies templates of cloned phishing pages for stealing credentials and auth tokens. Through the graphical interface, threat actors can set up and manage their phishing campaigns with ease. EvilProxy comes at a cost, starting at $150 for 10 days up to $400 for a month. While the service is not cheap, the potential rewards can be considerable. EvilProxy allows low-skill threat actors to gain access to valuable accounts, which could be used or sold on to other threat actors such as ransomware gangs.

Multifactor authentication is strongly recommended as it will block the majority of attacks on accounts; however, it can be bypassed by using reverse proxies. Protecting against reverse proxy phishing attacks requires a defense-in-depth approach. An email security solution – SpamTitan for example – should be implemented to block the initial phishing email. A web filter – WebTitan – should be used to block attempts to visit the malicious websites used in these man-in-the-middle attacks. Security awareness training is important for training employees on how to recognize and avoid phishing threats, and employers should conduct phishing simulation tests as part of the training process. TitanHQ’s SafeTitan platform allows businesses to conduct regular training and phishing simulations with ease.

What is Callback Phishing?

Phishing attacks are mostly conducted via email but there has been a major increase in hybrid phishing attacks over the past 12 months, especially callback phishing. Here we explain what callback phishing is, why it poses such a threat to businesses, and why threat actors are favoring this new approach.

What is Callback Phishing?

Email phishing is used for credential theft and malware distribution, but one of the problems with this type of phishing is most businesses have email security solutions that scan inbound emails for malicious content. Phishing emails and malicious files distributed via email are often identified as such and are rejected or quarantined. Some threat actors conduct voice phishing, where an individual is contacted by telephone, and attempts are made to trick them into taking an action that benefits the scammer using a variety of social engineering tactics.

Callback phishing is a type of hybrid phishing where these two methods of phishing are combined. Initially, an email is sent to a targeted individual or company that alerts the recipient to a potential problem. This could be an outstanding invoice, an upcoming payment or charge, a fictitious malware infection or security issue, or any of a long list of phishing lures. Instead of further information being provided in an attachment or on a website linked in the email, a telephone number is provided. The recipient must call the number for more information and to address the issue detailed in the email.

The phone number is manned by the threat actor who uses social engineering techniques to trick the caller into taking an action. That action is usually to disclose credentials, download a malicious file, or open a remote desktop session. In the case of the latter, the remote desktop session is used to deliver malware that serves as a backdoor into the victim’s computer and network.

This hybrid approach to phishing allows threat actors to get around email security solutions. The only malicious element in the initial email is a phone number, which is difficult for email security solutions to identify as malicious and block. That means the emails are likely to reach their targets.

Major Increase in Callback Phishing Attacks

Callback phishing was adopted by the Ryuk ransomware threat group in 2019 to trick people into installing BazarBackdoor malware, in a campaign that was dubbed BazarCall/BazaCall. Typically, the lure used in these attacks was to advise the user about an upcoming payment for a subscription or the end of a free trial, with a payment due to be automatically taken unless the trial/subscription is canceled by phone.

The Ryuk ransomware operation is no more. The threat actors rebranded as Conti, and the Conti ransomware operation has also now shut down; however, three threat groups have been formed by members of the Conti ransomware operation – Silent Ransom, Quantum, and Zeon – and all have adopted callback phishing as one of the main methods for gaining initial access to victims’ networks for conducting ransomware attacks. These three groups impersonate a variety of companies in their initial emails and trick people into believing they are communicating with a genuine company. The aim is to get the user to establish a remote desktop session. While the user is distracted by the call, a second member of the team uses that connection to install a backdoor or probe for ways to attack the company, without the user being aware what is happening.

Callback phishing is also used by other threat groups for credentials theft and malware distribution, often by impersonating a cybersecurity firm and alerting the user to a security threat that needs to be resolved quickly. These attacks see the user tricked into installing malware or disclosing their credentials. According to cybersecurity firm Agari, phishing attacks increased by 6% from Q1, 2022 to Q2, 2022, and over that same time frame hybrid phishing attacks increased by an incredible 625%.

How to Protect Against Callback Phishing Attacks

As is the case with other forms of phishing, the key to defending against attacks is to implement layered defenses. Email security solutions should be implemented that perform a range of checks of inbound emails to identify malicious IP addresses. Email security solutions such as SpamTitan incorporate machine learning mechanisms that can detect emails that deviate from those normally received by an organization. Multi-factor authentication should be implemented on accounts to block attempts to use stolen credentials.

The best defense against callback phishing is to provide security awareness training to the workforce. Employees should be told about the social engineering tactics used in these attacks, the checks everyone should perform before responding to any email, and the signs of callback phishing to look out for. Callback phishing simulations should also be conducted to gauge how susceptible the workforce is to callback phishing. A failed simulation can be turned into a training opportunity to proactively address the lack of understanding.

TitanHQ offers a comprehensive security awareness training platform for businesses – SafeTitan – that covers all forms of phishing and the platform included a phishing simulator for conducting phishing tests on employees. For more information, give the TitanHQ team a call today.

BEC Attacks on Businesses are Increasing: How To Improve Your Defenses Against These Damaging Attacks

Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most financially damaging types of cyberattacks, and attacks have been increasing. These attacks involve gaining access to business email accounts, often the email account of the CEO or CFO, and using those accounts to send emails to staff that has responsibility for making payments and tricking them into wiring funds to an attacker-controlled account. The attacks can also be conducted to make changes to payroll information to get employees’ salaries deposited to attacker-controlled accounts.

BEC scams have resulted in losses in excess of $43 billion over the past 5 years according to the Federal Bureau of Investigation (FBI), and that is just complaints submitted to its Internet Crime Complaint Center (IC3). In 2021 alone, almost $2.4 billion in losses to BEC attacks were reported to IC3.

Anatomy of a BEC Attack

BEC attacks require considerable effort by threat actors, but the rewards from a successful attack are high. BEC attacks often see fraudulent transfers made for hundreds of thousands of dollars and in some cases several million. Companies are researched, individuals to target are identified, and attempts are made to compromise their accounts. Accounts can be compromised through phishing or brute force attempts to guess weak passwords.

With access to the right email accounts, the attacker can study the emails in the account. The usual communication channels can be identified along with the style of emails that are usually sent. The attacker will identify contracts that are about to be renewed, invoices that will soon be due, and other regular payments to try to divert. Timely and convincing emails can then be sent to divert payments and give the attacker sufficient time to move the funds before the scam is uncovered.

A recent report from Accenture suggests the rise in ransomware attacks is helping to fuel the rise in BEC attacks. Ransomware gangs steal data before encrypting files and publish the data on their data leak sites. The stolen data can be used to identify businesses and employees that can be targeted, and often includes contract information, invoices, and other documents that can cut down on the time spent researching targets and identifying payments to divert. Some ransomware gangs are offering indexed, searchable data, which makes life even easier for BEC scammers.

How to Improve Your Defenses Against BEC Attacks

Defending against BEC attacks can be a challenge for businesses. Once an email account has been compromised, the emails sent from the account to the finance department to make wire transfers can be difficult to distinguish from genuine communications.

Use an Email Security Solution with Outbound Scanning

An email security solution such as SpamTitan can help in this regard, as all outbound emails are scanned in addition to inbound emails. However, the key to blocking attacks is to prevent the email accounts from being compromised in the first place, which is where SpamTitan will really help. SpamTitan protects against phishing emails using multiple layers of protection. Known malicious email accounts and IP addresses are blocked, other checks are performed on message headers looking for the signs of phishing, and the content of the emails is checked, including attachments and embedded hyperlinks. Emails are checked using heuristics and Bayesian analysis to identify irregularities, and machine learning helps to identify messages that deviate from the normal emails received by a business.

Implement Robust Password Policies and MFA

Unfortunately, it is not only phishing that is used to compromise email accounts. Brute force tactics are used to guess weak passwords or credentials stuffing attacks are performed to guess passwords that have been used to secure users’ other accounts. To block this attack vector, businesses need to implement robust password policies and enforce the use of strong passwords. Remembering complex passwords is difficult for employees, so a password manager solution should be used so they don’t need to. Password managers suggest complex, unique passwords, and store them securely in a vault. They autofill the passwords when they are needed so employees don’t need to remember them. If email account credentials are compromised, they can be used to remotely access accounts. Multifactor authentication can stop this, as in addition to a password, another form of authentication must be provided.

Provide Security Awareness Training to the Workforce

Providing security awareness training to the workforce is a must. Employees need to be taught how to recognize phishing emails and should be trained on cybersecurity best practices. If employees are unaware of the threats they are likely to encounter, when the threats land in their inboxes or are encountered on the web, they may not be able to recognize them as malicious. Training should be tailored for different users, and training on BEC attacks should be provided to the individuals who are likely to be targeted: the board, finance department, payroll, etc.

Security awareness should be accompanied by phishing simulations – fake, but realistic, phishing emails sent to the workforce to test how they respond. BEC attacks can be simulated to see whether the scams can be recognized. If a simulation is failed it can be turned into a training opportunity. These campaigns can be created, and automated, with the SafeTitan Security Awareness Training and Phishing Simulation Platform.

Set Up Communication Channels for Verifying Transfer Requests

Employees responsible for making wire transfers or changing payroll information should have a communication channel they can use to verify transfers and bank account changes. Providing them with a list of verified phone numbers will allow them to make a quick call to verify changes. A quick phone call to verify a request can be the difference between an avoided scam and a major financial loss.

Speak to TitanHQ about Improving Your Defenses Against BEC Attacks

TitanHQ offers a range of cybersecurity solutions for blocking email and web-based cyber threats. For more information on SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training, give the TitanHQ team a call. All solutions are quick and easy to set up and use, and all have been developed to make it easy for MSPs to offer these cybersecurity solutions to their clients. With TitanHQ solutions in place, you will be well protected from phishing, malware, ransomware, botnets, social engineering, and BEC attacks.

Twilio SMS Phishing Attack Highlights Importance of Security Awareness Training on all Forms of Phishing

Phishing is mostly conducted via email; however, a recent data breach at the cloud communication company Twilio demonstrates that phishing can be highly effective when conducted using other popular communication methods, such as SMS messages.

An SMS phishing attack – known as SMiShing – involves sending SMS messages with a link to a malicious website with some kind of lure to get people to click. Once a click occurs, the scam progresses as an email phishing attack does, with the user being prompted to disclose their credentials on a website that is usually a spoofed site to make it appear genuine. The credentials are then captured and used by the attacker to remotely access the victims’ accounts.

Twillio provides programmable voice, text, chat, video, and email APIs, which are used by more than 10 million developers and 150,000 businesses to create customer engagement platforms. In this smishing attack, Twilio employees were sent SMS messages that appeared to have been sent by the Twilio IT department that directed them to a cloned website that had the Twilio sign-in page. Due to the small screen size on mobile devices, the full URL is not displayed, but certain keywords are added to the URLs that will be displayed to add realism to the scam. The URLs in this campaign included keywords such as SSO, Okta, and Twilio.

According to Twilio EMEA Communications director, Katherine James, the company detected suspicious account activity on August 4, 2022, and the investigation confirmed that several employee accounts had been accessed by unauthorized individuals following responses to the SMS messages. The attackers were able to access certain customer data through the Twilio accounts, although James declined to say how many employees were tricked by the scam and how many customers had been affected.

Twilio was transparent about the data breach and shared the text of one of the phishing emails, which read:

Notice! [redacted] login has expired. Please tap twilio-sso-com to update your password!

The text messages were sent from U.S. carrier networks. Twilio contacted those companies and the hosting providers to shut down the operation and take down the malicious URLs. Twilio said they were not the only company to be targeted in this SMS phishing campaign, and the company worked in conjunction with those other companies to try to shut the operation down; however, as is common in these campaigns, the threat actors simply switch mobile carriers and hosting providers to continue their attacks.

The smishing attack and data breach should serve as a reminder to all businesses of the risk of smishing. Blocking these types of phishing attacks can be a challenge for businesses. The best starting point for improving your defenses is to provide security awareness training for the workforce. Security awareness training for employees usually has a strong emphasis on email phishing, since this type of phishing is far more common, but it is important to also ensure that employees are trained on how to recognize phishing in all its forms, including smishing, social media phishing, and voice phishing – vishing – which takes place over the telephone.

The easiest way to do this is to work with a security vendor such as TitanHQ. TitanHQ offers a comprehensive security awareness training platform – SafeTitan – with an extensive range of training content on all aspects of security, including smishing and voice phishing. The training content is engaging, interactive, and effective at improving cybersecurity understanding, and SafeTitan is the only security awareness training platform that delivers training in real-time in response to the behavior of employees. The platform also includes a phishing simulator for automating simulated phishing tests on employees.

For more information about improving security awareness in your organization, contact TitanHQ today.

Predictive Threat Detection Capabilities Enhanced in SpamTitan Plus

TitanHQ has announced an update has been made to its flagship anti-phishing solution, SpamTitan Plus. The new enhancements have been added to the predictive phishing detection capabilities of SpamTitan Plus to help users block personalized URL attacks.

Phishing attacks on businesses have become much more sophisticated and new tactics are constantly being developed to evade standard email security solutions. While commercial email security solutions perform well at identifying and blocking spam emails, achieving detection rates in excess of 99%, blocking phishing emails is more of a challenge and many phishing threats sneak past email security solutions and are delivered to inboxes.

One of the ways that cyber threat actors bypass email security solutions is by creating personalized URLs for their phishing emails. One of the methods used by email security solutions for blocking phishing URLs is a real-time blacklist of known malicious URLs and IP addresses. If an email is sent from an IP address that has previously been used to send spam or phishing emails, the IP address is added to a blacklist and all emails from that IP address will be blocked. The URLs in phishing campaigns are set up and massive email runs are performed. When those URLs are detected as malicious, they are also added to a blacklist and will be blocked by email security solutions.

However, it is becoming increasingly common for personalized URLs to be used. These URLs can be personalized for the targeted organizations at the path and parameter level, and since a unique URL is used in each attack, standard anti-phishing measures such as blacklists are ineffective at detecting these URLs as malicious. That means the emails containing these malicious URLs are likely to be delivered to inboxes and can only be blocked after they have been delivered. That typically means an employee needs to report the email to their security team, and the security team must then act quickly to remove all phishing emails in that campaign from the email system. That process takes time and there is a risk that the links in the emails could be clicked, resulting in credential theft or malware infections. Most of the phishing detection feeds that are used by email security solutions do not gather the necessary intelligence to be able to inform customers of the level at which a phishing campaign should be blocked. SpamTitan Plus, however, does have that capability.

“With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing,” said Ronan Kavanagh, CEO of TitanHQ. “At TitanHQ we always strive to innovate and develop solutions that solve real-security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals.”

SpamTitan Plus

SpamTitan Plus is an AI-driven anti-phishing solution that is capable of blocking even the newest zero-day phishing threats. The solution has better coverage than any of the current market leaders and provides unparalleled time-of-click protection against malicious hyperlinks in phishing emails, with the lowest false positive rate of any product. SpamTitan Plus benefits from massive clickstream traffic from 600+ million users and endpoints worldwide, which sees the solution block 10 million new, never-before-seen phishing and malicious URLs a day.

The solution protects against URL-based email threats including malware and phishing, performs predictive analyses to identify suspicious URLs, URLs are rewritten to protect users, real-time checks are performed on every click, and the solution includes 100% of all current market-leading anti-phishing feeds. That translates into a 1.5x increase in unique phishing URL detections, 1.6x faster phishing detections than the current market leaders, and 5 minutes from initial detection of a malicious URL to protecting all end user mailboxes.

For more information about the best phishing solution for businesses, give the TitanHQ team a call today. Current users of SpamTitan Plus already have these new capabilities added, at no additional cost.

Cybersecurity Companies Impersonated in Convincing Callback Phishing Campaign

A new phishing campaign is being conducted that abuses trust in cybersecurity companies. The campaign uses scare tactics to get company employers to pick up the phone and speak to the cybersecurity vendor about a recently detected data breach and potential workstation compromise.

It is becoming increasingly common for phishing scams to involve initial contact via email with requests to make a call. This tactic is often used in tech support scams, where victims are convinced they have a malware infection or another serious security issue on their device, and they are tricked into downloading malicious software such as Remote Access Trojans (RATs).

RATs give the attackers access to the user’s computer, and that access can be abused by the attacker or the access can be sold to other threat groups such as ransomware gangs. Affiliates of ransomware-as-a-service operations may use this technique to conduct attacks and are then paid a percentage of any ransom payments they generate.

In this campaign, the impersonated companies are very well-known providers of enterprise security solutions, such as CrowdStrike, and the emails are very well written and convincing. They claim that a data breach has been detected that affected the part of the cybersecurity provider’s network associated with the customer’s workstation and warns that all workstations on the network may have been compromised. As such, the cybersecurity company is conducting an audit.

The emails claim that the cybersecurity vendor has reached out to the IT department, which has instructed the vendor to contain individual users directly. The emails claim that the audit is necessary for compliance with the Consumer Privacy Act of 2018 (CCPA) and other regulations and that the agreement between the targeted individual’s company and the cybersecurity vendor allows it to conduct regular audits and security checks. A phone number is provided for the individual to make contact, and the email includes the correct corporate logo and genuine address of the cybersecurity vendor.

CrowdStrike reports that a similar scam has been conducted by the Wizard Spider threat group, which was responsible for Ryuk ransomware attacks. That campaign delivered BazarLoader malware, which was used to deliver the ransomware payload.

This type of phishing attempt is known as callback phishing. This technique can be effective at bypassing email security solutions since the emails contain no malicious content – There are no hyperlinks and no file attachments. This scam highlights the importance of conducting security awareness training on the workforce to help employees identify and avoid phishing scams.

How TitanHQ Can Help

TitanHQ provides a range of security solutions for blocking phishing attacks, including SpamTitan Email Security, WebTitan DNS Filtering, and the SafeTitan Security Awareness and Phishing Simulation Platform.

SafeTitan has an extensive library of interactive, gamified, and engaging training content for improving security awareness of the workforce, including phishing and the full range of cyberattacks that employees are likely to encounter. The training is delivered in easily assimilated modules of no more than 8 to 10 minutes, and training can be delivered in real-time in response to risky user behaviors to nip bad security practices in the bud. The platform also includes hundreds of phishing templates for conducting and automating phishing simulations on the workforce, to gain insights into the individuals who are susceptible to phishing attacks and any knowledge gaps.

For more information on improving your defenses against phishing attacks, review our solutions in the links at the top of this page or give the team a call. Products are available on a free trial and demonstrations can be arranged on request.

Social Media Phishing Attacks are on the Rise

Phishing can take many forms and while email is the most common vector used in these scams, other types of phishing such as voice phishing (vishing), SMS phishing (Smishing), and social media phishing increasing. In particular, there has been a recent spike in social media phishing attempts.

The threat from email phishing can be greatly reduced with an email security solution; however, these solutions will do nothing to block vishing, smishing, and social media phishing attempts. Businesses can improve their defenses by also using a DNS filtering solution. DNS filters block attempts to visit malicious websites and work in tandem with email security solutions to block email phishing and can also block the web-based component of smishing attacks and social media phishing to a certain extent. Unfortunately, since the social media networks where phishing takes place are not malicious websites, it will not prevent people from encountering phishing attempts.

This is why security awareness training is so important. Security awareness training gives employees the skills they need to recognize and avoid phishing attempts, no matter where the phishing attack is conducted. By training the workforce on security threats, risky behaviors can be eradicated, and employees can be taught the signs of phishing to look out for. The SafeTitan Security Awareness Training platform also delivers training in real-time, in response to risky behaviors by employees. This ensures training is delivered instantly when risky behavior is detected and training is likely to have the greatest benefit.

Social Media Phishing

Two social media phishing campaigns have recently been identified by researchers at Malwarebytes, the goal of which is to obtain the credentials for social media accounts. If the credentials are disclosed, the attacker can access the victim’s account and use it to conduct further attacks on the victim’s followers. If the credentials for a corporate social media account are stolen, attacks could be conducted on all the company’s followers. These attacks abuse the trust customers have in the company. The two campaigns have been conducted on Twitter and Discord users. Both use social engineering to trick people into disclosing their account credentials.

Twitter Phishing Campaign

In the Twitter campaign, the scammer sends a direct message to the user informing them that their account has been flagged for hate speech and threatens an immediate suspension of the account unless action is taken. The user is told that they must authenticate the account via the Twitter Help Center, a link for which is provided in the message. The link directs the user to a phishing page that spoofs Twitter where they are asked to log in. If they do, their credentials will be captured.

Discord Phishing Campaign

The Discord campaign sees a message sent from either a contact of the victim using a compromised Discord account or from strangers. The account owner is accused of disseminating explicit photographs and the sender says they are going to block the account until an explanation is provided. A link is provided to a server where the recipient has allegedly been named and shamed. If the message recipient tries to respond to the message, their message will not be sent as they will have been blocked, increasing the likelihood of their clicking the link to the server.

Victims are required to log in via a QR code and once they have attempted that they are locked out of their accounts, which are then under the full control of the scammer. The scammer is then free to use the legitimate account to continue their scam on all the victims’ contacts. Social media scams such as these try to scare or shame users into responding. This tactic can be very effective, even if the user has never said a bad word on Twitter or sent an explicit photograph to anyone on Discord.

Other Social Media Phishing Campaigns

Phishing can – and does – occur on all social media platforms. One scam that has proven successful targets Instagram users and offers them the verified Instagram badge. In order to receive the badge, they are required to log in to verify their identity, naturally via a malicious link. Doing so will allow the scammer to take full control of the user’s Instagram account.

It is a similar story on LinkedIn. One of the most common scams involves impersonating a company and sending a message to an individual about a job offer, or a message suggesting they have been headhunted. Fake connection requests are also common. In this scam, the user is provided with a link to a scam site that spoofs LinkedIn and again is conducted to harvest credentials.

On Facebook, phishing scams are rife but often they seem innocuous. If you use Facebook, you will no doubt have seen countless posts asking site users to determine their band name, porn star name, pirate name, etc., by providing information such as the month and year of birth.  Posts asking what was your first car? Where did you grow up? What was your favorite teacher’s name? and many more do not seek credentials, but the information disclosed can be used to answer security questions that are asked in order to recover accounts. These scams also make brute force attacks to guess passwords so much easier.

Dangers of Social Media Phishing

The loss of access to a social media account may not be the end of the world and is likely far better than having a bank account emptied, but the damage caused can be considerable. Many small businesses rely on social media for publicity and generating sales, and the loss of an account or scamming of customers can be devastating. The passwords used for social media accounts are often reused across multiple platforms. Scammers often conduct credential stuffing attacks on other platforms and accounts using the same password. Fall victim to a social media phishing scam and many other accounts could be compromised.

Blocking social media phishing attacks can be a challenge. You should also ensure that two-factor authentication is enabled on social media accounts, consider restricting who can send direct messages to your account, and who can view your profiles. If you encounter a scam, be sure to report it.

For businesses, employees with access to corporate social media accounts should be given specific training on social media phishing to ensure they can recognize and avoid phishing scams. The SafeTitan Security Awareness Training platform makes this simple and helps businesses instantly correct risky behaviors through the automated delivery of a relevant training course in real-time. The platform has a wealth of engaging, gamified training content and a phishing simulation platform for testing resilience to phishing attacks.

For more information on SafeTitan and improving your phishing defenses through the use of an email security solution and DNS filtering, give the TitanHQ team a call today.

Microsoft’s Automatic Blocking of Macros Has Been Temporarily Rolled Back

Microsoft previously announced a new security feature that would see VBA macros automatically blocked by default, but there has been a rollback in response to negative feedback from users.

Phishing emails are commonly used for malware delivery which contain links to websites where the malware is hosted or by using malicious email attachments. Word, Excel, Access, PowerPoint, and Visio files are commonly attached to emails that include VBA macros. While there are legitimate uses for VBA macros, they are often used for malware delivery. When the documents are opened, the macros would run and deliver a malware loader or sometimes the malware payload directly.

Office macros have been used to deliver some of the most dangerous malware variants, including Emotet, TrickBot, Qakbot, Dridex. To improve security, in February 2022, Microsoft announced that it would be blocking VBA macros by default. If macros are blocked automatically, it makes it much harder for this method of malware delivery to succeed.

With autoblocking of macros, users are presented with a security alert if a file is opened that includes a VBA macro. When opening a file with a VBA macro, the following message is displayed in red:

“SECURITY RISK: Microsoft has blocked macros from running because the source of this file is untrusted.”

The user would not be able to click the warning to override the blocking, instead, they would be directed to a resource that provides further information on the risk of enabling macros. They would have the option of ignoring the warning but would be strongly advised not to. Previously, a security warning was displayed in a yellow warning box that says, “Security Warning: Macros have been disabled.” The user would be presented with a prompt to Enable Content, and thus ignore the warning.

Microsoft had rolled out this new security feature, but recently Windows users started to notice that the new security warning was no longer being displayed, instead, Microsoft appeared to have rolled back to its previous system without announcing it was doing so.

Microsoft did confirm that it is rolling back this security feature and that an update announcing that has been planned; however, it had not been announced before the rollback started. The process has been heavily criticized, not for the rollback itself (although there has been criticism of that), but for starting the rollback without first making an announcement.

Microsoft said the rollback was due to negative feedback it had received, but it is not known at this stage which users had complained. It is suspected that the change posed a problem for individuals who commonly use VBA macros, and the automatic blocking made the process of running macros cumbersome. Most SMB users, however, do not deal with macros frequently, so the rollback means a reduction in security.

It took several days for Microsoft to confirm that the rollback is temporary and that it was necessary to make changes to improve usability. Microsoft said it is still committed to blocking macros by default for users. So, while this is a U-turn, it is just a temporary one.

While automatically blocking macros is important to improve security, it is still strongly recommended to implement a robust email security solution, as macros are not the only way that malware is delivered via email. Also, blocking macros will do nothing to stop phishing emails from being delivered.

With SpamTitan Email Security, phishing and malware threats can be easily blocked. For more information, give the TitanHQ team a call.

Copyright Infringement Notices used in Phishing Emails for Delivering Lockbit 2.0 Ransomware

Cybercriminals are constantly changing tactics and lures in their phishing campaigns, so it is no surprise to see a new technique being used by affiliates of the Lockbit ransomware-as-a-service operation. A campaign has been identified by researchers at AhnLab in Korea that attempts to deliver a malware loader named Bumblebee, which in turn is used to deliver the LockBit 2.0 ransomware payload.

Various lures are used in phishing campaigns for delivering malware loaders, with this campaign using a warning about a copyright violation due to the unauthorized use of images on the company’s website. As is common in phishing emails, the emails contain a threat should no action be taken – legal action. Emails that deliver malware loaders either use attached files or contain links to files hosted online. The problem with attaching files to emails is they can be detected by email security solutions. To get around this, links are often included. In this case, the campaign uses the latter, and to further evade detection, the linked file is a password-protected archive. This is a common trick used in malware delivery via email to prevent the file from being detected as malicious by security solutions, which are unable to open the file and examine the contents. The recipient of the message is provided with the password to open the file in the message body.

The password-protected zip file contains a file that masquerades as a PDF file, which the user is required to open to obtain further information about the copyright violation. However, a double file extension is used, and the attached file is actually an executable file, which will deliver the Bumblebee loader, and thereafter, LockBit 2.0 ransomware.

These types of phishing attacks are all too common. Believable lures are used to trick people into taking the requested action, a threat is included should no action be taken, and multiple measures are used to evade security solutions. Any warning about a copyright violation must be taken seriously but as with most phishing emails, there are red flags in this email that suggest this is a scam. Security-aware employees should be able to recognize the red flags and while they may not be able to confirm the malicious nature of the email, they should report such messages to their IT department or security team for further investigation. However, in order to be able to identify those red flags, employees should be provided with security awareness training.

Through regular training employees will learn the signs of phishing emails, can be conditioned to always report the emails to their security team, and can be kept abreast of the latest tactics used in phishing emails for malware delivery. It is also recommended to conduct phishing simulations to test whether employees are being fooled by phishing attempts. If employees fail phishing simulations it could indicate issues with the training course that need to be addressed, or that certain employees need to be provided with additional training. Through regular security awareness training and phishing simulations, businesses can create a human firewall capable of detecting phishing attempts that bypass the organization’s email and web security defenses.

TitanHQ can provide assistance in this regard through the SafeTitan Security Awareness Training and Phishing Simulation Platform – Further information on the solution can be found here.

How Phishing Emails Led to The Theft of $23.5 Million from the U.S. Department of Defense

Phishing is commonly used to gain access to credentials to hijack email accounts for use in business email compromise (BEC) attacks. Once credentials have been obtained, the email account can be used to send phishing emails internally, with a view to obtaining the credentials of the main target. Alternatively, by spear phishing the target account, those steps can be eliminated.

If the credentials are obtained for the CEO or CFO, emails can be crafted and sent to individuals responsible for wire transfers, requesting payments be made to an attacker-controlled account. A common alternative is to target vendors, in an attack referred to as vendor email compromise (VEC). Once access is gained to a vendor’s account, the information contained in the email accounts provides detailed information on customers that can be targeted.

When a payment is due to be made, the vendor’s email account is used to request a change to the account for the upcoming payment. When the payment is made to the attacker-controlled account, it usually takes a few days before the non-payment is identified by the vendor, by which time it may be too late to recover the fraudulently transferred funds. While BEC and VEC attacks are nowhere near as common as phishing attacks, they are the leading cause of losses to cybercrime due to the large amounts of money obtained through fraudulent wire transfers. One attack in 2018 resulted in the theft of $23.5 million dollars from the U.S. Department of Defense.

In this case, two individuals involved in the scam were identified, including a Californian man who has just pleaded guilty to six counts related to the attack. He now faces up to 107 years in jail for the scam, although these scams are commonly conducted by threat actors in overseas countries, and the perpetrators often escape justice. The scam was conducted like many others. The BEC gang targeted DoD vendors between June 2018 and September 2018 and used phishing emails to obtain credentials for email accounts. An employee at a DoD vendor that had a contract to supply Aviation JA1 Turbine fuel to troops in southeast Asia for the DoD received an email that spoofed the U.S. government and included a hyperlink to a malicious website that had been created to support the scam.

The website used for the scam had the domain dia-mil.com, which mimicked the official dla.mil website, and email accounts were set up on that domain to closely resemble official email accounts. The phishing emails directed the employee to a cloned version of the government website, login.gov, which harvested the employee’s credentials. The credentials allowed the scammer to change bank account information in the SAM (System for Award Management) database to the account credentials of the shell company set up for the scam. When the payment of $23,453,350 for the jet fuel was made, it went to the scammers rather than the vendor.

Security systems were in place to identify fraudulent changes to bank account information, but despite those measures, the payment was made. The SAM database is scanned every 24 hours and any bank account changes are flagged and checked. The scammers learned of this and made calls to the Defense Logistics Agency and provided a reason why the change was made and succeeded in getting the change manually approved, although flags were still raised as the payment was made to a company that was not an official government contractor. That allowed the transfer to be reverted. Many similar scams are not detected in time and the recovery of funds is not possible. By the time the scam is identified, the scammers’ account has been emptied or closed.

The key to preventing BEC and VEC attacks is to deal with the issue at its source to prevent phishing emails from reaching inboxes and teach employees how to identify and avoid phishing scams. TitanHQ can help in both areas through SpamTitan Email Security and the SafeTitan security awareness training and phishing simulation platform. Businesses should also implement multifactor authentication to stop stolen credentials from being used to access accounts.

New TTPs Help Emotet Regain its Place as the Top Malware Threat

It took 10 months for the operators of the Emotet botnet to return after their botnet infrastructure was shut down in an international law enforcement operation, and then just a further 3 months for Emotet malware to regain its position as the most widely deployed malware.

According to Check Point, in March 2022, Emotet reestablished itself as the most widely distributed malware. Emotet has emerged like a phoenix from the flames, and infections have been soaring, with March seeing an astonishing increase in infections. Check Point says as many as 10% of all organizations globally were infected with Emotet in March, which is twice the number of infections the firm recorded in February.

Emotet first appeared in 2014 and was initially a banking Trojan; however, the malware has evolved considerably. Like many other banking Trojans, modules have been added to give the malware new functionality and today the malware is operated under the malware-as-a-service model, with access to Emotet-infected devices sold to other cybercriminal operations, which in the past has included the TrickBot operators and ransomware gangs.

In November 2021, 10 months after the botnet’s infrastructure was taken down, security researchers started reporting the resurrection of Emotet. The TrickBot operators helped to rebuild the Emotet botnet by using their malware to download Emotet as a secondary payload, and in the past couple of months, massive spamming campaigns have been launched to distribute Emotet which have proven to be highly successful. Emotet is also a self-propagating malware and the emails used to distribute it are convincing. One of the Emotet spam email campaigns being tracked by Kaspersky has been scaled up considerably, increasing 10-fold in just one month. That campaign is being used to distribute Emotet and the linked malware QBot. In February, Kaspersky intercepted 3,000 emails. In March, 30,000 emails were intercepted.

Like previous campaigns distributing Emotet, business email threads are hijacked and replies are sent to those messages that contain malicious hyperlinks or attachments. Since the messages come from trusted senders and appear to be responses to genuine messages, the chance of them attracting a click is high. This campaign highlights the importance of having an email security solution than conducts scans of outbound as well as inbound mail. Security Awareness training is also important to condition the workforce to constantly be on the lookout for potential threats, even when emails appear to have been sent internally from corporate accounts or other trusted senders.

Some of the spam email campaigns have revealed new tactics, techniques, and procedures (TTPs) are being tested to distribute the malware. This April, Microsoft started blocking macros in Office files downloaded from the Internet by default. This is a problem for threat actors that have previously relied on macros in Excel spreadsheets and Word documents to download their malware, so it is no surprise to see the Emotet operators changing their tactics to get around this.

One campaign has been identified that uses XLL files – a type of dynamic link library (DLL) file – rather than Excel and Word files. XLL files increase the functionality of Excel, and using these files gets around the problem of VBA macros being blocked. Emotet is known for large spamming campaigns; however, this campaign was conducted on a small scale, possibly to test its effectiveness. Should the campaign prove successful, it will likely be scaled up. In this campaign, the emails are linked to OneDrive, and if the link in the email is clicked, the XLL file is downloaded in a password-protected .zip file. The password to unlock the .zip file is provided in the message body.

Emotet is also being distributed via Windows shortcut files (.LNK). The Emotet operators have used this tactic in the past in combination with VBS code; however, this campaign does away with the VBS code, and instead, the .LNK files are used to directly execute PowerShell commands that download the Emotet payload.

Is likely that the operators will switch to new variants that have lower detection rates by AV engines, as has been done many times in the past, which is why it is important to have an email security solution that is not reliant on signature-based detection mechanisms. Behavioral analysis is vital for detecting these new variants. An email security solution with email sandboxing will help to protect against new malware variants that have not had their Signatures uploaded into AV engines.

LinkedIn is Now the Most Impersonated Brand in Phishing Attacks

LinkedIn has jumped to the top of the list of the most impersonated brands in phishing attacks, now accounting for 52% of all phishing attacks involving brand impersonation – a 550% increase from the 8% in the previous quarter, according to Check Point.

LinkedIn phishing scams take various forms, although one of the most common is a fake request from an individual to connect on the platform. The phishing emails include the official LinkedIn logo and are indistinguishable from the genuine LinkedIn communications that they spoof. If the user clicks on the Accept button, they are directed to a phishing webpage that is a carbon copy of the genuine LinkedIn page aside from the domain.

The increase in LinkedIn phishing attacks is part of a trend in attacks targeting social media credentials. While these credentials do not provide an immediate financial return, social media account credentials are valuable to cybercriminals as they allow them to conduct highly effective spear phishing attacks. If a corporate social media account is compromised, trust in the company can be abused to distribute malware and links can be added to direct followers to malicious websites.

Failed delivery and shipping notifications are still a common theme in phishing emails targeting businesses and consumers. Around 22% of phishing attacks in Q1, 2022 involved the impersonation of shipping and delivery companies. The package delivery firm DHL is the second most spoofed brand accounting for 14% of brand impersonation attacks. Many of these shipping and delivery phishing emails are conducted to distribute malware, usually through the downloading of fake documents that include malicious code that installs malware such as remote access Trojans.

Phishing is the number one threat faced by businesses. Most successful cyberattacks start with a phishing email, with stolen credentials or malware providing cybercriminals with the foothold they need in a corporate network to launch an extensive attack. Phishing attacks are cheap and easy to conduct and they target employees, who can easily be fooled into installing malware or disclosing their credentials.

This month, a healthcare data breach was reported by Christie Clinic in the United States that involved a hacker gaining access to a single email account. That account was used in a business email compromise attack to divert a large vendor payment. Business email compromise attacks are the main cause of losses to cybercrime according to the Federal Bureau of Investigation. In this breach, the compromised email account contained the personal data of more than half a million patients. Cyberattacks such as this only require one employee to respond to a phishing email for a costly data breach to occur.

Also this month, a new malware distribution campaign has been identified that attempts to install the Meta information stealer, which is capable of stealing passwords stored in browsers and cryptocurrency wallets. The malware is delivered via phishing emails with Excel spreadsheet attachments, which include malicious macros that download and install malware via HTTPS from GitHub. In this campaign, the lure used to trick recipients into opening the file claims to be a notification about an approved transfer of funds to Home Depot, the details of which are detailed in the attached spreadsheet. In order to view the contents of the spreadsheet, the user is told they must enable content to remove DocuSign protection. Enabling content allows the macros to run.

An advanced spam filtering solution such as SpamTitan will help to ensure that inboxes are kept free of phishing emails and any emails containing malicious scripts or attachments are not delivered. SpamTitan includes dual antivirus engines to ensure malware is identified and sandboxing to catch malware variants that bypass signature-based detection mechanisms.

While a spam filter used to be sufficient for blocking phishing emails, the sophisticated nature of phishing attacks today and the sheer volume of phishing emails being sent, mean some phishing emails will inevitably arrive in inboxes. For this reason it is also important to provide regular security awareness training to the workforce. TitanHQ can help in this regard through SafeTitan security awareness training and phishing simulations. SafeTitan is the only behavior-driven security awareness solution that delivers security awareness training in real-time. The solution is proven to significantly improve resilience to phishing attacks.

Scary Browser-in-the-Browser Phishing Attack Steals Credentials Using Realistic SSO Popups

Phishing remains the top cybersecurity threat to businesses. Phishing scams can be realistic and difficult for people to identify for the scams that they are. The sender field is often spoofed to make it appear that the emails have been sent by known individuals or trusted companies, the body of the messages often contains well-known branding, and templates are used for messages that are carbon copies of the genuine emails they impersonate.

The emails may contain malicious attachments if the aim is to install malware, and malicious hyperlinks if credential harvesting is the goal. The hyperlinks direct users to a website where they are asked to enter their credentials – a web page that is difficult to distinguish from the genuine web page being spoofed. As if those messages were not convincing enough, there is now a new Chrome phishing toolkit that makes credential theft even easier.

Most Internet users will be familiar with websites that use Single Sign-on popups to authenticate users. Rather than requiring website users to register an account, they can authenticate using an existing Google, Apple, or Facebook account. This way of logging in is popular, as users do not need to create and remember another set of login credentials. There is, however, a problem with this approach, and that is that single sign-on popups are easy to spoof in Chrome.

As previously mentioned, phishing scams can be convincing, but there are often red flags and the biggest flag is the URL of the website used for phishing. If you are expecting to sign in to Facebook for example, and you are directed to what is clearly not a Facebook-owned domain, the phishing scam can be easily identified.

The latest toolkit does not produce this red flag. The single sign-on popup generated on the webpage looks exactly the same as the genuine popup being spoofed, including the URL. If an individual is directed to one of these fake phishing forms, it is highly unlikely that they would be able to identify it as malicious and their credentials will be stolen.

A phishing email could be sent advising the recipient that a file has been shared with them, inviting them to log in to Dropbox for instance. The link is clicked, and the user will be directed to the website and will be presented with the login box which includes the address bar with the URL of the login form. For example, if you attempt to log in with your Google account, the URL will start with accounts.google.com/. The phishing toolkit uses pre-made templates that are fake, but incredibly realistic. These Chrome popup windows allow a custom address URL and title to be displayed.

This toolkit was created by the security researcher dr. d0x, who made them available on GitHub. They allow any would-be hacker to quickly and easily create a highly convincing SSO pop-up window, which could be added to any website and be used for a browser-in-the-browser phishing attack. This attack method is nothing new, as fake SSO pop-up windows have been created in the past, but previous attempts have not been particularly convincing, as they do not exactly replicate the genuine pop-ups. The popups have previously been used on fake gaming websites to harvest credentials from the unwary. This kit is different as it is so convincing, and could easily be used to steal credentials and even 2FA codes.

Critical Infrastructure Organizations Targeted by Ransomware Gangs

2019 was a particularly bad year for ransomware attacks, and while there was a reduction in the use of ransomware in 2020, attacks increased sharply in 2021, with the education sector and government organizations the most attacked sectors, although no industry sector is immune to attacks.

There is growing concern about the increase in attacks on critical infrastructure organizations, which are an attractive target for ransomware gangs. According to the data from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), 14 of the 16 critical infrastructure sectors in the United States reported ransomware attacks in 2021, including the defense industrial base, emergency services, healthcare, food and agriculture, information technology, and government facilities. Cybersecurity agencies in the United Kingdom and Australia have also said critical infrastructure has been targeted.

Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks

This week, a warning has been issued by the Federal Bureau of Investigation (FBI), the U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) about ransomware attacks using AvosLocker ransomware.

AvosLocker was first identified as a threat in late June 2021 and despite being a relatively new threat, poses a significant risk. Attacks using the ransomware increased in the latter half of 2021, with spikes in attacks occurring in November and December. Variants of AvosLocker ransomware have now been developed to attack Linux as well as Windows systems.

As is now common, the attackers engage in double extortion and demand payment for the keys to decrypt files and to prevent the release of stolen data. The gang operates a data leak site where a sample of stolen data is uploaded and made accessible to the public. The gang says it then sells the stolen data to cybercriminals if payment is not made. AvosLocker is one of a handful of ransomware operations that also makes contact with victims by phone to encourage them to pay the ransom. The gang is known to issue threats of Distributed Denial of Service (DDoS) to further pressure victims into paying the ransom.

AvosLocker is a ransomware-as-a-service operation where affiliates are recruited to conduct attacks for a percentage of any ransom payments they generate. Consequently, the attack vectors used in attacks depend on the skillsets of the affiliates. Common vulnerabilities are known to be exploited to gain initial access to networks, including vulnerabilities associated with Proxy Shell and unpatched vulnerabilities in on-premises Microsoft Exchange Servers. However, over the past year, spam email campaigns have been a primary attack vector.

Email Filtering Vital for Defending Against Ransomware Attacks

Spam email is a common attack vector used by ransomware gangs. Spam email campaigns are effective and provide low-cost access to victim networks. Phishing and spam campaigns either use malicious attachments or embedded hyperlinks in emails, along with social engineering techniques to convince end users to open the attachments or click the links.

The primary defense against these attacks is email filters. Email filters scan all inbound emails and attachments and prevent malicious messages from being delivered to inboxes. Since cyber actors are constantly changing their lures, social engineering methods, and strategies to bypass email security solutions, it is vital to have an email security solution in place that can respond to changing tactics.

Email security solutions that use artificial intelligence and machine learning to identify and block threats outperform solutions that rely on antivirus engines and blacklists of known malicious IP addresses. SpamTitan incorporates artificial intelligence in addition to blacklists, dual antivirus engines, and sandboxing to identify malicious emails, and has comprehensive threat intelligence feeds to identify new threats rapidly. SpamTitan also provides time-of-click protection against malicious hyperlinks in emails to ensure users are well protected against phishing, malware, ransomware, and other email threats.

Don’t Neglect Security Awareness Training for the Workforce

It is also important to provide security awareness training to all members of the workforce from the CEO down. The FBI and the U.S. Treasury Department recommended in the latest alert to “Focus on cyber security awareness and training,” and “Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).” TitanHQ can help in this regard with SafeTitan – “The only behavior-driven security awareness solution that delivers security training in real-time.”

For more information on improving your defenses against ransomware and other cyber threats, give the TitanHQ team a call to inquire about email filtering, web filtering, and security awareness training for your workforce.

Lapsus Ransomware Gang Ups the Ante with Impresa and NVIDIA Attacks

The Lapsus ransomware gang has arrived on the scene and has already claimed several high-profile targets, with victims including Impresa – the largest media conglomerate in Portugal, Brazil’s Ministry of Health (MoH), the Brazilian telecommunications operator Claro, and most recently, the Santa Clara, CA-based GPU vendor NVIDIA.

The Lapsus ransomware gang – also referred to as Lapsus$ – is a relatively new threat actor and is making a reputation for itself in an already crowded ransomware market. Most ransomware gangs now practice double extortion, where prior to encrypting files they exfiltrate sensitive data and threaten to publish the data if the ransom is not paid. Triple extortion tactics are now becoming common, where threats are also issued to notify shareholders, partners, and customers about attacks. The Lapsus gang has taken things a step further still and is boasting about its attacks and causing major embarrassment for victims.

In January, the Lapsus ransomware gang attacked the Brazilian car rental firm Localiza, which is one of the largest car rental firms in South America. In addition to stealing data and encrypting files, the gang redirected the company’s website to an adult website and publicly announced that the company is now a porn site. The redirection was only in place for a few hours, but it was enough to damage the company’s reputation.

Also in January, Impresa was targeted. Impresa is the owner of SIC and Expresso, the largest TV channel and weekly newspaper in Portugal. The attack targeted Impresa’s online IT servers resulting in company websites being taken offline and the temporary loss of Internet streaming services. The gang defaced the company’s websites by adding their ransom note and claimed they had taken control of Impresa’s Amazon Web Services account. The gang then used the hijacked Expresso Twitter account and sent a tweet stating, “Lapsus$ is officially the new president of Portugal.” The gang also gained access to its newsletter and sent phishing emails to subscribers informing them in the emails that the President of Portugal had been murdered.

On February 25, NVIDIA experienced a cyberattack that saw parts of its IT infrastructure taken offline for a couple of days. NVIDIA announced that it was investigating a security incident, and then the Lapsus gang said it was behind the attack and issued a threat to leak around 1TB of data. The gang published screenshots indicating they had leaked password hashes for NVIDIA employees, source code, and highly sensitive proprietary company information.

There was some good news – the Lapsus gang then experienced its own ‘ransomware’ attack. There have been reports in the media that NVIDIA hacked back and gained access to the attackers’ virtual machine and encrypted its data, although security research Marcus Hutchins offered an alternative view, suggesting this could have been due to the gang installing Nvidia’s corporate agent on their virtual machine and then triggering a data loss prevention policy.

In addition to demanding a ransom, the Lapsus ransomware gang also demanded NVIDIA remove its lite hast rate (LHR) limitations on its GeForce 30 series firmware – which halve the hash rate when it detects the GPUs are being used for mining Ethereum – and also requested NVIDIA commits to completely open source their GPU drivers forever. If the demands are not met, the gang said it will release the complete silicon, graphics, and computer chipset files for its most recent GPUs.

While many ransomware gangs are focused purely on extortion, the Lapsus gang appears to like the limelight and brags about their attacks, which makes attacks by the gang even more serious for victims due to the brand and reputation damage they cause.

The extent of the attack vectors used by the gang is not known, but they appear to have used phishing emails to gain access to some victims’ networks, including the attack on Impresa. Phishing is a popular attack vector in ransomware attacks. Around half of all ransomware attacks start with a phishing email, according to a recent Statista survey. Employees respond to phishing emails and disclose their credentials, which give the attackers the foothold in the network they need for a deeper compromise.

Businesses could be lulled into a false sense of security with the disbanding of major ransomware operations and arrests of key gang members. The REvil ransomware gang may be no more, and DarkSide has been shut down, but other ransomware gangs are more than happy to plug the gap. Lapsus only announced its presence on the scene at the start of the year but is already growing into a major threat.

The best defense against Lapsus ransomware attacks and other cyberattacks is to adopt a defense-in-depth strategy. That should include an advanced spam filtering solution to block email phishing attacks, content filtering to prevent employees from visiting malicious websites, multi-factor authentication on all email accounts and local/cloud apps, ensuring patches and software updates are applied promptly, and providing ongoing security awareness training to the workforce to help employees identify and avoid phishing and social engineering attempts.

TitanHQ can help organizations improve their defenses against the full range of cyberattacks by providing advanced cybersecurity solutions for SMBs, enterprises, and Managed Service Providers, including spam filtering, DNS filtering, email encryption, email archiving, and security awareness training.

LinkedIn Phishing Attacks Soar as Scammers Take Advantage of “The Great Resignation”

Microsoft may be the most impersonated brand in phishing attacks, but the impersonation of LinkedIn is also common and there has been a massive increase in phishing attacks spoofing the professional networking platform in recent weeks.

LinkedIn is an ideal brand to impersonate in phishing attacks and now is the perfect time to be running phishing campaigns due to the Great Resignation. For those unaware of the term, the Great Resignation is a phenomenon where record numbers of employees quit their jobs. The term was coined in May 2021 by Professor Anthony Klotz of Texas A&M University, who predicted that when the pandemic ends there will be a mass exodus of people leaving their jobs.

While there were mass layoffs as a result of the pandemic, many workers who retained their jobs chose not to leave due to the uncertainty of the job market, but now many workers who are not living from paycheck to paycheck are reconsidering their positions. There has certainly been an upward trend in workers voluntarily leaving their jobs since the start of 2021, indicating the great resignation has begun.

LinkedIn is used by job seekers to identify contacts, network, research companies, and find new employment opportunities. A phishing email that spoofs LinkedIn and indicates a potential employer has been reading a user’s profile, shows a message has been sent through the platform, or advises the user about a new job opportunity is likely to be clicked.

LinkedIn phishing campaigns are helped by the regular email communications from LinkedIn advising users of the platform of the number of searches they appeared in, new messages, and alerts about jobs. That means that users of the platform are used to receiving regular communications from the platform, so if a phishing email is received that looks exactly like a LinkedIn communication, there is likely to be less scrutiny of the email that there would be of an email from a platform that rarely communicates with users via email.

The latest LinkedIn phishing campaign uses HTML templates that include the LinkedIn logo and the color scheme used in official LinkedIn communications. The emails also have the same footer as genuine email communications from the platform, including the correct address and unsubscribe option. The display name is spoofed to make it appear as if the emails are official communications; however, closer inspection will reveal the emails have been sent from webmail addresses.

The phishing emails include subject lines such as “Who’s searching for you online”, “You Have 1 New Message,” and “You appeared in 4 searches this week,” exactly mirroring official LinkedIn emails and they also reference well-known companies such as American Express and Tesla to make it appear that the user is being headhunted by a major corporation. The emails have an HTML button to click that will direct the user to a website where LinkedIn credentials are harvested.

LinkedIn phishing campaigns can be highly effective, but as with all phishing scams, there are ways of blocking the attacks. The first is to ensure that an advanced email security solution is deployed to block the phishing emails at the gateway to prevent them from being delivered to inboxes. SpamTitan Plus uses machine learning techniques and predictive analysis to identify suspicious URLs in emails and provides time-of-click protection. If a link is found to be unsafe, a user will be presented with a block page containing additional information and further options.

SpamTitan Plus has 100% coverage of all current market-leading anti-phishing feeds, a 1.5X increase in unique phishing URL detections, and 1.6X faster phishing detections than the current market leaders, with 10 million net new, previously undiscovered phishing URLs added to the solution every single day.

It is also important to provide security awareness training to the workforce to teach employees how to identify phishing emails and to encourage following email security best practices. TitanHQ has created SafeTitan security awareness training to help train the workforce to be security titans. SafeTitan provides behavior-driven security awareness training tailored for the behaviors of individual employees, includes an extensive library of training courses, videos, and quizzes, and provides real-time intervention training combined with simulated phishing attacks. The solution is proven to reduce employee susceptibility to phishing attacks by up to 92%.

For more information on SpamTitan Plus and SafeTitan security awareness training, give the TitanHQ team a call and take the first step toward improving your defenses against phishing attacks.

BEC Scammers Use Virtual Meeting Platforms to Trick Employees into Making Fraudulent Wire Transfers

Business Email Compromise (BEC) is the leading cause of financial losses to cybercrime. The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 19,369 complaints about BEC scams in 2020, resulting in adjusted losses of $1.87 billion. While BEC crime ranked number 10 based on victim count, it topped the list in terms of the losses sustained by victims, with three times as much lost to the scams as the second-biggest loss to cybercrime – Confidence/romance fraud.

Business Email Compromise scams usually start with a phishing attack to gain access to email credentials. The attackers seek the credentials of the CEO, CFO, or another executive, and either target those individuals directly with spear phishing emails or compromise the email accounts of lower-level employees and use their email accounts to send phishing emails to the targeted individuals. Once the right credentials have been obtained, the executive’s email account is used to send messages to individuals responsible for wire transfers to trick them into making substantial wire transfers to attacker-controlled bank accounts. While these scams require planning and research, the time spent setting up the scams is well spent, as BEC attacks are often successful.

While BEC scams are usually conducted via email, BEC scammers are increasingly using virtual meeting platforms such as Microsoft Teams and Zoom in their scams. The scammers have taken advantage of the increase in remote working due to the pandemic and the popularity of virtual meeting platforms for communication and collaboration.

Once the scammers have access to the CEO’s email account, they identify their next target and send a request for a virtual meeting. When the target connects to the meeting, the scammer explains that they are having problems with their audio and video, so the meeting proceeds with the scammer on text chat. Oftentimes they will insert a picture of the CEO for added realism. The scammer then provides a reason for the out-of-band request, then asks the employee to make a wire transfer, either in the meeting or after the meeting via email.

The FBI has recently issued a warning to businesses about the increase in the use of virtual meetings for BEC scams, having observed an increase in the use of these platforms for BEC scams between 2019 and 2021. Scammers are also compromising employee email accounts and are inserting themselves into work meetings to gather information about the day-to-day processes at businesses. Since the scammers use genuine email accounts to connect, and audio/visual problems are relatively common, they are able to gather information and steal funds without being detected. The scammers also use compromised CEO email accounts to send emails to employees claiming they are stuck in a virtual meeting and unable to arrange an important wire transfer and ask an employee to initiate the transfer on their behalf.

There are several steps that businesses can take to improve their defenses against BEC attacks. Defending against these attacks should start with an advanced email security solution to block the phishing attacks that allow scammers to gain access to email accounts. SpamTitan has industry-leading detection of phishing URLs in emails and can prevent employees from visiting the web pages where credentials are harvested.

Security awareness training is important as some malicious emails bypass all spam filters. Employees need to be trained on how to identify scam emails. Security awareness training is concerned with creating a ‘human firewall’ to augment technical defenses and should make employees aware of BEC scams and how to identify scam emails from internal email accounts. TitanHQ has recently launched a new security awareness platform called SafeTitan to help businesses with training. SafeTitan is the only behavior-driven security awareness platform that provides real-time training to deal with threats targeting employees.

It is also recommended to implement policies and procedures that require secondary channels or two-factor authentication to verify requests for any changes to account information or atypical requests for bank transfers.

Phishing Campaign Uses CSV Email Attachments to Deliver BazarBackdoor Malware

If you provide security awareness training to the workforce, you will no doubt have highlighted the risk of opening Microsoft Office email attachments, especially when sent from unknown individuals. Microsoft Office files can include macros, which if allowed to run, can silently deliver malicious payloads. Comma-separated values (CSV) files are often not viewed as malicious, as they are simple text files, but a campaign has been identified by security researcher Chris Campbell that uses CSV files to deliver BazarBackdoor malware.

BazarBackdoor is a fileless malware that is believed to have been created by the threat actors behind the TrickBot banking Trojan. BazarBackdoor is used as the first stage of an attack that provides threat actors with remote access to an infected device, which can be leveraged to conduct more extensive compromises and deliver other malicious payloads. BazarBackdoor is fileless malware, which makes it difficult to detect. It resides in the memory, does not touch the hard drive, and does not leave a footprint.

Throughout the pandemic, BazarBackdoor has been delivered using COVID-19-themed and business-related lures via embedded hyperlinks in emails. The links direct users to a web page where they are tricked into downloading and running an executable file. The landing pages often claim to be web-hosted PDF, Word, or Excel files. When the file is downloaded and executed, it delivers BazarBackdoor malware. The latest campaign is a departure from the typical method of malware delivery and is one that could easily fool users as CSV files are often viewed as benign.

CSV files are often used to transfer data between different applications, such as databases and spreadsheets. A CSV file contains text separated by commas, with each comma denoting a new column and each line denoting a new row. Since a CSV file is a text file, it cannot contain any macros and cannot, by itself, execute any malicious code; however, that does not mean CSV files are entirely benign, as this latest campaign demonstrates.

The issue is not the CSV file itself, but a feature of Microsoft Excel that allows CSV files to be used in a malicious way. Excel supports Dynamic Data Exchange (DDE), which is a message-based protocol for sharing data between applications running under Windows systems. DDE can be used to execute commands that have their output inputted into an open spreadsheet, including CSV files.

The CSV files used in this campaign are like any other, with data separated by commas; however, the file includes a WMIC call that launches a PowerShell command. If the CSV file is opened using Excel – on most devices CSV files are associated with Excel – DDE uses WMIC to create a PowerShell process, which opens a remote URL that uses PowerShell to download a .jpg file, which is saved as a DLL file and executed using rundll32.exe. The DLL file installs BazarLoader, which in turn downloads and executes BazarBackdoor. If the CSV file is opened in Excel, two warnings will be generated, but users may ignore those warnings, and it would appear many have done so.

Since BazarBackdoor and other fileless malware are difficult to detect, the key to protecting against campaigns such as this is to block the threat before the malware can be delivered, which requires a combination of technical measures and end user training.

The lures and techniques used to deliver malware via phishing emails are diverse and new methods are constantly being developed to fool end users and email security solutions. While the use of Office files for delivering malware is common, other files can also be used so it is important to teach employees to be wary of any email file attachment and to never ignore any security warnings. An advanced email security solution is required to identify malicious email attachments, but antivirus engines alone will not block threats such as this. Email security solutions that include sandboxing are important. Suspicious email attachments are opened in the sandbox and are subjected to in-depth analysis. It is also recommended to also use a web filter to block access to malicious websites and control the files that can be downloaded to users’ devices.

If you want to improve your defenses against email- and web-based cyber threats, give the TitanHQ team a call. TitanHQ has developed advanced, effective, and easy-to-use cloud-based cybersecurity solutions for SMBs, enterprises, and managed service providers to protect against all email- and web-delivered threats. You may be surprised to discover how little it costs to implement these solutions and ensure malware and phishing threats never trouble your business.

How to Protect Against Redline Malware and Other Email Malware Threats

Cyberattacks are now being reported at an incredible rate, with many of those attacks having devastating consequences for small- and medium-sized businesses. According to Cybersecurity Ventures, around 60% of small- to medium-sized companies go out of business within 6 months of suffering a data breach. Cyberattacks are becoming much more sophisticated, but oftentimes these incredibly damaging attacks are not conducted by highly skilled hackers. The bar for conducting these attacks can be incredibly low, which means anyone with a modicum of skill can conduct attacks and profit. One of the ways that would-be hackers can start conducting attacks is by taking advantage of the many ransomware-as-a-service and malware-as-a-service offerings on hacking forums and darknet marketplaces. Take Redline malware for example.

Redline malware is a commodity information stealer that is easily obtained on hacking and cybercrime forums. The malware costs between $100-$200, and payment can be made anonymously using cryptocurrencies. At such a low price it is available to virtually anyone, and conducting attacks requires little effort or skill.

The Redline stealer was first identified in March 2020 and soon became one of the most prevalent malware threats with the number of attacks continuing to grow. Redline malware has been used in attacks on a wide range of businesses, with the manufacturing and healthcare sectors two of the most commonly attacked sectors.

Redline malware has been updated several times since it first emerged, with new features added such as the ability to exfiltrate credentials, steal cryptocurrency wallets, FTP authentication data, passwords stored in browsers, and gather information about the infected system. It is also capable of loading remote payloads and uses a SOAP API for C2 communication. One successful attack could see the attacker recover the purchase cost many times over.

Like many other malware variants, the most common method of delivery is email. Emails are broadcast using huge mailing lists, which can also be purchased at a low cost on cybercrime forums.  Alternatively, more targeted campaigns can be conducted on specific businesses, with the emails often having a much higher chance of success due to the personalization of the emails.

The emails usually contain a malicious hyperlink and use social engineering techniques to trick employees into clicking. When the link is clicked, the binary file is downloaded and installed on the user’s device. While antivirus software should identify and block the malware threat, there have been many cases where AV engines have failed to detect the malware.

Redline malware will obtain a list of processes running on an infected device, including the security solutions in place. Attackers can interact with the malware remotely and view information about the infected system, can create and download remote files, silently run commands on an infected machine, and steal highly sensitive information. One of the biggest threats is the ability to steal data from browsers, including passwords stored in the Chrome, Edge, and opera browsers.  Most browsers encrypt stored passwords, but Redline malware can programmatically decrypt the password store in Chromium-based browsers, provided they are logged in as the same user. Redline malware runs as the user that infected the device and can steal that user’s passwords from their password file.

Not everyone stores their passwords in their browser, but there is still a threat. When the browser suggests storing a password and the request is refused, a record is kept about that refusal so a further request will not be suggested next time the user visits that particular website. That record can be stolen from the browser, so the attacker will discover what accounts the user has and can then conduct phishing campaigns to obtain the passwords or use credential stuffing attacks. Much of the data stolen in redline malware attacks can easily be monetized on cybercrime forums.

Malware-as-a-service has opened up cyberattacks to a much broader range of individuals, but ultimately the attacks depend on employees being tricked into clicking links in emails or opening infected email attachments. Blocking those emails is the best approach to blocking the malware threats, which is where SpamTitan is invaluable.

SpamTitan Plus includes 100% of all current market-leading anti-phishing feeds. That translates into a 1.5x increase in phishing URL detections and 1.6x faster phishing detections than the current market leaders. 10 million net new, previously undiscovered phishing URLs are identified every day, and it takes just 5 minutes from a phishing URL being detected to all end users’ inboxes being protected. Time-of-click verification of links in emails involves multiple dynamic checks of redirects and there are dual anti-virus engines and a Bitdefender-powered sandbox to identify any malicious files attached to emails.

If you want to protect against malware and phishing attacks and ensure your company does not suffer an incredibly damaging cyberattack and data breach, give the TitanHQ team a call for more information on SpamTitan.

Study Sheds Light the Employees Most Likely to Fall for Phishing Scams

Phishing is the attack vector of choice for many cybercriminals. Attacks are easy to perform, they are often successful, and they provide the foothold in business networks that is required for more extensive compromises. The best defense against phishing is to implement a technological solution – a spam filter – to prevent phishing emails from reaching inboxes. If phishing emails are blocked at the email gateway, they will not arrive in inboxes where they can fool employees.

End-user training is also important, as no spam filter will block all malicious emails. A recent large-scale study has been conducted to determine whether end-user training and phishing warnings are effective, how vulnerability to phishing attacks evolves over time, which employees are most likely to fall for a phishing scam, and whether employees can actually play an important role in phishing email detection, The results of the survey are interesting and provide insights into susceptibility to phishing attacks that can be used by businesses to develop effective employee training programs.

The study was conducted on 14,733 participants by researchers at ETH Zurich and over a period of 15 months and involved another company sending phishing email simulations to see who opened the messages and who clicked on links in the emails. The employees that were tested had no knowledge that simulations were being conducted to make the simulations closely mirror real-world phishing attacks.

Book a free SafeTitan Security Awareness Training demonstration with an expert.
Book Free Demo

There were notable differences in susceptibility to phishing attacks with different age groups, with younger employees more likely to respond to the phishing emails than all other age groups. 18- and 19-year-olds were by far the most likely age group to fall for phishing emails, with the over 60s the least likely. From ages 20 to 59, the percentage of dangerous actions taken in response to phishing emails increased for each age group, with 20- to 29-year olds the least likely to take dangerous actions.

Individuals who are not required to use computers for their day-to-day jobs might be considered to be most at risk of falling for a phishing scam, but that was not the case. Infrequent computer users were the least likely to fall for the scams followed by frequent users, with individuals who use specialized software for repetitive tasks the most susceptible to phishing emails.

In this study, men and women were found to be equally susceptible to phishing emails across the entire study. This contrasts with several other studies that suggest there is a gender bias, with women less likely to fall for phishing scams than men. However, there were differences between the genders when combined with the frequency of computer use data. Men who use specialist software to automate tasks were the most likely to fall for phishing emails, followed by women who used specialist software, then women who are frequent users of computers, and men who are infrequent users. Female infrequent users were the least likely to fall for phishing scams.

The study confirmed the findings of several others in that some individuals are prone to respond to phishing emails. After responding to one simulated phishing email they would go on to respond to more. 30.62% of individuals who clicked on one phishing email were repeated clickers, and 23.91% of individuals who took dangerous actions such as enabling macros in email attachments did it on more than one occasion. These findings show the importance of conducting phishing email simulations to identify weak links who can receive additional training.

Behaviour driven security awareness platform that delivers security training in real-time.
Book Free Demo

Phishing simulations are often conducted by businesses to test the effectiveness of their training programs, but one notable finding was that voluntary training when a simulated phishing email attracted a response was not effective. In fact, not only was this not effective, it appeared to make employees even more susceptible to phishing emails.

Another interesting finding related to adding warnings to emails. When warnings about potential phishing emails, such as emails coming from an external email address, were included in emails, employees were less likely to be duped. However, the lengthier the warning, the less effective it is. Detailed warnings were less likely to be read and acted upon.

When a phishing email reporting option was added to the mail client, employees often reported phishing emails. This feature involved a phishing email button that sent a warning to the IT team. There did not appear to be any waning of reporting over time, with employees not appearing to suffer from reporting fatigue. A few reports would be submitted within 5 minutes of an email arriving, around 30% of reports were within 30 minutes, and over 50% came within 4 hours. The reports could give IT security teams time to take action to remove all instances of phishing emails from the mail system or send warnings to employees.

Free SafeTitan Security Awareness Training demonstration with an expert. Ask any questions.
Book Free Demo

What the study clearly demonstrated is that even employees who are adept at identifying phishing emails are likely to fall for one eventually, so while security awareness training is important, having an effective spam filtering solution is vital. Even individuals who were regularly exposed to phishing emails were eventually duped into clicking a phishing link or taking a dangerous action. Across the entire study, 32.1% of employees clicked on at least one dangerous link or opened a potentially dangerous email attachment.

Personal and Health Information of 398K Patients Exposed in Mon Health Phishing Attack

Healthcare data carries a high value on the black market as it can be monetized in a variety of ways. One of the main methods used to gain access to the healthcare networks where patient data are stored is phishing emails. Phishing emails are also a leading vector for malware delivery, and initial access brokers often target healthcare providers with phishing emails to steal credentials, then provide access to healthcare networks to ransomware gangs.

This month, a major phishing attack was reported by Morgantown, WV-based Monongalia Health System (Mon Health) which affected two of its hospitals. Hackers sent phishing emails to Mon Health employees, with the responses to those messages providing the hackers with the credentials they needed to access corporate email accounts. Those email accounts contained the personal and protected health information of patients and employee information. Notification letters have recently been sent to 398,000 individuals affected by the attack.

While healthcare data is valuable, this phishing attack was conducted for another reason, although it is possible healthcare data were stolen by the attackers. This attack was what is commonly referred to as a business email compromise (BEC) attack.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

BEC attacks can involve the theft of sensitive data but they are most commonly conducted to trick individuals responsible for making wire transfers into making fraudulent transfers to attacker-controlled accounts or to change payroll details to get direct deposits of salaries paid into the attacker’s account.

BEC attacks often start with a phishing email. Once access is gained to an employee’s account, phishing emails are sent to other employees to compromise more accounts. When the required accounts are compromised, the account owner is impersonated and an email is sent to an individual responsible for wire transfers that requests a change to bank account information on file.

In this attack, the attackers gained access to a contractor’s email account that was used to change payment details. Since the email requesting the payment details change came from a legitimate and trusted email account, the change was made and the attack went undetected. The BEC attack was detected when a payment issue was reported, and it was confirmed that the payment had left Mon Health’s account.

Mon Health is far from the only U.S. healthcare organization to suffer an attack such as this. Also this month, Florida Digestive Health Specialists started notifying 212,000 patients about an email breach that occurred in December 2020. Again, the attack was conducted to try to divert payments to an attacker-controlled account. In this case, the process of checking every email and attachment for sensitive patient data took 11 months.

These attacks risk the loss of funds through fraudulent transfers, but even if patient data are not stolen, the Health Insurance Portability and Accountability Act (HIPAA) requires patients to be notified, and usually, it is necessary to offer complimentary credit monitoring and identity theft protection services to affected patients. Those costs, in addition to the investigation and mitigation measures, can be substantial.

Once an employee email account has been compromised it can be difficult to detect and block an attack, and recovering funds after they have been transferred may not be possible unless the fraudulent wire transfer is detected quickly. The key to blocking these attacks and preventing losses is to prevent the phishing emails from reaching employee inboxes, to provide training to the workforce to help employees identify phishing emails that are delivered, and to implement multifactor authentication on email accounts to make it harder for stolen credentials to be used to access accounts.

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

SpamTitan Gateway and SpamTitan Cloud are two excellent choices for businesses looking to improve their defenses against phishing attacks. The solutions block more than 99.97% of spam and phishing emails from reaching inboxes, and also include outbound scanning to help identify compromised mailboxes. SpamTitan Plus, a new phishing solution released this month, takes protection to another level. SpamTitan Plus includes all major phishing feeds and has faster and better detection of malicious URLs in emails than any of the current market-leading anti-phishing solutions.

If you want to improve your defenses against phishing and BEC attacks, give the TitanHQ team a call for further information on the SpamTitan suite of products.

Hijacked Email Threads with Malicious Links to Fake PDF Files Used to Distribute the Emotet Trojan

The Emotet botnet was one of the largest ever seen and certainly one of the most dangerous. Phishing emails were used to infect devices with Emotet malware, which added the devices to the botnet. The operators of Emotet then sold access to other threat actors such as ransomware gangs. The botnet was shut down by an international law enforcement effort and the cleanup operation saw the malware removed from all infected devices. While that severely disrupted the Emotet operation for several months, the botnet is now back with a vengeance.

The TrickBot Trojan was one of the malware variants downloaded by Emotet, but it was used in the early stages of rebuilding the Emotet botnet, with the two malware operations completely reversing roles. The Emotet botnet has been rapidly rebuilt and is being used once again to infect victims’ devices with malware Qbot. Emotet is no longer relying on TrickBot to infect devices.

Emotet is once again being distributed by hijacking email threads and sending messages that appear to a reply to a previous conversation. While this method has previously seen malicious attachments added to those threads, according to Bleeping Computer a new tactic is now being used. A malicious hyperlink is inserted into the message threads that appears to be a link to a PDF file hosted on a remote server. In one example, “Please see attached and thanks” was inserted along with a hyperlink in response to a previous conversation.

If the link is clicked, the user is directed to what appears to be a shared document on Google Drive, where the user is asked to click the link to preview the PDF file. However, clicking the link attempts to open an appinstaller file hosted on Microsoft Azure. The user is required to accept the appinstaller prompt, which appears to be attempting to install an Adobe PDF component with permissions to use all system resources.

The package has a valid certificate and includes the Adobe PDF logo, but it will install a malicious appxbundle that will infect the user’s device with the Emotet Trojan. Emotet will then download other malicious payloads, which often lead to a ransomware attack. The Cryptolaemus group, which tracks and reports on Emotet activity, says the new URL-based lures are being used in addition to the standard Emotet tactics of distributing the malware using .zip and .docx email attachments.

The Emotet botnet has been rebuilt at a tremendous pace and there has been a massive increase in Emotet activity in the past few days. Malwarebytes detected a major spike in activity on November 26 and abuse.ch reported an even bigger spike on December 1, when 447% more malicious sites were being used to distribute the malware than in early November. Emotet has once again grown into a significant threat and its infrastructure has been upgraded to make it even more resilient and prevent any further takedown attempts by law enforcement. It is looking like the Emotet botnet is back and stronger than it was before the takedown.

So how can businesses protect against Emotet? End user training is important, but the tactics used by the Emotet gang are effective and fool many users into starting the infection process. The key to protection is to block the phishing emails that are the initial attack vector and that requires an advanced spam filtering solution.

TitanHQ has recently launched a new product – SpamTitan Plus – with significantly improved protection against malicious links which, coupled with dual antivirus protection and sandboxing, can protect against phishing and malware threats delivered by email.

To find out more about how TitanHQ solutions can protect your business against malware, phishing, and ransomware attacks, give the TitanHQ team a call.

UK Omicron Phishing Campaign Takes Advantage of New WHO Variant of Concern

A new Omicron phishing scam has been detected in the UK that spoofs the NHS and attempts to steal personal and financial information using a free COVID Omicron PCR test as a lure. The campaign is likely to be one of many taking advantage of fears about the latest SARS-CoV-2 variant of concern.

COVID-19 phishing scams have been a regular feature of the pandemic, so it is no surprise that the latest turn of events has triggered a wave of new phishing emails. The emergence of Omicron, a variant of concern that has the potential to escape the protections provided by COVID-19 vaccines, has naturally alarmed scientists and the general public alike and has created an opportunity for phishers.

Phishers use fear and urgency in their phishing scams to convince people to take an action that they would otherwise not do. The emergence of the Omicron variant has already generated fear, and the phishers are providing a solution. The Omicron phishing campaign was detected in the United Kingdom and impersonates the National Health Service (NHS). The emails offer a newly developed COVID-19 PCR test that is able to detect infection with the Omicron variant. The campaign is being conducted via email and text message, but this approach could easily be conducted by telephone.

SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

One of the intercepted phishing emails tells the recipient that “NHS scientists have warned that the new Covid variant omicron spreads rapidly, can be transmitted between fully vaccinated people, and makes jabs less effective,” echoing the current fears of scientists. The email goes on to say, “However, as the new covid variant (Omicron) has quickly become apparent, we have had to make new test kits as the new variant appears dormant in the original tests.”

In order to receive the new test, the victim must click on a hyperlink in the email and will be directed to a webpage that spoofs the NHS patient portal. They are asked to enter their personal information, including their name, address, date of birth, contact telephone numbers, and email address. The NHS is a free healthcare service; however, the scammers request payment to cover postage costs. In order to pay the £1.24 delivery charge, the phishing page asks for bank account/credit card information and mother’s maiden name.

As is common in phishing campaigns, emails also include a threat. In a section titled, “What happens if you decline a COVID-19 Omicron test?”, victims are told that they will be required to isolate. While the emails contain red flags, such as multiple spelling and grammatical errors, the NHS branding and email address used to send the messages – contact-nhs[@]nhscontact.com – may be enough to convince people that the request is legitimate.

The success of this Omicron phishing scam depends on people taking action without carefully considering what they are being asked to do. While Omicron is a genuine cause of concern, always stop and think about any request for sensitive information via email, text message, social media messages, or phone calls. Official messages from the NHS will be free of spelling mistakes and the NHS will never ask for payment for sending COVID-19 tests.

While this Omicron phishing scam targets individuals, many COVID-19 phishing campaigns have targeted businesses and attempt to either obtain credentials or deliver malware. Businesses need to ensure they implement an anti-phishing solution that is capable of identifying and blocking phishing emails.

Even greater protection against phishing attacks. Book a free SpamTitan Plus demo.
Book Free Demo

TitanHQ has developed a suite of cybersecurity solutions to protect businesses from cyberattacks such as phishing, with the latest solution – SpamTitan Plus – providing even greater protection against phishing attacks. SpamTitan Plus includes additional measures to improve malicious URL detection along with time-of-click protection to prevent employees from visiting the malicious websites linked in phishing emails.

If you want to improve protection against phishing attacks and the full range of email threats, contact TitanHQ today for more information on the best phishing solution to meet the needs of your business.

Warning Issued About Brand Phishing Attacks and the Widespread Availability of Scampage Tools

The Federal Bureau of Investigation (FBI) has issued a warning about an increase in spear phishing campaigns impersonating big name brands. Brand phishing is incredibly common and is an effective way of getting individuals to disclose sensitive information such as login credentials or install malware.

Brand phishing abuses trust in a brand. When individuals receive an email from a brand they know and trust, they are more likely to take the action requested in the email. Brand phishing emails usually include the logo of the targeted brand, and the emails use the same message formats as genuine communications from those brands. Links are usually included to malicious web pages that are often hidden in buttons to hide the true destination URL.

If a user clicks the link, they are directed to an attacker-controlled domain that similarly uses branding to fool the victim and make them think they are on the genuine website of the spoofed brand. These webpages include forms that harvest sensitive data. Alternatively, malicious files may be downloaded, with social engineering techniques used to trick victims into opening the files and installing malware.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

Cyber threat actors are offering scampage tools on underground marketplaces to help other cybercriminals conduct more effective phishing campaigns. These scampage tools are offered under the product-as-a-service model and allow individuals to conduct convincing phishing campaigns, even people who do not possess the skills to conduct phishing campaigns. With phishing opened up to would-be cybercriminals, the threat to individuals and businesses increases.

The FBI says the scampage tools now being offered can recognize when individuals use their email address as their login ID for a website. Websites require a unique username to be provided when creating an account, and many use an individual’s email address as their username by default.

The scampage tools can identify when a user has set their email address as their username, and when that is detected, they will be directed to a scampage for the same email domain. The user is required to enter their password to log in, which will allow the threat actor to obtain the password and access the victim’s email. With access to the email account, attackers can intercept 2-factor authentication codes, thus bypassing this important control mechanism. With 2FA codes, the attacker will be able to gain access to accounts and make changes, including updating passwords to lock users out of their accounts or change security rules before the owner of the account can be notified.

“Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers,” said the FBI in its public service announcement. “Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.”

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

To counter the threat, businesses should implement an advanced spam filtering solution to block phishing emails and prevent them from being delivered to employee inboxes. Password policies should be created that require strong passwords to be set, and checks performed to ensure commonly used or weak passwords cannot be set on accounts. Employees should be told to never reuse passwords on multiple accounts and to ensure that all business accounts have unique passwords. Security awareness training should be provided to the workforce to teach email security best practices and train employees on how to identify phishing emails and other scams.

Given the increase in the use of scampage tools, if there is the option, users should set a unique username for an account that is not associated with their primary email address. 2-factor authentication should be configured, and where possible, a software-based authenticator program should be used or a USB security key as the second factor. Alternatively, provide a mobile number for a 2FA code and avoid using a primary email address to receive 2FA codes. If an email address is required, it is best to use an alternative email account.

LinkedIn Phishing Attacks on the Rise

There has been an increase in LinkedIn phishing scams of late that attempt to trick professionals into installing malware, disclosing their login credentials, or providing sensitive information that can be used to create convincing spear phishing emails.

Watch Out for LinkedIn Phishing Attacks!

Many professionals rely on LinkedIn for getting new business and finding employment. The professional networking platform has proven to be incredibly popular and, being business-related, notifications from the platform are less likely to be turned off, as they often are with social media networks such as Facebook.

A notification from LinkedIn could be a prospective client, a potential job opportunity, or an opportunity to grow your network but LinkedIn notifications may not be what they seem.

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

Common LinkedIn Phishing Scams

LinkedIn phishing attacks can take many forms and are conducted to achieve a variety of objectives. One common denominator in LinkedIn phishing emails is the use of LinkedIn logos and color schemes to make it appear that the notifications are genuine.

One of the most common scams involves messages that appear to have been sent via the professional networking platform from an individual looking to do business with a company. The emails include buttons that appear at face value to direct a user to LinkedIn, yet the destination URL is different. The landing page displays the LinkedIn login box, which has been scraped from the genuine website. The scam aims to steal LinkedIn credentials, which can be used to hijack accounts and conduct scams on the user’s connections. These scams can be identified quite easily by checking the destination URL in the message before clicking. If a link is clicked, always check the URL in the address bar before attempting to log in to ensure you are on the genuine LinkedIn website.

There has been an uptick in another type of LinkedIn phishing scam of late. Standard LinkedIn email templates, such as information about the number of profile views a user has received and the number of searches they have appeared in are common. As with the previous scam, while the messages look genuine, the hyperlinks in the messages do not direct the user to the LinkedIn website, instead they direct them to URLs hosting phishing kits. The landing pages use a variety of ruses to get the user to disclose sensitive information. One common scam is an online survey that asks a series of questions to obtain information that can be used to create convincing spear phishing emails.

Scammers often create fake profiles in an attempt to trick platform users into thinking they are conversing with a genuine user. These profiles tend to be used in targeted attacks for cyberespionage purposes. These attacks often see the scammer engage in conversations with the targets to build trust, before tricking them into visiting a malicious website or opening an emailed document that installs malware. These scams can be more difficult to identify than the previous two scams, although there are clues that this is a scam. Always check the profile of any potential connection. Fake profiles often have incomplete or inconsistent information, suspiciously low numbers of connections, and odd connections given the individual’s claimed job. Even if the profile appears genuine, you should always be wary of any links or documents that are shared.

See how SpamTitan Plus inspects all URLs to identify links to malicious websites. Book a free demo.
Book Free Demo

A Spam Filtering Solution Could be Your Savior!

Some of the scams are easy to identify, but many are very realistic and have convincing lures that can be difficult to distinguish from genuine emails. These scams fool many people into disclosing sensitive information or installing malware, even individuals who believe they are security-aware and would not be fooled by phishing scams. Vigilance is the key to identifying the scams but an advanced spam filtering solution will ensure that you are not troubled by these scam emails and phishing attempts.

Businesses that rely on the basic spam protections provided with the Microsoft 365 license should consider investing in a more advanced spam filtering solution, as many phishing emails bypass the Exchange Online Protection (EOP) mechanisms provided free with Microsoft 365 accounts.  For greater protection, consider a spam filtering solution such as SpamTitan, which augments Microsoft 365 defenses and will better protect you against phishing attacks.

For more information about SpamTitan and how it can protect you and your employees from phishing attacks, botnets, viruses, malware, and ransomware attacks, give the TitanHQ team a call or sign up for the free trial and find out for yourself the different SpamTitan makes.

TrickBot Infrastructure Being Used to Rebuild the Emotet Botnet

At the start of 2021, a Europol and Eurojust-led operation involving law enforcement agencies in 8 countries successfully took down the infamous Emotet botnet. The botnet consisted of an estimated 1.6 million devices worldwide that had been infected with the Emotet Trojan.

The Emotet Trojan first appeared in 2014 and was originally a banking trojan, although it evolved into a malware downloader that was rented out to cybercrime gangs under the malware-as-a-service model. The botnet was used to give those threat actors a foothold in victims’ environments and allowed them to install malware such as IcedID, QakBot, and TrickBot. Those malware variants were then used to deliver ransomware such as Conti and Ryuk.

Emotet posed a massive threat to businesses worldwide prior to its takedown. In addition to being a malware distribution tool, the botnet was used to launch Distributed Denial of Service (DDoS) attacks and largescale spamming campaigns against high-profile targets around the world.

The Emotet botnet was controlled by a network of hundreds of servers worldwide. The takedown, which occurred on January 27, 2021, saw its infrastructure taken over by law enforcement. On April 25, 2021, law enforcement in Germany launched a cleanup operation that added a module that removed the Emotet Trojan from victims’ systems. 2 individuals were arrested who were suspected of involvement in maintaining the botnet, and in the weeks and months that followed no Emotet activity was detected. However, that has now changed.

The Emotet Botnet is Back

Law enforcement took control of the command-and-control infrastructure of Emotet and removed the Emotet Trojan from all infected devices, and while that was sufficient to kill the botnet, it was not enough to prevent its return. Researchers at GData, Advanced Intel, and Cryptolaemus have all discovered instances where the TrickBot Trojan has delivered an Emotet loader.

The Emotet botnet operators have previously worked with the threat actors behind the Trickbot Trojan, using their botnet to grow the TrickBot botnet. That process is now happening in reverse. A new version of the loader and Emotet Trojan have been created and it appears that the Emotet botnet is being reconstructed from scratch.

At this stage, there are relatively few devices infected with Emotet but that is not likely to remain the case for long. Around 246 devices are known to have had the Emotet Trojan installed, and they are being used as its command-and-control infrastructure at present.

Emotet was known for conducting malspam campaigns to grow the botnet, and spamming campaigns have already been detected using several different lures and a variety of attachments. Spam emails spreading Emotet have used Word files and Excel spreadsheets with malicious macros, and to prevent analysis by email security solutions, some emails have used password-protected zip files. Some of the lures detected by security researchers in the first campaigns include notifications about canceled dental insurance, Cyber Monday and Black Friday sales, notifications about canceled meetings, and requests for political party donations.

How to Protect Against Infection with Emotet

Protecting against Emotet involves implementing measures that also protect against TrickBot infections. Since both Emotet and TrickBot are extensively delivered via malspam emails, implementing an advanced email security solution is a good place to start.

One of the most effective tactics used by the Emotet gang was hijacking message threads. This involves sending replies to previous message conversations and adding a malicious hyperlink or infected email attachment. Since the messages were sent from email accounts known to the recipient, links were often clicked, and attachments opened.

Security awareness training often teaches employees to be suspicious of unsolicited messages from unknown individuals. It is important to make employees aware that malicious emails may also come from known individuals and to warn employees that hijacked message threads are used to deliver malware. Security awareness training can be effective, but it is nowhere near as effective as technical solutions that block malicious messages.

Security can be improved by choosing an email security solution with outbound email scanning. This feature will scan outgoing messages to detect compromised email accounts, allowing security teams to take prompt action to isolate infected devices. You should also ensure that your email security solution includes sandboxing in addition to antivirus engines, as the latter can only detect known malware variants. Attachments that pass standard AV scans are sent to a sandbox where they are subjected to in-depth analysis to identify malicious actions.

These features and many more are included in SpamTitan from TitanHQ. SpamTitan is effective at blocking the full range of email-based threats and is easy to implement and use. If you want to improve your defenses against dangerous email threats such as TrickBot, IcedID, QakBot, and Emotet without breaking the bank, give the TitanHQ team a call for more information about SpamTitan.

SpamTitan is available on a free trial and product demonstrations can be arranged on request.

Warning of Phishing Attacks on Users of Robinhood Trading Platform

The stock trading platform Robinhood has announced a major breach of the personal data of 7 million of its customers, who now face an elevated risk of phishing attacks.

Phishing attacks on businesses are incredibly common. While phishing can take many forms, the most common method involves sending emails to company employees and using social engineering tactics to get them to take a specific action. That action is often to click on a malicious hyperlink in the email that directs them to a website where they are asked to provide sensitive information such as their login credentials.

Phishing can also occur via SMS messages, instant messaging platforms, or social media networks. While it is less common for phishing to occur over the telephone – termed vishing – this method actually predates email phishing attacks. Vishing attacks are more labor-intensive and are a form of spear phishing, where a small number of individuals are targeted.

See how SpamTitan Plus inspects all URLs to identify links to malicious websites. Book a free demo.
Book Free Demo

Vishing Attack Allowed Attacker to Obtain 5 Million Email Addresses

It was a vishing attack that allowed a threat actor to obtain the personal data of Robinhood customers. The threat actor called a Robinhood customer service employee and used social engineering techniques over the phone to get the employee to disclose sensitive information. The information obtained allowed the threat actor to access its customer service system, through which it was possible to obtain a limited amount of data of a portion of its customer base.

It is unclear what tactics the threat actor used, although, in these types of attacks, tech support scams are common. This is where a threat actor impersonates the IT department and tricks an employee into disclosing credentials under the guise of a software update or a fix for a malware infection.

Regardless of the lure, the threat actor was able to access its system and stole a list of 5 million customer email addresses, a list of the full names of 2 million individuals, and the names, dates of birth, and zip codes of 310 individuals.

No financial information or Social Security numbers are believed to have been obtained in the attack, but the Robinhood data breach is still serious for affected individuals who now face an elevated risk of phishing attacks.

Robinhood said after the customer lists were exfiltrated, a ransom demand was received. Robinhood did not say whether the ransom was paid, only that the cybersecurity firm Mandiant was investigating, and the incident has been reported to law enforcement.

SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

Risk of Phishing Attacks in Wake of Robinhood Data Breach

Attacks such as this where an attempt is made to extort money from a company after sensitive data are stolen are commonplace. If a company refuses to pay, the attack is monetized by selling the stolen data. Even if a ransom is paid, there is no guarantee that data will not be sold. A list of the email addresses of users of a trading platform would be highly sought after by cybercriminals, who could craft convincing phishing emails to obtain sensitive data to allow users’ accounts to be accessed.

There have been many cases where email addresses have been used in phishing campaigns that reference the breach itself, spoofing the company that was attacked although all manner of lures could be used. There is a fair probability that phishing campaigns will be conducted using the stolen data, so users of the Robinhood platform should be on high alert.

Robinhood has advised customers to be wary of any emails that claim to be from the company and said it would never send a hyperlink in an email to access an account, instead users should only trust Robinhood messages that are sent within the app. For further protection, 2-factor authentication should be enabled, and users of the app should be cautious when opening any email messages, and to be particularly wary about any message that requests sensitive information or includes a hyperlink or email attachment, especially if it is an unsolicited email from an unknown sender.

TodayZoo Phishing Kit Being Used in Extensive Phishing Campaigns Targeting Microsoft 365 Credentials

Phishing involves sending emails that try to trick the recipients into taking a specific action, which could be to send sensitive data via email, open an infected email attachment, or click a link to a malicious website.

Phishing campaigns require little effort or skill to conduct. Lists of email addresses can easily be purchased on hacking forums or can be scraped from websites using widely available programs. Malware does not need to be developed, as this can be purchased through many malware-as-a-service operations. Phishing campaigns that direct individuals to a malicious website where credentials are harvested require those websites to be set up to trick users and capture credentials, but even that process is made simple with phishing kits.

Phishing kits can easily be purchased on hacking forums. These kits contain files that can be uploaded to compromised or owned websites that will collect and transmit credentials when they are entered. Phishing kits are usually sold on hacking forums for a one-time payment and typically contain everything required to start conducting phishing campaigns, including scripts, HTML pages, images, and often phishing email templates. Phishing kits allow individuals without much knowledge of how to conduct a phishing campaign to easily start running their own campaigns.

New Phishing Kit Being Used in Extensive Series of Phishing Campaigns

There are many phishing kits currently available on hacking forums, but a new one has recently been discovered that appears to have been developed using at least six other phishing kits. The new phishing kit, which Microsoft calls TodayZoo, combines the best features of other available phishing kits and is believed to have been developed by an individual who has decided to get into the phishing kit market by plagiarizing others.

The TodayZoo kit has been active since at least December 2020 and is known to have been used in an extensive series of phishing campaigns to steal Microsoft 365 credentials. The TodayZoo phishing campaigns detected so far impersonate Microsoft, with the emails using lures such as password resets, and fake notifications about faxes and shared scanned documents.

The messages direct the recipients to a webpage hosting the phishing kit that similarly impersonates Microsoft, with victims told they must log in with their Microsoft 365 credentials to either reset their password or view the fake faxes or documents. If credentials are entered, the phishing kit captures the information and transmits it to the person running the campaign.

A large part of the TodayZoo phishing kit has been taken from the DanceVida kit, with Microsoft’s analysis revealing it also includes code from the Botssoft, FLCFood, Office-RD117, WikiRed, and Zenfo phishing kits.

So not only are phishing kits purchased for conducting campaigns, but those also kits themselves can be copied and customized and used by individuals to launch their own phishing-as-a-service operations.

Phishing Prevention Requires a Defense in Depth Approach

Phishing kits lower the bar for conducting phishing campaigns, and along with malware-as-a-service and ransomware-as-a-service offerings, allow low-level threat actors to start conducting their own campaigns with ease. These services are fueling the increase in cyberattacks on businesses. Fortunately, there are low-cost cybersecurity solutions that businesses can use to block these phishing and malware campaigns.

Unfortunately, there is no silver bullet. It is no longer sufficient given the level of the threat to rely on one method of blocking attacks. A defense-in-depth approach is required, which means implementing multiple layers of protection. If one of those layers fails to block a threat, others are there to provide protection.

Phishing protection should start with a spam filter. Spam filters conduct a range of checks on all incoming emails and will block more than 99% of spam and phishing emails. TitanHQ’s email security solution, SpamTitan, has been independently tested and shown to block in excess of 99.9% of spam and phishing emails. SpamTitan also includes dual anti-virus engines to detect malicious attachments, and a sandbox to subject attachments that pass AV controls to an in-depth analysis. SpamTitan uses blacklists of malicious IP addresses, performs a range of checks on the message body and headers, and incorporates machine learning technology to detect messages that deviate from standard messages ensuring the spam filter improves over time.

A web filter is another important security measure that should be included in a defense-in-depth strategy to block phishing and malware attacks. A web filter works in tandem with a spam filter but blocks the web component of the attacks. When a user clicks a link in an email that directs them to a phishing website, that attempt is blocked. A web filter also allows users to block certain file downloads from the Internet, such as those commonly associated with malware.

Antivirus software should be installed on all endpoints as additional protection against malicious file downloads, and security awareness training should be regularly provided to the workforce. In the event of credentials being obtained in a phishing attack, multifactor authentication can prevent those credentials from being used to gain access to accounts. With these measures in place, businesses will be well protected.

For further information on spam filtering, web filtering, and to find out more about SpamTitan and WebTitan, give the TitanHQ team a call today. Both solutions are available on a 100% free trial to allow you to evaluate the products in your own environment to see how effective they are and how easy they are to use before committing to a purchase.

Squirrelwaffle Malware Loader Being Distributed in Spam Emails

A new malware variant dubbed Squirrelwaffle has been identified which is being distributed via spam emails. Squirrelwaffle was first identified in September 2021, with the number of spam emails distributing the malware increasing throughout the month and peaking at the end of September.

The takedown of the Emotet botnet in January 2021 left a gap in the malware-as-a-service market, and several new malware variants have since emerged to fill that gap. Emotet was a banking Trojan that was used to distribute other malware variants to Emotet-infected machines, with Squirrelwaffle having similar capabilities. Squirrelwaffle allows the threat group to gain a foothold in compromised devices and networks, which allows other malware variants to be delivered.

Investigations of the malspam campaign have revealed it is currently being used to distribute Qakbot and Cobalt Strike, although the malware could be used to download any malware variant. The spam emails that deliver Squirrelwaffle include a hyperlink to a malicious website which is used to deliver a .zip file that contains either a .doc or .xls file. The Office files have a malicious script that will deliver the Squirrelwaffle payload.

The Word documents use the DocuSign signing platform to lure users to activate macros, claiming the document was created using a previous version of Microsoft Office Word which requires the user to “enable editing” then click “enable content” to view the contents of the file. Doing so will execute code that will deliver and execute a Visual Basic script, which retrieves the Squirrelwaffle payload from one of 5 hardcoded URLs. Squirrelwaffle is delivered as a DLL which is then executed when downloaded and will silently download Qakbot or Cobalt Strike, which both provide persistent access to compromised devices.

As was the case with the Emotet Trojan, Squirrelwaffle can hijack message threads and send malspam emails from infected devices. Since replies to genuine messages are sent from a legitimate email account, a response to the message is more likely. This tactic proved to be highly effective at distributing the Emotet Trojan. The campaign is mostly conducted in English, although security researchers have identified emails in other languages including French, German, Dutch, and Polish.

The similarities with Emotet could indicate some individuals involved in that operation are attempting a return after the law enforcement takedown, although it could simply be an attempt by unrelated threat actors to fill the gap left by Emotet. Currently, the malware is not being distributed in anywhere near the volume of Emotet but it is still early days. Squirrelwaffle may turn out to be the malware distribution vehicle of choice in the weeks and months to come.

To counter the threat, it is vital for email security measures to be implemented to block the malspam at source and ensure the malicious messages are not delivered to inboxes. Since message threads are hijacked, a spam filtering solution that also scans outbound emails– SpamTitan for example – should be used. Outbound scanning will help to identify compromised devices and prevent attacks on other individuals in the organization and address book contacts. SpamTitan also incorporates sandboxing, which works in conjunction with antivirus engines. Suspicious attachments that bypass the AV engines are sent to the sandbox for in-depth analysis.

As part of a defense-in-depth strategy, other measures should also be deployed. A web filter is a useful tool for blocking C2 communications, endpoint security solutions will help to protect against Squirrelwaffle downloads, and regular security awareness training for the workforce is recommended to teach cybersecurity best practices and train employees how to identify malicious emails.  Employees should be told to never click links or open attachments in unsolicited emails or messages and to be wary of messages from unknown accounts. It is also important to explain that some malware variants can hijack message threads, so malicious emails may come from colleagues and other address book contacts.

TA505 is Conducting Large Scale Phishing Campaigns that Deliver a RAT via Weaponized Excel Files

The threat group known as TA505 (aka Hive0065) is known for conducting large-scale phishing campaigns but has not been active since 2020. Now phishing campaigns have been detected that indicate the threat group is conducting attacks once again, with the first mass-phishing campaigns by the group detected in September 2021.

The initial campaigns were small and consisted of a few thousand phishing emails, but as the month progressed larger and larger campaigns were conducted, with phishing campaigns conducted by the group now consisting of tens of thousands of messages. The geographic range has also been increased beyond North American where the gang was initially concentrating its attacks.

Social engineering techniques are used to convince victims to open email attachments or visit links and view shared files, with a variety of lures used by the gang in its phishing attacks. Emails intercepted from the latest campaigns claim to provide insurance claims paperwork, situation reports, media release requests, health claims, and legal requests. Many of the campaigns so far have targeted employees in financial services.

One of the hallmarks of the group is using Excel file attachments in emails that contain malicious macros which deliver a Remote Access Trojan (RAT), the downloading and execution of which gives the group control over victims’ devices. The group is also known to use HTML files that link to malicious websites where the malicious Excel files are downloaded.

While the attacks often start with a file attachment, later in the attack process a Google feedproxy URL is used with a SharePoint and OneDrive lure that appears to be a file share request, which delivers the weaponized Excel file.

The initial infection stage involves the downloading of a Microsoft installer package, which delivers either a KiXtart or REBOL malware loader, which pulls a different MSI package from the C2 server, which then installs and executes the malware. TA505 is known to use the FlawedGrace RAT, which first appeared in 2017, and the latest campaign delivers a new variant of this malware using a malware loader dubbed MirrorBlast. According to an analysis of MirrorBlast by Morphisec labs, the malware will only run in 32-bit versions of Microsoft Office as there are compatibility issues with ActiveX objects.

Macros are disabled by default in Microsoft Excel as a security measure, so social engineering techniques are used in the attacks to convince victims to enable macros. Macros are more commonly used in Excel files than Word files, and end users may not be as suspicious of Excel macros as Word macros.

Email security solutions are capable of detecting files containing Excel macros, especially email security solutions with sandboxing. In an attempt to bypass those measures and ensure the emails are delivered, TA505 uses lightweight, legacy Excel 4.0 XLM macros rather than the newer VBA macros, which has seen many of the messages bypass email security gateways.

TA505 is a highly creative threat group that regularly changes its attack techniques to achieve its goals, with the gang known to have conducted campaigns to deliver the Dridex banking Trojan, Locky and Jaff ransomware, and the Trick banking Trojan.

The group is known for conducting high-volume phishing campaigns that have targeted a range of different industry sectors and geographical areas.

TA505’s tactics, techniques, and procedures are expected to continue to evolve so it is vital for organizations to ensure email security defenses are implemented to block the emails. Security awareness training should also be provided to the workforce and employees should be made aware of the latest tricks and tactics used by the gang, including raising awareness of the use of Excel files with macros in phishing emails.

5 Ways to Protect Against Healthcare Phishing Attacks

The healthcare industry has long been targeted by cybercriminals looking to gain access to sensitive patient data, which is easy to sell on the black market to fraudsters such as identity thieves. In recent years hackers have turned to ransomware. They gain access to healthcare networks and encrypt data to prevent patient information being accessed and issue a ransom demand to the keys to decrypt files. Since the start of 2020, these two goals have been combined. Hackers have been gaining access to healthcare networks, then exfiltrate data prior to deploying ransomware. If the ransom is not paid, the data is leaked online or sold on. Patient data may even be sold even if the ransom is paid.

Both of these attack types can be achieved using phishing. Phishing allows threat actors to steal credentials and raid email accounts and use the credentials for more extensive attacks on the organization. Phishing emails can also trick healthcare employees into downloading malware that gives attackers persistent access to the network.

Protecting against phishing attacks is one of the most important ways to prevent data breaches and stop ransomware attacks, but there is no single measure that can be implemented that will provide total protection. Here we explain 5 steps that healthcare organizations should take to protect against healthcare phishing attacks. These include measures required by the HIPAA Security Rule so can help to ensure you achieve and maintain compliance.

SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

5 Measures to Protect Against Healthcare Phishing Attacks

Each of the measures we have listed below is important and will work with the others to significantly improve your security posture; however, the first measure is the most important of all as it will stop the majority of phishing emails from being delivered to employee inboxes.

Spam Filtering

To achieve Security Rule compliance, HIPAA regulated entities must implement technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. A spam filter is one of the most important technical safeguards to protect against email-based attacks such as phishing. Spam filters will generally block in excess of 99% of spam and phishing emails and 100% of known malware.

Any inbound email must pass through the spam filter where it will be subjected to a variety of checks. These include antivirus scanning to block malware, checks against blacklists of known malicious IP and email addresses, and frameworks such as SPF, DKIM, and DMARC to identify and block email impersonation attacks. Advanced spam filters such as SpamTitan include additional malware protection through the use of a sandbox. Email attachments are executed in this safe environment and are checked for potentially malicious actions. This measure helps to identify previously unknown malware and ransomware variants.

SpamTitan also uses techniques such as Bayesian analysis to determine the probability of an email being spam or malicious. Greylisting is also used, which involves the initial rejection of a message with a request to resend. Spam servers do not tend to respond to these requests, so the lack of response or delay is a good indicator of spam.

SpamTitan also incorporates machine learning techniques, ensuring spam filtering improves over times. Thresholds can also be set for individual users, user groups, departments, and organization-wide, to give the greatest protection to accounts that are most likely to be targeted.

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

2-Factor or Multi-Factor Authentication

2-factor or multi-factor authentication is another technical safeguard to protect against phishing attacks. 2FA/MFA blocks the next stage of a phishing attack, where credentials for an account have already been obtained by an attacker, either through phishing, brute force attacks or other methods.

In addition to a password, a second factor must be provided before an individual is authenticated. This is often a token on a verified device. When an attempt is made to use a password to access the account from an unfamiliar device, location, or IP address, another factor must be provided before access is granted. This is typically a code sent to a mobile phone. 2-factor authentication will block more than 99.9% of automated attempts to gain access to an account according to Microsoft.

Security Awareness Training

Security awareness training is concerned with educating the workforce about threats such as phishing and teaching them how to recognize and avoid those threats. In security awareness training, employees are taught how to identify phishing emails and social engineering scams and are taught cybersecurity best practices to eradicate risky behaviors. Employees are targeted by phishers and not all phishing emails will be blocked by a spam filter. By training the workforce, and providing regular refresher training sessions, employees will get better at identifying and avoiding threats.

The HHS’ Office for Civil Rights explained in guidance for the healthcare industry that teaching employees how to recognize phishing is part of the requirements for HIPAA compliance. Financial penalties have been imposed for organizations that have not provided security awareness training to the workforce.

Conduct Phishing Email Simulations

Training for the workforce will raise awareness of threats, but it is important to test whether training has been assimilated and if it is being applied in real world situations. By setting up a phishing simulation program, security teams will be able to gauge how effective training has been. A failed phishing simulation can be turned into a training opportunity, and employees who regularly fail phishing email simulations can be provided with further training.

Phishing email simulation programs use real-world phishing examples on employees to see how good they are at identifying phishing emails. They can be used to gain an understanding of the types of phishing emails that are being opened and which links are being clicked. This information can be used to improve security awareness training programs.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

Sign Up to Receive Threat Intelligence

Another important step to take to protect against phishing attacks is to stay up to date on the latest threats. The tactics, techniques, and procedures (TTP) of hackers and phishers is constantly evolving, and being aware of the latest TTPs will help healthcare organizations mitigate the threats.

Stay up to date by reading the threat alerts published by agencies such as CISA, the FBI, NSA, and HC3, and consider signing up an information sharing and analysis center to receive timely cyber threat intelligence updates. Knowing about new phishing campaigns targeting the sector will allow steps to be taken to block those threats, whether that is a cybersecurity newsletter for staff, implementing new spam filter rules, or other proactive steps to reduce risk.

Common Phishing Threats You Should be Aware of

Phishing is one of the most common ways that cybercriminals gain access to networks to steal credentials and sensitive data, deploy malware, and conduct ransomware attacks. Phishing is most commonly conducted via email and uses deception and ‘social engineering’ to trick people into disclosing sensitive information or running code that downloads malicious software.

Phishing emails often impersonate trusted individuals or companies. The email addresses used to send these messages can appear legitimate, and the messages often include the logos and layouts of the genuine communications they spoof. The emails often include a hyperlink to a website where credentials are harvested. The online component of the phishing scam similarly spoofs a trusted entity and, in many campaigns, it is difficult to distinguish the phishing website from the genuine site being spoofed.

Phishing attacks are increasing and for one very simple reason. They work. Not only do these messages fool huge numbers of people, they are also easy to conduct and there is little risk of phishers being caught. Even the Italian mafia and other organized crime operations have adopted phishing in addition to the standard protection rackets as a way to rake in money. This week, Europol announced it broke up an organized crime gang with links to the Italian mafia which had raked in €10 million in revenue from phishing and other online fraud scams in the past year.

Phishing Lures are Constantly Changing

The lures used in phishing scams are constantly evolving. While standard phishing campaigns involving fake invoices and resumes, missed deliveries, and fake account charge notifications are regularly used, topical lures related to news stories and COVID-19 are also thrown in into the mix. The lures may change, but there are commonalities with these phishing scams that individuals should be able to recognize.

Phishing scams attempt to get the recipient to take a specific action, such as visit a link in the email or open an email attachment. There is usually a sense of urgency to get recipients to take prompt action, such as a threat of account closure or potential legal action. While suspicions may be raised by these messages, many people still take the requested action, either through fear of missing out or fear of negative repercussions if no action is taken.

It is best to adopt a mindset where every email received is potentially a phishing scam, and any request suggested in an email could well be a scam. Any email received that threatens account closure if no action is taken can easily be checked for legitimacy by logging in to the account via a web browser (never use the links in the email). If there is an unauthorized charge or a problem with the account, this will be clear when you login.

If you receive a message from a company stating there is an unpaid invoice or an order has been made that is not recognized, search for the company online and use trusted contact information to verify the legitimacy of the email.

If you receive an email from your IT team telling you to install a program or take another action that seems suspicious, give the support desk a call to verify the legitimacy of the request.

Links in emails are the most common way to direct people to phishing webpages. You should always hover your mouse arrow over the link to check the true destination, and if the URL is not on an official domain, do not click.

Common Phishing Lures You Should be Aware Of

  • An email about a charge that has been applied to your account that has been flagged as suspicious and requires you to login to block the charge
  • An email threatening imminent account closure or loss of service if you do not take immediate action to correct the issue
  • An email from law enforcement threatening arrest or legal action for a crime you are alleged to have committed
  • An email from the IRS or another tax authority offering a refund as you have overpaid tax, or legal action over nonpayment of tax
  • An email with an invoice for a product or service you have not purchased
  • An email telling you malware has been detected on your computer that requires a software download to remove it
  • An email with a link that requires you to provide credentials to view content or confirm your identify by verifying your credit/debit card number.

If you receive any message, the important thing is to stop and think before taking any action and to carefully assess the legitimacy of the request.

Spam Software will Block the Majority of Phishing Emails

One of the best ways that businesses can improve email security is to implement an advanced spam filtering solution. SpamTitan provides protection against phishing and other malicious emails using a wide range of tools that include machine-learning to identify suspicious messages, sandboxing, dual anti-virus engines, greylisting, and malicious link detection mechanisms. SpamTitan will ensure that malicious messages are not delivered to end users where they can be clicked. When combined with security awareness training to teach cybersecurity best practices, businesses can mount a formidable defense against phishers.

To find out more about how you can protect against phishing and other malicious emails, give the TitanHQ team a call. SpamTitan is available on a free trial, product demonstrations can be arranged on request, and you may be surprised to discover how little it costs to improve protection against all types of email attacks.

OnePercent Ransomware Delivered via Phishing Emails

Ransomware attacks have been rife in 2021, with the increase in attacks seen in 2020 continuing throughout 2021. The number of attacks conducted in 2021 has been staggering. There were more attempted ransomware attacks in the first 6 months of 2021 than there were in all of 2020, according to one report.

Ransomware-as-a-service (RaaS) operations that were active throughout 2020 have increased their attacks, and while some RaaS operations have been shut down, attack volume is showing no sign of reducing. There is also a new ransomware threat to defend against.  The Federal Bureau of Investigation (FBI) has issued a warning about a new ransomware threat actor that has been particularly active in the United States. The group, known as OnePercent, has been using its ransomware to attack U.S. businesses since at least November 2020, according to a recent FBI Flash Alert. The group is known to use the legitimate penetration testing tool Cobalt Strike in its attacks, and prior to using their OnePercent ransomware variant to encrypt files, the attackers exfiltrate sensitive data from victims’ systems.  A ransom demand is issued for the keys to decrypt files and to prevent the publication of the stolen data on the group’s data leak sites on the TOR network and the publicly accessible Internet.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

Like many ransomware gangs, the initial attack vector is phishing emails. Phishing emails are sent to targeted organizations that have malicious .ZIP email attachments which contain Word documents or Excel spreadsheets with malicious macros that deliver the IcedID banking Trojan. The Trojan downloads and installs Cobalt Strike on endpoints to allow the attacker to move laterally within victims’ networks to compromise as many devices as possible. The group is also known to use PowerShell, Mimikatz, SharpKatz, BetterSafetyKatz, and SharpSploit, and Rclone for data extraction.

The attackers are known to take their time within networks to identify and steal critical data. In attacks reported to the FBI, the group has spent up to a month from the initial compromise to the deployment of OnePercent ransomware. During that time, considerable volumes of data are exfiltrated. The ransomware itself encrypts files and uses a random 8-character extension for encrypted files.

As is now the norm, there is no fixed ransom payment. Victims are required to make contact with the attackers to receive ‘technical support’ recovering their files and to discover how much needs to be paid for the decryptors and to ensure data deletion. If the ransom is paid, the attackers say they will deliver the decryption keys within 48 hours. The threat group is also known to contact the victim by telephone using spoofed telephone numbers to pressure victims into paying by threatening to publish the stolen data. The group has also threatened to sell the stolen data to the Sodinokibi ransomware gang to list for sale at a public auction.

Since the group uses phishing emails as the initial attack vector, preventing those messages from reaching inboxes is the best defense against attacks. That requires an advanced spam filtering solution such as SpamTitan. It is also recommended to configure emails to display a warning when they are received from a sender that is outside the organization.

Even greater protection against phishing attacks. Book a free SpamTitan Plus demo.
Book Free Demo

It is also important to follow cybersecurity best practices such as network segmentation to limit the potential for lateral movement, to audit user accounts with admin privileges and restrict their use as far as possible, and to configure access controls using the principle of least privilege. All critical data should be backed up offline on an external hard drive or storage device that is disconnected once the backup has been performed. Backups should also be tested to make sure file recovery is possible.

While the OnePercent ransomware gang is only known to use phishing emails as the attack vector, other methods of attack may also be adopted. It is therefore recommended to ensure that remote access and RDP ports are disabled if not used, to monitor remote access/RDP logs, to keep computers and applications up to date and to apply patches promptly, and to ensure that strong passwords are set and multi-factor authentication is implemented.

Sneaky Tactics Used in Two Ongoing Phishing Campaigns Targeting User Credentials

New phishing campaigns are constantly being launched that impersonate trusted companies, organizations, and individuals, and use social engineering techniques to trick end users into divulging sensitive information such as their email credentials. Two such phishing campaigns have recently been discovered that use sneaky tactics to fool the unwary.

Sneaky Tactics Used to Obtain Office 365 Credentials

Organizations using Office 365 are being targeted in a sneaky phishing campaign that has been ongoing for several months. The phishing campaign incorporates a range of measures to fool end users and email security solutions. The goal of the campaign is to steal Office 365 credentials.

The phishing emails are sent from believable email addresses with spoofed display names to make the sender appear legitimate. The campaign targets specific organizations and uses believable usernames and domains for sender display names related to the target and the messages also include genuine logos for the targeted company and Microsoft branding.

See how SpamTitan Plus inspects all URLs to identify links to malicious websites. Book a free demo.
Book Free Demo

The messages use believable Microsoft SharePoint lures to trick end users into clicking an embedded hyperlink and visiting the phishing URL. Recipients of the messages are informed that a colleague has sent a file-share request that they may have missed, along with a link directing the recipient to a webpage hosting a fake Microsoft Office 365 login box.

To encourage users to click, the emails suggest the shared file contains information about bonuses, staff reports, or price books. The phishing emails include two URLs with malformed HTTP headers. The primary phishing URL is for a Google storage resource which points to an AppSpot domain. If the user signs in, they are served a Google User Content domain with an Office 365 phishing page. The second URL is embedded in the notification settings and links to a compromise SharePoint site, which again requires the user to sign in to get to the final page.

To fool email security solutions, the messages use extensive obfuscation and encryption for file types often associated with malicious messages, including JavaScript, in addition to multi-layer obfuscation in HTML. The threat actors have used old and unusual encryption methods, including the use of morse code to hide segments of the HTML used in the attack. Some of the code segments used in the campaign reside in several open directories and are called by encoded scripts. Microsoft researchers discovered and tracked the campaign and likened it to a jigsaw puzzle, where all the pieces look harmless individually and only reveal their malicious nature when correctly pieced together.

This campaign is particularly sneaky, with the threat actor having gone to great lengths to fool both end users and security solutions.

FINRA Impersonated in Phishing Campaign

A new phishing campaign has recently been detected that impersonates the U.S. Financial Industry Regulatory Authority (FINRA). In this campaign, cyber threat actors have used domains that mimic FINRA, which are close enough to the genuine finra.org domain to fool unsuspecting individuals into disclosing sensitive information.

The phishing emails have been sent from three fraudulent domains: finrar-reporting.org, finpro-finrar.org, and gateway2-finra.org. The use of hyphens in phishing domains is very common, and it is often enough to trick people into thinking the site is a subdomain of the official website that the campaign mimics.

The emails ask the recipients to click a link in the email to “view request.” If the link is clicked, the users are prompted to then provide information to complete the request. As is typical in phishing campaigns, there is a threat should no action be taken, which in this case is “late submission may attract financial penalties.”

Faster and better detection of malicious URLs in emails. Book a free SpamTitan Plus demo.
Book Free Demo

The financial services regulator has taken steps to take down these fraudulent domains, but it is likely that the threat actor will continue using other lookalike domains. Similar domains were used in the campaign spoofing FINRA earlier this year, including finra-online.com and gateway-finra.org.

These campaign highlights the need for security awareness training, an advanced email security solution, and other anti-phishing measures such as a web filter.

If you are concerned about your cybersecurity defenses and want to block threats such as these, give the TitanHQ team a call for advice on security solutions that can be easily implemented to block phishing and other email threats to improve your security posture and prevent costly data breaches.

Phishing Attacks Surge and Businesses are Struggling to Deal with the Threat

Ransomware attacks have increased significantly since the start of 2020 and that increase has continued in 2021. While these attacks are occurring more frequently than ever, the threat from phishing has not gone away and attacks are still rife. Phishing attacks may not make headline news like ransomware attacks on hospitals that threaten patient safety, but they can still be incredibly damaging.

The aim of many phishing attacks is to obtain credentials. Email credentials are often targeted as email accounts contain a treasure trove of data. That data can be extremely valuable to cybercriminals. In healthcare for example, email accounts contain valuable healthcare data, health insurance information, and Social Security numbers, which can be used to commit identity theft, obtain medical treatment, and for tax fraud. Entire email accounts are often exfiltrated in the attacks and the accounts used to send tailored phishing emails to other individuals in the company.

Many data breaches start with a phishing email, with phishing often used by an attacker to gain a foothold in a network that can be used in a much more extensive attack on an organization. Phishing emails are often the first step in a malware or ransomware attack.

SpamTitan Plus provides leading edge anti-phishing protection with “zero-day” threat protection and intelligence.
Book Free Demo

Multiple surveys have recently been conducted on IT leaders and employees that show phishing is a very real and present danger. Two recent surveys conducted in the United States and United Kingdom indicate almost three quarters of businesses have experienced a data breach as a result of a phishing attack in the past 12 months. One study indicated over 50% of IT leaders had seen an increase in phishing attacks in the past 12 months, while the other put the figure at 80%.

During the pandemic, many businesses were faced with the option of switching to a remote workforce or shutting down. The increase in remote working was a godsend for phishers, who increase their attacks on employees. Many IT departments lacked visibility with a remote workforce and found it harder to block phishing attacks than when employees are in the office. Staff shortages in IT have certainly not helped.

Staff training is important to raise awareness of the threat from phishing, but remote working has made that harder. Training needs to be provided regularly as it can easily be forgotten and bad habits can slip in. Phishing tactics are also constantly changing, so regular training is needed to keep employees aware of the latest threats and phishing techniques, so they know what to look for. It does not help that phishing attacks are increasingly targeted and more sophisticated and can be difficult for employees to spot even if they have received regular training.

So how can businesses combat the threat from phishing and avoid being one of the three quarters of companies that experience a phishing data breach each year? Training is important, but the right technology is required.

Two of the most important technical solutions that should be implemented to block phishing attacks are spam filters and web filters. Both are effective at combatting phishing, albeit from different angles. When both are used together, protection is better than the sum of both parts.

SpamTitan Plus provides multi-layered detection and blocking of malicious URLs. Book a free demo now.
Book Free Demo

A spam filter must have certain features to block sophisticated phishing threats. Blacklists are great for identifying emails from known malicious IP addresses, but IP addresses frequently change. Machine learning approaches are needed to identify previously unseen phishing tactics and threats from IP addresses not known to be malicious. Multiple AV engines can help to block more malware threats, while sandboxing can be used identify new malware variants. DMARC is also vital to block email impersonation attacks, while outbound scanning is important to rapidly detect compromised mailboxes. All of these features are employed by SpamTitan, which is why the solution has such a high block rate (over 99.97%) and low false positive rate.

Web filters are primarily used to restrict access to malicious and undesirable websites, whether they are sites with pornographic content or malicious sites used for phishing and malware distribution. Web filters, especially DNS-based filters, greatly improve protection against threats and will block access to known malicious websites. They will also block malware downloads and restrict access to questionable websites that serve no work purpose but increase risk. WebTitan will do this and more, and can easily be configured to protect remote workers, no matter where they choose to access the Internet.

With phishing attacks increasing it is important that businesses deploy solutions to counter the threat to stay one step ahead of the phishers. For further information on SpamTitan and WebTitan, and how they can protect your business, give the TitanHQ team a call. Both solutions are available on a free trial to allow you to see for yourself the difference they make. You can sign up for a free trial of SpamTitan here, and WebTitan on this link.

ZLoader Banking Trojan Distributed in Phishing Campaign That Disables Office Macro Warnings

One of the most common ways for malware to be distributed is in phishing emails. These emails usually require some user interaction, such as clicking on a link and opening an attached Microsoft Office file. Word and Excel files are often used in malware distribution, with macros used to deliver the malicious payload.

Macros are potentially dangerous as they can contain malicious code, so they are usually disabled by default and will only be allowed to run if they are manually enabled by the end user.  When an Office file is opened which contains a macro, a warning message will appear instructing the user that there is a macro and that it is potentially malicious. If the macro is not manually enabled by the end user, malware cannot be downloaded.

A phishing campaign has recently been detected that is typical of most phishing campaigns distributing malware. The initial attack vector is a phishing email, and Office files are used which contain macros that download the malware payload – in this case ZLoader. However, a novel method is used to deliver the malicious Office files that disables to usual macro warnings and protection mechanism.

With SpamTitan Plus malicious URL protection, we take a multi-layered approach to combat malicious links.
Book Free Demo

In this campaign, malicious DLLs – Zloader malware – are delivered as the payload, but the initial phishing email does not contain the malicious code. The phishing email has a Microsoft Word attachment which will trigger the download of a password-protected Excel spreadsheet from the attacker’s remote server when the file is opened and macros are enabled.

The attack relies on Microsoft Word Visual Basic for Applications (VBA) and the Dynamic Data Exchange (DDE) fields of Microsoft Excel, and is effective on systems that support the legacy .xls file format.

Once the encrypted Excel file is downloaded, Word VBA-based instructions in the document read the cell contents from the specially crafted XLS file. Word VBS then writes the cell contents into XLS VBA to create a new macro for the XLS file. When the macros are ready, Excel macro defenses are disabled by the Word document by setting the policy in the registry to Disable Excel Macro Warning. The Excel VBA is then run and downloads the malicious DLL files, which are executed using rundll32.exe.

While the malicious files will be silently downloaded and executed, this attack still requires the victim to enable macros in the initial Word document. Victims are tricked into doing this by telling them “This document created in previous version of Microsoft Office Word. To view or edit this document, please click ‘Enable editing’ button on the top bar, and then click ‘Enable content’,” when they open the Word file. That one click will start the entire infection chain.

ZLoader is a variant of the infamous Zeus banking Trojan, which first appeared in 2006. The malware is also known by the name ZBot and Silent Night and is used by multiple threat groups. The malware was used in large scale campaigns in 2020 using COVID-19 themed lures, such as COVID-19 prevention tips, along with more standard lures such as job applications.

Faster and better detection of malicious URLs in emails. Book a free SpamTitan Plus demo.
Book Free Demo

Once installed, the malware uses webinjects to steal passwords, login credentials and browser cookies. When an infected computer is used to access online banking and financial accounts, banking information and other sensitive data are stolen and exfiltrated to the attacker’s C2 server.

If you want to improve your defenses against malware and phishing, give the TitanHQ team a call and enquire about SpamTitan Email Security and WebTitan Web Security. These solutions can both be downloaded, configured, and protecting you from the full range of web and email threats in under an hour, and both are available on a no obligation 14-day free trial so you can see for yourself how easy they are to use and how effective they are at blocking threats before making a purchase decision.

Mac Users Targeted in Phishing Campaign Distributing XLoader Malware

Apple Mac users are comparatively safe when it comes to malware as most malware variants target Windows users; however, the number of malware variants targeting Mac users has been increasing. When there is a very low risk of a malware infection, it is easy to become complacent, but threats do come along so it is important to remain on one’s guard.

That is especially true now as a new malware threat has been discovered and Mac users are in the attackers’ crosshairs. Further, this is not some half-baked malware. This is a very serious threat. This new malware variant is very malicious, very dangerous, and it has been getting past Apple Mac security defenses.

The threat is more likely to be familiar to Windows users, as it is them who have previously been targeted; however, the malware has now jumped platforms and is being used to target Mac users. The malware is a new variant of FormBook malware. FormBook malware is a well-known commercially available malware that has been around since 2016. The malware, which was rebranded as XLoader last year, is sold as-a-service on hacking forums and is usually delivered via malicious attachments in emails – often PowerPoint documents. The malware has been developed to log keystrokes and, as the name suggests, grab data from online forms when input by users. It can also steal data from instant messenger apps, email clients, and FTP clients. In the latter half of 2020, attacks involving the malware increased substantially, and during the first 6 months of 2021 it has been prolific.

The Apple version of the malware similarly has a wide range of malicious capabilities. It will harvest credentials from web browsers, steal form data, take screenshots, monitor and log keystrokes, and can also download and execute files from the attackers’ C2 servers. The malware also incorporates several features to resist attempts at reverse engineering.

The Mac version of XLoader is under active development and it is likely that throughout the remainder of 2021 it will grow into an even bigger threat. Already, this version is able to move much deeper into systems and move much faster.

Mac users may be complacent as they are not often targeted, but this is not due to Macs being harder to attack. Malware developers simply choose to target Windows devices as there are many more users that can be targeted. Fewer Mac users mean the potential profits from attacks will be lower, but attacks are growing and the complacency of Mac users works to the advantage of attackers. It makes it easier to get their malware installed as users are not anticipating threats. A much broader range of threat actors will be able to use the latest XLoader version and target Mac users, as they can simply pay a licensing fee and use it under the malware-as-a-serve model. That fee can be as low as $69.

As with the Windows campaigns, XLoader is primarily delivered via phishing emails, mostly using malicious Microsoft Office documents. Check Point says it has tracked infections in 69 countries, although the majority of infected devices are in the United States.

Since the malware can bypass Mac security defenses, it is important to check whether it has already been installed by looking for suspicious filenames in the LaunchAgents directory in the library, which is normally hidden from view. While various different file names have been used, an example of XLoader is com.wznlVRt83Jsd.HPyT0b4Hwxh.plist.

Blocking attacks is actually straightforward. Antivirus software should be installed and kept up to date, and businesses should implement a spam filtering solution such as SpamTitan to block the malicious emails that deliver the malware. End users should also exercise caution opening emails and should never open attachments or click links in emails from unknown sources or click unsolicited links in messaging apps.

LemonDuck Malware Campaign Escalates with Attacks on Windows and Linux Systems Increasing

The threat actors behind LemonDuck malware have escalated their operation and have added new capabilities to the malware making it far more dangerous. LemonDuck malware is best known for its botnet and cryptocurrency mining objectives; however, the malware is being actively developed. While its bot and cryptocurrency mining activities continue, the malware is also capable of removing security controls on infected devices, rapidly moving laterally within networks, dropping a range of tools onto infected devices, and stealing and exfiltrating credentials. The malware is also capable of spreading via email.

The threat group behind the malware is known to take advantage of the latest news and events to create topical and convincing phishing emails to spread the malware, often through malicious Microsoft Office attachments; however, the threat actor also takes advantage of new exploits to infect devices, as well as several older vulnerabilities. Last year, the threat group was distributing the malware using phishing emails with OVID-19 themed lures, and while phishing emails are still being used to distribute the malware, the threat actor has also been exploiting the recently disclosed vulnerabilities in Microsoft Exchange to gain access to systems, according to a recent security alert from Microsoft.

LemonDuck malware is a somewhat atypical bot malware, as it is relatively rare for these types of malware variants to be used to attack both Windows and Linux systems. The malware operators like to have sole control of infected devices and remove competing malware if they are encountered. To make sure no other malware variants are installed, after gaining access to a device, the vulnerability LemonDuck exploited to gain access to a system is patched.

If the malware is installed on a device with Microsoft Outlook installed, a script is run that uses saved credentials to gain access to the mailbox and copies of itself are then sent in phishing emails to all contacts in the mailbox, using a preset message and the a malware downloader as an attachment.

The malware was first detected in May 2019, with the earlier forms of LemonDuck malware used in attacks within China, but the malware is now being distributed much more widely. It has now been detected in United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.

Microsoft has identified two distinct operating structures that both use LemonDuck malware which could indicate the malware is being used by different groups with different objectives. The ‘LemonCat’ infrastructure was used in a campaign exploiting Microsoft Exchange Server vulnerabilities to install backdoors, steal credentials and data, and deliver other malware variants, including Ramnit.

Blocking attacks involving this malware requires a combination of approaches. An advanced spam filter such as SpamTitan should be used to block the phishing emails used to deliver the malware. SpamTitan also scans outbound messages to prevent malware variants with emailing capabilities from being sent to contacts. Since vulnerabilities are exploited to gain access to networks, it is important to have a rigorous patch management policy and to apply patches quickly after they are released.  Antivirus software should be implemented and set to automatically update, and a web filter is recommended to block malware downloads over the Internet.

For further information on improving your defenses against LemonDucck malware and other malware threats, give the TitanHQ team a call. Both the SpamTitan email security and WebTitan web security solutions are available on a free trial, and can be implemented, configured, and protecting your devices in less than an hour.

Fake Windows 11 Installers Being Used to Deliver Malware

On June 24, 2021, Microsoft announced Windows 11 will soon be released. Windows 11 is a major upgrade of the Windows NT operating system, which will be the successor to Windows 10. Such a major release doesn’t happen that often – Windows 10 was released in 2015 – so there has been a lot of interest in the new operating system. The new Windows version is due for public release at the end of 2021, but there is an opportunity to get an early copy for free.

On June 28, Microsoft revealed the first Insider Preview of Windows 11. Upgrading to the new Windows version is straightforward. For a lucky few (or unlucky few if Windows 11 turns out to be exceptionally buggy), an upgrade just requires a user to enroll in the Dev channel of the Windows Insider Program.  That said, many people have been trying to get an upgrade from unofficial sources.

Unsurprisingly, unofficial ISOs that claim to provide Windows 11 do not. Instead, they deliver malware. Threat actors have been distributing these fake Windows 11 installers and using them to deliver a wide range of malicious payloads. At best, these fake Windows 11 installers will deliver adware or unwanted programs. More likely, malware will be installed with various degrees of maliciousness, such as Remote Access Trojans and backdoors that give the attackers full access to the victims’ devices, information stealers such as keyloggers that steal passwords and other sensitive data, cryptocurrency miners, and ransomware.

Researchers at Kaspersky Lab have identified several fake Windows 11 installers doing the rounds, including one seemingly legitimate installer named 86307_windows 11 build 21996.1 x64 + activator.exe. Despite the name and 1.76GB file size, it was not what it seemed. If the user executed the file and agreed to the terms and conditions, the file would proceed to download a different executable that delivers a range of malicious software onto the user’s device.

As the hype builds ahead of the official release date, we can expect there to be many other fake installers released. Hackers do love a major software release, as its easy to get users to double click on executable files. Malicious adverts, websites, and emails offering free copies of Windows 11 will increase, so beware.

Ensure you have an advanced and effective spam filtering solution such as SpamTitan in place to protect against malicious emails, and a web filter such as WebTitan installed to block malicious file downloads. You should also make sure that you only install software or applications from official sources and take care to ensure that you really are on the official website of the software developer before downloading any files. A double click on a malicious executable file could cause a great deal of pain and expense for you and your employer.

MSPs Targeted in Phishing Campaign Using Fake Kaseya Update to Deliver Cobalt Strike

On July 2, 2021, IT management software provider Kaseya suffered a ransomware attack that impacted its managed service provider (MSP) customers. Ransomware was pushed out to users of the Kaseya Virtual System Administrator (VSA) platform through the software update mechanism and, through them, to MSP clients. Kaspersky Lab said it found evidence of around 5,000 attempts to infect systems with ransomware across 22 countries in the first 3 days since the attack was identified. Kaseya recently said it believes around 1,500 of its direct customers and downstream businesses were affected.

The attackers exploited vulnerabilities in the KSA platform that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April. Kaseya had issued updates to fix four of the seven reported vulnerabilities in April and May and was working on patches to fix the remaining three flaws. One of those flaws, CVE-2021-30116, was a credential leaking flaw which was exploited by the REvil ransomware gang before the patch was released.

Kaseya detected the attack quickly and was able to implement mitigations that limited the extent of the attacks. the steps taken by Kaseya have been effective at blocking any further attacks, customers are now at risk from Kaseya phishing campaigns.

Cybercriminals have started conducting phishing campaigns targeting Kaseya customers pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat emulation tool, but it is also extensively used by hackers and ransomware gangs to gain remote access to business networks.

The campaign was first detected by the Threat intelligence team at Malwarebytes. The emails contain an attachment named SecurityUpdates.exe and a hyperlink that claims to provide a Microsoft update to fix the Kaseya vulnerability exploited by the ransomware gang.

Users are told to open the attached file or click the link in the email to update the Kaseya VSA to protect against ransomware attacks but doing so delivers Cobalt Strike beacons and will give attackers persistent access to victims’ networks.

Since Kaseya is working on a patch to fix the flaw exploited in the attack, customers will be expecting a security update and may be fooled into installing the fake update.

Kaseya has issued a warning to all customers telling them not to open any attachments or click links in emails that claim to provide updates for the Kaseya VSA. Kaseya said any future email updates it sends to customers will not include any hyperlinks or attachments.

A similar campaign was conducted following the Colonial Pipeline ransomware attack. The emails claimed to provide system updates to detect and block ransomware attacks.

Any email received that claims to offer a security update should be treated as suspicious. Do not click links in those emails or open attachments, instead visit the software vendor’s official website to check for security updates that have been released.