Phishing & Email Spam
Phishing and email spam is estimated to cost industry more than $1 billion each year, and cybercriminals are becoming more sophisticated in the campaigns they launch to try to extract confidential data or passwords from unsuspecting Internet users.
Part of the reason why phishing and email spam continue to work is the language used within the communication. The message to “Act Now” because an account seems to have been compromised, or because a colleague appears to need urgent support, often causes individuals to act before they think.
Even experienced security experts have been caught by phishing and email spam, and the advice provided to every Internet user is:
- If you are unsure of whether an email request is legitimate, try to verify it by contacting the sender independently of the information provided in the email.
- Never reveal confidential data or passwords requested in an email or on a web page you have arrived at after following a link in an email.
- Enable spam filters on your email, keep your anti-virus software up-to-date and enable two-step authentication on all your accounts whenever possible.
- Always use different passwords for different accounts, and change them frequently to avoid being a victim of key-logging malware downloads.
- Remember that phishing and email spam is not limited to email. Watch out for scams sent via social media channels.
Phishing in particular has become a popular attack vector for cybercriminals. Although phishing goes back to the early days of AOL, there has been a tenfold increase in phishing campaigns over the past decade reported to the Anti-Phishing Working Group (APWG).
Phishing is an extension of spam mail and can target small groups of people (spear phishing) or target executive-level management (whale phishing) in order to collect information or gain access to computer systems.
The best way to protect yourself from phishing and email spam is to follow the advice provided above and – most importantly – enable a reputable spam filter to block potentially unsafe emails from being delivered to your inbox.
Tax season has begun and so have the annual scams targeting tax professionals. Each year in the run up to the tax filing deadline, cybercriminals conduct scams in order to obtain electronic filing identification numbers (EFINs).
In the United States, the Internal Revenue Service (IRS) issues EFINS to tax professionals and individuals to allow them to file tax returns electronically. If cybercriminals obtain these EFINs they can file fraudulent tax returns in victims’ names to obtain tax rebates. Obtaining an e-file number of a tax professional will allow tax returns to be filed for many individuals, so these scams can be very lucrative.
These scams usually start with a phishing email using a lure to get the recipient to visit a malicious website where they are asked to provide information or upload documents that contain sensitive information. Alternatively, recipients are told to download files which silently install a malware downloader which ultimately gives the attackers full control of the victim’s computer.
Commonly, the spam emails spoof the IRS and instruct tax professionals to provide information or documents in order to prevent the suspension of their account. At such as busy time of year, suspension of an account is best avoided. Faced with this threat, tax professionals may provide the requested information.
One of the phishing emails recently intercepted spoofed the IRS by using the sender name “IRS Tax E-Filing,” with the subject line “Verifying your EFIN before e-filing.” The emails looked convincing and required “authorized e-file originators” to reverify prior to filing returns through the IRS system. The emails claimed the IRS had started using this new security measure to prevent unauthorized and fraudulent activities. The scammers requested a PDF file/scan of the EFIN acceptance letter and both sides of the individual’s driver’s license. Similar scams have been conducted that require tax preparers’ ID numbers and e-services usernames and passwords to be provided.
This year, in addition to the usual phishing emails spoofing the IRS, campaigns have been detected where the attackers claim to be potential clients looking for tax preparers ahead of the filing deadline. Attachments are provided that would typically be needed by tax preparers, but they are laced with malicious scripts that install keylogging malware that records and exfiltrates keystrokes, with are likely to include usernames and passwords.
Tax preparers that fall victim to these scams can suffer catastrophic damage to their reputations, so it is important to exercise caution when opening any emails and to stop and think carefully about any request to provide sensitive information or download files.
One of the easiest ways to protect against these scams is to implement an advanced spam filtering solution that can identify and block these malicious messages. SpamTitan is a powerful email security solution that identifies and blocks malware and documents containing malicious scripts with dual antivirus engines, sandboxing, and machine learning techniques. In addition to blocking malware threats, SpamTitan is highly effective at blocking phishing emails containing malicious links.
The award-winning spam filter is quick and easy to implement and maintain, requiring no technical knowledge. You can be up and running in minutes and protecting your inbox from phishing and malware attacks, which will allow you to concentrate on your business at this busy time of year and avoid costly cyberattacks.
For more information about SpamTitan, to book a product demonstration or to register for a free trail, give the SpamTitan team a call today.
Phishers regularly changes their tactics, techniques and procedures and create more convincing scams to trick employees into disclosing sensitive information or installing malware on their computers. One novel tactic that was first observed in the fall of 2020 involved the use of malformed URL prefixes. Over the following months, the number of emails sent with these atypical URL prefixes grew, and according to GreatHorn researchers, the volume of these messages increased by almost 6,000% in the first month of the year.
URLs start with either HTTP:// or HTTPS://, which are the standard URL protocols. While end users may check to see if the URL starts with HTTP or HTTPS to determine whether the connection to the website is encrypted, they may not notice or be overly concerned about what comes after the colon. That is also true of certain security solutions and browsers, which also do not check that part of the URL.
The new tactic sees one of the forward slashes swapped with a backslash, so HTTPS:// becomes HTTP:/\ and it is enough of a change to see phishing emails delivered to inboxes. This tactic has been combined with another tactic that reduces the chance of the link being identified as malicious. The URL linked in the emails directs the user to a web page that includes a reCAPTCHA security feature. This feature will be known to most internet users, as it is used by a great deal of websites and search engines to distinguish between real users and robots.
The challenge must be passed for a connection to the website to me made. Having this security feature helps to convince the visitor that they are arriving on a legitimate site, but it also stops security solutions from assessing the content of the site. If the user passes the reCAPTCHA challenge, they are then redirected to a different URL that hosts the phishing form. That webpage very closely resembles the login prompt of Office 365 or Google Workspace, with this campaign mostly targeting Office 365 credentials.
Since this new tactic is now proving popular it is worthwhile incorporating this into your security awareness training sessions to make employees aware of the need to check the URL prefix, and also add a rule in SpamTitan to block these malformed URLs.
A new Adidas phishing scam has been detected that offers free shoes and money. The messages claim that Adidas is celebrating its 93rd anniversary and is giving 3000 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription.
“Adidas is giving away 3000 Free Pair of Shoes to celebrate its 93rd anniversary. Get your free shoes at <link>”
The very same scam was run in 2019 claiming to celebrate 69th anniversary and on that occasion was giving 2,500 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription. The scammer saw success previously and have clearly decided it’s worth trying again.
The Scam Adidas Email
There is also an email version of the scam. The fake Adidas email claims the recipient has won a large sum of money and all they need to do to claim the cash is send their personal details via email.
Scam emails are now a very effective form of cyber attack. Most successful hacking attacks today begin with a phishing email. Scam emails containing ransomware or BEC are a challenge for corporate security.
A successful breach can cost an organization millions but defending against this kind of attack requires powerful anti-spam and malware technology. To defend against this kind of phishing attack you need a cutting edge email security solution to stop scam emails, a security aware workforce to identify a scam email and spot a spoof email, and powerful web protection that blocks user from accessing dangerous websites
WhatsApp phishing scam
The WhatsApp phishing scam is targeting users on mobile devices in specific locations. If the user clicks the link in the message and is determined not to be using a mobile device, they will be directed to a webpage that displays a 404 error. The scam will also only run if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.
Provided the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The responses to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.
In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user does this, they will be directed to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.
There is another catch. In order to claim their free sneakers, the user must pay $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any point.
On the payment screen the user is told that the payment will be processed by organizejobs.net. Proceeding with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.
The campaign is being run on WhatsApp, although similar scams have been conducted via email and SMS messages. Several variations along the same theme have also been identified spoofing different shoe manufacturers.
The link supplied in the WhatsApp phishing message appears to be genuine, using the official domain for the country in which the user is located. While the domain looks correct, this is an example of a homoglyph attack. Instead of the domain adidas.de, the i is replaced with a vertical line – a homoglyph attack.
These types of scams are commonplace. Homoglyph scams take advantage of the ability to use non-ASCII characters in domain names. Similar scams use a technique called typosquatting – where domains closely matching real brand names are registered: Incorrect spellings for instance, such as “Addidas” instead of Adidas, or with an i replaced with a 1 or an L.
In this case, the attackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the information used to run up huge bills or drain bank accounts.
There are various warning signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will reveal it is incorrect. The need to share the message to contacts is atypical, being notified of a charge after being told the shoes are free, the failure to ask the user to choose a pair of shoes or even select their size, and an odd domain name is used to process payment. However, even with these tell-tale signs that the offer is not genuine, this adidas phishing scam is likely to fool many people.
Be warned. If you receive any unsolicited WhatsApp message offering you free goods, best to assume it is a phishing scam.
To find out more about some of the key protections you can put in place to improve your resilience against email scams and phishing attacks, contact the SpamTitan team today.
Ransomware attacks in 2020 were conducted at twice the rate of the previous year, with many organizations falling victim and having to pay large ransoms to recover their data or risk sensitive information being published or sold to cybercriminal organizations.
At the start of 2020, data exfiltration prior to the deployment of ransomware was still only being conducted by a small number of ransomware gangs, but that soon changed as the year progressed. By the end of the year, at least 17 cybercriminal gangs were using this double extortion tactic and were stealing sensitive data prior to encrypting files. Faced with the threat of publication of sensitive data, many attacked organizations felt they had little alternative other than to pay the ransom demand.
The extent of ransomware attacks in 2020 has been highlighted by various studies by cybersecurity researchers over the past few weeks. Chainalysis recently released a report that suggests more than $350 million has been paid to cybercriminals in 2020 alone, based on an analysis of the transactions to blockchain addresses known to be used by ransomware threat groups. Of course, that figure is likely to be far lower than the true total, as many companies do not disclose that they have suffered ransomware attacks. To put that figure into perspective, a similar analysis in 2019 estimated the losses to be around $90 million. Those figures are for ransom payments alone, not the cost of resolving attacks, which would be several orders of magnitude higher.
The increase in attacks can be partly attributed to the change in working practices due to the pandemic. Many companies switched from office-based working to a distributed remote workforce to prevent the spread of COVID-19 and keep their employees protected. The rapid change involved hastily implementing remote access solutions to support those workers which introduced vulnerabilities that were readily exploited by ransomware gangs.
Most Ransomware Attacks Now Start with Phishing
Throughout 2020, phishing was commonly used as a way to gain access to corporate networks, accounting for between 25% and 30% of all ransomware attacks, but new data released by the ransomware attack remediation firm Coveware shows the attack methods changed in the last quarter of 2020. As companies and organizations addressed vulnerabilities in remote access solutions and VPNs and improved their defenses, phishing became the most common attack method. Coveware’s analysis shows that in the final quarter of 2020, more than 50% of ransomware attacks started with a phishing email.
Ransomware can be delivered directly through phishing emails, although it is more common to use intermediary malware. The most commonly used malware variants for distributing ransomware are Trojans such as Emotet and TrickBot, both of which are extensively delivered via phishing emails. These malware variants are also capable of self-propagating and spreading to other devices on the network.
Access to compromised devices is then sold to ransomware gangs, who access the devices, steal sensitive data, then deploy their ransomware payload. The Emotet botnet played a large role in ransomware attacks in 2020, and while it has now been disrupted following a joint law enforcement operation, other malware variants are certain to take its place.
The same report also highlighted the nature of businesses attacked with ransomware. Far from the gangs targeting large enterprises with deep pockets, most attacks are on small- to medium-sized businesses with under 250 employees. 30.2% of attacks were on businesses with between 11 and 100 employees, with 35.7% on businesses with 101 to 1,000 employees. Healthcare organizations, professional services firms, and financial services companies have all been targeted and commonly fall victim to attacks, although no sector is immune.
70% of ransomware attacks now involve data theft prior to encryption, so even if backups exist and can be used to restore data, it may not be possible to avoid paying the ransom. There is also a growing trend for data to be permanently deleted, which leaves businesses with no way of recovering data after a ransomware attack.
Steps to Take to Block Ransomware Attacks
What all businesses and organizations need to do is to make it as hard as possible for the attacks to succeed. While there is no single solution for blocking ransomware attacks, there are measures that can be taken that make it much harder for the attacks to succeed.
With most ransomware attacks now starting with a phishing email, an advanced email security solution is a must. By deploying best-of-breed solutions such as SpamTitan to proactively protect the Office365 environment it will be much easier to block threats than simply relying on Office 365 anti-spam protections, which are commonly bypassed to deliver Trojans and ransomware.
A web filtering solution can provide protection against ransomware delivered over the internet, including via links sent in phishing emails. Multi-factor authentication should be implemented for email accounts and cloud apps, employees should be trained how to identify threats, and monitoring systems should be implemented to allow attacks in progress to be detected and mitigated before ransomware is deployed.
DMARC email authentication is an important element of phishing defenses, but what is DMARC email authentication, what does it do, and how does it protect against email impersonation attacks?
There is some confusion about what DMARC email authentication is and what it can do. In this post we explain in clear English what DMARC means and why it should be part of your anti-phishing defenses.
What is DMARC
DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes. DMARC is a critical component of email cybersecurity that reduces an attacker’s ability to get email threat to an end user’s inbox.
With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.
If DMARC is implemented on email, a business can have all incoming emails checked against DMARC records and any email that fails the check can be subjected to certain actions.
The message can be delivered as normal with a warning and the email will be included in a report of emails that failed the check. The message could automatically be sent to quarantine for manual approval before delivery is made. Alternatively, the message could be rejected or subjected to a custom policy. An organization can select the best policy to adopt based on their level of risk tolerance.
DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes. DMARC is just one of several rules that are used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user.
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DNS records are also used to determine whether the email server being used is authorized to send emails for the organization.
What is Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) is an email-authentication technique used to restrict who can send emails from your domain. It allows your mail server determine when a message comes from the domain that it uses. SPF has three major elements: a policy framework, an authentication method and specialized headers to convey the information.
An email message contains two sender addresses:
- The From:header, displaying the name and email address of the sender
- The Envelope From:or Return-Path email address.
Both types of sender addresses can be easily spoofed.
SPF uses a DNS record to verify the Envelope From: only. This means that if a spammer spoofs the Envelope From: address using a domain where SPF is enabled, the mail will be caught by the receiving server. If the spammer spoofs the From: header, SPF will not catch this. The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies. The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.
Together with the DMARC related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is. SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.
DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification.
If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.
DMARC offers a much greater level of protection than SPF and is more dependable, so both should be implemented. Both SPF and DMARC are incorporated into SpamTitan to better protect users from email spoofing attacks. Enabling SPF, DKIM and DMARC will help greatly reduce the amount of spoof emails recieved, and that is only good.
To find out more about improving your email security defenses, contact the TitanHQ team today.
The notorious Emotet botnet, which has been used in extensive attacks on companies around the globe for many years, has been taken down as part of a coordinated effort by Europol, the FBI, the UK National Crime Agency, and other law enforcement agencies.
The threat actors behind Emotet used their malware to create a backdoor in the systems of many companies, with access then sold to other threat groups to conduct further malicious activities including stealing sensitive data and extortion through the deployment of ransomware.
The operation has been planned for around two years and was coordinated to ensure that the multi-country infrastructure was simultaneously taken down to disrupt any attempts by the threat group to reconstruct the network. Law enforcement agencies have seized control of hundreds of servers and have taken control of the entire Emotet infrastructure, in what will be seen by many to be the most important malware takedowns to date. The takedown has prevented the Emotet gang from communicating with the malware and has resulted in the loss of control of the army of compromised devices that make up the botnet.
Europol and its partners succeeded in mapping the entire infrastructure, took control of the network, and deactivated the Emotet Trojan. A software update was placed on the main servers used to control the malware, two of which were located in the Netherlands. Infected computer systems will retrieve the update, which will see Emotet Trojan on those systems quarantined.
The Most Dangerous Malware and Most Prolific Botnet
Emotet is arguably the most dangerous malware of recent years and the botnet used to distribute it is one of the most prolific. Around 30% of all malware attacks in 2020 involved the Emotet Trojan.
Phishing emails were used to deliver the Emotet Trojan. Massive phishing campaigns were conducted using a wide range of lures to trick recipients into opening malicious attachments or visiting websites that downloaded the Emotet Trojan. The lures used in the campaigns frequently changed, taking advantage of world events to maximize the probability of the attachments being opened.
Emotet started life as a banking Trojan but was later developed to also serve as a malware dropper. Emotet delivered other banking Trojans such as TrickBot as the secondary malware payload, and ransomware variants such as Ryuk – each of which were dangerous in their own right.
Devices infected with Emotet are added to the botnet and used to distribute copies of the Emotet Trojan to other devices on the network and the user’s contacts by hijacking the user’s email account. A single device on a corporate network that was infected with Emotet could quickly result in widespread infection. The Trojan was also particularly difficult to eradicate, as removal of the infection would only be temporary, with other devices on the network simply re-infecting the cleaned device.
In the leadup to the 2020 Presidential election in the United States, Microsoft and its partners succeeded in seizing control of some of the infrastructure used to control and distribute the TrickBot Trojan. In that case the operation was only temporarily successful, as the TrickBot gang was able to rapidly recover and restore its infrastructure.
Time will tell as to how successful the Emotet takedown has been and whether the operation has only temporarily disrupted the activities of the Emotet gang or whether the takedown has left it completely crippled.
A new phishing campaign has been identified that abuses the Windows Finger command to download a malware variant called MineBridge.
The Finger command in Windows can be used by a local user to obtain a list of users on a remote machine or, alternatively, to obtain information about a specific remote user. The Finger utility originated in Linux and Unix operating systems but is also included in Windows. The utility allows commands to be executed to find out whether a particular user is logged on, although this is now rarely used.
There are also security concerns with the finger utility, and it has been abused in the past to find out basic information about users that can be targeted in social engineering attacks. Vulnerabilities in the finger protocol have also been exploited in the past by some malware variants.
Recently, security researchers discovered Finger can be used as a LOLBin to download malware from a remote server or to exfiltrate data without triggering alerts from security solutions. Finger is now being used in at least one phishing campaign to download malware.
MineBridge malware is a Windows backdoor written in C++ that has previously been used in attacks on South Korean companies. The malware was first identified in December 2020 by researchers at FireEye and in January 2020 several campaigns were identified distributing the malware via phishing emails with malicious Word attachments.
The latest campaign sees the attackers impersonate a recruitment company. The email is a recommendation of a candidate for consideration for a position at the targeted firm. The sender recommends even if there are no current openings, the CV should be checked, and the candidate considered. The email is well written and believeable.
As is common in phishing campaigns, if the document is opened a message will be displayed that tells the user the document has been created in an old version of Windows and to view the content the user needs to ‘enable editing’ and then ‘enable content’. Doing so will run the macro, which will fetch and download a Base64 encoded certificate using the Finger command. The certificate is a malware downloader that used DLL hijacking to sideload the MineBridge backdoor. Once installed, MineBridge will give the attacker control over an infected device and allow a range of malicious actions to be performed.
It is easiest to block attacks like this by installing an advanced spam filtering solution to block the malicious emails and prevent them from reaching inboxes. As an additional protection against this and other campaigns that abuse the Finger.exe utility in Windows, admins should consider disabling finger.exe if it is never used.
Phishing scams can be difficult for employees to identify. The emails provide a plausible reason for taking a certain action, such as clicking a link in an email. The websites that users are directed to are virtually indistinguishable from the genuine websites that the scammers spoof and credentials are commonly captured.
The pandemic has seen increasing numbers of employees working from home and accessing their company’s cloud applications remotely. Businesses are now much more reliant on email for communication than when employees were all office based. Cybercriminals have been taking advantage and have been targeting remote workers with phishing scams and many of these attacks have been successful.
Employees often receive training on cybersecurity and are told to be wary of emails that have been sent from unknown individuals, but many still open the emails and take the requested action. The emails often spoof an individual that is known to the recipient, which increases the likelihood of that email being opened. It is also common for well known brands to be impersonated in phishing attacks, with the attackers exploiting trust in that brand.
A recent analysis of phishing emails by Check Point revealed the most commonly impersonated brand in phishing attacks over the past 3 months is Microsoft, which is not surprising given the number of businesses using Office 365. The study revealed 43% of phishing attempts that mimic brands impersonate Microsoft.
Microsoft credentials are then captured in these attacks and are used to remotely access accounts. The data stored in a single email account can be substantial. There have been many healthcare phishing attacks that have seen a single account compromised that contained the sensitive data of tens of thousands or even hundreds of thousands of patients. These phishing emails are often only the first step in a multi-stage attack that gives the threat actors the foothold they need for a much more extensive attack on the organization, often resulting in the theft of large amounts of data and ending with the deployment of ransomware.
Microsoft is far from the only brand impersonated. The analysis revealed DHL to be the second most impersonated brand. DHL-based phishing attacks use failed delivery notifications and shipping notices as the lure to get individuals to either disclose sensitive information such as login credentials or open malicious email attachments that download malware. 18% of all brand impersonation phishing attacks involve the impersonation of DHL. This makes sense as the phishers target businesses and especially during a pandemic when there is increased reliance on courier companies.
Other well-known brands that are commonly impersonated include PayPal and Chase to obtain account credentials, LinkedIn to allow professional networking accounts to be compromised, and Google and Yahoo are commonly impersonated to obtain account credentials. Attacks spoofing Amazon, Rakuten, and IKEA also make the top 10 most spoofed brand list.
Phishers mostly target business users as their credentials are far more valuable. Businesses therefore need to ensure that their phishing defenses are up to scratch. Security awareness training for employees is important but given the realistic nature of phishing emails and the plausibility of the lures used, it is essential for more reliable measures to be implemented to block phishing attacks.
Top of the list of anti-phishing measures should be an advanced spam filter. Many businesses rely on the spam filtering capabilities of Office 365, but this only provides a level of protection. The default spam filter in Office 365 is not particularly effective at blocking sophisticated phishing attacks. Businesses that rely on Microsoft’s Exchange Online Protection (EOP) see many phishing emails delivered to inboxes where they can be opened by employees.
To better protect against phishing attacks, a third-party spam filter should be layered on top of Office 365. SpamTitan has been developed to provide enhanced protection for businesses that use Office 365. The solution implements seamlessly with Office 365 and the solution is easy to implement and maintain. The result will be far greater protection from phishing attacks and other malicious emails that employees struggle to identify.
For further information on SpamTitan, to register for a free trial, and for details of pricing, give the TitanHQ team a call today.
To protect their clients from phishing attacks, Managed Service Providers (MSPs) need to provide a comprehensive range of cybersecurity solutions. This post explores the risks from phishing and suggests some easy to implement anti-phishing solutions for MSPs to add to their security offerings.
Phishing is the Number One Cyber Threat Faced by SMBs
Phishing is the number one cyber threat faced by businesses and one of the hardest to defend against. All it takes is for an employee to respond to a single phishing email for a costly data breach to occur. The consequences for the company can be severe.
Email accounts contain a wide range of sensitive information. A phishing attack on a UnityPoint Health hospital in Des Moines, IA, in 2018 saw the protected health information of 1.4 million patients compromised. Also in 2018, a phishing attack on the Boys Town National Research Hospital saw one account compromised that contained the information of more than 105,300 patients. Phishing emails are also used to introduce malware and ransomware. These attacks can be even more damaging and costly to mitigate.
The healthcare industry is extensively targeted by phishers due to the high value of healthcare data, although all industry sectors are at risk. In response to the high number of cyberattacks and the current threat levels, the Trump administration recently launched the “Know the Risk, Raise your Shield” campaign. The campaign aims to raise awareness of the threat from phishing and other attack methods and encourage private businesses to do more to improve their defenses.
Phishing will continue to be a major threat to businesses for the foreseeable future. Attacks will continue because they require relatively little skill to conduct, phishing is highly effective, and attacks can be extremely lucrative.
Easy to Implement Anti-Phishing Solutions for MSPs
There is no single solution that will provide total protection against phishing attacks. Businesses need layered defenses, which provides an opportunity for MSPs. SMBs can struggle to implement effective defenses against phishing on their own and look to MSPs for assistance.
MSPs that can provide a comprehensive anti-phishing package will be able to protect their clients, prevent costly phishing attacks, and generate more business. Effective anti-phishing controls are also an easy sell. Given the cost of mitigating attacks, the package is likely to pay for itself. But what solutions should be included in MSPs anti-phishing offerings?
Listed below are three easy-to-implement anti-phishing solutions for MSPs to offer to their clients, either individually or part of an anti-phishing security package.
Advanced Spam Filtering
Advanced spam filtering solutions are essential. They block phishing emails on the server before they can be delivered to inboxes or employees’ spam folders. An advanced spam filter will block in excess of 99.9% of spam and malicious emails and by itself, is the single most important solution to implement.
SpamTitan is an ideal anti-phishing solution for MSPs. This cloud-based solution supports an unlimited number of domains, all of which can be protected through an easy to use interface. The solution supports per domain administrators, with each able to implement elements of their own email such as searches and the release of messages from the quarantine folder. Reports can be generated per domain and those reports can be scheduled and automatically sent to clients. The solution can be fully rebranded to take an MSP logo and color scheme, and the solution can be hosted in TitanHQ’s private cloud or within your own data center.
Security Awareness Training and Testing
While the majority of malicious emails will be blocked at source, a very small percentage may slip through the net. It is therefore essential for employees to be aware of the risks from phishing and to have the skills to identify potential phishing emails. MSPs can help their clients by providing a staff training program. Many security awareness training companies offer MSP programs to help manage training for clients and a platform to conduct phishing simulation exercises to test security awareness.
DNS-Based Web Filtering
Even with training, some employees may be fooled by phishing emails. This is to be expected, since many phishing campaigns use messages which are highly realistic and virtually indistinguishable from genuine emails. Spam filters will block malicious attachments, but a web filter offers protection from malicious hyperlinks that direct users to phishing websites.
A DNS-based web filter blocks attempts by employees to access phishing websites at the DNS-level, before any content is downloaded. When an employee clicks on a phishing email, they will be directed to a block screen rather than the phishing website. Being DNS-based, web filters are easy to implement and no appliances are required.
WebTitan is an ideal web filtering solution for MSPs. WebTitan can be configured in just a couple of minutes and can protect all clients from web-based phishing attacks, with the solution managed and controlled through a single easy-to-use interface. Reports can be automatically scheduled and sent to clients, and the solution is available in full white-label form ready for MSPs branding. A choice of hosting solutions is also offered, and the solution can connect with deployment, billing and management tools through APIs.
Key Product Features of SpamTitan and WebTitan for MSPs
- Easy to manage: There is a low management overhead. SpamTitan and WebTitan are set and forget solution. We handle all the updates and are constantly protecting against new threats globally, in real-time.
- Scalability: Regardless of your size you can deploy the solution within minutes. SpamTitan and WebTitan are scalable to thousands of users.
- Extensive API: MSPs provided with API integration to provision customers through their own centralized management system; a growth-enabling licensing program, with usage-based pricing and monthly billing.
- Hosting Options: SpamTitan and WebTitan can be deployed as a cloud based service hosted in the TitanHQ cloud, as a dedicated private cloud, or in the service provider’s own data center.
- Extensive drill down reporting: Integration with Active Directory allows detailed end user reporting. Comprehensive reports can be created on demand or via the scheduled reporting options.
- Support: World class support – we are renowned for our focus on supporting customers.
- Tried & Tested: TitanHQ solutions are used by over 1500 Managed Service Providers worldwide.
- Rebrandable: Rebrand the platform with your corporate logo and corporate colors to reinforce your brand or to resell it as a hosted service.
TitanSHIELD Program for MSPs
To make it as easy as possible for MSPs to incorporate our world class network security solutions into their service stacks, TitanHQ developed the TitanSHIELD program. The TitanShield MSP Program allows MSPs to take advantage of TitanHQ’s proven technology so that they can sell, implement and deliver our advanced network security solutions directly to their client base. Under the TitanSHIELD program you get the following benefits:
||Private or Public Cloud deployment
||Access to the Partner Portal
|Dedicated Account Manager
||White Label or Co-branding
||Co-Branded Evaluation Site
|Assigned Sales Engineer Support
||Social Network participation
|Access to Global Partner Program Hotline
||Free 30-day evaluations
|Access to Partner Knowledge Base
||Joint White Papers
||Partner Events and Conferences
|24/7 Priority Technical Support
||Tiered Deal Registration
|5 a.m. to 5 p.m. (PST) Technical Support
||Better Together Webinars
|Online Technical Training and FAQs
||Advanced Product Information
||Partner Certificate – Sales and technical
|Access to Partner Technical Knowledge Base
||Competitive Information and Research
||Sales Campaigns in a box
||Not-for-Resale (NFR) Key
||Public Relations Program and Customer Testimonials
||Product Brochures and Sales Tools
||TitanHQ Corporate Style Guide and Logo Usage
||Partner Advisory Council Eligibility
||TitanHQ Partner Welcome Kit
||QTRLY Business Planning and Review
||Access to TitanHQ’s MVP Rewards Program
||Access to Partner Support
For further information on TitanHQ’s anti-phishing solutions for MSPs, contact the TitanHQ team today and enquire about joining the TitanSHIELD program.
A Trump-themed phishing campaign has been detected that attempts to deliver the Qnode Remote Access Trojan (QRAT) under the guise of a video file that appears to be a Donald Trump sex tape.
QRAT is a Java-based RAT that was first detected in 2015 that has been used in several phishing campaigns over the years, with an uptick in distribution observed from August 2020. Interestingly, the malicious file attachment – named “TRUMP_SEX_SCANDAL_VIDEO.jar” – bears no relation to the phishing email body and subject line, which offers a loan as an investment for a dream project or business plan. The subject line is “GOOD LOAN OFFER,” and the sender claims a loan will be provided if there is a good return on the investment and between $500,000 and $100 million can be provided. It is unclear whether an error has been made and the wrong file attachment was added to the email or if this was a deliberate mismatching of a malicious .jar file. While the emails are unlikely to fool many end users, there may be enough interest in the video to pique the interest of some recipients.
The phishing campaign does appear to be poorly constructed, but the same cannot be said of the malware the campaign attempts to deliver. The version of QRAT delivered in this campaign is more sophisticated than previously detected versions, with several improvements made to evade security solutions. For instance, the malicious code used as the QRAT downloader is obfuscated and split across several different buffers within the .jar file.
Phishing campaigns often take advantage of interest in popular new stories and the Presidential election, allegations of election fraud, and recent events at Capitol Hill have seen President Trump trending. It is likely that this will not be the only Trump-themed phishing campaign to be conducted over the next few days and months.
This campaign appears to target businesses, where the potential returns from a malware infection is likely to be far higher than an attack on consumers. Blocking threats such as this is easiest with an advanced email security solution capable of detecting known and new malware variants.
SpamTitan is an advanced, cost-effective spam filtering for businesses and the leading cloud-based spam filter for managed service providers serving the SMB market. SpamTitan incorporates dual anti-virus engines to identify known malware threats, and a Bitdefender-powered sandbox to identify zero-day malware. The solution also supports the blocking of risky file types such as JARs and other executable files.
SpamTitan is also effective at blocking phishing emails without malicious attachments, such as emails with hyperlinks to malicious websites. The solution has multiple threat detection features that can identify and block spam and email impersonation attacks and machine learning technology and multiple threat intelligence feeds that provide protection against zero-minute phishing attacks.
One of the main reasons why the solution is such as popular choice with SMBs and MSPs is the ease of implementation, use, and maintenance. SpamTitan takes the complexity out of email security to allow IT teams to concentrate on other key tasks.
SpamTitan is the most and top-rated email security solution on Capterra, GetApp and Software Advice, is a top three solution in the three email security categories on Expert Insights and has been a leader in the G2 Email Security grids for 10 consecutive quarters.
If you want a spam filtering solution that is effective and easy to use, look no further than SpamTitan. For more information, give the TitanHQ team a call. SpamTitan is also available on a free trial to allow you to evaluate the solution in your own environment before deciding on a purchase.
The threat from phishing is ever present and phishing remains the leading cause of data breaches. All it takes is for one employee to fall for a phishing email for threat actors to gain the foothold they need to conduct more extensive attacks on the organization. But how common is phishing? In this post we provide some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing defenses.
2020 Phishing Statistics
Phishing is the easiest way for cybercriminals to gain access to sensitive data and distribute malware. Little skill or effort is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The latest figures show that in 2020, 22% of reported data breaches started with a phishing email and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc., and the massive Home Depot data breach in 2014 that saw the email addresses of 53 million individuals stolen.
Phishing can be conducted over the phone, via SMS, social media networks, or instant messaging platforms, but email is most commonly used. Around 96% of all phishing attacks occur via email. Successful phishing attacks result in the loss of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving the incidents and resultant data breaches is substantial. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security revealed the average cost of a data breach is around $150 per compromised record with a total cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to resolve.
Employees may believe they are able to spot phishing emails, but data from security awareness training companies show that in many cases, that confidence is misplaced. One study in 2020 revealed that 30% of end users opened phishing emails, 12% of users clicked a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing websites. Bear in mind that 78% of users claimed that they know they shouldn’t open email attachments from unknown senders or click links in unsolicited emails.
The 2020 phishing statistics show phishing and spear phishing are still incredibly common and that phishing attacks often succeed. Another study revealed 85% of companies have fallen victim to a phishing attack at least once. Phishing websites are constantly being created and used in these scams. Once a URL is confirmed as malicious and added to a blacklist, it has often already been abandoned by the threat actors. In 2020, around 1.5 million new phishing URLs were identified every month.
2020 has seem a massive increase in ransomware attacks. While manual ransomware attacks often see networks compromised by exploiting vulnerabilities in firewalls, VPNs, RDP, and networking equipment, ransomware is also delivered via email. Since 2016, the number of phishing emails containing ransomware has increased by more than 97%.
How to Detect and Block Phishing Threats
Tackling phishing and preventing successful attacks requires a defense in depth approach. An advanced spam filtering solution is a must to prevent phishing emails from reaching inboxes. Companies that use Office 365 often rely on the protections provided as standard with their licenses, but studies have shown that the basic level of protection provided by Microsoft’s Exchange Online Protection (EOP) is insufficient and average at best and phishing emails are often not detected. A third-party, solution is recommended to layer on top of Office 365 – One that incorporates machine learning to identify never before seen phishing threats. The solution should use email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks and outbound scanning to identify compromised mailboxes.
End user training is also important. In the event of a phishing email arriving in an inbox, employees should be trained to identify it as such and be conditioned into reporting the threat to their IT team to ensure action can be taken to remove all instances of the threat from the email system. Web filters are also important for blocking the web-based component of phishing attacks and preventing employees from visiting phishing URLs. Multi-factor authentication on email accounts is also essential. In the event of credentials being stolen, MFA will help to ensure that the credentials cannot be used to access email accounts.
Cybercriminals are leveraging interest in COVID-19 vaccination programs and are conducting a range of COVID-19 vaccine phishing scams with the goal of obtaining sensitive data such as login credentials or to distribute malware. Several government agencies in the United States have recently issued warnings to businesses and consumers about the scams including the Department of Health and Human Services’ Office of Inspector General and the Centers for Medicare and Medicaid Services, and law enforcement agencies such as the FBI.
COVID-19 vaccine scams can take many forms. Campaigns have already been detected that offer early access to COVID-19 vaccines. These scams require a payment to be made as a deposit or a fee to get to the top of the waiting list. Other scams offer the recipients a place on the waiting list if they apply and provide personal information.
COVID-19 vaccine phishing scams are being conducted via email; however, it is likely that fraudsters will advertise on websites, social media channels, or conduct scams over the telephone or via SMS messages and instant messaging platforms. While many of these scams target consumers, there is potential for businesses to be affected if employees access their personal emails at work or if the scam emails are sent to work email addresses.
Scam emails often include links to websites where information is harvested. These links may be hidden in email attachments to hide them from email security solutions. Office documents are also commonly used for delivering malware, via malicious macros.
The emails typically impersonate trusted entities or individuals. COVID-19 vaccine scam emails are likely to impersonate healthcare providers, health insurance companies, vaccine centers, and federal, state, or local public health authorities. During the pandemic there have been many cases of fraudsters impersonating the U.S. Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) in Covid-19 related phishing scams.
The U.S. Department of Justice recently announced that two domains have been seized that impersonated vaccine developers. The domains were virtual carbon copies of the legitimate websites of two biotechnology companies involved in vaccine development. The malicious content has been removed, but there are likely to be many more domains registered and used in COVID-19 vaccine phishing scams over the coming weeks.
Warnings have also been issued about the risk of ransomware attacks that take advantage of interest in COVID-19 vaccines and provide the attackers with the foothold in networks they need to conduct their attacks.
There are four important steps that businesses can take to reduce to risk of falling victim to these scams. Since email is extensively used, it is essential to have an effective spam filtering solution in place. Spam filters use blacklists of malicious email and IP addresses to block malicious emails, but since new IP addresses are constantly being used in these scams, it is important to choose a solution that incorporates machine learning. Machine learning helps to identify phishing threats from IP addresses that have not previously been used for malicious purposes and to identify and block zero-day phishing threats. Sandboxing is also important for identifying and blocking zero-day malware threats that have yet to have their signatures incorporated into the virus definition lists of antivirus engines.
While spam filters can identify and block emails that contain malicious links, a web filtering solution is also recommended. Web filters are used to control the websites that employees can access and prevent visits to malicious websites through general web browsing, redirects, and clicks on malicious links in emails. Web filters are constantly updated via threat intelligence feeds to provide protection against recently discovered malicious URLs.
Businesses should not neglect end user training and should regularly provide refresher training to employees to help them identify phishing threats and malicious emails. Phishing simulation exercises are also beneficial for evaluating the effectiveness of security awareness training.
Multi-factor authentication should also be applied as a last line of defense. In the event of credentials being compromised, multi-factor authentication will help to ensure that stolen credentials cannot be used to remotely access accounts.
With these measures implemented, businesses will be well protected from malware, COVID-19 vaccine phishing scams, and other phishing threats.
For further information on spam filtering, web filtering, and protecting your business from malware and phishing attacks, give the TitanHQ team a call today.
Recently, a new technique has been identified that is being used by hackers to conduct cross-site scripting attacks from within PDF files.
PDF files have long been used by hackers for phishing attacks and malware delivery. Oftentimes, emails are sent with PDF file attachments that contain hyperlinks to malicious websites. By adding these links into the files rather than the body of the email message, it is harder for security solutions to identify those malicious links.
The latest attack method also uses PDF files, but instead of tricking employees into revealing their login credentials or visiting a malicious website where malware is downloaded, the attackers attempt to obtain sensitive information contained in PDF files.
The technique is similar to those used to by hackers in web application attacks. Cross-site scripting attacks – or XXS attacks for short – typically involve injecting malicious scripts into trusted websites and applications. When a user visits a website or a hacked application, the script executes. The scripts give the attackers access to user information such as cookies, session tokens, and sensitive data saved in browsers, such as passwords. Since the website or application is trusted, the web browser will not recognize the script as malicious. These attacks are possible in websites and web applications where user input is used to generate output without properly validating or encoding it.
What sort of data could be captured in such an attack? A substantial amount of sensitive data is contained in PDF files. PDF files are used extensively for reports, statements, logs, e-tickets, receipts, boarding passes, and much more. PDF files may contain passport numbers, driver’s license numbers, bank account information, and a range of other sensitive data. The presenters at the conference explained they found some of the largest libraries of PDF files worldwide were sensitive to XXS attacks.
In the most part, the vulnerabilities in PDF files that allow XXS attacks are not due to the PDF files themselves, but improper coding. If PDF libraries fail to properly parse code of escape characters and allow unprotected formats, they will be vulnerable. Fortunately, Adobe released an update on December 9 which prevents this type of security vulnerability from being exploited, although companies that create PDF files must update their software and apply the update to be protected.
This is just one way that malicious attachments can be used to obtain sensitive information. As previously mentioned, malicious macros are commonly added to office documents, executable files are added as attachments to emails and masquerade as legitimate files, and malicious code can be injected into a range of different file types.
One of the best ways to protect against attacks via email using malicious attachments is to use an advanced email security solution that can detect not just known malware but also never-before-seen malicious code. This is an area where SpamTitan Email Security excels.
SpamTitan incorporates dual anti-virus engines (Bitdefender/ClamAV) to catch known malware threats and sandboxing to identify malicious code that has been added to email attachments. Files are subjected to in-depth analysis in the security of the sandbox and are checked for any malicious actions.
To find out more about protecting your organization from malicious emails and malware, give the TitanHQ team a call.
The healthcare industry in the United States has long been targeted by cybercriminals seeking access to sensitive patient data. Patient data is a valuable commodity, as it can be used for a multitude of fraudulent purposes including identity theft, tax fraud, insurance fraud, and blackmail and understandably has a high black market value.
Some of the largest healthcare data breaches ever reported have started with a phishing attack, including the 78.8 million-record data breach at the health insurer Anthem Inc. and the cyberattack on Premera Blue Cross, another U.S. health insurer, which affected around 11 million individuals, both of which were reported in 2015.
While healthcare data breaches on the scale of Anthem’s have been avoided since, large phishing-related breaches are still occurring. The latest phishing-related data breach to be reported by a U.S. health insurer resulted in the exposure of the health records of almost 500,000 Aetna health plan members.
The phishing attack saw the attackers gain access to the email system of a business associate of Aetna. EyeMed manages vision benefits services for the health insurer and has several other healthcare clients. The compromised account contained highly sensitive information such as names, addresses, dates of birth, and full or partial Social Security numbers – information that is extremely valuable to phishers and identity thieves. In total, the records of 484,157 Aetna members were potentially compromised, along with the data of 60,000 members of Tufts Health Plan, and around 1,000 members of Blue Cross Blue Shield of Tennessee. While it was not the largest healthcare data breach of 2020, it does rank in the top 10 healthcare data breaches of the year.
Unfortunately, healthcare industry phishing attacks involving the exposure and/or theft of more than 100,000 patient records are far from unusual. There have been more than a dozen such breaches reported by healthcare organizations and their business associates in 2020, and several dozen smaller phishing attacks.
The healthcare industry is extensively targeted and is vulnerable to phishing attacks. Unfortunately, all it takes is for one employee to respond to a phishing email for their account to be compromised. Emails often contain personal and protected health information and can be downloaded by the attackers, and the compromised account can be used to send further phishing emails to other employees in the organization. In addition to gaining access to multiple email accounts, phishing can give attackers the foothold they need for a more extensive compromise, as was the case with the Anthem and Premera data breaches.
According to a report released by the Healthcare Information and Management Systems Society (HIMSS), its survey of healthcare cybersecurity professionals revealed 57% had experienced a successful phishing attack in the past year.
Securing the email system can be a challenge in healthcare and preventing phishing attacks is a constant struggle. Unfortunately, while there are excellent email security solutions available that will ensure the vast majority of phishing emails are blocked, it is not possible to deploy a single solution and prevent all phishing attacks from succeeding. What is required is a layered approach to phishing defenses. With multiple layers of protection, if one layer fails to block a threat, others will help to ensure the threat is blocked.
At the heart of phishing defenses should be an advanced machine-learning/AI-based anti-phishing solution such as SpamTitan. SpamTitan itself provides multiple layers of protection to block known phishing threats, while the machine-learning components identify new phishing threats that have yet to be seen. SpamTitan also incorporates multiple measures to identify and block email impersonation attacks, has a data loss protection feature, and anti-malware capabilities that block both known and zero-day malware threats.
A web filter is an often-overlooked anti-phishing measure. Web filters target the web-based component of phishing attacks and provide time-of-click protection to stop employees from visiting phishing websites via links in malicious emails.
As Microsoft pointed out in a summer blog post this year, multi-factor authentication is a must. Multi-factor authentication kicks in when credentials are obtained in phishing attacks and stops those credentials from being used to access email accounts. MFA can block more than 99.9% of attacks using compromised credentials.
End user training should also not be neglected. Conditioning employees how to recognize phishing emails and respond appropriately is essential, not just for cybersecurity but also HIPAA compliance.
These measures can be the difference between a successfully thwarted attack and a costly data breach, and the cost of implementing these solutions is cheaper than many people think. To find out more, give the TitanHQ team a call.
After a 2-month break, the Emotet botnet is back up and running and has been observed conducting a phishing email campaign that is delivering between 100,000 and 50,0000 messages to inboxes a day.
Emotet first appeared in 2014 and started life as a banking Trojan; however, over the years the malware has evolved. While Emotet remains a banking Trojan, it is now best known as a malware downloader that is used to deliver a range of secondary payloads. The malware payloads it delivers also act as malware downloaders, so infection with Emotet often results in multiple malware infections, with ransomware often delivered as the final payload.
Once Emotet is installed on an endpoint it is added to the Emotet botnet and is used for spam and phishing campaigns. Emotet sends copies of itself via email to the user’s contacts along with other self-propagation mechanisms to infect other computers on the network. Emotet can be difficult to eradicate from the network. Once one computer is cleaned, it is often reinfected by other infected computers on the network.
Emotet often goes dormant for several weeks or even months, but even with long gaps in activity, Emotet is still the biggest malware threat. Emotet went dormant around February 2020, with activity resuming five months later in July. Activity continued until late October when activity stopped once again until Tuesday this week when it returned in time for Christmas. In 2020, Emotet has been observed delivering TrickBot and other payloads such as Qakbot and ZLoader.
During the periods of inactivity, the threat actors behind the malware are not necessarily inactive, they just stop their distribution campaigns. During the breaks they update their malware and returned with a new and improved version that is more effective at evading defenses.
The latest campaign uses similar tactics to past campaigns to maximize the probability of end users opening a malicious Office document. The phishing emails are usually personalized to make them appear more authentic, with Emotet using hijacked message threats with malicious content inserted. Since the emails appear to be responses to past conversations between colleagues and contacts, there is a greater chance that the recipient will open the email attachment or click a malicious hyperlink.
This campaign favors password-protected files, with the password to open the file supplied in the message body of the email. Since email security solutions cannot open these files, it is more likely that they will be delivered to inboxes. The malicious documents delivered in this campaign contain malicious macros. If the macros are enabled – which the user is told is necessary to view the content of the document – Emotet will be downloaded, after which the TrickBot Trojan will be delivered, usually followed by a ransomware variant such as Ryuk.
Previous campaigns have not displayed any additional content when the macros are enabled; however, this campaign displays an error message after the macros have been enabled instructing the user that Word experienced an error opening the file. This is likely to make the user believe the Word document has been corrupted. A variety of themes are used for the emails, with the latest campaign using holiday season and COVID-19 related lures.
An analysis by Cofense identified several changes in the latest campaign, including switching the malware binary from an executable (.exe) file to a Dynamic Link Library (.dll) file, which is executed using rundll32.exe. The command-and-control infrastructure has been changed and now uses binary data rather than plain text, both of which make the malware harder to detect.
Businesses need to be particularly vigilant and should act quickly if infections are detected and should take steps to ensure their networks are protected with anti-virus software, security policies, spam filters, and web filters.
The COVID-19 pandemic has forced businesses to reassess working practices and adapt to a new way of working, where employees no longer come to the office and instead work remotely. With COVID-19 vaccines on the way, businesses will soon be able to return to “a normal workplace.” However, many employees have got used to working from home and enjoy not having to commute and businesses have already put the effort into making sure their workforce can work effectively from home. Many businesses also report that there have been benefits, such as increases in productivity.
Once the pandemic is over it is likely that the normal workplace will be different from how it was before the pandemic. Many businesses have already stated they will adopt a hybrid workplace model, where employees can spend at least some of the week working remotely.
One of the problems with remote working is how to ensure that threats are dealt with effectively. Throughout the pandemic, cybercriminals and nation state hackers have targeted remote workers who are seen as an easy way to gain access to sensitive data and business networks. One of the ways that this is achieved is through phishing attacks.
One recent study, conducted by the security awareness training firm Terranova Security, explored how remote workers performed at detecting phishing emails and compared the results to phishing simulations conducted before the pandemic.
The company hosted a global ‘Gone Phishing Tournament’ with participants from 98 countries taking part over 11 days in October. Simulated phishing emails were sent to employees that mirrored real world phishing scenarios and responses were tracked, including clicks on suspicious links and any information entered into the webpages that users were directed to.
An analysis of the results revealed a significant year-over-year increase in click rates, which in a real-world scenario would mean that their credentials would have been stolen or they would have downloaded malware onto their computers.
20% of respondents quickly clicked phishing links in emails, compared to 11% before the pandemic. Worryingly, 67% of those who clicked revealed their login credentials on the fake phishing web pages compared to just 2% before the pandemic.
Naturally, the findings show just how important it is to provide ongoing security awareness training to the workforce to condition employees to check for the signs of phishing emails and teach them how to spot scams. They also highlight just how important it is to have an effective anti-spam solution that prevents the vast majority of phishing and scam emails from reaching inboxes where they can easily be clicked without thinking.
TitanHQ can’t help your business train your workforce how to recognize phishing emails and become more security conscious. That requires a commitment to training and phishing simulation exercises. TitanHQ can however help by ensuring phishing emails are not delivered to inboxes where they can attract a click.
TitanHQ developed SpamTitan to protect businesses from phishing and malware attacks via email, even sophisticated email-based attacks. SpamTitan incorporates many layers of protection such as blacklists of known spammers, message header analysis, content analysis, threat intelligence feeds, DMARC and SPF, and a machine learning system that can detect zero-day phishing attacks. Malware protection is provided by dual antivirus engines and sandboxing to identify never-before seen malware threats.
These and other protection mechanisms ensure that 99.97% of threats are detected and blocked, which helps reduce reliance on security awareness training and employees identifying phishing emails.
SpamTitan is an ideal solution for small- to medium-sized businesses and managed service providers serving the SMB market. Contact TitanHQ today to find out more about the solution, how cost-effective SpamTitan is, and how easy the solution is to implement, use, and maintain. Also be sure to check out the customer reviews on Capterra, GetApp and Software Advice, Google Reviews, Expert Insights, and G2 Crowd, where the solution consistently achieves high scores and, in many cases, is the top-rated email security solution.
Banking Trojans have long posed a threat to businesses, but one in particular has stood head and shoulders above the rest in 2020: The Emotet Trojan.
Emotet: The Biggest Malware Threat in 2020
The Emotet Trojan first appeared in 2014 and was initially a banking Trojan, which was used to steal sensitive data such as bank account information from browsers when the user logs into their bank account. The Emotet Trojan has since been developed and it has now evolved into a much bigger threat.
Emotet is now far more effective at spreading to other devices, using a worm like element to infect other devices on the network as well as hijacking the user’s email account and using it to send copies of itself to victims’ contacts. Infected devices are added to the Emotet botnet, and have been used in attacks on other organizations. The operators of Emotet have now joined forces with other cybercriminal operations and are using their malware to deliver other Trojans such as TrickBot and QakBot, which in turn are used to deliver ransomware.
Data from HP Inc. revealed Emotet infections increased by 1,200% from Q2 to Q3, showing the extent to which activity has increased recently. Data from Check point show Emotet is the biggest malware threat, accounting for 12% of all infections in October 2020. TrickBot, which is delivered by Emotet, is the second biggest threat, accounting for 4% of infections.
Emotet and TrickBot are Driving the Increase in Ransomware Infections
The Emotet and TrickBot Trojans are driving the increase in ransomware infections globally, especially attacks on healthcare organizations. The healthcare industry in the United States is being targeted by ransomware gangs due to the increased chance of the ransom being paid. In many cases, the recent ransomware attacks have been made possible due to previous Emotet an TrickBot infections.
Unfortunately, due to the efficient way that Emotet spreads, removing the malware can be problematic. It is probable that more than one device has been infected, and when the Trojan is removed from one device, it is often reinfected by other infected devices on the network.
The best way of preventing attacks is stopping the Emotet emails from reaching inboxes and making sure that employees are trained how to recognize phishing emails.
How SpamTitan Can Protect Your Organization
SpamTitan use a wide range of different techniques to identify phishing emails that are used to deliver malware such as Emotet. These measures provide layered protection, so should one check fail to identify the threat, several others are in place to provide protection.
SpamTitan uses dual antivirus engines to identify previously seen malware variants and sandboxing to identify new (zero day) malware threats. Suspicious email attachments are sent to the sandbox where they are subjected to in depth analysis to identify malicious actions such as command and control center callbacks.
SpamTitan uses Sender Policy Framework (SPF) and DMARC to block spoofing and email impersonation attacks, which are used to convince employees to open attachments and click malicious links. SpamTitan also includes outbound scanning, which detects devices that have potentially been infected and prevents messages from spreading Emotet internally and to business contacts.
There are many cybersecurity solutions that can provide protection against malware, but finding one that is easy to use, effective, and reasonably priced can be a challenge.
SpamTitan ticks all of those boxes. It is the most and best ranked email security solution on Capterra, GetApp and Software Advice, has achieved a rating of 4.9 out of 5 on Google reviews, and is listed in the top three in the email security gateway, MSP email security, and email security for Office 365 categories.
If you want to protect your organization from Emotet and other malware and phishing attacks, give the TitanHQ team a call to find out more about SpamTitan Email Security.
Black Friday and Cyber Monday are fast approaching and this year even more shoppers will be heading online to secure their Christmas bargains due to the COVID-19 pandemic. In many countries, such as the UK, lockdowns are in place that have forced retailers to close the doors of their physical shops, meaning Black Friday deals will only be available online. 2020 is likely to see previous records smashed with even more shoppers opting to purchase online due to many shops being closed and to reduce the risk of infection.
Surge in Phishing Attacks in the Run Up to Black Friday
The fact that many consumers have been forced to shop online due to COVID-19 has not been missed by cybercriminals, who have started their holiday season scams early this year. Every year sees a sharp rise in phishing emails and online scams that take advantage of the increase in sales in the run up to Christmas, but this year the data show cybercriminals have stepped up their efforts to spread malware, steal sensitive data, and fool the unwary into making fraudulent purchases.
Recent figures released by Check Point show there has been a 13-fold increase in phishing emails in the past 6 weeks with one in every 826 emails now a phishing attempt. To put that figure into perspective, 1 in 11,000 emails in October 2020 were phishing emails. Check Point reports 80% of the phishing emails were related to online sales, discounts, and special offers, and as Black Friday and Cyber Monday draws ever closer, the emails are likely to increase further.
Local lockdowns have piled pressure on smaller retailers, who are at risk of losing even more busines to the large retailers such as Amazon. In order to get their much-needed share of sales in the run up to Christmas, many have started conducting marketing campaigns via email to showcase their special offers and discounts. Those messages are likely to make it easier for cybercriminals to operate and harder for individuals to distinguish the genuine special offers from the fraudulent messages.
Cybercriminals have also started using a range of different techniques to make it harder for individuals to identify phishing and scam messages. Some campaigns involved the use of CAPTCHAs to fool both security solutions and end users, and the use of legitimate cloud services such as Google Drive and Dropbox for phishing and malware distribution is also rife.
With the scams even harder to spot and the volume of phishing and other scam emails up considerably, it is even more important for businesses to ensure their security measures are up to scratch and scam websites and phishing emails are identified and blocked.
How to Improve your Defenses Against Black Friday Phishing Scams and Other Threats
This is an area where TitanHQ can help. TitanHQ has developed two security solutions that work seamlessly together to provide protection from phishing and malware attacks via email and the Internet, not just protecting against previously seen threats, but also zero-day malware and phishing threats.
The SpamTitan email security and WebTitan web security solutions use a layered approach to threat detection, each incorporating multiple layers of protection to ensure that threats are identified and blocked. Both solutions leverage threat intelligence using a crowd sourced approach, to provide protection against emerging and even zero-minute threats.
SpamTitan uses smart email filtering and scanning, incorporating machine learning and behavioral analysis techniques to detect and isolate suspicious emails, dual antivirus engines, sandboxing to trick cybercriminals into thinking they have reached their target, and SPF, DKIM, and DMARC to detect and block email impersonation attacks.
WebTitan is an AI-powered cloud-based DNS web filtering solution that provides protection from online threats such as malware and ransomware and the web-based component of phishing attacks. The solution uses automation and advanced analytics to search through billions of URLs/IPs and phishing sites that could lead to a malware or ransomware infection or the compromising of employee credentials. The solution is an effective cybersecurity measure for protecting against web-based threats for office-based employees and remote workers alike.
If you want to protect your business this holiday season and beyond and improve your defenses against email and web-based threats, give the TitanHQ team a call. Product demonstrations can be arranged, advice offered on the best deployments, and if the solutions are not suitable for your business, we will tell you so. You can also trial both solutions free of charge to evaluate their performance in your own environment before making a decision on a purchase.
A phishing campaign has been identified that spoofs the U.S. Internal Revenue Service (IRS) and advises recipients that they are facing imminent legal action to recover outstanding tax.
The emails are convincing and well written and are final demands for payment to prevent legal action to recover the outstanding funds. The emails warn the recipient that the IRS has made several attempts to make contact by telephone after no response was received to a written demand for payment that the emails claim was mailed 18 months previously in May 2019. The failure to respond has led to the IRS taking legal action, with charges due to be filed imminently to recover the outstanding tax.
In contrast to many scams that seek login credentials or attempt to get the user to open file attachments to trigger a malware download, this scam uses social engineering techniques to scare the recipient into making contact via email to resolve the fictitious issue. The purpose of the scam is to get the recipient to make a fraudulent payment or disclose their financial account information.
The lack of any hyperlinks or email attachments makes it more likely that the email will be delivered to inboxes and will not be identified as malicious by security solutions. Fortunately, SpamTitan users will be protected from this scam as multiple checks are performed which identify the scam for what it is.
The message body contains all the classic hallmarks of a phishing scam:
- There is urgency to get prompt action taken – Immediate resolution of the issue is necessary
- There is a threat of negative consequences if no action is taken – Legal action to recover funds
- The request is plausible, but an atypical request is made – to only make contact via email
The emails include a case file number, detail the outstanding amount – $1450.61 in this case – and include a docket number and warrant ID for the impending legal action. The recipient is told that legal action will proceed in 4 days if payment is not made, and that the opportunity for voluntary action to rectify the issue is coming to an end.
In addition to the threat of legal action and a court case, the recipient is informed that credit reference bureaus may also be notified about the late/missed payment, which would negatively impact their credit score.
The emails have the subject line “Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST,” indicating this is not the first time that the message has been sent, helping to emphasize that this is a final warning.
Steps have been taken to make the email appear official, with the display text of the sender address indicating the message has been sent from support @ irs.gov – the legitimate domain used by the IRS. However, the reply to email address supplied is legal.cc @ outlook.com – Which is clearly not an official IRS domain and the message headers show that the email was not sent from the domain stated.
The email does include a postal address; however, no telephone number is supplied. Full contact information would be provided in official IRS communications, although the IRS would not initiate contact with individuals via email.
The phishing emails highlight the importance of stopping to think about what is being requested and to take time to check emails carefully before responding, no matter how pressing the threat may be. Any request for payment should be verified by phone, with contact information obtained from a trusted source, never the contact details supplied in the email. A call to the IRS would quickly reveal this to be a scam.
The reason these scams succeed is because they rely on individuals responding quickly without thinking. Fortunately, an effective spam filter will detect these scam emails and will quarantine or reject the messages.
Cybercriminals have taken advantage of the uncertainty over the U.S. presidential election result over the past few days and are using exploiting fear about voting fraud to infect users with malware. With so many postal votes being sent this year, which take much longer to count than in-person votes, there was always going to be a delay in determining the outcome of the presidential election. In such a close election a winner may not be declared for some time, certainly several days after election day, and possibly weeks given the likelihood of several legal challenges and recounts.
Spam campaigns exploiting the situation started to be sent soon after the polls had closed distributing the QBot banking Trojan. When a device is infected with the QBot Trojan, the user’s email account is hijacked and used to send copies of the malware to the user’s contacts. To increase the probability of emails being opened by the recipients, previous email threads are hijacked, and a response is sent with a malicious attachment containing a macro that downloads the malware.
In this campaign, a search is performed for emails containing the word “election” and replies are sent to the senders of those messages. A zip file is attached to the emails named “ElectionInterference,” with the zip file containing a malicious spreadsheet.
The messages encourage the recipient to open the attached spreadsheet to discover important information about interference in the election. With President Trump suggesting in press conferences that there is substantial evidence of election fraud, these messages may seem very credible and enticing to recipients.
The spreadsheet mimics a secure DocuSign file and the user is instructed to enable content to decrypt the file and view the contents; however, doing so will allow macros to run which will silently download the Qbot Trojan.
The QBot Trojan was first identified in 2008; however, it has received many updates over the years to add new functions and mechanisms to evade security solutions. The ability to hijack Outlook email threads is a fairly new feature. The same tactic is also used by the Emotet Trojan to increase the probability of messages and their malicious attachments being opened. The tactic has proven very effective for the operators of Emotet.
In addition to targeting customers of major financial institutions, the QBot Trojan steals sensitive information such as credit card information and passwords. Like Emotet and the TrickBot Trojan, QBot is also a malware dropper. The operators of QBot team up with other threat groups and deliver their malicious payloads, with ransomware often delivered to QBot victims.
Threat actors are quick to seize any opportunity to infect devices with malware, as was seen in the early days of the COVID-19 pandemic when threat groups switched their spamming infrastructure to send COVID-19 themed lures. Election-themed emails are likely to continue for some time with legal challenges to the result expected. Holiday season is also fast approaching, and like previous years, threat actors will send Black Friday, Cyber Monday, and other holiday period themed phishing lures to steal credentials and distribute malware.
Businesses can protect against these phishing and malspam campaigns using a combination of a spam filter, web filter, antivirus software, and end user training.
The healthcare industry is one of the main targets for hackers, and while ransomware attacks have increased considerably in recent months and vulnerabilities in VPNs, RDP, and software solutions are frequently exploited, healthcare phishing attacks are far more common.
Phishing attacks on healthcare organizations allow threat actors to steal credentials to gain access to email accounts and other systems and steal highly sensitive data. Phishing emails are also used to deliver malware loaders such as the Emotet Trojan, which delivers other malware payloads such as the TrickBot banking Trojan, which in turn delivers ransomware.
Most cyberattacks start with a phishing email, so it is essential for healthcare organizations to ensure they implement safeguards to block these attacks and by doing so, prevent costly data breaches and regulatory fines.
The HHS’ Office for Civil Rights has imposed substantial fines on HIPAA-covered entities for data breaches that have started with a phishing email, including the two largest ever HIPAA fines issued to date – the $16 million financial penalty for Anthem Inc. for its 78.8 million-record data breach and the $6,850,000 penalty for Premera Blue Cross for its breach of the protected health information 10,466,692 individuals.
Tips to Prevent Healthcare Phishing Attacks…
Unfortunately, as far as phishing goes, there is no silver bullet. No single solution will provide total protection against healthcare phishing attacks. What is required is layered defenses – technical solutions providing overlapping layers of security – and adherence to tried and tested cybersecurity best practices. Some of the most important anti-phishing measures you can implemented to stop healthcare phishing attacks are detailed below:
Implement an Advanced Spam Filter
A spam filter is one of the most important technical controls to block phishing attacks and prevent malicious emails from reaching the inboxes of your employees. Advanced spam filters use a combination of blacklists of known malicious IPs, email header and content scanning, link analysis, anti-virus scans, sandboxing, SPF, DKIM, and DMARC to detect and block email impersonation attacks, and AI and machine learning to identify zero-day phishing attacks.
You should implement an advanced spam filter and set rules to filter out all suspicious emails and reject malicious messages. Outbound scanning is also important to detect compromised email accounts that are being used to conduct further phishing attacks on your organization and vendors.
Use a Web Filter to Block the Web-Based Component of Phishing Attacks
Email filters are effective, but not infallible. New tactics, techniques, and procedures are commonly developed by threat actors to fool email security solutions. You may be able to block all malware and 99.9% or more of all malicious messages, but some messages are likely to sneak past your defenses.
A web filter provided additional protection by preventing your employees from visiting known malicious URLs that have been masked in phishing emails. Web filters block the web-based component of phishing attacks and malware downloads from the internet and work in tandem with spam filters to improve your security posture and block healthcare phishing attacks.
Implement Multi-Factor Authentication
A SANS Institute report suggests multi-factor authentication will block 99% of attempts by threat actors to use stolen credentials to remotely access email accounts, while Microsoft says MFA will stop more than 99.9% of email account attacks, yet many admins have not implemented multi-factor authentication. A recent survey by CoreView researchers suggests 78% of Microsoft 365 admins have not enabled MFA on their M365 accounts.
In the event of credentials being stolen – in a phishing attack or using brute force tactics – MFA should prevent those credentials from being used to remotely access your accounts.
Provide Regular Security Awareness Training
Technical measures are important for preventing healthcare phishing attacks but don’t forget the human element. Employees need to be trained how to recognize phishing emails and taught the correct response when a suspicious email is received. Security awareness training should also cover cybersecurity best practices.
To create a “security aware” culture in your organization, you need to provide regular security awareness training sessions, including an annual training session for all staff and more frequent shorter sessions or online CBT sessions throughout the year, making sure you keep the workforce aware of the latest threats. Not only will training help to prevent healthcare phishing attacks from succeeding, it is also a requirement for HIPAA compliance.
Conduct Phishing Simulation Exercises
Training is important, but so is testing. If you do not test your employees’ security knowledge, you will not know whether your training has been successful. There will always be employees that require more training than others, and through testing you will be able to identify the individuals that need more help.
Phishing simulation exercises are the best way to achieve this. You can find weak links in your workforce as well as your training program and ensure they are addressed.
Take Care with the Information You Make Available Online
In order to conduct a targeted phishing attacks on your organization, an attacker needs to know your email addresses. This information can often easily be found online in organizational charts and staff directories. Limiting the information you publish online will make it harder for email addresses to be harvested and used in attacks on your organization.
How to Reduce the Severity of Successful Healthcare Phishing Attacks
Healthcare phishing attacks are extremely common and often result in the exposure or theft of large amounts of protected health information. The Office for Civil Rights breach portal lists many email security breaches that have exposed the personal and health information of tens of thousands and even hundreds of thousands of patients and health plan members.
When conducting a risk analysis, consider what would happen in the event of a breach and take steps to reduce the severity of a breach should your defenses be penetrated. It is a good best practice to implement an email archiving solution to send all emails to a secure, cloud archive to ensure that no email data is lost and to implement policies requiring emails containing PHI to be deleted from your mail system. In the event of a breach, the PHI exposed will be greatly reduced and so too will the breach costs.
By using an email archive, you will still be able to remain compliant and retain al email data, but you will be able to significantly reduce risk while improving the performance of your mail server.
The cybercriminal organization behind Ryuk ransomware – believed to be an eastern European hacking group known as Wizard Spider – has stepped up attacks on hospitals and health systems in the United States. This week has seen a wave of attacks on hospitals from the Californian coast to the eastern seaboard, with 6 Ryuk ransomware attacks on hospitals reported in a single day.
Ryuk ransomware causes widespread file encryption across entire networks, crippling systems and preventing clinicians from accessing patient data. Even when the attacks are detected quickly, systems must be shut down to prevent the spread of the ransomware. While hospitals have disaster protocols for exactly this kind of scenario and patient data can be recorded using pen and paper, the disruption caused is considerable. Non-essential surgeries and appointments often need to be cancelled and, in some cases, hospitals have been forced to divert patients to alternative medical facilities.
It is unclear if any ransomware attacks on U.S. hospitals have resulted in fatalities, but there was recently a fatality in an attack in Germany, where a patient was rerouted to a different hospital and died before lifesaving treatment could be provided. Had the ransomware attack not occurred, treatment could have been provided in time to save the patient’s life. The attacks in the United States also have the potential to result in loss of life, especially in such as large-scale, coordinated campaign.
Earlier in the week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued an advisory after credible evidence emerged indicating Ryuk ransomware attacks on U.S. hospitals and healthcare providers were about to increase.
It is unclear why the attacks have increased now and the exact motives behind the current campaign, but recently Microsoft and U.S. Cyber Command, in conjunction with several cybersecurity firms, disrupted the TrickBot botnet – A network of devices infected with the TrickBot Trojan. The TrickBot Trojan is operated by a different cybercriminal group to Ryuk, but it was extensively used to deliver Ryuk ransomware. The botnet is back up and running, with the threat actors switching to alternative infrastructure, but there have been suggestions that this could be a response to the takedown.
The Ryuk ransomware attacks on hospitals come at a time when healthcare providers are battling the coronavirus pandemic. In the United States the number of new cases is higher than at any time since the start of the pandemic. Hospitals cannot afford to have systems taken out of action and patient care disrupted. The timing of the attacks is such that hospitals may feel there is little alternative other than paying the ransom to ensure that disruption is kept to a minimum. Ransomware gangs are known to time their attacks to cause maximum disruption.
Ryuk ransomware attacks on hospitals have been steadily increasing in the United States prior to the latest spike. Figures released by Check Point Research in the past few days show ransomware attacks on hospitals increased 71% from September, with healthcare the most targeted industry sector, not only in October, but also Q3, 2020. Ryuk ransomware attacks account for 75% of all ransomware attacks on hospitals in the United States.
There is concern that the latest attacks will be just the tip of the iceberg. Some security experts suggest the gang is looking to target hundreds of hospitals and health systems in the United States in this campaign. Each attack on a health system could see several hospitals affected. The attack this week on the University of Vermont Health Network impacted 7 hospitals.
Defending against ransomware attacks can be a challenge, as multiple methods are used to gain access to healthcare networks. Ryuk ransomware is commonly delivered by the TrickBot Trojan, which is delivered as a secondary payload by the Emotet Trojan. The Buer loader and BazarLoader are also being used to deliver Ryuk ransomware. These malware downloaders are delivered via phishing emails so a good spam filter is therefore important.
Employees should be made aware of the increased threat of attack and advised to exercise extra caution with emails. Software updates need to be applied promptly and all systems kept fully patched and up to date. Default passwords should be changed, and complex passwords used, with multi-factor authentication implemented where possible. If it is not necessary for systems to be connected to the Internet, they should be disconnected, and RDP should be disabled where possible.
It is also essential for regular backups of critical data to be made and for those backups to be stored securely on non-networked devices to ensure that in the event of an attack hospitals have the option to recover their data without having to pay the ransom.
Further information on indicators of compromise and other mitigations are available in the CISA Ryuk ransomware advisory.
Teleconferencing applications have been invaluable during the coronavirus pandemic. They have helped businesses continue to operate during extremely challenging times and have helped support a largely remote workforce.
Platforms such as Zoom, Skype, and Microsoft Teams saw user numbers skyrocket as national lockdowns were imposed and the high usage has continued as lockdowns have eased. The popularity of these platforms has not been missed by cybercriminals, who have devised many phishing campaigns targeting users of these platforms.
The platforms are used as instant messaging services by many workers who are keen to show that they are working hard while at home, so when a message arrives in an inbox informing them they have people trying to connect, they have missed a meeting, or there is a problem with their account, they are likely to reply quickly, often without thinking about the legitimacy of the request.
At first glance these emails appear to be genuine. The request is credible, the images and logos are legitimate, but closer inspection should reveal the messages are not what they seems.
Microsoft Teams Phishing Scams
One of the latest phishing campaigns to spoof a teleconferencing platform targets Office 365 users by spoofing Microsoft Teams. The messages advise the recipient that “There’s new activity in Teams,” and “Your teammates are trying to reach you in Microsoft Teams.” The email claims messages are waiting, and it is necessary to “Reply in Teams” to connect.
Clicking the link will direct the user to a web page that requires them to login to their Microsoft account. Everything on the page is how it should be, as the spoofed login page has been copied from Microsoft. However, close inspection of the URL will reveal a typo. The URL starts with microsftteams to make the web page appear genuine at first glance, but the full URL shows this is not a Microsoft domain. If the user enters their credentials they will be captured and used by the scammers to access the user’s account.
This is far from the only phishing scam to target Microsoft Teams users to obtain Microsoft Office credentials. Several Microsoft Teams phishing scams have attempted to obtain credentials using missed messages from teammates and other plausible lures.
Microsoft Office credentials are extremely valuable to scammers. Accounts can be used to gain access to email data, send further phishing emails, access intellectual property, and can be used as a launchpad for further attacks on the organization. The credentials can also be sold to other cybercriminals.
Similar scams have targeted users of other platforms such as Skype and Zoom. Users of the latter were targeted in one campaign that claimed a meeting was cancelled due to the pandemic, using subject lines such as “Meeting Canceled – Could we do a Zoom call.” A link is included in the email to initiate a call, with the destination site similarly harvesting credentials.
How to Avoid Teleconferencing Platform Phishing Scams
As with other forms of phishing scams, employees need to be vigilant. The emails create a sense of urgency and there is often a “threat” of bad consequences if no action is taken, but it is important to stop and think before responding to a message and to take time to check the email carefully.
You should not open any email attachments or click links in unsolicited emails, especially messages sent from unknown email addresses. Even if the email address appears genuine, take care. Access the teleconferencing platform using your normal login method, never using the links in the emails.
Businesses can protect their remote workers by implementing an advanced spam filtering solution such as SpamTitan to block these emails at source and ensure they are not delivered to their remote workers’ inboxes. A web filtering solution such as WebTitan is also advisable, as it will block attempts to visit malicious websites used to phish for credentials.
For further information on spam filtering and web filtering to protect your business, give the TitanHQ team a call today. Both solutions are available on a free trial – with full product support – to allow you to evaluate their effectiveness before making a decision.
The TrickBot Trojan, one of the biggest malware threats to appear in recent years, has had its backend infrastructure taken down by a coalition of tech firms.
TrickBot started life in 2016 as a banking Trojan used to target Windows devices but the malware has received many updates over the years and has had many new modules added to give it a much wider range of capabilities. TrickBot targets hundreds of different banks and also steals credentials and Bitcoin wallets. In recent years, the operators have teamed up with several different criminal organizations and have used the Trojan to deliver keyloggers, cryptominers, information stealers and ransomware variants such as Ryuk and Conti. TrickBot can now perform a huge range of malicious actions via many different plugins and in January and February 2020 was targeting more than 600 websites via a webinject module, most of which being financial institutions.
The Trojan achieves persistence on infected devices and adds them to a botnet, which has grown into one of the largest in operation. The operators of the Trojan are also known to use the EternalBlue exploit to move around infected networks and spread the Trojan to other devices on the network. This can make removal of the Trojan difficult, as once it is removed from a device, other infected devices on the network simply reinfect it when it is reconnected.
TrickBot is primarily spread via phishing emails via malicious macros, but other malware-as-a-service operations also deliver TrickBot, such as Emotet. TrickBot typically used lures aimed at business users, such as shipment receipts, receipt reminders, required declarations, delivery notifications, and other logistics themes using Word and Excel attachments and Java Network Launch Protocol (.jnlp) attachments, as well as malicious hyperlinks embedded in emails. In 2020, a large-scale campaign was conducted using coronavirus and COVID-19 themed lures, one of which spoofed humanitarian groups and claimed to offer free COVID-19 tests.
Those emails were sent by a diverse range of compromised email accounts and marketing platforms, with the threat group also using domains with their own mail servers to distribute the malware. There has been growing concern that the botnet could also be used in campaigns to disrupt the upcoming November 3, 2020 U.S. presidential election.
TrickBot is stealthy and uses a variety of mechanisms to evade detection by security solutions, including password protected zip files, delayed downloads of the Trojan when macros are run, heavily obfuscated loaders, encryption of configuration files, and a complex command and control infrastructure. The latter has now been untangled and its backend infrastructure has been taken down.
Several tech firms including Microsoft, ESET, Black Lotus Labs, and NTT have been working together for months to try to disrupt the TrickBot operation. More than 125,000 samples of the TrickBot Trojan were analyzed along with over 40,000 configuration files used by various TrickBot modules. After several months of painstaking work, the command and control servers used by the botnet were identified and its network infrastructure was mapped. Armed with the IP addresses, Microsoft obtained a court order and seized control of the infrastructure of servers used to distribute and communicate with the malware and its various modules. The IP addresses associated with the malware have now been disabled.
When the takedown occurred, more than 1 million devices had been infected with the malware and were part of its botnet. The takedown is great news, as one more malware threat – and a major one at that – has been taken out of action, at least temporarily. Efforts are now underway by ISPs to contact victims to ensure the Trojan is removed from their systems.
Businesses in the United Kingdom are being targeted by scammers impersonating Her Majesty’s Revenue and Customs. There have been several campaigns identified over the past weeks that are taking advantage of the measures put in place by the UK government to help businesses through the COVID-19 pandemic and the forced lockdowns that have prevented businesses from operating or have forced them to massively scale back operations.
The HMRC scams have been numerous and diverse, targeting businesses, the self-employed, furloughed workers and others via email, telephone, and SMS messages. Some of the scams involve threats of arrest and jail time due to the underpayment of tax, demanding payment over the phone to avoid court action or arrest.
One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a third-party hacked email account. The email advised recipients that they were due a tax refund from HMRC. A link is supplied in the email that the recipient is required to click to receive their refund. In order to apply to receive the refund the user must enter sensitive information into the website, which is captured by the scammers.
Another campaign has been identified that spoofs HMRC and similarly seeks sensitive information such as bank account and email credentials. In response to the COVID-19 pandemic, the UK government launched a scheme to help businesses by allowing them to defer their VAT payments between March and June 2020, until June 2021 to help ease the financial burden of the nationwide lockdown. Many businesses took advantage of the scheme and applied to have their Value Added Tax (VAT) payments deferred.
The campaign uses emails that spoof HMRC and inform businesses that their application to have their VAT payments deferred has been rejected as the company is in arrears. The emails include an attachment with further information and a report on their application. The document is password protected and the password is supplied in the email to allow the file to be opened.
A hyperlink is supplied which must be clicked which directs the user to a website where they are asked to enter sensitive information such as their bank account details and email address and password, which are captured by the scammers.
COVID-19 has presented scammers with a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are credible, the messages are well written, and the scammers have gone to lengths to make their phishing websites look like the entities they spoof.
Businesses should be on high alert and be particularly vigilant for phishing scams. They should advise their employees to take extra care with any request that requires the disclosure of sensitive information.
Technical controls should also be considered to block phishing emails at source and prevent visits to malicious websites. That is an area where TitanHQ can help. TitanHQ offers two anti-phishing solutions for businesses and MSPs to help them block phishing attacks: SpamTitan and WebTitan.
SpamTitan is a powerful email security solution that blocks phishing emails at source, preventing malicious messages from reaching inboxes. WebTitan is a DNS filtering solution that is used to control the websites that can be accessed over wired and wireless networks, blocking access to web pages that are used for phishing and malware delivery.
Both solutions are available on a free trial to allow you to evaluate their effectiveness before deciding on a purchase. Further information on the solutions, their benefits, and pricing can be obtained by calling the TitanHQ team.
Phishers are constantly devising new ways to trick employees into divulging their credentials. Realistic emails are sent using a variety of ruses to get employees to click on a malicious link, which often aims to obtain Microsoft Office 365 credentials. Office 365 accounts often contain a range of sensitive data, which can be stolen and used for many nefarious purposes.
Recently, a new campaign has been identified targeting businesses that attempts to obtain Microsoft Outlook credentials. The campaign spoofs KnowBe4, a company specializing in security awareness training for employees – Training that helps businesses teach their employees how to recognize a phishing email.
The emails alert the recipient about the impending expiration of a security awareness training module. The recipient is told they only have 24 hours remaining to complete the training. Three links are supplied in the email that appear, at face value, to link to the genuine KnowBe4 website; however, they direct the user to a phishing page on a compromised website where Outlook credentials and personal information are harvested, via a realistic login page for the Outlook Web App.
Instructions are provided for accessing the training outside of the network, with the user instructed to enter their username and password before clicking the sign in button. Doing so, it is claimed, will direct the user to the training module. While the site to which the phishing email links is convincing, the tell-tale sign that this is a scam is the domain. Several different URLs on multiple sites have been used in this campaign, all of which are unrelated to the security awareness training provider. However, busy employees may fail to check the URL before disclosing their credentials.
It is an interesting tactic to spoof a cybersecurity company dedicated to phishing prevention; one that may fool employees into believing the email is genuine. Any company can be spoofed in a phishing campaign. Just because the company offers services to combat phishing does not mean that the email should not be subjected to the usual checks to verify its validity, which is something that should be emphasized in employee security awareness training sessions.
According to Cofense, which analyzed the websites, the compromised sites have recently hosted a web shell that allowed the attackers to upload and edit files. The websites had been compromised since at least April 2020, unbeknown to the site owners. The phishing kit used in this campaign has been loaded onto at least 30 different websites since the campaign commenced in mid-April.
Employees receive hundreds of emails each week and identifying every phishing email can be a difficult task, especially when many phishing emails are realistic and are very similar to genuine emails that employees receive every day. Security awareness training is important, but it is also essential to implement an advanced spam filtering solution that is capable of blocking virtually all (in excess of 99.9%) malicious emails.
With an advanced spam filtering solution in place – such as SpamTitan – these emails can be blocked at source and will not be delivered to end users’ inboxes, negating the threat.
Even though there are easy ways to identify a phishing email, many employees are fooled by these scams. Phishing attacks involve the use of social engineering to convince the target to take a certain action, such as opening an email attachment that has a malicious script that downloads malware or visiting a website that requires sensitive information to be entered. These scams can be convincing, the reason supplied for taking a particular action is often credible, and any linked website can be difficult to distinguish from the site it impersonates.
Phishing campaigns can be conducted cheaply, little skill is required, phishing can be very profitable, and the attacks often succeed. It is no surprise that more than two thirds of data breaches start with a phishing email, according to the Verizon Data Breach Investigations Report.
How to Identify a Phishing Email
Phishing emails can take many forms and there is a myriad of lures that are used to fool the unwary, but there are tell-tale signs that an email may not be what it seems. By checking certain elements of an email, you will be able to identify all but the most sophisticated phishing attempts. It only takes a few seconds to perform these checks and that time will be well spent as they will help you identify a phishing email and prevent costly data breaches and malware infections.
Check the true sender of the email
This seems an obvious check but spoofing the sender of an email is one of the most common ways that phishers fool people into responding. The display name is spoofed to make it appear that the email has been sent from a trusted contact. The display name may be PayPal, Netflix, the name of your bank, or your boss or a colleague. However, the actual email address is likely to be from a free email service provider such as @gmail.com or @yahoo.co.uk.
Hover your mouse arrow over the display name or click reply and check the actual sender of the email. The domain name (the bit after @) should match the display name and that domain should be one that is used by the company that appears to have sent you the email. Beware of hyphenated domains such as support-netflix.com. These are unlikely to be genuine.
Check for grammatical errors and spelling mistakes
Read the email carefully. Are there spelling mistakes or grammatical errors? Does the wording seem odd, as if it has not been written by a native English speaker? Scammers are often from non-English speaking countries and may use Google translate to create their emails, which is why the wording may seem a little odd.
Before Google, Netflix, or your bank sends an email, it will be subject to proof checking. Mistakes will be made on occasion by they are exceedingly rare. Some phishing scams deliberately include spelling mistakes and poorly written emails to weed out people who are unlikely to fall for the next stage of the scam. If you fall for the email, it is likely that you can be fooled by the next stage of the attack.
Phishing emails are often addressed in a way that makes it clear that the sender does not know your name. “Dear customer” for example. Most companies will use your name in genuine email communications.
Phishers use urgency and a “threat” if no action is taken
Phishers want you to take action quickly rather than stop and think about the legitimacy of any request. It is common for a request to be made that needs immediate action to prevent something undesirable from happening.
For example, someone has tried to login to your account and you need to take immediate action to secure your account. Something has happened that will result in your account being closed. A payment has been made from your account for something that you have not purchased, and you need to take action to stop that payment from going through. Phishers use fear, urgency, and threats to get prompt action taken and count on people acting quickly without thinking or carefully checking the email. Spending an extra 30 seconds checking an email will not make any difference to the outcome, but it can prevent you from being fooled by a scam.
Check the true destination of any link in the email
Most phishing attacks seek sensitive information such as login credentials. For these to be obtained, you will most likely be directed to a website where you must enter login credentials, financial information, and personal details to verify your identity. Emails are often written in HTML and include a button to click that directs you to a website.
You should check the true URL before clicking. Hover your mouse arrow over any button to find out where you are being directed and make sure the URL matches the context of the message and uses an official domain name of the company referenced in the email. The same applies to the anchor text of a link – the text that is displayed in a clickable link. Make sure you perform the same check on any link before clicking.
On a mobile device this is even more important, as the small screen size means it is not always possible to display the full URL. The visible part of the URL may look like it is genuine, but when viewing the full URL you will see that it is not. Just press on the URL and keep pressing until the link is displayed.
Beware of email attachments
Email attachments are used in phishing scams for distributing malware and for hiding content from spam filters. Hyperlinks are put in an attachment rather than the message body to fool security solutions, and scripts are used in email attachments that may run automatically when the attachment is opened.
If you are sent an unsolicited email that includes an attachment, treat it as suspicious and try to verify the email is legitimate. If the email has been sent by a colleague, give them a quick call to make sure they actually sent the email, even if the sender check was passed. Someone may have compromised their account. Do not use any contact information supplied in the email, as it is likely to be incorrect.
Only open email attachments that you are confident are genuine, and then never “enable content” as this will grant a macro or other malicious script permission to run.
Anti-Phishing Solutions for Businesses
TitanHQ has developed two powerful anti-phishing solutions to help businesses block phishing and other email and web-based cyberattacks. SpamTitan is an advanced email security solution that has been independently verified as blocking 99.97% of spam and phishing emails and is used by thousands of businesses to keep their inboxes free of threats.
SpamTitan performs a myriad of checks to determine the likelihood of an email being malicious, including RBL checks, Bayesian analysis, heuristics, machine learning techniques to identify zero-day threats, and sender policy frameworks to block email impersonation attacks. Dual antivirus engines are used to detect known malware and sandboxing is used to analyze suspicious email attachments safely to check for malicious actions.
WebTitan is a DNS filtering solution that blocks the web-based component of phishing attacks by preventing employees visiting known malicious websites, suspicious sites. WebTitan also blocks malware downloads.
Both solutions are competitively priced, easy to implement and use, and provide protection against the full range of email and web-based threats. For further information on improving protection from phishing attacks and other cyber threats, give the TitanHQ team a call. Alternatively, you can register for a no obligation free trial of both solutions to evaluate them in your own environment.
Phishing is a cybersecurity threat that businesses of all sizes are likely to face and one that requires multiple phishing protection measures to prevent. Phishing is the term given to fraudulent attempts to obtain sensitive information such as login credentials to email accounts or employee/customer information. Phishing can take place over the telephone (vishing), via text message (SMiShing), or through social media networks and websites, but the most common phishing attacks take place over email.
When phishing occurs over email, an attack usually consists of two elements. A lure – a reason given in the email that encourages the user to take a particular action – and a web-based component, where sensitive information is collected.
For instance, an email is sent telling the recipient that there has been a security breach that requires immediate action. A link is supplied in the email that directs the recipient to a website where they are required to login and verify their identity. The website is spoofed to make it look like the site it is impersonating and when information is entered it is captured by the attacker.
Phishing protection measures should be deployed to block both of these components. First, you need a solution that stops the phishing attack at source and prevents phishing emails from being delivered to inboxes. You should also have security measures in place to prevent information from being handed over to the attackers at the web stage of the attack. As an additional protection, in case both of those measures fail, you need to prevent stolen credentials from being used to gain access to the account.
Four Essential Phishing Protection Measures
Phishing protection measures should consist of four elements: a spam filter, a web filter, end user training, and multi-factor authentication – often referred to as layered phishing defenses. If one layer should fail, others are in place to make sure the attack does not succeed.
A spam filter is your first line of defense and one that will block the vast majority of email threats. An advanced spam filter will block in excess of 99.9% of spam, phishing, and malware-laced emails. Spam filters incorporate several layers of protection. They use blacklists of known spammers – domains, email accounts, and IP addresses that have previously been used for spamming, phishing, and other nefarious activities. Checks are performed on the message headers and the message body is subjected to multiple checks to identify malicious URLs and keywords commonly used in spam and phishing emails. Each message is given a score, and if that score is higher than a pre-defined threshold, the message will be either deleted or quarantined. Spam filters also incorporate antivirus engines that check messages for malicious attachments.
Cybercriminals are constantly changing tactics and developing new methods to obfuscate their phishing attempts to bypass spam filters. Spam filters are updated to block these new attacks, but there will be a lag and some messages will slip through the net on occasion. This is where a web filter kicks into action. A web filter will check a website against several blacklists and will assess the content of the website in real-time. If the website is deemed to be malicious, the user will not be permitted to connect, instead they will be directed to a local block page. Web filters also have AV software to prevent malware being downloaded and can be used to control the types of content users can access – blocking pornography for instance, or social media networks, gaming sites and other productivity drains.
End user training
Technical anti-phishing measures are important, but they will not block all attacks. It is therefore essential to provide end user training to help employees identify phishing and other malicious emails. A once-a-year formal training session should be conducted, with ongoing, regular shorter training sessions throughout the year to raise awareness of new threats and to reinforce the annual training. Phishing simulations should also be conducted to test whether training has been effective and to ensure that any knowledge gaps are identified and addressed.
If credentials are stolen in a phishing attack, or are otherwise obtained by a cybercriminal, multi-factor authentication can prevent those credentials from being used. In addition to a password, a second factor must be provided before account access is granted. This could be a token, code, or one-time password, with the latter usually sent to a mobile phone. While multi-factor authentication will block the majority of attempts by unauthorized individuals to access accounts, it is not infallible and should not be considered as a replacement for the other protections. Multi-factor authentication will also not stop malware infections.
Phishing Protection Solutions from TitanHQ
TitanHQ has developed two powerful cybersecurity solutions to help you protect against phishing and malware attacks: SpamTitan email security and the WebTitan web filter. Both of these solutions have multiple deployment options and are easy to implement, configure, and use. The solutions are consistently rated highly by end users for the level of protection provided, ease of deployment, ease of use, and for the excellent customer support if you ever have any problems or questions.
On top of that, pricing is totally transparent with no hidden extras, and the solutions are very competitively priced. Both are available on a free trial to allow you to test them in your own environment before committing to a purchase.
Businesses are constantly targeted by cybercriminals and phishing one of the easiest ways that they can gain a foothold in corporate networks. An email is sent to an employee with a lure to entice them to click an embedded hyperlink and visit a website. When they arrive on the site, they are presented with a login prompt and must enter their credentials. The login prompt is indistinguishable from the real thing, but the domain on which the login prompt appears is controlled by the attacker. Any information entered on the website is captured.
End user training will go a long way to keeping your business protected against phishing attacks. Phishers target people using a variety of “social engineering” tactics to get them to take a specific action, which could be visiting a website and downloading malware, giving up their login credentials, or sending a wire transfer to the criminal’s bank account. By conditioning employees to perform checks and to stop and think before taking any action suggested in an email, you will greatly improve resilience to phishing attacks.
Many employees will say that they can identify a phishing email and will never be fooled, but the number of successful phishing attacks that are occurring every day suggests there are gaps in knowledge and even the most tech-savvy individuals can be fooled.
To illustrate this point, consider the SANS Institute. If you have never heard of the SANS Institute, it is one of the world’s leading computer and information security training and certification organizations, including anti-phishing training.
In August 2020, the SANS Institute announced that one of its employees had fallen for a phishing scam and disclosed their login credentials. The attacker used those credentials to access the account and set up a mail forwarder that sent a copy of every email to the attacker’s email account. 513 emails, some of which contained sensitive information on SANS members, were forwarded to the account before the attack was detected. The emails contained the personally identifiable information of 28,000 SANS members. The SANS Institute decided to use this attack as a training tool and will be providing details of how it succeeded to help others prevent similar attacks.
This incident shows that even the most highly trained individuals can fall for a phishing email. Had training not been provided, instead of one compromised email account there could have been many.
Phishers are constantly changing tactics and developing new scams to fool people and technological anti-phishing solutions. The key to phishing attack prevention is to implement a range of defenses to block attacks. Any one of those measures may fail to detect a phishing email on occasion, but others will be in place to provide protection. This defense-in depth approach is essential given the sophistication of phishing attacks and the volume of messages now being sent.
In addition to regular end user training and phishing simulation emails to harden the human element of your defenses, you need an advanced spam filter. If you use Office 365 you will already have a basic level of protection provided through Microsoft’s basic spam filter, Exchange Online Protection (EOP), but this should be augmented with a third-party solution such as SpamTitan to block more threats. EOP blocks spam, known malware, and many phishing emails, but SpamTitan will greatly improve protection against more sophisticated phishing attacks and zero-day malware.
You should also consider implementing a web filter to block the web-based component of phishing attacks. When an employee attempts to visit a malicious website that is used to steal credentials and other sensitive information, a web filter can prevent that website from being accessed.
With a spam filter, web filter, and end user training, you will be well protected, but you should also implement 2-factor authentication. If credentials are stolen, 2-factor authentication can prevent those credentials from being used by the attacker to gain access to the account.
For more information on spam filtering, web filtering, and phishing protection, give the TitanHQ team a call. Our team of experienced engineers will be happy to help you set up SpamTitan email security and the WebTitan web filter on a free trial so you can see for yourself how effective both are at blocking phishing attacks and other cybersecurity threats.
Several SBA loan phishing scams identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.
Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.
Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.
Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.
Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.
Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.
The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.
In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails links to a cleverly spoofed SBA web page that indistinguishable from the genuine login page apart from the URL that attempts to steal credentials. The scam prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.
These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.
First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.
Dual antivirus engines detect 100% of known malware and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.
Prior to opening any downloaded document or file it should be scanned using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.
Care should be taken opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive information.
Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are genuine. Always carefully check the sender of the email – Genuine SBA accounts end with sba.gov. The display name can easily be spoofed so click reply and carefully check the email address is correct. Care should be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is the legitimate domain.
CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real-time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by employees.
For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.
Over the past few months, cyberattacks involving Netwalker ransomware have been steadily increasing and Netwalker has now become one of the biggest ransomware threats of 2020.
Netwalker ransomware is the new name for a ransomware variant called Mailto, which first appeared a year ago in August 2019. The threat actors behind the ransomware rebranded their malware as Netwalker in late 2019 and in 2020 started advertising for affiliates to distribute the ransomware under the ransomware-as-a-service model. In contrast to many RaaS offerings, the threat group is being particularly choosy about who they recruit to distribute the ransomware and has been attempting to build a select group of affiliates with the ability to conduct network attacks on enterprises that have the means to pay large ransoms and the data to warrant such large payments if attacked.
Netwalker ransomware was used in an attack in February on Toll Group, an Australian logistics and transportation company, which caused widespread disruption although the firm claims not to have paid the ransom. Like several other ransomware gangs, the Netwalker gang took advantage of the COVID-19 pandemic and was using COVID-19 lures in phishing emails to spread the ransomware payload via a malicious email attachment, opting for a Visual Basic Scripting (.vbs) loader attachments.
Then followed attacks on Michigan State University and Columbia College of Chicago, with the frequency of attacks increasing in June. The University of California San Francisco, which was conducting research into COVID-19, was attacked and had little choice other than to pay the $1.14 million ransom demand to regain access to essential research data that was encrypted in the attack. More recently Lorien Health Services, a Maryland operator of assisted living facilities, also had files encrypted by the Netwalker gang.
The recent attacks have seen the attack vector change, suggesting the attacks have been the work of affiliates and the recruitment campaign has worked. Recent attacks have seen a range of techniques used in attacks, including brute force attacks on RDP servers, exploitation of vulnerabilities in unpatched VPN systems such as Pulse Secure VPNs that have not had the patch applied to correct the CVE-2019-11510 vulnerability. Attacks have also been performed exploiting user interface components of web apps, such as the Telerik UI vulnerability CVE-2019-18935, in addition to vulnerabilities in Oracle WebLogic and Apache Tomcat servers.
With the ransoms paid so far, the group is now far better funded and appears to have skilled affiliates working at distributing the ransomware. Netwalker has now become one of the biggest ransomware threats and has joined the ranks of Ryuk and Sodinokibi. Like those threat groups, data is stolen prior to file encryption and threats are issued to publish or sell the data if the ransom is not paid.
The increase in activity and skill of the group at gaining access to enterprise networks prompted the FBI to issue a flash alert warning of the risk of attack in late July. The group appears to be targeting government organizations, educational institutions, healthcare providers and entities involved in COVID-19 research, and the attacks are showing no sign of slowing, in fact they are more than likely to increase.
Defending against the attacks requires a defense in depth approach and adoption of good cyber hygiene. An advanced spam filtering solution should be used to block email attacks, end users should be taught how to recognize malicious emails and shown what to do if a suspicious email is received. Vulnerabilities in software are being exploited so prompt patching is essential. All devices should be running the latest software versions.
Antivirus and anti-malware software should be used on all devices and kept up to date, and policies requiring strong passwords to be implemented should be enforced to prevent brute force tactics from succeeding. Patched VPNs should be used for remote access, two-factor authentication should be implemented, web filters used for secure browsing of the internet, and backups should be performed regularly. Backups should be stored on a non-networked device that is not accessible over the internet to ensure they too are not encrypted in an attack.
Any popular platform is an attractive target for phishers, and with more than 167 million subscribers worldwide, the Netflix streaming service certainly falls into that category. While Netflix may not seem a key target for phishers, a successful attack could give scammers access to credit card and banking information.
Netflix phishing scams are common, so it is not unusual to see yet another scam launched, but one of the latest uses a novel tactic to evade security solutions. By incorporating a CAPTCHA challenge, it is harder for security solutions to access the phishing websites and identify their malicious nature.
This Netflix phishing scam starts with an email like many other Netflix scams that precede it. The emails appear to have been sent from the Netflix customer support team and advise the recipient there has been a problem with billing for the latest monthly payment. As a result, the subscription will be suspended in the next 24 hours.
The Netflix user is provided with a link to click and they are told they need to update their information on file. The emails also include a link to unsubscribe and manage communication preferences, although they do not work.
As with most phishing scams there is urgency and a threat. Update your information within 24 hours or you will lose access to the service. Clicking the link will direct the user to a fully functioning CAPTCHA page, where they are required to go through the standard CAPTCHA checks to verify they are not a bot. If the CAPTCHA challenge is passed, the user will be directed to a hijacked domain where they are presented with the standard Netflix sign-in page.
They must sign-in, then they are asked to enter their billing address, along with their full name and date of birth, followed by a second page where they are asked for their card number, expiry date, CVV code, and optional fields for their bank sort code, account number, and bank name. If the information is entered, they are told that they have correctly verified their information and they will be redirected to the real Netflix page, most likely unaware that they have given highly sensitive information to the scammers.
There have been many Netflix phishing emails intercepted over the past few months claiming accounts have been put on hold due to problems with payments. The emails are convincing and very closely resemble the emails sent out regularly by Netflix to service subscribers. The emails feature the Netflix logo, correct color schemes, and direct the recipients to very realistic looking login pages.
What all of these emails have in common is they link to a domain other than Netflix.com. If you receive an email from Netflix, especially one that contains some sort of warning or threat, login to the site by typing the correct domain into the address bar and always make sure you are on the correct website before entering any sensitive information.
Football is big business and large quantities of money are often transferred electronically between clubs to bring in new players. If scammers were to insert themselves into the communications between clubs, huge payments could easily be diverted. In 2018, the Italian football club Lazio was targeted with a phishing scam that resulted in a payment of €2 million being sent to an account under the control of scammers. The money was never recovered.
Now it appears that the sports industry is being targeted again. Recently, a similar scam was conducted on a Premier League football club in England. The hackers gained access to the email account of the managing director of the club through a phishing campaign after directing the MD to a domain where Office credentials were harvested. Those credentials were then used to access the MD’s email account, and the scammers inserted themselves into and email conversation with another club looking to purchase a player. Fortunately, the scam was detected by the bank and a £1 million fraudulent payment was blocked.
This type of scam starts with a phishing email but is referred to as a Business Email Compromise (BEC) scam. BEC scams are commonplace and often successful. They range from simple scams to complicated multi-email communications between two parties, whether one party believes they are communicating with the genuine email account holder when they are actually communicating with the scammer. When the time comes to make payment, the scammer supplies their own account credentials. All too often, these scams are not detected until after payment is made.
That is far from the only cyberattack on the sports industry in recent weeks and months. There have been several attempted cyberattacks which prompted to the UK’s National Cyber Security Center (NCSC) to issue a warning advising the UK sports sector to be on high alert.
Prior to lockdown, a football club in the UK was hit with a ransomware attack that encrypted essential systems, including the computer systems that controlled the turnstiles, preventing them from working. A game nearly had to be abandoned due to the attack. The ransomware attack is suspected to have also started with a phishing email.
The recent attacks are not limited to football clubs. NCSC data show that 70% of sports institutions in the United Kingdom have suffered a cyberattack in the past 12 months.
NCSC figures show approximately 30% of incidents resulted in financial losses, with the average loss being £10,000, although one organization lost £4 million in a scam. 40% of the attacks involved the use of malware, which is often delivered via spam email. A quarter of attacks involved ransomware.
While malware and ransomware attacks are costly and disruptive, the biggest cause of losses is BEC attacks. Figures from the FBI show these scams accounted for around half of all losses to cybercrime in 2019. $1.77 billion was lost to BEC attacks in 2019, with an average loss of $75,000 (£63,333). The true figure is likely to be even higher, as not all BEC attacks are reported. The FBI anticipates even greater losses this year.
While there are many different attack methods, email remains the most common vector used in cyberattacks on businesses. It is therefore essential to implement a robust email security solution that can block malicious emails and prevent them from being delivered to inboxes.
TitanHQ has developed a powerful, advanced email security solution that can help businesses improve their email security defenses and block phishing, spear phishing, BEC, malware, and ransomware attacks. SpamTitan incorporates multiple threat intelligence feeds, machine learning systems to identify phishing attempts, dual anti-virus engines, and a sandbox to subject suspicious email attachments to in-depth analysis. SpamTitan also incorporates SPF and DMARC to identify and block email impersonation attacks.
If you are concerned about email security and want to improve your defenses against email threats, give the TitanHQ team a call to find out more about SpamTitan and other security solutions that can help you defend your organization from cyberattacks.
Our customer service team will be happy to discuss your options and help set you up for a free trial so you can see for yourself the difference SpamTitan makes to email security.
A new phishing campaign has been detected that uses Google Cloud Services to fool victims into giving up their Office 365 credentials. The new campaign is part of a growing trend of disguising phishing attacks using legitimate cloud services.
The phishing attack starts like any other with an email containing a hyperlink that the recipient is requested to click. If the user clicks the link in the email, they are directed to Google Drive where a PDF file has been uploaded. When the file is opened, users are asked to click a hyperlink in the document, which appears to be an invitation to access a file hosted on SharePoint Online.
The PDF file asks the victim to click the link to sign in with their Office 365 ID. Clicking the link will direct the user to a landing page hosted using Google’s storage.googleapis.com. When the user arrives on the landing page, they are presented with an Office 365 login prompt that looks exactly like the real thing. After entering their credentials, they will be directed to a legitimate PDF whitepaper that has been obtained from a well-respected global consulting firm.
The campaign has been designed to make it appear that the victim is simply being directed to a PDF file that has been shared via Sharepoint, and the actual PDF file is displayed after the victim has divulged their credentials. It is therefore likely that the victim will not realize that their Office 365 credentials have been phished. The only sign that this is a scam is the source code on the phishing page, which even tech-savvy individuals would be unlikely to check.
This campaign was identified by researchers at Check Point, but it is just one of many similar campaigns to have been identified over the past few months. Since these domains are legitimate and have valid SSL certificates, they are difficult to detect as malicious. This campaign abused Google Cloud Services, but several other campaigns have been detected using the likes of IBM Cloud, Microsoft Azure and others to add legitimacy to the campaigns.
This campaign highlights the importance of providing security awareness training to the workforce and warning employees about the risks of clicking links in unsolicited emails, even those that link to genuine domains. An advanced email security solution should also be implemented to block malicious emails and ensure the majority of malicious messages are not delivered to inboxes. That is an area where TitanHQ can help.
Emotet was the most prolific malware botnet of 2018 and 2019, but the botnet fell silent on February 7, 2020 but it has now sprung back to life and is being used to distribute Trojan malware. The botnet returned with a malicious spam campaign on July 17 of at least 30,000 emails, mostly targeting organizations in the United States and United Kingdom. The scale of the campaign has now grown to around 250,000 emails a day with the campaign now global.
The Emotet botnet is a network of computers infected with Emotet malware and there are estimated to be around half a million infected Windows computers under the control of the botnet operators. Those infected devices are contacted through the attackers’ command and control (C2) servers and are sent instructions to send out spam emails spreading Emotet malware.
Once the malware is downloaded, the infected computer is added to the botnet and is used to send spam emails. Emotet infections can also spread laterally within an organization. When investigations are launched following the detection of Emotet, it is common for other computers to be discovered to be infected with the malware.
What makes Emotet particularly dangerous is the operators of the botnet pair up with other threat groups and deliver other malware variants. Emotet has been used to distribute a range of malware variants since its creation in 2014, but recently the malware payload of choice was the TrickBot Trojan. TrickBot is a banking trojan cum information stealer that also serves as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot pair up with other malware developers, notably the developers of Ryuk ransomware. Once TrickBot has stolen information, the baton is passed over to Ryuk, which will also steal data before encrypting files on network. The new Emotet campaign started by distributing the TrickBot Trojan, although the payload has since switched to the QakBot banking Trojan. QakBot also delivers ransomware as a secondary payload, with Prolock often used in the past.
Emotet emails use a variety of lures to get recipients to click links to malicious websites or open infected email attachments. Emotet targets businesses, so the lures used are business related, such as fake shipping notices, invoices, purchase orders, receipts, and job applications. The emails are often personalized, and the threat actors known to hijack email threads and send responses with malicious documents added.
An Emotet infection is serious and should be treated with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.
Fortunately, Emotet malware is delivered via email so that gives businesses an opportunity to prevent infections. By deploying an advanced spam filter such as SpamTitan that has sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and block infections.
The return of Emotet was inevitable, and while the resumption of activity is bad news, there is some good news. A vigilante hacker has started sabotaging Emotet operations by targeting a weak link in their infrastructure. Emotet malware is downloaded from the internet from a range of hacked WordPress sites. The vigilante has found that the temporary stores of Emotet can be easily hacked as they tend to all use the same password. After guessing that password, the Emotet payload has been replaced with a variety of animated GIFs and has disrupted operations, reducing infections to around a quarter of their normal levels. That said, the Emotet gang is attempting to regain control of its web shells and infections with Emotet are still growing.
Over the past month there has been a surge in Phorpiex botnet activity. A botnet is a network of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often with the aim of distributing malware and ransomware. There are known to be around 500,000 computers in the Phorpiex botnet globally and the botnet has been in operation for almost 10 years.
The Phorpiex botnet has previously been used for sending sextortion emails, distributing cryptocurrency miners, and malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a massive Avaddon ransomware campaign that saw around 2% of companies targeted around the world.
Ransomware attacks have increased over the past few months, with many ransomware gangs delivering ransomware manually after gaining access to corporate networks by exploiting vulnerabilities in VPNs and other software or taking advantage of insecure default software configurations. There has also been an increase in ransomware attacks using email as the attack vector. Several ransomware variants are now being primarily delivered by email, and Avaddon ransomware was one of the biggest email threats in June. One week in June saw more than 1 million spam emails sent via the Phorpiex botnet, with most of those emails targeting U.S. companies.
Avaddon ransomware is a new ransomware variant that was first detected in June. The operators of Avaddon ransomware are advertising their malware as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware for a cut of the profits.
Avaddon ransomware searches for a range of file types, encrypts those files and adds the .avdn extension. A ransom note is dropped, and a link is supplied to a Tor site along with a unique user ID to allow the victim to login to pay the ransom for the keys to unlock encrypted files. There is no free decryptor available for Avaddon ransomware. File recovery will only be possible if the ransom is paid or if viable backups exist that have not also been encrypted by the ransomware.
Several subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a ? emoji in the body of the email. This tactic is simple, yet effective.
There are several steps that can be taken by businesses to prevent Avaddon and other email-based ransomware attacks. End user security awareness training should raise awareness of the threat and teach employees how to recognize phishing and malspam threats and condition them to report emails to their security team. If possible, macros should be disabled on all end user devices, although the email attachments used often change and disabling macros will not therefore always prevent infection.
One of the best defenses against email threats such as phishing, malware and ransomware is to install a powerful anti-spam solution such as SpamTitan. SpamTitan can work as a standalone anti-spam solution, but also as an additional level of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security to block zero-day phishing and malware threats.
For more information on protecting your organization from ransomware and other email threats, give the TitanHQ team a call today.
A new phishing campaign has been identified that targets remote workers that will soon be returning to the workplace and claims to include information on coronavirus training. The campaign is one of the most realistic phishing scams in recent weeks, as it is plausible that prior to returning to the office after lockdown would involve some changes to workplace procedures to ensure employee safety.
This campaign targets Microsoft Office 365 users and attempts to obtain users’ Office 365 credentials under the guise of a request to register for COVID-19 training. The emails include the Office 365 logo and are short and to the point.
They just include the text, “COVID-19 Training for Employees: A Certificate For Healthy Workspaces (Register) to participate in Covid-19 Office Training for Employees.”
The message includes a button to click to register, and the emails claim to be “powered by Microsoft Office 365 health safety measures.”
Clicking the link will direct the user to a malicious website where they are required to enter their Office 365 credentials.
This campaign, like many others to have emerged over the past few weeks, closely follow world events. At the start of the pandemic, when there was little information available about COVID-19, phishers were offering new information about COVID-19 and the Novel Coronavirus. As more countries were affected and cases were increasing, incorporation was being offered about local cases in the area. Now that most countries have passed the peak of infections and lockdowns have helped to bring the virus under control, tactics have changed once again.
Campaigns have been detected in the United Kingdom related to the new Track and Trace system being used by the NHS to help control infections warning users that they need to purchase a COVID-19 test. Another campaign targeted parents who are experiencing financial difficulties due to COVID-19, asking for bank account information to allow them to receive a support payment from the government. Messages have also been detected about Free school dinners over the summer, now that the UK government has said that it will be providing support to parents.
There have been several campaigns that have taken advantage of the popularity of the Black Lives Matter movement following the death of George Floyd. This campaign asked recipients of the email to register their opinions about Black Lives Matter and leave a review, with the campaign used to deliver the TrickBot Trojan.
What these phishing campaigns clearly demonstrate is the fluid nature of phishing campaigns, that are regularly changed to reflect global events to maximize the chance of the emails being opened. They show that users need to remain on their guard and be alert to the threat from phishing and always take time to consider the legitimacy of any request and to perform a series of checks to determine whether an email is what it claims to be. This can be tackled through security awareness training, which should be provided to employees regularly.
Naturally, the best defense is to make sure that these emails are blocked and do not reach inboxes, which is why it is important to have layered defenses in place. An advanced spam filtering solution such as SpamTitan is required that uses machine learning and other advanced detection measures to identify new phishing scams along with measures to detect previously unseen malware variants. As an additional layer of protection, you should consider implementing a web filtering solution such as WebTitan that provides time-of-click protection to block the web-based component of phishing attacks and stop drive-by malware downloads. Alongside security awareness training, these solutions will help you to mount a formidable defense against phishing attacks.
A new phishing campaign has been detected that uses calendar invitations to steal banking and email credentials. The messages in the campaign include an iCalendar email attachment which may fool employees as this is a rare file type for phishing. These attachments are therefore unlikely to have been specifically covered in security awareness training.
iCalendar files are the file types used to store scheduling and calendaring information such as tasks and events. In this case, the messages in the campaign have the subject line “Fault Detection from Message Center,” and have been sent from a legitimate email account that has been compromised by the attackers in a previous campaign.
Because the email comes from a legitimate account rather than a spoofed account, the messages will pass checks such as those conducted through DMARC, DKIM, and SPF, which identify email impersonation attacks where the true sender spoofs an account. DMARC, DKIM, and SPF check to see if the true sender of an email is authorized to send messages from a domain.
As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages include a warning from the bank’s security team that withdrawals have been made from the account that have been flagged as suspicious. This campaign is targeting mobile users, with the messages asking for the file to be opened on a mobile device.
If the email attachment is opened, the user will be presented with a new calendar entry titled “Stop Unauthorized Payment” which includes a Microsoft SharePoint URL. If that link is clicked, the user will be directed to a Google-hosted website with a phishing kit that spoofs the login for Wells Fargo bank. Both of these websites have valid SSL certificates, so they may not be flagged as suspicious. They will also display the green padlock that shows that the connection between the browser and the website is encrypted and secure, as would be the case for the genuine bank website.
The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. If the information is entered it is captured by the attacker and the information will be used to gain access to the accounts. To make it appear that the request is genuine, the user will then be directed to the legitimate Wells Fargo website once the information is submitted.
There are warning signs that the request is not genuine, which should be identified by security conscious individuals. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website are suspect, the request to only open the file on a mobile device is not explained. The phishing website also asks for a lot of information, including email address and password, which are not relevant.
These flags should be enough to convince most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and is delivered to inboxes poses a risk.
A U.S. Supreme Court phishing campaign has been detected that uses a fake subpoena to appear in court as a lure to obtain Office 365 credentials. The emails are personalized and are addressed to the victim and claim to be a writ issued by the Supreme Court demanding the recipient attend a hearing. This is a targeted campaign rather than a spray and pray attack that attempts to obtain the credentials of high value targets such as C-Suite members.
The emails include a link that the recipient is required to click to view the subpoena. Clicking the link in the email directs the user to a malicious website where they are required to enter their Office 365 credentials to view the subpoena.
The domain used is brand new and, as such, it is not recognized as malicious by many security solutions, including the default anti-phishing measures of Office 365. The scammers have also used multiple redirects to hide the destination URL in another attempt to thwart anti-phishing defenses.
Prior to the user being directed to the phishing page, they are presented with a CAPTCHA page. CAPTCHA is used to prevent web visits by bots, but in this case, it may be used to add legitimacy to the phish to make the request appear genuine. The CAPTCHA page is real, and the user must correctly select the images in order to proceed. The page also includes the name of the user, further adding legitimacy to the scam. The CAPTCHA may also be a further attempt to make it difficult for the destination URL to be analyzed by security solutions.
This phishing campaign is realistic and uses urgency to get the user to take action quickly, rather than stopping to think about the request. There are signs that this is a scam, such as the domain name which clearly has nothing to do with the U.S. Supreme Court, and a few grammatical and spelling mistakes which would not be expected of any Supreme Court request.
However, the sender name in the email was spoofed to make it appear to have been sent by the “Supreme Court”, the request is certain to scare some recipients into clicking the link, and the landing page is sufficiently realistic to fool busy employees into disclosing their login credentials.
Exchange Online protection (EOP), which is provided by Microsoft free of charge with all Office 365 accounts, often fails to spot these zero-day attacks.
To improve protection against new phishing campaigns, an anti-spam solution is required that incorporates predictive techniques, threat intelligence feeds, and machine learning algorithms. SpamTitan incorporates these and several other layers of protection to identify zero-day phishing, malware, and ransomware campaigns and email impersonation attacks.
SpamTitan can be layered on top of Microsoft’s Exchange Online Protection to serve as an additional layer to your email security defenses to ensure that more malicious emails are blocked and never reach end users inboxes.
A novel phishing scam has been identified that gains access to information on Office 365 accounts without obtaining usernames and passwords. The campaign also manages to bypass multi-factor authentication controls that has been set up to prevent stolen credentials from being used to remotely access email accounts from unfamiliar locations or devices.
The campaign takes advantage of the OAuth2 framework and the OpenID Connect protocol that are used to authenticate Office 365 users. The phishing emails include a malicious SharePoint link that is used to fool email recipients into granting an application permissions that allow it to access user data without a username and password.
The phishing emails are typical of several other campaigns that abuse SharePoint. They advise the recipient that a file has been shared with them and they are required to click a link to view the file. In this case, the file being shared appears to be a pdf document. The document includes the text “q1.bonus” which suggests that the user is being offered additional money. This scam would be particularly effective if the sender name has been spoofed to appear as if the email has been sent internally by the HR department or a manager.
Clicking the link in the email directs the user to a genuine Microsoft Online URL where they will be presented with the familiar Microsoft login prompt. Since the domain starts with login.microsoftonline.com the user may believe that they are on a genuine Microsoft site (they are) and that it is safe to enter their login credentials (it is not). The reason why it is not safe can be seen in the rest of the URL, but for many users it will not be clear that this is a scam.
Entering in the username and password does not provide the credentials to the attacker. It will authenticate the user and also a rogue application.
By entering in a username and password, the user will be authenticating with Microsoft and will obtain an access token from the Microsoft Identity Platform. OAuth2 authenticates the user and OIDC delegates the authorization to the rogue application, which means that the application will be granted access to user data without ever being provided with credentials. In this case, the authentication data is sent to a domain hosted in Bulgaria.
The user is required to enter their login credentials again and the rogue app is given the same permissions as a legitimate app. The app could then be used to access files stored in the Office 365 account and would also be able to access the user’s contact list, which would allow the attacker to conduct further attacks on the organization and the user’s business contacts.
The phishing campaign was identified by researchers at Cofense who warn access only needs to be granted once. Access tokens have an expiration date, but this method of attack allows the attackers to refresh tokens, so that potentially gives the attackers access to documents and files in the Office 365 account indefinitely.
With multi-factor authentication enabled, businesses may feel that they are immune to phishing attacks. Multi-factor authentication is important and can prevent stolen credentials from being used to access Office 365 and other accounts, but MFA is not infallible as this campaign shows.
This campaign highlights how important it is to have an email security solution that uses predictive technology to identify new phishing scams that have not been seen before and do not include malicious attachments. Phishing attacks such as this are likely to bypass Office 365 antispam protections and be delivered to inboxes, and the unusual nature of this campaign may fool users into unwittingly allowing hackers to access their Office 365 accounts.
For further information on how you can secure your Office 365 accounts and block sophisticated phishing attacks, give us a call today to find out how SpamTitan can improve your email defenses.