Security Awareness

Microsoft Teams Used in Tech Support Scam Targeting Female Executives

A new campaign has been identified that abuses Microsoft Teams to deliver malware in a tech support scam, where the user is tricked into believing they need assistance to resolve a technical issue that requires them to grant access via the built-in Microsoft remote monitoring and management tool, Windows Quick Assist.

Tech support scams are a very common form of cybercrime. According to the FBI’s Internet Crime Complaint Center (IC3), 36,002 complaints were received about tech support scams in 2024, making it the 6th most commonly reported cybercrime, and the third biggest cause of losses, with more than $1.46 billion lost to the scams in 2024 alone. It should be noted that many victims fail to report these scams to the FBI, so the number of victims and the losses are likely to be substantially higher.

While the companies impersonated are highly varied, these scams typically involve contact being made with the victim, with the scammer impersonating a member of the technical support team to resolve a fictitious technical issue. To make these scams more realistic, threat actors may add a targeted individual to numerous newsletters and spam sources, and then call to help them resolve the spam problem that the threat actor has created.

One of the latest scams saw contact made via Microsoft Teams with targets in the services sector, including finance, professional, and scientific services. One common denominator was that the targeted individuals all had female-sounding names, and most were executive-level employees. The scam was also conducted at specific times, between 2 p.m. and 3 p.m. local time, which the threat actors perceived to be the ideal time, when attention would likely be reduced and the scam was most likely to succeed.

The Teams request was accompanied by a vishing call. Over the phone, the target was convinced to run a PowerShell command that was delivered via a Microsoft Teams message, which downloaded the first-stage payload. The QuickAssist tool was used by the threat actor for remote access to ensure the deployment of PowerShell, all under the guise of resolving a fictitious technical issue.

The threat actor used QuickAssist to deliver a signed file named Team Viewer.exe to a hidden folder, with that executable likely to be undetected as it would be hidden in normal system activity. The file was used to sideload a malicious DLL called TV.dll, which was used to deliver a second-stage JavaScript-based backdoor, providing persistent access to the user’s device. Persistence was achieved by modifying Registry entries. The campaign was identified by a ReliaQuest researcher and was attributed to a tracked threat actor that uses vishing attacks to infect users with malware, often leading to a ransomware attack. One method of blocking these attacks is to configure Microsoft Teams to block external communications to prevent the initial contact, and if Windows Defender is used, to set it to the most restrictive setting to limit the use of PowerShell.
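The chain described above leaves two traces a defender can look for in endpoint telemetry: a shell starting shortly after a Quick Assist session, and an executable outside the normal install locations loading a DLL from its own folder. The following is an added detection sketch, not code from the researchers or from TitanHQ; the event field names, hosts, paths, times and the 15-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta
import ntpath

# Constructed endpoint telemetry for illustration; the field names are hypothetical
# and the hosts, paths and times are not taken from the campaign report.
EVENTS = [
    # WS-041: Quick Assist session, PowerShell minutes later, then a sideload
    {"time": "2025-05-06T14:05:10", "host": "WS-041", "type": "process",
     "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"time": "2025-05-06T14:09:42", "host": "WS-041", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2025-05-06T14:12:03", "host": "WS-041", "type": "image_load",
     "image": r"C:\Users\jdoe\AppData\Local\.tv\Team Viewer.exe",
     "loaded": r"C:\Users\jdoe\AppData\Local\.tv\TV.dll"},
    # WS-077: Quick Assist followed by PowerShell, but no sideload seen
    {"time": "2025-05-06T15:00:00", "host": "WS-077", "type": "process",
     "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"time": "2025-05-06T15:03:00", "host": "WS-077", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # WS-102: the two tools hours apart, and an installed product loading its own DLL
    {"time": "2025-05-06T10:00:00", "host": "WS-102", "type": "process",
     "image": r"C:\Windows\System32\QuickAssist.exe"},
    {"time": "2025-05-06T13:00:00", "host": "WS-102", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2025-05-06T13:30:00", "host": "WS-102", "type": "image_load",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Program Files\TeamViewer\helper.dll"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: software installed by IT lives under these roots
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def remote_assist_then_shell(events, window=timedelta(minutes=15)):
    """Hosts where PowerShell starts within `window` after Quick Assist starts."""
    last_session, hosts = {}, set()
    for e in sorted(events, key=_ts):
        if e["type"] != "process":
            continue
        name = ntpath.basename(e["image"]).lower()
        if name == "quickassist.exe":
            last_session[e["host"]] = _ts(e)
        elif name in SHELLS and e["host"] in last_session:
            if _ts(e) - last_session[e["host"]] <= window:
                hosts.add(e["host"])
    return hosts


def sideload_from_user_path(events):
    """Hosts where an executable outside the trusted roots loads a DLL that
    sits in its own directory (the Team Viewer.exe / TV.dll pattern)."""
    hosts = set()
    for e in events:
        if e["type"] != "image_load":
            continue
        exe, dll = e["image"].lower(), e["loaded"].lower()
        same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
        if same_dir and not exe.startswith(TRUSTED_ROOTS):
            hosts.add(e["host"])
    return hosts


def triage(events):
    """Map each flagged host to the sorted list of rules it matched."""
    rules = {
        "remote_assist_then_shell": remote_assist_then_shell(events),
        "sideload_from_user_path": sideload_from_user_path(events),
    }
    result = {}
    for rule, hosts in rules.items():
        for host in hosts:
            result.setdefault(host, []).append(rule)
    return {host: sorted(matched) for host, matched in result.items()}


if __name__ == "__main__":
    for host, matched in sorted(triage(EVENTS).items()):
        print(host, matched)
```

A host matching both rules is the stronger signal; a single match, such as a genuine helpdesk session that used PowerShell, still merits a check with the user.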

Ultimately, this scam succeeded because an end user was contacted, and social engineering techniques were used to trick them into taking the actions that the threat actor could not otherwise have performed externally. The recently published Verizon Data Breach Investigations Report revealed that 60% of data breaches involved the human element, with social engineering one of the most common ways that employees are tricked. It is not necessary for threat actors to spend countless hours trying to find zero-day vulnerabilities in software solutions when they can just contact employees and get them to provide the access they need.

As the IC3 data shows, these scams are lucrative for threat actors, and one of the reasons why they are so successful is that they tend to take place over the phone, bypassing the need to defeat anti-spam software and other technical security measures. Since legitimate remote access tools are used, the malicious activity is easy to hide within normal system activity.

Security awareness training can go a long way toward improving defenses against these types of scams. Executives were targeted in this campaign as they have higher-level privileges than other workers, but security awareness training is often less robust at the executive level. It is important to ensure that all members of the workforce, from the CEO down, are provided with security awareness training, and for the training courses to be tailored to different roles and the specific threats that each is likely to encounter.

With the SafeTitan security awareness training platform, it is easy to create tailored training programs for different members of the workforce and the unique threats that they face, including specific programs for the CEO and executives, the HR department, and the IT team. With the SafeTitan platform, there are hundreds of training modules tailored to different aspects of cybersecurity and different threats, making it quick and easy to create and deliver highly effective training courses covering phishing and other email-based attacks, smishing, vishing, and other cyber threats.

Give the TitanHQ team a call today for more information on improving your cybersecurity defenses and security awareness training programs. All TitanHQ solutions are available on a free trial, with support provided to make sure you get the most out of your trial.

SocGholish Malware Used to Deliver RansomHub Ransomware

RansomHub is one of the most prolific ransomware-as-a-service (RaaS) groups now that the ALPHV/BlackCat operation has shut down and the LockBit operation has been hit with successive law enforcement actions. RansomHub engages in double extortion tactics, exfiltrating sensitive data from victims’ networks and encrypting files. Victims must pay to obtain the keys to decrypt their data and to prevent the publication of the stolen data on the RansomHub data leak site. Since emerging in early 2024, the group has conducted more than 200 attacks.

As a RaaS operation, RansomHub uses affiliates to conduct attacks in exchange for a percentage of any ransom payments they generate. The affiliates each have their specialties for breaching victims’ systems, including phishing, remote desktop protocol attacks, and the exploitation of unpatched vulnerabilities. Now, a new tactic is being used – the group is using the SocGholish malware-as-a-service (MaaS) framework for initial access, especially in attacks on the government sector.

SocGholish, also known as FakeUpdates, uses an obfuscated JavaScript loader that is primarily delivered via compromised legitimate websites. After compromising a website, malicious scripts are added that redirect users to webpages that display browser update notifications. These sites use social engineering to trick visitors into downloading a browser update, as they are told that their browser has a security issue or is not functioning correctly. If the user agrees, they download a zip file that contains a JavaScript file. If that file is executed, SocGholish malware is installed.

SocGholish is a malware downloader that provides initial access to a victim’s network. The malware has been used to deliver a wide range of payloads, including AZORult, Gootloader, NetSupport, and Dridex. SocGholish has also previously been used to deliver DoppelPaymer ransomware, and now RansomHub ransomware. In the case of RansomHub, the group deploys Python-based backdoor components for RansomHub affiliates to use for initial access.

Preventing SocGholish infections is critical to preventing RansomHub ransomware attacks; however, prevention requires a defense-in-depth approach. Traffic to the compromised websites can come from emails that include embedded hyperlinks, malvertising, and SEO poisoning, and links to compromised websites are also delivered to users via Google Alerts. The webpages that host the fake browser updates filter traffic, blocking access by sandboxes, which can make detection difficult.

The best approach is to use an advanced anti-spam software such as SpamTitan to block malicious emails. In the last quarterly round of testing at VirusBulletin, SpamTitan, a cloud-based antispam service from TitanHQ, ranked #1 for malware detection, phishing detection and spam blocking with a 0% false positive rate, and in the February 2025 tests, achieved a perfect score blocking 100% of malware, phishing, and spam emails. The high detection rate is due to extensive front-end tests, email sandboxing, and machine learning.

A web filter adds an important layer of protection by scanning websites for malicious content and blocking access to known malicious websites. The WebTitan DNS filter is fed extensive threat intelligence to block access to known compromised webpages, can filter websites by category, and can be configured to block downloads of executable files from the Internet. Security awareness training is vital for creating a human firewall. Employees should be informed about the risks of interacting with security warnings on the Internet, and taught how to identify phishing attempts and be instructed on security best practices. The SafeTitan security awareness training platform and phishing simulator platform make creating and automating training courses and phishing simulations a quick and easy process.

That Google Chrome Installer May be Malware!

A China-based ransomware group, Silver Fox, that has primarily targeted individuals in China, Taiwan, and Hong Kong, has been expanding its attacks outside of those regions and is now conducting attacks more broadly on multiple industry sectors. Silver Fox uses ransomware in its attacks and is focused on file encryption, demanding payment to obtain the keys to decrypt files. While the group does engage in double extortion tactics, stealing data and threatening to leak that data if the ransom is not paid, data theft is limited. Highly sensitive data is not generally stolen.

Many ransomware groups breach networks and spend time moving laterally to infect the maximum number of devices possible and also spend time locating sensitive data to exfiltrate. It is often the data theft and threat of publication that is the main driver behind ransom payments, so much so that some ransomware groups have abandoned the file encryption element of their attacks. In contrast, Silver Fox is focused on quick attacks, often breaching networks and encrypting files on the same day. The group even abandons attacks if lateral movement is not possible or if strengthened security is encountered.

Silver Fox primarily gains initial access to victims’ networks by deploying a remote access Trojan called ValleyRAT. ValleyRAT was first identified in 2023 and is believed to be a malware tool developed by Silver Fox, and its function is to give Silver Fox remote access to networks. The group has extensively targeted individuals in accounting, finance, and sales since those employees are likely to have access to sensitive data that can be quickly and easily stolen.

ValleyRAT is delivered by multiple means, indicating Silver Fox is trying to infect as many users as possible. One of the main methods used for distribution is fake installers for popular software. For instance, the group has been observed using fake installers for EmEditor (a Windows text editor), DICOM software (for viewing medical images), and system drivers and utilities. The group has also been observed using a spoofed website offering the Google Chrome browser, which prompts the user to download a ZIP file containing a Setup.exe file, which installs ValleyRAT.

The methods used to drive traffic to these fake downloads are unclear, although traffic to the fake Google Chrome download site is thought to be generated through malvertising and SEO poisoning. With malvertising, malicious adverts are displayed for key search terms related to Chrome and web browsers that redirect users to the drive-by download site. With SEO poisoning, black hat SEO techniques are used to get web pages to appear in the search engine listings for key search terms. If the user is tricked into executing the fake installer, they will be infected with ValleyRAT and a ransomware attack will rapidly follow.

Since the group is focused on rapid attacks involving minimal effort, the best defense is to strengthen baseline security and make lateral movement difficult through network segmentation. To prevent ValleyRAT downloads, web security needs to be improved to block attempts by users to visit the malicious websites. A web filter is an ideal tool for blocking access, including redirects through malvertising and SEO poisoning. A web filter such as WebTitan can also be configured to block downloads of certain files from the Internet and restrict access to websites by category – software download sites for example. Ongoing (and regular) security awareness training is also vital to teach employees about the risk of downloading software from the Internet, raise awareness of phishing, and teach security best practices, adding an important human layer to your security defenses.

TitanHQ’s web filter, WebTitan, is easy to implement and use, is automatically updated with the latest threat intelligence, and provides exceptional protection against web-based threats. When coupled with the SafeTitan security awareness training and phishing simulation platform, businesses will be well protected against ValleyRAT malware and other web-delivered malware payloads. Give the TitanHQ team a call to discuss these and other cybersecurity solutions to better protect you against the growing malware threat.

Researchers Confirm Massive Threat From Information Stealing Malware

Cybercriminals have extensively used ransomware in their attacks on businesses, government entities, and critical infrastructure, and while these attacks often make headline news and cause massive disruption, there is a much more common malware threat – information stealers.

Information stealers are malware that is silently installed on devices that can remain undetected for long periods of time. These types of malware have many different capabilities and can serve as downloaders for other malicious payloads, but their main function is information theft. Information theft is achieved in several ways, depending on the malware variant in question. These malware types often have keylogging capabilities and can record keystrokes as they are entered on the keyboard, allowing sensitive information such as usernames and passwords to be captured. They can often record audio from the microphone, take control of the webcam and record video, and take screenshots. They can also steal browser histories, cookies, and other sensitive information.

The information stolen from the victim allows the threat actor to conduct follow-on attacks, access accounts and steal further sensitive data, access and drain financial accounts, or commit identity theft and other types of fraud. Information stealers can also provide a threat actor with access to a device, and that access is often sold to specialized cybercriminal groups such as ransomware actors. Many hackers now act as initial access brokers, using information stealers to gain access before selling that access to other cybercriminal groups.

Information stealers such as Lumma, AgentTesla, FormBook, Redline, and StealC have been increasingly used in recent years, especially last year. Check Point observed a 58% increase in attacks from the previous year, and a report from the threat intelligence firm KELA suggested that lists of credentials obtained from information stealers are being shared on cybercrime forums. The credential lists included billions of logins that had been captured from infected devices. According to KELA, around 4.3 million devices were infected, from which around 330 million credentials had been stolen. An estimated 40% were corporate credentials.

The breach notification service, Have I Been Pwned (HIBP), has recently added 284 million compromised accounts to the service. The credentials were identified from chats on a Telegram channel called ALIEN TXTBASE, with the data obtained from information stealer logs. HIBP founder Troy Hunt said the stealer logs included 23 billion rows of data with 493 million unique website and email address pairs and around 284 million unique email addresses. Hunt said 244 million passwords were not previously known to the HIBP service, with 199 million already in its database.

The extent to which these malware variants are used, and the increase in use in 2024, clearly demonstrate the importance of advanced malware protection, and the sheer number of compromised credentials suggests many businesses have been infected with information stealers. The problem for businesses is that these malware variants can be difficult to identify, as new versions are constantly being released. Traditional antivirus software is signature-based, which means it can only detect known malware. When new malware is identified, a signature of that malware is obtained and fed into antivirus software. If a malware signature is not in the software’s definition list, it will not be detected. There are several ways that these information stealers are distributed, with email being one of the most common. They can also be downloaded from the internet from malicious websites in drive-by downloads or installed along with pirated software or doctored versions of legitimate software installers.

Defending against information stealers requires a combination of measures – a defense-in-depth approach, with multiple overlapping layers of security. Given the high volume of infections stemming from email, businesses need a spam filter to block malicious emails. Antispam software will block many malicious emails; however, an antispam server must have advanced antimalware defenses. That means traditional signature-based detection and advanced behavioral detection to ensure previously unseen malware is identified and blocked.

SpamTitan uses dual anti-virus engines for detecting known threats and a next-generation email sandbox for behavioral analysis. If standard checks are passed, suspicious messages are sent to the sandbox – a safe environment where they are detonated and their behavior is analyzed. This vastly improves the detection rate, and in recent independent tests, SpamTitan outperformed all other tested email security solutions and had a 100% malware detection rate.

Security awareness training needs to be provided to the workforce to ensure that employees have the skills to recognize and avoid threats, no matter where they are encountered. Through training, employees should be conditioned to always report potential threats to their security team, and businesses can promote security best practices and eradicate risky behaviors. TitanHQ offers businesses a comprehensive training and phishing simulation platform – SafeTitan – that has been shown to be highly effective at improving employees’ security awareness.

Many malware infections occur via the Internet, and while training can reduce risk, a technical security solution is required to block threats. WebTitan is a DNS-based web filter that is used to block access to known malicious websites, assess websites in real-time for malicious content, block certain file downloads from the Internet, and restrict the sites and web pages employees can access.

With these three security solutions in your arsenal, you will be able to significantly improve your security posture and block information stealers and other threats. Give the TitanHQ team a call today to find out more or take advantage of a free trial of these solutions.

Smishing and Vishing Used by Ransomware Group for Initial Access to Corporate Networks

A ransomware group called EncryptHub has been accelerating attacks and is now known to have breached the networks of more than 600 organizations worldwide. EncryptHub has been active since June 2024 and gains initial access to victims’ networks via spear phishing attacks, with initial contact made via SMS messages rather than email.

The group impersonates commonly used corporate VPN products such as Palo Alto GlobalProtect and Cisco AnyConnect as well as Microsoft 365, and drives traffic to its malicious domains by making contact via personalized SMS messages (smishing) or the phone (vishing).

If vishing is used and the victim is contacted by phone, EncryptHub impersonates a member of the IT helpdesk and uses social engineering techniques to trick them into disclosing their VPN credentials. The phone number is spoofed to make it appear that the call is coming from inside the company, or Microsoft Teams phone numbers are used. The victim is told that there is a problem with the corporate VPN that needs to be resolved, and if the scam works, the user is sent a link via SMS that directs them to a domain that resembles the VPN solution used by that company. If the user enters their credentials, they are used in real-time to log in, and if there are any multifactor authentication prompts, the threat actor is able to obtain them on the call. Once the threat actor has successfully gained access, the user is redirected to the genuine login page for their VPN, and the call is terminated.

Another tactic used by the group involves SMS messages with a fake Microsoft Teams link, with the goal of capturing the user’s Microsoft 365 credentials. The user is directed to a Microsoft Teams-related login page and the threat actor exploits Open URL parameters on microsoftonline.com to harvest email addresses and passwords, while the user believes they are interacting with the legitimate Microsoft service. Once access is gained, the group uses PowerShell scripts and malware to gain persistence, then moves laterally, steals data, deploys the ransomware payload, and issues a ransom demand.

The group’s tactics are highly effective, as in contrast to spear phishing via email, it is difficult to block the initial contact via SMS or over the phone. The key to preventing these attacks is improving the security awareness of the workforce and using a web filter to prevent the phishing domains from being accessed by employees. TitanHQ’s web filter, WebTitan, is a DNS-based web filtering solution that is constantly updated with the latest threat intelligence from multiple sources to provide up-to-the-minute protection against new phishing domains. Any attempt to visit a known phishing domain or other malicious site will be blocked, with the user directed to a locally hosted block page.

Regular security awareness training for the workforce is vital to teach security best practices and raise awareness of the tactics used by cybercriminals to breach corporate networks. With the SafeTitan security awareness training platform, businesses can easily create training programs tailored for individuals, roles, and departments, and automate those campaigns so they run continuously throughout the year, delivering training in small chunks on a weekly or monthly basis. It is easy to incorporate new training in response to changing threat actor tactics to increase awareness of specific threats. The platform also includes a phishing simulator for running phishing simulations on the workforce to reinforce training and identify knowledge gaps. If a phishing simulation is failed, training is automatically delivered to the user in real time, relevant to the threat they failed to identify. This ensures training is delivered at the point when it is likely to be most effective.

For more information on TitanHQ solutions, including the WebTitan DNS filter and the SafeTitan security awareness training platform, give the TitanHQ team a call today. Both solutions are available on a free trial to allow you to assess them fully before making a purchase decision.

Phishing Campaign Targets European and American Corporate Facebook Accounts

A phishing campaign has been identified that targets corporate Facebook credentials and has so far involved more than 12,000 messages to users worldwide. The campaign has primarily targeted enterprises in the European Union (45.5%), United States (45%), and Australia (9.5%) with the phishing emails sent using a legitimate Salesforce automated mailing service. When emails are sent via this service, a sender email address can be specified; however, if no address is supplied, the emails appear to have been sent directly from Salesforce from the noreply@salesforce.com email address, per the terms of service. As such, any recipient of the email may mistakenly believe that the emails are official.

The emails include fake versions of the Facebook logo, which recipients should be able to identify as fake; however, the emails are well-written, and the subject matter is sufficiently concerning to warrant a click. The emails warn the recipient about a copyright infringement claim that has been filed under the Digital Millennium Copyright Act (DMCA) against the user’s personal account, indicating material has been shared via their account that is in violation of copyright laws.

The messages include the date of the complaint, that it was reported by Universal Music Group, and is due to the unauthorized use of copyrighted music. The recipient is told they must respond to the claim by the close of business if they wish to contest the claim. The date of the required response is only 24 hours after the complaint date, therefore an immediate response is required. As is common with phishing attempts, there is a threat – permanent restrictions on the user’s Facebook account. The message includes a button to click to contest the claim, but rather than direct the user to a login page, they are directed to a fake support page, where they are provided with further information on the restrictions that have or will be applied. Several variations of that email have been identified, including warnings that Facebook surveillance systems have identified a copyright issue and, as a result, limitations have been placed on the user’s account.

Those restrictions include the disabling of personal ad accounts and audiences, blocking the management of advertising assets or people for businesses, and preventing the user from creating or running ads and managing ad accounts. In order to have those restrictions removed, the user must click the button to request a review, which directs the user to a spoofed Facebook login page. If credentials are entered, they will be captured and used to log in to the user’s account. The campaign, identified by Check Point Research, targets business users, many of whom will rely on Facebook for advertising and customer contact, therefore the consequences of an account restriction could be serious, and certainly serious enough to warrant filing an appeal. What is unclear is how the threat actor uses the compromised accounts. Potentially they could be used for further scams, which could cause considerable reputational damage to the business.

Protecting against these types of phishing campaigns requires a combination of email security and user awareness. An email security solution can prevent these messages from reaching inboxes, thus neutralizing the threat, but security awareness training should also be provided to workforce members to help them identify and avoid phishing attempts. In this case, Facebook admins for the business should be warned about the campaign and instructed to log in to Facebook directly via their web browser if they receive any copyright infringement notices purporting to have been sent by Facebook. If there is a problem with their account, it will be apparent when they log in to their account.

With the SafeTitan security awareness training platform from TitanHQ, it is easy to create and automate security awareness training programs and roll out new training content in relation to specific threats, only providing that training to the individuals who are likely to be targeted. Phishing simulations can easily be created to test awareness of these phishing scams, with relevant training automatically delivered in response to clicks on phishing emails.

TitanHQ’s anti-spam software, SpamTitan, provides excellent protection against phishing, as demonstrated by recent tests by VirusBulletin. The cloud-based anti-spam service outperformed all other antispam solutions in the latest round of tests, blocking 100% of phishing emails and 100% of malware, earning SpamTitan the top spot for overall score. If you are not happy with your anti-phishing defenses or feel you are paying too much for protection, give the TitanHQ team a call and ask about SpamTitan. If you have yet to provide regular security awareness training to your workforce, why not sign up for a free trial of SafeTitan and put the product to the test on your workforce?

Email Bombing: What You Need to Know to Protect Your Business

Investigations of cyberattacks have identified an increasing number of incidents that started with email bombing. A high percentage of cyberattacks involve phishing, where emails are sent to employees to trick them into visiting a malicious website and disclosing their credentials, or opening a malicious file that installs malware. Email bombing is now being used to increase the effectiveness of phishing campaigns.

With email bombing, the user is sent a large number of spam emails in a short period of time, such as by adding a user to a large number of mailshots, news services, and spam lists. The threat actor creates a genuine spam issue, then impersonates a member of the IT department and claims they can fix the problem, with contact often made via a Microsoft Teams message. If the user accepts, they are tricked into installing remote access software and granting the threat actor remote access to their device. The threat actor will establish persistent access to the user’s device during the remote access session. What starts with an email bombing attack often ends with a ransomware attack.
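Because the flood of mail arrives before the fake helpdesk contact, spotting it gives the security team a chance to warn the targeted user first. The following is an added example, not code from TitanHQ or any mail product: it scans mail-gateway records for one recipient receiving many messages from many different sender domains inside a short window. The record layout, addresses, 10-minute window and thresholds are assumptions to tune against normal traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_email_bombing(records, window=timedelta(minutes=10),
                         min_msgs=30, min_domains=20):
    """records: iterable of (iso_time, recipient, sender_address).

    Returns {recipient: iso_time} for the first moment a recipient has at
    least `min_msgs` messages from at least `min_domains` distinct sender
    domains inside the sliding `window`.
    """
    recent = defaultdict(deque)   # recipient -> (time, sender domain) in window
    alerts = {}
    for ts, rcpt, sender in sorted(records, key=lambda r: r[0]):
        t = datetime.fromisoformat(ts)
        rcpt = rcpt.lower()
        queue = recent[rcpt]
        queue.append((t, sender.rsplit("@", 1)[-1].lower()))
        # Drop messages that have aged out of the window
        while t - queue[0][0] > window:
            queue.popleft()
        if rcpt in alerts:
            continue
        domains = {domain for _, domain in queue}
        # Volume alone is not enough: one chatty internal system sends a lot
        # of mail from a single domain, while list bombing comes from many.
        if len(queue) >= min_msgs and len(domains) >= min_domains:
            alerts[rcpt] = t.isoformat()
    return alerts


def sample_records():
    """Constructed gateway records (all addresses are made up)."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    records = []
    for i in range(40):
        # Bombed mailbox: a message every 12 seconds, each from a new list
        records.append(((base + timedelta(seconds=12 * i)).isoformat(),
                        "cfo@corp.example", f"news@list{i}.example"))
        # Ordinary mailbox: same message count spread across the working day
        records.append(((base + timedelta(minutes=12 * i)).isoformat(),
                        "analyst@corp.example", f"digest@vendor{i % 5}.example"))
        # Noisy but benign: a monitoring system alerting from one domain
        records.append(((base + timedelta(seconds=5 * i)).isoformat(),
                        "oncall@corp.example", "monitor@alerts.corp.example"))
    return records


if __name__ == "__main__":
    for recipient, when in detect_email_bombing(sample_records()).items():
        print(f"possible email bombing of {recipient} at {when}")
```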

There are several measures that you should consider implementing to prevent these attacks. If you use Microsoft Teams, consider restricting calls and messages from external organizations, unless there is a legitimate need to accept such requests. If so, ensure permission is only given to trusted individuals such as business partners. The use of remote access tools should be restricted to authorized personnel only, and steps should be taken to prevent the installation of these tools, including using a web filter to block downloads of these tools (and other executables) from the Internet.

A spam filter should be implemented to block spam and unwanted messages. Advanced spam filters such as SpamTitan use AI-guided detection and machine learning to block spam, phishing, and other malicious emails, along with email sandboxing to identify novel threats and zero-day malware. In the Q4 2024 tests at VirusBulletin, the SpamTitan spam filtering service blocked 99.999% of spam emails, 100% of phishing emails, and 100% of malware with a 0.000% false positive rate, earning SpamTitan top position out of all anti-spam software under test.

Businesses should not underestimate the importance of security awareness training and phishing simulations. Regular security awareness training should be provided to all members of the workforce to raise awareness of the tactics used by cybercriminals. A cyberattack is much more likely to occur as a result of a phishing or social engineering attempt than the exploitation of a software vulnerability. Businesses that use the SafeTitan security awareness training platform and phishing simulator have reduced susceptibility to email attacks by up to 80%. For more information on TitanHQ cybersecurity solutions, including award-winning anti-spam solutions for managed service providers, give the TitanHQ team a call or take advantage of a free trial of any of TitanHQ’s cybersecurity solutions.

Microsoft 365 Accounts Targeted Using Sneaky 2FA Phishing Kit

As the massive cyberattack on Change Healthcare demonstrated last year, the failure to implement multifactor authentication on accounts can be costly. In that attack, multifactor authentication was not implemented on a Citrix server, and stolen credentials allowed access that resulted in the theft of the personal and health information of 190 million individuals. The ransomware attack caused a prolonged outage, and remediation and recovery cost Change Healthcare an estimated $2.9 billion last year.

The attack should serve as a warning for all companies that multifactor authentication is an essential cybersecurity measure – if passwords are compromised, access to accounts can be prevented. Unfortunately, multifactor authentication protection can be circumvented. Threat actors are increasingly using phishing kits capable of intercepting multifactor authentication codes in an adversary-in-the-middle attack. Phishing kits are packages offered to cybercriminals that cover all aspects of phishing. Once a kit has been purchased, phishing campaigns can be conducted with minimal effort, as the phishing kit will generate copies of websites that impersonate well-known brands, the infrastructure for capturing credentials, and templates for phishing emails. After paying a fee, all that is required is to supply the email addresses for the campaign, which can be easily purchased on hacking forums.

Some of the more advanced phishing kits are capable of defeating multifactor authentication by harvesting Microsoft 365 and Gmail session cookies, which are used to circumvent MFA access controls during subsequent authentication. One of the latest phishing kits to be identified has been dubbed Sneaky 2FA. The kit was first identified as being offered and operated on Telegram in October 2024 by researchers at the French cybersecurity firm Sekoia. The researchers identified almost 100 domains that host phishing pages created by the Sneaky 2FA phishing kit.

As with a standard phishing attack, phishing emails are sent to individuals to trick them into visiting a phishing page. One campaign using the Sneaky 2FA phishing kit uses payment receipt-related emails to trick the recipient into opening a PDF file attachment that has a QR code directing the user to a Sneaky 2FA page on a compromised website, usually a compromised WordPress site. These pages have a blurred background and a login prompt. Microsoft 365 credentials are required to access the blurred content. The phishing pages automatically add the user’s email address to the login prompt, so they are only required to enter their password. To evade detection, multiple measures are employed such as traffic filtering, Cloudflare Turnstile challenges, and CAPTCHA checks.

Many phishing kits use reverse proxies for handling requests; however, the Sneaky 2FA phishing server handles communications with the Microsoft 365 API directly. If the checks are passed, JavaScript code is used to handle the authentication steps. When the password is entered, the user is directed to the next page, and the victim’s email address and password are sent to the phishing server via an HTTP POST. The server responds with the 2FA method for the victim’s account and the response is sent to the phishing server. The phishing kit allows session cookies to be harvested that provide account access, regardless of the 2FA method – Microsoft Authenticator, one-time password code, or SMS verification.

Phishing kits such as Sneaky 2FA make it easy for cybercriminals to conduct phishing attacks and defeat MFA; however, they are not effective at defeating phishing-resistant MFA such as FIDO2, WebAuthn, or biometric authentication. The problem is that these forms of MFA can be expensive and difficult to deploy at scale.

Businesses can greatly improve their defenses with advanced spam filter software with AI- and machine learning detection, email sandboxing, URL rewriting, QR code checks, greylisting, SPF, DKIM, and DMARC checks, and banners identifying emails from external sources. Effective email filtering will ensure that these malicious emails do not land in employee inboxes. TitanHQ offers two email security solutions – SpamTitan email security and the PhishTitan anti-phishing solution for M365. The engine that powers both solutions was recently rated in 1st place for protection in the Q4, 2024 tests by VirusBulletin, achieving a 100% malware and 100% phishing detection rate.

Regular security awareness training should also be provided to all members of the workforce to raise awareness of threats and to teach cybersecurity best practices. With the SafeTitan security awareness training platform it is easy to create and automate training courses and add in new training content when new threat actor tactics are identified. The platform also includes a phishing simulator for reinforcing training and identifying individuals in need of additional training.

For more information on improving your defenses against phishing and malware, give the TitanHQ team a call. Product demonstrations can be arranged on request and all TitanHQ solutions are available on a free trial.

Email Bombing Adopted by Ransomware Groups for Initial Access

In this post, we explore some of the tactics used by the Black Basta ransomware group to gain initial access to victims’ networks. Black Basta is a ransomware-as-a-service (RaaS) group that first appeared in April 2022. After gaining access to victims’ networks, the group escalates privileges and moves laterally within the network, identifying sensitive data and exfiltrating files before running its encryption processes. The group then drops a ransomware note and demands payment to prevent the publication of the stolen data and to obtain the keys to decrypt the encrypted files. The group targets multiple industry sectors including healthcare organizations, primarily in North America, Europe, and Australia.

The group’s tactics are constantly evolving; however, one of the most common tactics used for initial access is email phishing, either by sending an email with a hyperlink to a malicious website or an infected email attachment. The group’s phishing campaigns aim to deliver Qakbot malware, which is used to provide persistent access to victims’ networks (via autorun entries and scheduled tasks), and for running PowerShell scripts to disable security solutions. The malware is then used to deliver additional malicious payloads such as Cobalt Strike, and legitimate software tools such as Splashtop, Mimikatz, and Screen Connect.

Recently, the group has been observed using a new tactic called email bombing as an alternative way of gaining initial access to networks. With email bombing, the selected targets’ email addresses are sent large volumes of spam emails, often by signing the user up to multiple mailing lists or spamming services simultaneously. After receiving a large volume of spam emails, the user is prepared for the next stage of the attack.

The threat actor reaches out to the user, often via Microsoft Teams or over the phone, and impersonates a member of the IT help desk. The threat actor claims they have identified a problem with spam email and tells the user that they need to download a remote management tool to resolve the issue.

If the user agrees, they are talked through downloading one of several tools such as QuickAssist, AnyDesk, TeamViewer, or ScreenConnect. The threat actor then uses that tool to remotely access the user’s device. These tools may be downloaded directly from the legitimate vendor’s domain; however, since many businesses have controls in place to prevent the installation of unauthorized remote access tools, the installation executable file may be downloaded from SharePoint. Once installed, the threat actor will use the remote access to deliver a range of payloads.

Email bombing is a highly effective tactic as it creates a need to have an issue resolved. Once on the phone or in conversation via Microsoft Teams, the threat actor is able to try other methods for installing the remote access tools if they fail due to the user’s security settings.

Email bombing may be used by multiple threat actors for initial access, and phishing remains the most common method for gaining a foothold in networks for follow-on attacks. Implementing defenses against these tactics will significantly improve your defenses and make it harder for threat actors to breach your network.
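A detection sketch for the email bombing pattern described in this post, added here as an example and not taken from TitanHQ or any product: it flags a mailbox that receives a burst of mail from many unrelated sender domains inside a short window. The log tuple format, the thresholds, and the sample addresses are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sender_domain(address):
    """Lower-cased domain part of an envelope sender address."""
    return address.rsplit("@", 1)[-1].lower()


def detect_email_bombing(events, window=timedelta(minutes=10),
                         min_messages=30, min_domains=20):
    """Flag recipients hit by a burst of mail from many unrelated senders.

    events: iterable of (datetime, sender, recipient) tuples from a mail log.
    Returns {recipient: {"first_alert", "messages", "domains"}}.
    Thresholds are assumed starting points; tune them to the site's baseline.
    """
    recent = defaultdict(deque)   # recipient -> (time, domain) pairs in the window
    alerts = {}
    for ts, sender, recipient in sorted(events, key=lambda e: e[0]):
        queue = recent[recipient]
        queue.append((ts, sender_domain(sender)))
        # Drop messages that have aged out of the sliding window.
        while ts - queue[0][0] > window:
            queue.popleft()
        if recipient in alerts or len(queue) < min_messages:
            continue
        # Mailing-list sign-ups arrive from many different domains, which is
        # what separates a bombing run from one chatty legitimate sender.
        domains = {domain for _, domain in queue}
        if len(domains) >= min_domains:
            alerts[recipient] = {
                "first_alert": ts,
                "messages": len(queue),
                "domains": len(domains),
            }
    return alerts


def build_sample_log():
    """Constructed sample log; every address here is made up."""
    start = datetime(2025, 1, 14, 14, 0, 0)
    events = []
    # Targeted mailbox: 40 list confirmations from 40 domains, 12 seconds apart.
    for i in range(40):
        events.append((start + timedelta(seconds=12 * i),
                       f"noreply@list{i:02d}.example.net", "cfo@example.com"))
    # Noisy but benign: 50 alerts from a single monitoring system.
    for i in range(50):
        events.append((start + timedelta(seconds=10 * i),
                       "alerts@monitoring.example.org", "ops@example.com"))
    # Ordinary mailbox: 6 messages from 6 senders spread over an hour.
    for i in range(6):
        events.append((start + timedelta(minutes=10 * i),
                       f"colleague{i}@partner{i}.example.com", "hr@example.com"))
    return events


if __name__ == "__main__":
    for mailbox, info in detect_email_bombing(build_sample_log()).items():
        print(mailbox, info["first_alert"].isoformat(),
              info["messages"], "messages from", info["domains"], "domains")
```

An alert on a mailbox is a cue to warn that user and the help desk that any unsolicited offer of IT support over Teams or the phone is likely to be the follow-up stage of the attack.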

An Advanced Spam Filter

An advanced spam filter is a must, as it can identify and block phishing attempts and reduce the effectiveness of email bombing. Next-gen spam filtering software incorporates AI and machine learning algorithms to thoroughly assess inbound emails, checking how they deviate from the emails typically received by the business, and helping to flag anomalies that could indicate novel phishing attempts.

A spam filter should also incorporate email sandboxing in addition to antivirus software protection, as the latter can only detect known threats. Novel malware variants and obfuscated malware are often missed by antivirus software, so a sandbox is key to blocking malware threats. After passing initial checks, an email is sent to the email sandboxing service for deep analysis, where behavior is checked for malicious actions, such as attempted C2 communications and malware downloads.

SpamTitan incorporates machine learning algorithms, sandboxing, and link scanning to provide advanced protection against phishing and malware attacks. SpamTitan was rated the most effective spam filter in recent independent tests by VirusBulletin, blocking 100% of phishing emails, 100% of malware, and 99.99% of spam emails, giving the solution the highest overall score out of all 11 spam filtering services put to the test.

Security Awareness Training

It is important to provide regular security awareness training to the workforce, including all employees and the C-suite. The most effective training is provided regularly in small chunks, building up knowledge of threats and reinforcing security best practices. This is easiest with a modular computer-based training course. When new tactics such as email bombing are identified, they can be easily incorporated into the training course and rolled out to end users to improve awareness of specific tactics. Also consider running phishing simulations, as these have been shown to be highly effective at reinforcing training and identifying knowledge gaps that can be addressed through further training.

TitanHQ makes this as easy as possible with the SafeTitan security awareness training and phishing simulation platform. The platform includes hundreds of engaging and enjoyable training modules covering all aspects of security and threats employees need to be aware of, while the phishing simulation platform makes it easy to create and automate internal phishing simulations, which automatically trigger relevant training content if the user fails the simulation.

Give the TitanHQ team a call today for further information on SpamTitan and SafeTitan, for a product demonstration, or to arrange a free trial.

TitanHQ Launches Security Awareness Training for MSPs

Managed service providers can implement security solutions to protect their clients from phishing, social engineering, and business email compromise attacks but if a malicious email manages to bypass those defenses, it could easily result in hackers gaining a foothold in the network, resulting in a highly disruptive and costly cyberattack and data breach. To improve defenses against phishing, managed service providers should offer their clients security awareness training to manage human risk, and now TitanHQ can offer a security awareness training (SAT) solution that allows them to do that with ease.

This month, TitanHQ launched its Security Awareness Training (SAT) solution for MSPs. The solution has been specifically created to be used by MSPs and allows them to provide affordable, scalable training with minimal setup. The training platform has now been integrated with TitanHQ’s MSP cybersecurity platform and is ready for MSPs to use. In contrast to many SAT solutions that only provide standard cybersecurity training, TitanHQ’s SAT solution integrates advanced phishing simulation with behavior-focused training that is fun and engaging for participants. The solution delivers maximum value to MSPs and can be rapidly set up, allowing them to roll out training programs to new clients with just a few clicks. There is no need to spend hours assigning training content to new customers, as it is possible to select multiple customers and rapidly spin up training courses that can be rapidly deployed for individuals or groups of customers in the future.

The AI-driven training platform allows training content to be tailored to individual employees to meet their training needs, personalizing the training experience. The platform includes more than 80 videos, training sessions, and webinars to improve awareness and help create a security culture. MSPs are provided with monthly reports on the progress that is being made by individual employees and they are provided with actionable insights.

The platform includes a phishing simulator that allows MSPs to conduct real-time phishing simulations based on a huge variety of templates (1,800+) covering all types of phishing and other attack scenarios, and the content is updated regularly to include the latest tactics, techniques, and procedures used by cybercriminals in real-world phishing campaigns. MSPs can easily pre-configure phishing simulations and training campaigns to roll out to new clients as they are onboarded, and the MSP dashboard provides a view of quick actions and live analytics all in one place.

The training platform can deliver reactive training in response to user behavior, where users in need of training are automatically enrolled and delivered relevant training content. MSPs can use the platform to conduct cyber awareness knowledge checks to identify areas where individuals need training, verify understanding of the training material, and retest employees over time to ensure they have not forgotten the material from previous training sessions. The training material covers the cyber threats that employees are likely to encounter such as phishing, social engineering, business email compromise, and malware, but also in-person threats such as physical security, ensuring they receive comprehensive training that covers all the bases.

If you have yet to start offering security awareness training to your clients, or if you already offer training but require a more comprehensive and easier-to-use training platform, give the TitanHQ team a call. Product demonstrations can be arranged on request to show you just how easy the platform is to use.

“Our integrated cybersecurity platform delivers maximum value to MSPs, offering a quicker time-to-market, reduced set-up requirements combined with real-world, practical security awareness training & phishing simulations. TitanHQ delivers that seamlessly, allowing MSPs to offer comprehensive SAT to their customers in just a few clicks,” said TitanHQ CEO, Ronan Kavanagh.

School Cyberattacks Increase 55% with Phishing Attacks the Most Common Threat

While no sector is immune to cyberattacks, some sectors are targeted more frequently than others and attacks on the education sector are common and on the rise. In May 2024, new data released by the UK’s Information Commissioner’s Office revealed there had been 347 cyber incidents reported by the education and childcare sector in 2023, an increase of 55% from the previous year.

These attacks can prevent access to IT systems, forcing schools to resort to manual processes for checking pupil registers, teaching, and all other school functions. Without access to IT systems, teachers are unable to prepare for lessons, schools have been prevented from taking payment for pupil lunches, and many have lost students’ coursework. The impact on schools, teachers, and students can be severe. Some schools have been forced to temporarily close due to a cyberattack.

A survey conducted by the Office of Qualifications and Examinations Regulation (Ofqual) found that 9% of surveyed headteachers had experienced a critically damaging cyberattack in the past academic year. 20% of schools were unable to immediately recover from a cyberattack and 4% reported that they still had not returned to normal operations more than half a term later.

The Ofqual survey revealed more than one-third of English schools had suffered a cyber incident in the past academic year and a significant percentage faced ongoing disruption due to a cyberattack. Cyberattacks can take many forms and while ransomware attacks are often the most damaging, the most common type of cyber incident is phishing. According to the survey, 23% of schools and colleges in England experienced a cybersecurity incident as a result of a phishing attack in the past year.

Schools are not sufficiently prepared to deal with these attacks. According to the survey, 1 in 3 teachers said they had not been provided with cybersecurity training in the past year, even though cybersecurity training has proven to be effective at preventing cyberattacks. The survey revealed that out of the 66% of teachers who had been provided with training, two-thirds said it was useful.

TitanHQ has developed a comprehensive security awareness training platform for all sectors, that is easy to tailor to meet the needs of individual schools. The platform includes an extensive range of computer-based training content, split into modules of no more than 10 minutes to make it easy for teachers and other staff members to complete. The training material is enjoyable, covers the specific threats that educational institutions face, and teaches the cybersecurity practices that can help to improve defenses and combat phishing, spear phishing, and malware attacks.

The SafeTitan platform also includes a phishing simulator for conducting simulated phishing attacks to improve awareness, reinforce training, and give staff members practice in identifying phishing and other cyber threats. The training and simulations can be automated, and training modules can be set to be triggered by security errors and risky behaviors. Further, the platform is affordable.

To find out more about improving human defenses at your educational institution through SafeTitan, give the TitanHQ team a call. TitanHQ can also help with improving technical defenses, with a suite of cybersecurity solutions for the education sector including SpamTitan anti-spam software, the PhishTitan anti-phishing solution, and the WebTitan DNS-based web filter. Combined, these technical defenses can greatly improve your security posture and prevent cyber threats from reaching end users and their devices.

Is Your Business Protected Against Internal Phishing Attempts?

If a phishing attempt is successful and a threat actor gains access to an employee’s email account, it is common for the compromised email account to be used for internal phishing. Some malware variants also allow threat actors to hijack email accounts and send malware internally, adding a copy of the malware to a message thread to make it appear that a file was attached in response to a past email conversation.

These attacks occur in several scenarios: in business email compromise attacks, to gain access to an email account that can be used for the scam (a CEO, executive, HR, or IT department account, for example); to distribute malware extensively and compromise as many accounts as possible; to gain access to multiple email accounts; or to compromise multiple accounts to gain access to sensitive data.

In industries where data breach reporting is mandatory, such as in healthcare in the United States, email account breaches are regularly reported where unauthorized activity is detected in a single email account, and the subsequent investigation reveals multiple employee email accounts have been compromised through internal phishing.

Internal phishing attempts are much harder to identify than phishing attempts from external email accounts. Even when email security solutions incorporate outbound scanning, these phishing attempts are often not recognized as malicious as the emails are sent from a trusted account. The recipients of these emails are also much more likely to trust an internal email than an external email from an unknown sender and open the email, click a link, or open a shared file.

Attackers may also spoof an internal email account. It is easy to find out the format used by a company for their emails, and names can be found on professional networking sites. A good email security solution should be able to identify these spoofed emails, but if they arrive in an inbox, an employee may be fooled into thinking that the email is a genuine internal email.

It is important for businesses to take steps to combat internal phishing as it is a common weak point in email defenses. Unfortunately, there is no single technical control that can protect against these phishing attempts. What is required is a combination of measures to provide layered protection. With layered security, if one measure fails to protect against a threat, others are in place that can thwart the attempt.

The best place to start is with a technical measure to identify and block these phishing threats. Spam filter software naturally needs to have inbound as well as outbound scanning; however, standard checks such as reputation scans are not enough. An email security solution should have AI and machine learning capabilities for assessing how emails deviate from standard emails sent internally and for in-depth analysis of message content. Link scanning is also important, with URL rewriting to identify the true destination of embedded URLs, OLE detection, and email sandboxing to identify malicious attachments – not just malware but also malicious links in email attachments.

Security awareness training is vital as employees may not be aware of threats they are likely to encounter. Security awareness training should include internal phishing and employees should be made aware that they should not automatically trust internal emails as they may not be what they seem. Security awareness training should be accompanied by phishing simulations, including simulated phishing attempts from internal email accounts. These will give employees practice in identifying phishing and security teams will learn how susceptible the workforce is and can then take steps to address the problem.

Multi-factor authentication is required. If a phishing attempt is not identified by either a security solution or the employee, and the employee responds and divulges their credentials, they can be used by the threat actor to access the employee’s email account. Multi-factor authentication protects against this by requiring another factor – in addition to a password – to be provided. The most robust form of MFA is phishing-resistant MFA, although any form of MFA is better than none.

TitanHQ can help protect against phishing attacks of all types through the SpamTitan cloud-based spam filtering service, the PhishTitan anti-phishing solution for M365, and the SafeTitan Security awareness training and phishing simulation platform.

The engine that powers SpamTitan and PhishTitan has an exceptional phishing catch rate, including internal phishing attempts. The engine incorporates AI- and machine learning algorithms that can detect novel phishing attempts and emails that deviate from the normal emails sent internally, as well as OLE detection, URL rewriting, and email sandboxing for catching novel malware and phishing threats.

The SafeTitan Security awareness training platform includes an extensive library of training content to teach security best practices, eradicate risky behaviors, and train employees on how to recognize an extensive range of threats. The phishing simulator makes it easy to conduct internal phishing tests on employees to test knowledge and give employees practice at identifying email threats. Usage data shows the platform can reduce employee susceptibility to phishing attempts by up to 80%.

For more information about improving your phishing defenses, speak with TitanHQ today.

AI Tools Increasingly Used for BEC/VEC Attacks

Business email compromise (BEC) and vendor email compromise (VEC) attacks can result in huge financial losses that can prove catastrophic for businesses, and these attacks are being conducted with increasing regularity.

BEC and VEC attacks have their roots in phishing and often involve phishing as the first stage of the attack. These attacks involve impersonation of a trusted person through spoofed or compromised email accounts. The attacker then tricks the targeted individual into disclosing sensitive information or making a fraudulent wire transfer. In the case of the latter, the losses can be considerable. A scam targeting a company employee at Orion, a Luxembourg carbon black supplier, resulted in fraudulent transfers of $60 million. The employee was tricked into believing he was conversing with a trusted vendor and made multiple fraudulent transfers to the attacker’s account.

BEC and VEC attacks are among the most difficult email threats to detect, as they often use legitimate, trusted email accounts so the recipient of the email is unaware that they are conversing with a scammer. Since the attacker often has access to emails, they will be aware of confidential information that no other individual other than the genuine account holder should know. The attacker can also check past emails between the account holder and the victim and can mimic the writing style of the account holder. These attacks can be almost impossible for humans to distinguish from genuine communications. Scammers often reply to existing email threads, which makes these scams even more believable.

BEC/VEC scammers are increasingly turning to AI tools to improve their attacks and AI tools make these scams even harder for humans and email security solutions to identify. AI tools can be fed past emails between two individuals and told to create a new email by mimicking the writing style, resulting in perfect emails that could fool even the most security-aware individual.

Some of the most convincing VEC attacks involve the use of compromised email accounts. The attacker gains access to the account through phishing or stolen credentials and searches through the account for information of interest that can be used in the scam. By searching through sent and stored emails, they can identify the vendor’s clients and identify targets. They are then sent payment requests for fake invoices, or requests are made to change the bank account information for genuine upcoming payments.

Due to the difficulty of identifying these threats, a variety of measures should be implemented to improve defenses, including administrative and technical controls, as well as employee training. In order to beat AI tools, network defenders need to adopt AI themselves, and should implement a spam filter with AI and machine learning capabilities, such as the SpamTitan cloud-based spam filtering service.

SpamTitan analyzes the genuine emails received by the company to create a baseline against which other emails can be measured. Through machine learning, Bayesian analysis, and other content checks, SpamTitan is able to identify the signs of BEC/VEC and alert end users when emails deviate from the norm. An anti-phishing solution is also strongly recommended to protect accounts against initial compromise and to raise awareness of potential threats. PhishTitan from TitanHQ incorporates cutting-edge threat detection with email banners warning about external emails and other threats and allows IT teams to rapidly remediate any attacks in progress.

Security awareness training is essential for raising awareness of the threat of BEC and VEC attacks. Since these scams target executives, IT, and HR staff, training for those users is vital. They should be made aware of the threat, taught how to identify these scams, and the actions to take when a potentially malicious message is received. With the SafeTitan security awareness training program it is easy to create training courses and tailor the content to cover threats each user group is likely to encounter to ensure the training is laser-focused on the most pertinent threats.

While spam email filtering and security awareness training are the most important measures to implement, it is also important to strengthen defenses against phishing through the adoption of multi-factor authentication on all email accounts, to prevent initial compromise. Administrative controls should also be considered, such as requiring employees to verify any high-risk actions, such as changes to bank accounts or payment methods, and maintaining a contact list of verified contact information to allow phone verification of any high-risk change. This two-step verification method can protect against all BEC/VEC attacks and prevent fraudulent payments.

$60 Million Lost in Single Business Email Compromise Scam

Business Email Compromise (BEC) has long been one of the costliest types of cybercrime. According to the latest data from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), almost 21,500 complaints were received about BEC attacks in 2023, resulting in adjusted losses of more than $2.9 billion. Between October 2013 and December 202, more than $50 billion was lost to BEC scams domestically and internationally.

What is Business Email Compromise?

BEC, also known as email account compromise (EAC), is a sophisticated scam that involves sending emails to individuals that appear to have come from a trusted source and making a legitimate-sounding request, which is typically a change to bank account details for an upcoming payment or payment of a fake invoice.

One such scam targets homebuyers, with the attacker impersonating the title company and sending details for a wire transfer for a down payment for a house purchase. Businesses are commonly targeted and asked to wire money for an upcoming payment to a different bank account. While the scammer is usually based overseas, the bank account may be at a bank in the victim’s home country. When the funds are transferred by the victim they are immediately transferred overseas or withdrawn, making it difficult for the funds to be recovered.

BEC attacks often start with phishing emails. The scammers use phishing to gain access to an employee’s email account, then the account is used to send phishing emails internally. The goal is to compromise the account of an executive such as the CEO or CFO. That account can then be used for the BEC part of the scam. Alternatively, vendors are targeted, such as construction companies, and their accounts are used for BEC attacks on their customers.

Once a suitable email account has been compromised, the scammers search through previous emails in the account to find potential targets – the company’s customers in the case of a vendor account or individuals responsible for making wire transfers in the case of a CEO’s account. The attackers study previous communications between individuals to learn the writing style of the account holder, and then craft their messages impersonating the genuine account owner. AI tools may also be used for this part of the scam or even researching targets. Alternatively, email accounts and websites may be spoofed, using slight variations of legitimate email addresses and domains. The information needed to conduct the scam may be gleaned from public sources or stolen via malware infections.

From here, a single request may be sent or a conversation may ensue over several emails to build trust before the request is made. Considerable time and effort is put into these scams because the effort is worth it for the scammers. The losses to these scams can be huge. Fraudulent wire transfers are often for tens of thousands of dollars or more, and with two recent scams, the losses have been immense.

Tens of Millions Fraudulently Obtained in BEC Scams

INTERPOL recently reported that it had successfully recovered more than $40 million stolen in a single BEC attack. The scammers targeted a commodities firm in Singapore, impersonating one of the company’s suppliers. In July, an email was received that had apparently been sent by the supplier requesting that a pending payment be sent to a new bank account; in this case, the account was based in Timor Leste. In this scam, the email was sent from an account that differed slightly from the supplier’s legitimate email address. That difference was not identified and the bank account details were changed. A payment of $42.3 million was made to the account, and the transfer was only determined to be fraudulent when the supplier queried why the payment had not been received. INTERPOL was able to assist with the recovery of $39 million, and seven arrests were made which also involved the recovery of a further $2 million.

There has since been an even bigger scam and the victim was not so fortunate. The chemical manufacturing company Orion reported falling victim to a BEC attack that resulted in a $60 million loss. The Luxembourg firm told the U.S. Securities and Exchange Commission (SEC) that a non-executive employee was tricked into transferring the funds to multiple third-party accounts. So far, that loss has not been recovered.

How to Reduce Risk And Defeat BEC Attacks

Defending against BEC attacks can be a challenge, as legitimate email accounts are often used and the scammers are expert impersonators. The use of AI tools makes these scams even more difficult to identify. Defending against BEC attacks requires a defense-in-depth approach to prevent malicious emails from being delivered and prepare the workforce by improving awareness of the threats.

Security awareness training is vital. All members of the workforce should receive training and be made aware of BEC scams (and other cybersecurity threats). Training should cover the basics of these scams, such as why they are conducted and the attackers’ aims, as well as the red flags to look for. Phishing simulations can be highly beneficial, as BEC scams can be simulated to put training to the test and give individuals practice at identifying these scams. TitanHQ’s SafeTitan platform includes BEC training material and a phishing simulator and makes it easy for businesses to improve their human defenses against BEC attacks.

Policies and procedures should be developed and implemented to reduce risk. For instance, it should be company policy for any requested change to banking credentials to be reviewed by a supervisor, and for any requested bank account changes by vendors to require verification by phone, using previously verified contact information.

It is vital to implement technical security measures to prevent email accounts from being compromised, malware from being installed, and to identify and block BEC emails. Traditional anti-spam software often fails to detect these sophisticated threats. A standard anti-spam appliance will perform a range of checks on the sender’s reputation and may be able to detect and block spoofed emails, but generally not emails sent from legitimate compromised accounts. Traditional anti-spam and antivirus solutions can detect known malware, but not novel malware threats.

What is needed is a next-generation hosted anti-spam service with machine learning and AI capabilities that can learn about the standard emails sent and received by a company or individual and determine when emails deviate from the norm and flag them as suspicious. AI-based protection is needed to defeat cybercriminals’ use of AI tools. The spam filtering service should also include email sandboxing in addition to standard anti-virus protection to identify and block novel malware threats, to prevent the malware infections that are used to gather information to support BEC attacks. SpamTitan from TitanHQ has all these features and more, with recent independent tests confirming the solution provides exceptional protection against phishing, spam, and sophisticated threats such as BEC attacks.

The most important thing to do is to take proactive steps to improve your defenses. Doing nothing could see your business featured in the next set of FBI statistics. Give the TitanHQ team a call today to discuss the best defenses for your business and find out more about how TitanHQ can help block BEC attacks and other cyber threats.

Discord Phishing Risk Increases with 50,000+ Malicious Links Detected in 6 Months

Phishing tactics are constantly changing and while email is still one of the most common ways of getting malicious content in front of end users, other forms of phishing are growing. Smishing (SMS phishing) has increased considerably in recent years, and vishing (voice phishing) is also common, especially for IT support scams.

Another method of malware delivery that has seen an enormous increase recently is the use of instant messaging and VoIP social platform Discord. Discord is a platform that has long been popular with gamers, due to being able to create a server with voice and text for no extra cost, both of which are necessary for teamspeak in gaming. While gamers still account for a majority of users, usage for non-gaming purposes is growing.

The platform is also proving popular with cybercriminals who are using it for phishing campaigns and malware distribution. According to Bitdefender, the antivirus company whose technology powers the SpamTitan email sandboxing feature, more than 50,000 malicious links have been detected on Discord in the past 6 months. Around a year ago, a campaign was detected that used Discord to send links to a malicious site resulting in the delivery of PureCrypter malware – a fully featured malware loader that is used for distributing information stealers and remote access trojans.

Discord responded to the misuse of the platform and implemented changes such as adding a 24-hour expiry for links to internally hosted files, which made it harder for malicious actors to use the platform for hosting malware. While this move has hampered cybercriminals, the platform is still being used for malware distribution. One of the latest malicious Discord campaigns is concerned with obtaining credentials and financial information rather than distributing malware.

The campaign involves sending links that offer users a free Discord Nitro subscription. Discord Nitro provides users with perks that are locked for other users, such as being able to use custom emojis anywhere, set custom video backgrounds, HD video streaming, bigger file uploads, and more. Discord Nitro costs $9.99 a month, so a free account is attractive.

If the user clicks the link in the message, they are directed to a fake Discord website where they are tricked into disclosing credentials and financial information. Other Discord Nitro lures have also been detected along the same theme, offering advice on how to qualify for a free Discord Nitro subscription by linking to other accounts such as Steam. According to Bitdefender, 28% of detected malicious uses are spam threats, 27% are untrusted, around 20% are phishing attempts and a similar percentage involve malware distribution.

Any platform that allows direct communication with users can be used for phishing and other malicious purposes. Security awareness training should cover all of these attack vectors and should get the message across to end users that they always need to be on their guard whether they are on email, SMS, instant messaging services, or the phone. By running training courses continuously throughout the year, businesses can develop a security culture by training their employees to be constantly on the lookout for phishing and malware threats and developing the skills that allow them to identify threats.

Developing, automating, and updating training courses to include information on the latest threats and the tactics, techniques, and procedures used by threat actors is easy with the SafeTitan security awareness training platform. SafeTitan makes training fun and engaging for end users and the platform has been shown to reduce susceptibility to phishing and malware threats by up to 80%.

If you are not currently running a comprehensive security awareness training program for your workforce or if you are looking to improve your training, give the TitanHQ team a call and ask about SafeTitan. SafeTitan is one product in a suite of cloud-based security solutions for businesses and managed service providers, which includes an enterprise spam filter, a malicious file sandbox for email, a DNS-based web filter, email encryption, email archiving, and phishing protection for M365.

How to Protect Against Advanced Email and SMS Phishing Threats

Email phishing is the most common form of phishing, with email providing threat actors with an easy way of getting their malicious messages in front of employees. Phishing emails typically include a URL along with a pressing reason for clicking the link. The URLs are often masked to make them appear legitimate, either with a button or link text relevant to the lure in the message. Email attachments are often added to emails that contain malicious scripts for downloading a variety of malicious payloads, or links to websites where malware is hosted.

While there are many email security solutions available to businesses, many lack the sophistication to block advanced phishing threats as they rely on threat intelligence, antivirus software, and reputation checks. While these are important and effective at blocking the bulk of phishing and malspam emails, they are not effective at blocking zero-day attacks, business email compromise, and advanced phishing threats.

More advanced features include email sandboxing for detecting and quarantining zero-day malware threats and malicious scripts, greylisting for increasing the spam catch rate, and AI and machine learning capabilities that can assess messages and identify threats based on how they differ from the messages that are typically received by the business. SpamTitan, a cloud-based anti-spam service from TitanHQ, has these features and more. Independent tests have shown that the solution blocks more than 99.99% of spam emails, 99.95% of malware, and more than 99.91% of phishing emails. SpamTitan can be provided as a hosted email filter or as a gateway spam filter for installation on-premises on existing hardware, serving as a virtual anti-spam appliance.

Microsoft 365 users often complain about the phishing catch rate of the protections provided by Microsoft, which are EOP only for most licenses and EOP and Defender for the most expensive licenses. While these protections are effective at blocking spam and known malware, they fall short of what is required for blocking advanced threats. To improve Microsoft 365 security and block the threats that Microsoft misses, TitanHQ has developed PhishTitan. PhishTitan augments Microsoft 365 defenses and is the easiest way of improving the Office 365 spam filter. These advanced defenses are now vital due to the increase in attacks. The Anti-Phishing Working Group (APWG) has reported that more phishing attacks were conducted in 2023 than ever before.

Massive Increase in Text Message Phishing Scams

Blocking email phishing attempts is straightforward with advanced email security solutions, which make it much harder for phishers to get their messages in front of employees. One of the ways that threat actors have adapted is by switching to SMS phishing attacks, which no email security solution can block. APWG has reported a major increase in SMS-based phishing attempts.

A recent study attempted to determine the extent to which SMS phishing is being used. Researchers used SMS gateways – websites that allow users to obtain disposable phone numbers – to obtain a large number of phone numbers for the study. They then waited to see how long it took for SMS phishing messages to be received. The study involved 2,011 phone numbers and over 396 days the researchers received an astonishing 67,991 SMS phishing messages, which averages almost 34 per number. The researchers analyzed the messages and identified 35,128 unique campaigns that they associated with 600 phishing operations. Several of the threat actors had even set up URL shortening services on their own domains to hide the destination URLs. With these shortening services, the only way to tell that the domain is malicious is to click the link.

Blocking SMS phishing threats is difficult for businesses and the primary defense is security awareness training. SMS phishing should be included in security awareness training to make employees aware of the threat, as it is highly likely that they will encounter many SMS phishing threats. The SafeTitan security awareness platform makes creating training courses simple and the platform includes training content on all types of threats, including SMS, voice, and email phishing. With SafeTitan it is easy to create and automate campaigns, as well as deliver training in real-time in response to employee errors to ensure training is provided when it is likely to have the greatest impact – immediately after a mistake is made.

Sophisticated Phishing Campaign Abuses Cloudflare Workers

Cloudflare Workers is being abused in phishing campaigns to obtain credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail. The campaigns identified in the past month have mostly targeted individuals in Asia, North America, and Southern Europe, with the majority of attacks conducted on organizations in the technology, finance, and banking sectors.

Cloudflare Workers is part of the Cloudflare Developer Platform and allows code to be deployed and run from Cloudflare’s global network. It is used to build web functions and applications without having to maintain infrastructure. The campaigns were identified by researchers at Netskope Threat Labs. One campaign uses a technique called HTML smuggling, which involves abusing HTML5 and JavaScript features to inject and extract data across network boundaries. This is a client-side attack where the malicious activities occur within the user’s browser. HTML smuggling is most commonly associated with malware and is used to bypass network controls by assembling malicious payloads on the client side. In this case, the malicious payload is a phishing page.

The phishing page is reconstructed in the user’s browser, and they are prompted to log in to the account for which the attacker seeks credentials, such as their Microsoft account. When the victim enters their credentials, they will be logged in to the legitimate website and the attacker will then collect the tokens and session cookies.

Another campaign uses adversary-in-the-middle (AitM) tactics to capture login credentials, cookies, and tokens, and allow the attackers to compromise accounts that are protected with multi-factor authentication. Cloudflare Workers is used as a reverse proxy server for the legitimate login page for the credentials being targeted. Traffic between the victim and the login page is intercepted to capture credentials as well as MFA codes and session cookies. The advantage of this type of attack is the user is shown the exact login page for the credentials being targeted. That means that the attacker does not need to create and maintain a copy of the login page.

When the user enters their credentials, they are sent to the legitimate login page by the attacker, and the response from the login page is relayed to the victim. The threat actor’s application captures the credentials and the tokens and cookies in the response. In these Cloudflare Workers phishing campaigns, users can identify the scam by looking for the *.workers.dev domain and should be trained to always access login pages by typing the URL directly into the web browser.
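The *.workers.dev check described above can also be run by defenders over web proxy logs. The following is an added example, not code from the article or from Netskope; the log format, the sample lines, and the generic "login"/"signin" hints are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Wording hints: the first five come from the brands named in the article;
# "login" and "signin" are generic terms assumed here for illustration.
HINTS = ("microsoft", "gmail", "yahoo", "cpanel", "webmail", "login", "signin")

# Constructed proxy log lines: timestamp user method url status
SAMPLE_LOG = """\
2024-01-01T14:05:01Z u1 GET https://status.constructed-team.workers.dev/health 200
2024-01-01T14:06:10Z u2 GET https://portal.constructed-acct.workers.dev/microsoft/signin 200
2024-01-01T14:06:42Z u2 POST https://portal.constructed-acct.workers.dev/microsoft/signin 302
2024-01-01T14:07:00Z u3 GET https://workers.dev.constructed.example/login 200
2024-01-01T14:08:00Z u4 GET https://notworkers.dev/login 200
2024-01-01T14:09:00Z u5 GET https://WEBMAIL.Constructed-Acct.Workers.Dev./cpanel 200
2024-01-01T14:10:00Z u6 GET https://login.microsoftonline.com/common/oauth2 200
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    host: str
    severity: str        # "high" or "review"
    reasons: List[str]


def hostname_of(url: str) -> Optional[str]:
    """Return the normalized host of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    # urlsplit lowercases the host; also drop a trailing root dot.
    return host.rstrip(".")


def on_workers_dev(host: str) -> bool:
    """True only for real subdomains of workers.dev (label-aware suffix match)."""
    return host.endswith(".workers.dev")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag requests to *.workers.dev hosts and grade them for triage."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        timestamp, user, method, url, _status = fields
        host = hostname_of(url)
        if host is None or not on_workers_dev(host):
            continue
        reasons = ["host is under workers.dev"]
        text = host + urlsplit(url).path.lower()
        hits = [h for h in HINTS if h in text]
        if hits:
            reasons.append("brand or login wording in URL: " + ", ".join(hits))
        if method.upper() == "POST":
            reasons.append("form data submitted (POST)")
        # workers.dev alone only merits review; extra signals raise severity.
        severity = "high" if len(reasons) > 1 else "review"
        findings.append(Finding(timestamp, user, host, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f.timestamp, f.user, f.severity, f.host, "; ".join(f.reasons))
```

A suffix match on ".workers.dev" rather than a substring search avoids false positives on hosts such as notworkers.dev or workers.dev.constructed.example, which are not served from Cloudflare Workers.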

Defending against sophisticated phishing attacks requires a combination of security measures including an email security solution with AI/machine learning capabilities and email sandboxing, regular security awareness training, and web filtering to block malicious websites and inspect HTTP and HTTPS traffic. For more information on improving your defenses, give the TitanHQ team a call.

Improve Your Security Posture in 2023 with Effective Workforce Security Awareness Training

Cyberattacks on businesses increased during the pandemic and have continued at high levels since. Fortunately, businesses have responded and are taking cybersecurity seriously and have increased investment in cybersecurity. Data from ESG research suggests 65% of organizations are planning to increase investment in cybersecurity in 2023. While there is room for improving technical defenses to block more attacks and identify and address vulnerabilities faster before they can be exploited, it is important not to neglect the human element, which according to Verizon’s 2022 Data Breach Investigations Report, is a factor in 82% of data breaches.

While simple errors can easily lead to data breaches, many are the result of a lack of understanding of security. There is also a common view among employees that cybersecurity is the sole responsibility of the IT department. It is true that one of the roles of the IT department is to ensure that technical measures are implemented to block cyber threats and that vulnerabilities are identified and addressed promptly, but even companies that invest heavily in IT security still suffer data breaches, and that is because even sophisticated defenses can be bypassed.

Technology and hardware will block the majority of threats, but employees are still likely to encounter phishing, social engineering scams, business email compromise, and malware, and need to be provided with proper education to improve awareness of those threats and be taught the skills to allow them to identify and avoid cyber threats. The workforce needs to be educated on all aspects of security, not just how to identify a phishing email. Take password security for example. Password policies can be implemented, and employees provided with password managers, but as the recent credential stuffing attack on NortonLifeLock users revealed, many users of that password manager set a master password for their password vault that had been used elsewhere on the internet, which allowed the hackers to access their accounts.

By providing security awareness training, businesses can improve the baseline knowledge of the workforce, make sure everyone is aware of the threats they are likely to encounter, and security best practices can be taught, along with the importance of always following those best practices. The ultimate aim of security awareness training is to develop a security culture, where everyone in the organization understands that they have a role to play in the cybersecurity of the organization and that cybersecurity is not just a matter for the IT department.

Unfortunately, it is not possible to get to that point overnight. Providing a one-time security awareness training session is not enough and even conducting annual training sessions is unlikely to result in behavioral change. For training to be effective and to change employee behavior, training needs to be provided continuously, with short training sessions conducted regularly throughout the year. Training also needs to be individualized. There is no point in providing a single training course to every employee, as training needs to be role-specific and cover the specific threats each employee is likely to encounter.

The training also needs to be engaging to get employees to take the information on board, and training needs to be regularly reinforced. One of the best ways to do this is through phishing simulations, which test whether employees have understood the training and if they are applying that training day in, day out. Employees should also be empowered to help with cybersecurity by providing a phishing reporting button as an email client add-on, so they can alert the IT department when a suspicious email is encountered. Organizations that provide their workforce with training using the SafeTitan platform and conduct regular phishing simulations through the platform report significant improvements in security. Phishing simulation data also shows improvements in employee susceptibility to phishing attacks, with organizations seeing reductions of up to 92% in click rates by employees.

With 2023 looking like it will be another year with high levels of cyberattacks, January is the ideal time to review your security awareness training programs, make improvements, and implement a training program if you are not yet providing training to your employees. TitanHQ is here to help. Give the team a call today to find out more about how SafeTitan can benefit your business.

How to Run Effective Phishing Simulations in the Workplace

If you want to create a culture of security in your organization, you need to provide comprehensive security awareness training to teach employees the skills they will need to be able to identify and avoid cyber threats. It is also important to conduct phishing simulations on all members of the workforce.

Phishing simulations are realistic but fake phishing emails that are sent to employees to determine the level of security awareness of the organization, assess whether employee security awareness training has been effective, identify any gaps in knowledge that need to be addressed, and to identify any individuals who require further training.

If phishing simulations are not used, organizations will be unaware whether their training has worked and has reduced the susceptibility of the workforce to phishing attacks, and gaps in knowledge could exist that could easily be exploited in real world phishing attacks.

Sending phishing emails to employees to see if they click links or open potentially malicious attachments is important, but to get the full benefits of phishing simulation exercises you need to create a structured phishing simulation program. To help you get started we have provided some tips on how to run effective phishing simulations in the workplace, and highlight some areas where businesses go wrong.

How to Run Effective Phishing Simulations at Work

One of the most common assumptions made about phishing simulations is that in order to determine whether employees will respond to genuine phishing emails, employees should not be aware that you will be conducting phishing simulations. That is a mistake. When employers conduct phishing simulations on an unsuspecting workforce, it has the potential to backfire.

Employees often feel like they are being targeted and it can create friction between employees and the IT department, and that is best avoided. You should warn employees when you provide training that part of the training process will involve phishing simulations and that the simulations are not being conducted to catch employees out but to assess how effective training has been. Do not provide specific notice when you are conducting campaigns, just make the workforce aware that you do periodically run phishing simulations.

When you conduct phishing simulations, the emails you send need to be realistic. You should use templates that are based on real-world phishing attacks; after all, the aim of the simulations is to determine if employees will fall for real phishing emails. You should use a variety of lures and send different types of phishing emails, including emails with links, attachments, and Word documents with macros. You should also vary the difficulty of the simulations and include targeted spear-phishing attacks.

Before sending simulated phishing emails to the workforce, test out the emails in small numbers, as this will allow you to correct any problems. Do not send the same email to everyone at the same time, as this often results in employees tipping each other off and will not give you accurate data. Vary the emails you send in any one campaign, and this can be avoided. Each email should include at least two red flags that will allow it to be identified as a phishing attempt. Be careful about the lures you choose. If you send an email offering a pay rise – there are genuine phishing campaigns that do this – be prepared for a backlash, as such a campaign is likely to cause upset. These types of phishing simulations are best avoided.

The first phishing campaigns you send should serve as a baseline against which you can measure how awareness improves over time, so use a moderately difficult phishing attempt, not an incredibly difficult spear phishing email. Anyone can be fooled by a phishing email so ensure that everyone is part of the program, including board members. They too need to be taught how to recognize phishing emails and be tested to see how security aware they are. The C-suite is the top target for phishers.

It is important not to name and shame employees that fail phishing simulations. A failed phishing simulation should be seen as an opportunity for further training, not a reason for punishing an employee. If you opt for positive rather than negative reinforcement, you are likely to get much better results.

Security Awareness Training and Phishing Simulations from TitanHQ

SafeTitan from TitanHQ is a comprehensive security awareness training platform with an extensive library of training courses, videos & quizzes. The content is highly interactive and fun, with short and efficient testing and a phishing simulation platform with hundreds of real-world phishing templates to use. SafeTitan is also the only behavior-driven security awareness solution that delivers security training in real-time. Phishing simulations have shown that SafeTitan reduces staff susceptibility to phishing by up to 92%.

For more information and to arrange a product demonstration, give the TitanHQ team a call.

How Phishing Emails Led to The Theft of $23.5 Million from the U.S. Department of Defense

Phishing is commonly used to gain access to credentials to hijack email accounts for use in business email compromise (BEC) attacks. Once credentials have been obtained, the email account can be used to send phishing emails internally, with a view to obtaining the credentials of the main target. Alternatively, by spear phishing the target account, those steps can be eliminated.

If the credentials are obtained for the CEO or CFO, emails can be crafted and sent to individuals responsible for wire transfers, requesting payments be made to an attacker-controlled account. A common alternative is to target vendors, in an attack referred to as vendor email compromise (VEC). Once access is gained to a vendor’s account, the information contained in the email accounts provides detailed information on customers that can be targeted.

When a payment is due to be made, the vendor’s email account is used to request a change to the account for the upcoming payment. When the payment is made to the attacker-controlled account, it usually takes a few days before the non-payment is identified by the vendor, by which time it may be too late to recover the fraudulently transferred funds. While BEC and VEC attacks are nowhere near as common as phishing attacks, they are the leading cause of losses to cybercrime due to the large amounts of money obtained through fraudulent wire transfers. One attack in 2018 resulted in the theft of $23.5 million from the U.S. Department of Defense.

In this case, two individuals involved in the scam were identified, including a Californian man who has just pleaded guilty to six counts related to the attack. He now faces up to 107 years in jail for the scam, although these scams are commonly conducted by threat actors in overseas countries, and the perpetrators often escape justice. The scam was conducted like many others. The BEC gang targeted DoD vendors between June 2018 and September 2018 and used phishing emails to obtain credentials for email accounts. An employee at a DoD vendor that had a contract to supply Aviation JA1 Turbine fuel to troops in southeast Asia for the DoD received an email that spoofed the U.S. government and included a hyperlink to a malicious website that had been created to support the scam.

The website used for the scam had the domain dia-mil.com, which mimicked the official dla.mil website, and email accounts were set up on that domain to closely resemble official email accounts. The phishing emails directed the employee to a cloned version of the government website, login.gov, which harvested the employee’s credentials. The credentials allowed the scammer to change bank account information in the SAM (System for Award Management) database to the account credentials of the shell company set up for the scam. When the payment of $23,453,350 for the jet fuel was made, it went to the scammers rather than the vendor.
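Both this case (dia-mil.com imitating dla.mil) and the Singapore BEC case earlier, where the sender address differed slightly from the supplier's, come down to a near-miss domain that nobody compared against the known-good one. The following added example, not taken from the article or any product, flags such senders; the edit-distance thresholds, the hyphen-to-dot normalization, and the supplier-example.com addresses are assumptions made for illustration.

```python
from typing import Iterable, Optional, Set, Tuple

# Known-good domains. dla.mil is from the article; the supplier domain is constructed.
TRUSTED = {"dla.mil", "supplier-example.com"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "suppiler" vs "supplier".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lowercased domain part of an email address, without a trailing dot."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def comparison_forms(domain: str) -> Set[str]:
    """Forms of a domain to compare against trusted names.

    Besides the domain itself, drop the last label and turn hyphens into dots,
    so that "dia-mil.com" is also compared as "dia.mil".
    """
    forms = {domain}
    stem, _, _tld = domain.rpartition(".")
    if stem:
        forms.add(stem.replace("-", "."))
    return forms


def classify(address: str, trusted: Iterable[str] = TRUSTED
             ) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (verdict, matched trusted domain, distance) for a sender address."""
    domain = sender_domain(address)
    names = sorted(trusted)
    for t in names:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t, 0)
    best = None
    for t in names:
        limit = 1 if len(t) <= 8 else 2   # tighter limit for short names
        for form in comparison_forms(domain):
            d = osa_distance(form, t)
            if d <= limit and (best is None or d < best[1]):
                best = (t, d)
    if best:
        return ("lookalike", best[0], best[1])
    return ("unknown", None, None)


if __name__ == "__main__":
    # Constructed sender addresses; only the domains dla.mil and dia-mil.com
    # appear in the article.
    for addr in ("contracts@dla.mil", "payments@dia-mil.com",
                 "billing@suppiler-example.com", "ap@mail.supplier-example.com",
                 "news@unrelated-example.org"):
        print(addr, classify(addr))
```

An "unknown" verdict only means the domain is not close to a trusted one; a request to change bank details from any non-trusted sender still needs the phone verification the article recommends.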

Security systems were in place to identify fraudulent changes to bank account information, but despite those measures, the payment was made. The SAM database is scanned every 24 hours and any bank account changes are flagged and checked. The scammers learned of this and made calls to the Defense Logistics Agency and provided a reason why the change was made and succeeded in getting the change manually approved, although flags were still raised as the payment was made to a company that was not an official government contractor. That allowed the transfer to be reverted. Many similar scams are not detected in time and the recovery of funds is not possible. By the time the scam is identified, the scammers’ account has been emptied or closed.

The key to preventing BEC and VEC attacks is to deal with the issue at its source to prevent phishing emails from reaching inboxes and teach employees how to identify and avoid phishing scams. TitanHQ can help in both areas through SpamTitan Email Security and the SafeTitan security awareness training and phishing simulation platform. Businesses should also implement multifactor authentication to stop stolen credentials from being used to access accounts.

Have You Created a Human Firewall?

It is important for security to implement an advanced spam filtering solution to block email threats such as phishing and malware, but security awareness training for the workforce is still necessary. The reason why phishing attacks are successful is that they target a weak point: employees. Humans make mistakes and are one of the biggest vulnerabilities as far as security is concerned. All it takes is for one phishing email to sneak through your defenses and land in an inbox and for the recipient to click a link in the email or open a malicious attachment for a threat actor to get the foothold they need in your network.

The easiest way to target employees is with phishing emails. The majority of phishing emails will be blocked by your spam filter, but some emails will be delivered. It doesn’t matter how advanced and effective your spam filter is, it will not block every single phishing email without also blocking an unacceptable number of genuine emails.

Phishing emails are used to achieve one of three aims: to trick individuals into disclosing credentials, to trick them into emailing sensitive data, or to trick them into installing malware. There are many tactics, techniques, and procedures (TTPs) employed in phishing attacks to make the emails realistic, convincing, and to get employees to act quickly. The emails may closely match standard business emails related to deliveries, job applications, invoices, or requests for collaboration. Spoofing is used to make the messages appear to have come from a trusted sender. Emails can spoof brands and often include the correct corporate logos, formats, and color schemes. While phishing emails include red flags that indicate all is not what it seems, busy employees may not notice those flags. Further, sophisticated, targeted phishing attacks contain very few red flags and are very difficult to identify. Even system administrators can be fooled by these attacks.

Businesses cannot expect every employee to be an expert at identifying phishing emails and other email threats, nor should they assume that employees have a good understanding of security practices that need to be employed. The only way to ensure employees know about security practices and how to recognize a phishing email is to provide security awareness training.

Security Awareness Training Improves Resilience to Phishing Attacks

The purpose of security awareness training is to make the workforce aware of the threats they are likely to encounter and to provide them with the tools they need to recognize and avoid those threats. Security awareness training is not a checkbox item that needs to be completed for compliance. It is one of the most important steps to take to improve your organization’s security posture, and it needs to be an ongoing process. You could provide a classroom-based training session or computer-based training session once a year, but the TTPs of cyber threat actors are constantly changing, so that is not going to be sufficient. More frequent training, coupled with security reminders, newsletters, and updates on the latest threats to be wary of, will ensure that security is always fresh in the mind, and it will help you to develop a security culture in your organization.

One of the most effective strategies is to augment training with phishing simulations. Phishing simulations involve sending fake but realistic phishing emails to employees to see how they respond. If you do not conduct these tests, you will not know if your training has been effective. The simulations will identify employees who require further training and will give employees practice at recognizing malicious emails. Reports from these simulations allow security teams to assess how resilient they are to phishing attacks and other email threats and will allow them to take action and focus their efforts to make immediate improvements.

SafeTitan Security Awareness Training & Phishing Simulations

TitanHQ can now help businesses create a human firewall through SafeTitan Security Awareness Training. SafeTitan is the only behavior-driven security awareness platform that delivers training in real time and will greatly improve resilience to social engineering and advanced phishing attacks.

If you want to improve your resilience to cyberattacks, prevent more data breaches, and avoid the costs and reputation damage caused by those incidents, you need to be training your workforce and running phishing simulations. Get in touch with TitanHQ today for more information and get started creating your human firewall.