Security Awareness

Hackers Using Free File Conversion Tools for Malware Delivery

by G Hunt | March 26, 2025 | Phishing & Email Spam, Security Awareness

Malware is often packaged with software solutions, where the user is given the software they are looking for, but the installer also silently delivers malware to their device. Since the desired product is installed, the user will be unaware that their device has been infected. Malware is often hidden in installers for pirated software or the associated keygen for obtaining the product key. All a threat actor has to do is convince a user to download and execute the installer.

One such campaign involves the use of online document converters, which are used to convert one file type to another. For example, these tools can be used to convert .docx files to .pdf files, create .pdf files from multiple .jpeg images, or convert one audio or video format to another. The Federal Bureau of Investigation (FBI) has been receiving an increasing number of complaints about malware infections from free document converters and download tools. The tool is delivered, but malware is also installed that provides the threat actor with remote access to the infected device, allowing them to steal sensitive data, encrypt files with ransomware, or use the infected device for other nefarious purposes. There are other risks associated with this scam. Cybercriminals in control of these tools are able to scrape sensitive information from the converted files, including passwords, cryptocurrency seeds, email addresses, banking information, and Social Security numbers. Any file uploaded to any online service risks a disclosure of sensitive information.

Traffic can be driven to these doctored or fake installers via links in emails, or malvertising and search engine poisoning. With malvertising and search engine poisoning, cybercriminals target key search terms, such as “free online file converter.” The URLs are made to appear legitimate, such as mimicking a genuine tool and transposing a couple of letters, using hyphenated domain names, or subdomains on an existing site. The site content often appears professional and can be difficult for web users to identify as malicious.

In addition to bundling malware with legitimate software, there are online versions of these tools. The user is instructed to upload the file they wish to convert, and the converted file is downloaded. There have been instances where the converted file is added to a zip file for download, but rather than the converted file, an executable file is delivered, such as a .js file. Attempting to open the file triggers the installation of malware such as a remote access trojan, keylogger, banking trojan, or malware downloader. The popular malware download Gootloader has been observed being delivered this way. A Gootloader infection often leads to the delivery of a variety of malware payloads such as banking trojans, information stealers, and post-exploitation tools such as Cobalt Strike beacons.

Due to the increasing use of these tactics, it is important to incorporate them into your security awareness training programs to make users aware of the risks of using free file conversion tools. Before any such tool is used, it is important to conduct research to make sure the tool provider is genuine, and to scan any downloaded installer or converted file with antivirus software. Busy employees who need to quickly convert a file into a different format can easily fall victim to these scams.

In addition to raising awareness of the threat, businesses should consider restricting the types of files that can be downloaded from the Internet. This is easy with WebTitan, a powerful DNS-based web filter that prevents access to malicious websites and blocks unauthorized file downloads from the Internet. WebTitan can be configured to prevent certain employees (non-IT staff, for instance) from downloading executable file types, thereby neutralizing the threat. In addition to serving as an extra layer of protection against malware, WebTitan can also help to curb shadow IT – software installations unknown to the IT department. While these software installations may not contain any malware, they can easily introduce risks and vulnerabilities that can be exploited by hackers.

Give the TitanHQ team a call today to find out more about WebTitan and how it can improve security at your business, and for more information on the SafeTitan security awareness training and phishing simulation platform. TitanHQ also offers antispam software and a Microsoft 365 anti-phishing solution for blocking phishing threats. In recent independent tests, the engine that powers these two solutions achieved top spot for malware, phishing, and spam blocking out of all tested solutions with a perfect 100% block rate in each category and a 0.0% false positive rate.

That Recruitment Email Could be A Phishing Attempt

by G Hunt | January 15, 2025 | Phishing & Email Spam, Security Awareness

A scam has recently been identified that impersonates the CrowdStrike recruitment process and tricks recipients into downloading the XMRig cryptocurrency miner. Initial contact is made via email, with the email using CrowdStrike branding offering an Interview with the company.

The emails claim that the next phase of the hiring process is a 15-minute call with the hiring team; however, this year, the company is rolling out a new applicant and employee CRM app. The recipient is instructed to click the employee CRM application button, which triggers the download of a fake application for scheduling the interview. Recipients are given the option of downloading a Windows or MacOS version of the application; however, the downloaded file is an XMRig installer. When executed, checks are performed of the environment to determine if a debugger is attached to the process, the device is checked to ensure it has two cores and is suitable for cryptocurrency mining, and checks are performed to identify virtualization and running processes to prevent execution in a sandbox environment. If the checks are passed, a copy of XMRig is downloaded from GitHub and executed. If the checks are passed, the user is presented with an error message, advising them that the installation has failed, potentially due to a hardware compatibility issue. The user is told to try again by downloading the application on another device, potentially infecting a second device with XMRig.

Jobseekers are often targeted in phishing scams. In the hunt for a job, they can be susceptible to phishing attempts, forgetting their security awareness training in the hope of landing an exciting new position. Fraudsters often claim to be recruitment agents who have identified individuals for a lucrative job and may even claim that the job is theirs based on information found on professional networking sites or from headhunting activities. According to the Better Business Bureau, recruitment scams result in losses of around $2 billion each year, and these scams are becoming more common.

The scammers often seek personal information and usually require the payment of a nominal charge for job placement or training, or in this case, the goal is malware delivery. Initial contact may be made via email to a personal email address; however, this could easily result in malware being installed on a corporate-owned device. As with all phishing attempts, vigilance is key. Regardless of the subject of an email or the offer or threat contained therein, all emails should be subject to checks to assess the authenticity of the email.

For businesses, TitanHQ offers a comprehensive security awareness training platform for training workforce members on cybersecurity best practices and common threats. The platform includes hundreds of computer-based training modules covering all aspects of security. The training modules are no longer than 10 minutes, are enjoyable and engaging, and can be easily combined into training courses tailored for job roles or individuals. New content is frequently added in response to changing tactics, techniques, and procedures of threat actors to keep employees up to date on the threats they are likely to encounter.

The platform also includes a phishing simulator for assessing the effectiveness of training and identifying individuals who are susceptible to phishing attempts to ensure they receive the additional training they need. Through regular security awareness training and phishing simulations using the SafeTitan platform, businesses have been able to make measurable improvements to their human defenses, reducing susceptibility to phishing attempts by up to 80%. If you have yet to implement a security awareness training program or your employees are still falling for phishing attempts, give the TitanHQ team a call about the SafeTitan platform.

New Tactics Used by Threat Actors for Phishing, Malware Delivery, and Extortion

by G Hunt | October 30, 2024 | Phishing & Email Spam, Security Awareness

Several new campaigns have been detected in recent weeks that use diverse tactics to trick people into disclosing sensitive information and installing malware.

Cybercriminals Target Crypto Wallets via Webflow Sites

Webflow is a software-as-a-service company that businesses can use to accelerate website development. The platform makes it easier to create websites and web pages, simplifying and eliminating many of the complex tasks to speed up website creation. Cybercriminals have taken advantage of the platform and are using it to rapidly spin up phishing pages and create pages to redirect users to malicious sites. One of the main advantages of Webflow compared to alternative platforms is the ease of creating custom subdomains, which can help phishers make their phishing pages more realistic. Subdomains can be created to mimic the login pages that they are impersonating, increasing the probability that individuals will be fooled into disclosing their credentials.

The number of detected phishing pages on Webflow has increased sharply, especially for crypto scams. One of the campaigns impersonated the Trezo hardware wallet. Since the subdomain can be customized to make the phishing page appear official, and screenshots of the actual Trexor site are used, these phishing pages can be very convincing. In these campaigns, the aim is to steal the seed phrases of the victim to allow the threat actor to access cryptocurrency wallets and transfer the funds. In one campaign, when the seed phrase is disclosed, the user is told their account has been suspended for unauthorized activity and they are told to launch a chat service for support. The chat service is manned by the threat actor who keeps the victim engaged while their wallet is emptied.

Hackers Use Deepfakes to Target Finance Professionals

The cost of artificial intelligence (AI) solutions is falling and cybercriminals are taking advantage. AI is increasingly being used to manipulate images, audio, and video recordings to make their scams more convincing. These deepfakes are realistic and more effective at tricking individuals into making fraudulent wire transfers than business email compromise scams, as they include deepfake videos of the person being spoofed. Cybercriminals use AI tools to create deepfakes from legitimate video presentations and webinars, impersonating an executive such as the CEO or CFO in an attack on finance team members. The aim is to trick the employees into making a wire transfer. Earlier this year, the engineering group Arup was targeted using a deepfake of the company CFO, and $25 million was transferred to the scammers in transfers to five different bank accounts.

Vendors are often spoofed in deepfake scams to trick their clients into wiring payments to attacker-controlled bank accounts. A recent survey by Medius revealed that 53% of finance professionals in the UK and US had experienced at least one attempted deepfake scam. These scams may occur over the phone, with the deepfake occurring in real-time, and there have been many cases of deepfake impersonations over video conferencing platforms such as Microsoft Teams and Zoom.

North Korean Hackers Target Developers with Fake Job Interviews

The North Korean hacking team, Lazarus Group, is known to use diverse tactics in its attacks. The group has now been observed infiltrating business networks by obtaining positions as IT workers. According to Mandiant, dozens of Fortune 100 companies have been tricked into hiring workers from North Korea, who steal corporate data after being hired. One UK firm discovered they had been duped 4 months after employing an It worker who was actually based in North Korea. The IT worker used the network access provided to siphon off sensitive data, and when the worker was sacked for poor performance, demanded a ransom to return the stolen data. Researchers believe the data was provided to North Korea.

The Lazarus Group has also been targeting developers through fake interviews. The group hosts fake coding assessments on legitimate repositories such as GitHub and hides malicious code in those repositories, especially in Python files. The developers are tricked into downloading the code and are tasked with finding and fixing a bug but will inadvertently execute the malicious code regardless of whether they complete the assessment. The hackers often pose as legitimate companies in the financial services.

Legitimate File-Hosting Services Used for Phishing Attacks and Malware Distribution

One of the ways that cybercriminals attempt to bypass filtering mechanisms is to use legitimate hosting services for phishing and malware delivery. Dropbox, OneDrive, Google Drive, and SharePoint are all commonly used by cybercriminals. These services are used by businesses for storing and sharing files and for collaboration, so these services are often trusted. They are also often trusted by security solutions. Tactics commonly used include sharing links to files hosted on these services via phishing emails, often restricting access to the files to prevent detection by security solutions. For instance, the user is required to be logged in to access the file. Files may be hosted in view-only mode to avoid detection by security solutions, with social engineering techniques used to fool the user into downloading the files.

Cybercriminals are constantly evolving their tactics to phish for credentials, distribute malware, and gain unauthorized access to sensitive data. Businesses need to adopt a defense-in-depth approach to security, adding several layers to their defenses to combat new threats. These measures include an advanced spam filtering service with machine learning capabilities and email sandboxing, a web filter for blocking access to malicious websites and preventing malware downloads from the Internet, anti-phishing solutions for Microsoft 365 environments to block the threats that Microsoft often fails to detect, and comprehensive security awareness training for the workforce.

Cybercriminals will continue to evolve their tactics, so security solutions should also be able to evolve and be capable of detecting zero-day threats. With TitanHQ as your security partner, you will be well protected against these rapidly changing tactics.  Give the TitanHQ team a call today to find out more about improving your technical and human defenses against these threats.

Is Your Business Protected Against Internal Phishing Attempts?

by G Hunt | August 29, 2024 | Phishing & Email Spam, Security Awareness

If a phishing attempt is successful and a threat actor gains access to an employee’s email account, it is common for the compromised email account to be used for internal phishing. Some malware variants also allow threat actors to hijack email accounts and send malware internally, adding a copy of the malware to a message thread to make it appear that a file was attached in response to a past email conversation.

There are several different scenarios where these types of attacks will occur such as business email compromise attacks to gain access to an email account that can be used for the scam – a CEO, executive, HR, or IT department account for example; to distribute malware extensively to compromise as many accounts as possible; to gain access to multiple email accounts, or to compromise multiple accounts to gain access to sensitive data.

In industries where data breach reporting is mandatory, such as in healthcare in the United States, email account breaches are regularly reported where unauthorized activity is detected in a single email account, and the subsequent investigation reveals multiple employee email accounts have been compromised through internal phishing.

Internal phishing attempts are much harder to identify than phishing attempts from external email accounts. Even when email security solutions incorporate outbound scanning, these phishing attempts are often not recognized as malicious as the emails are sent from a trusted account. The recipients of these emails are also much more likely to trust an internal email than an external email from an unknown sender and open the email, click a link, or open a shared file.

Attackers may also spoof an internal email account. It is easy to find out the format used by a company for their emails, and names can be found on professional networking sites. A good email security solution should be able to identify these spoofed emails, but if they arrive in an inbox, an employee may be fooled into thinking that the email is a genuine internal email.

It is important for businesses to take steps to combat internal phishing as it is a common weak point in email defenses. Unfortunately, there is no single technical control that can protect against these phishing attempts. What is required is a combination of measures to provide layered protection. With layered security, if one measure fails to protect against a threat, others are in places that can thwart the attempt.

The best place to start is with a technical measure to identify and block these phishing threats. Spam filter software naturally needs to have inbound as well as outbound scanning; however, standard checks such as reputation scans are not enough. An email security solution should have AI and machine learning capabilities for assessing how emails deviate from standard emails sent internally and for in-depth analysis of message content. Link scanning is also important, with URL rewriting to identify the true destination of embedded URLs, OLE detection, and email sandboxing to identify malicious attachments – not just malware but also malicious links in email attachments.

Security awareness training is vital as employees may not be aware of threats they are likely to encounter. Security awareness training should include internal phishing and employees should be made aware that they should not automatically trust internal emails as they may not be what they seem. Security awareness training should be accompanied by phishing simulations, including simulated phishing attempts from internal email accounts.  These will give employees practice in identifying phishing and security teams will learn how susceptible the workforce is and can then take steps to address the problem.

Multi-factor authentication is required. If a phishing attempt is not identified by either a security solution or the employee, and the employee responds and divulges their credentials, they can be used by the threat actor to access the employee’s email account. Multi-factor authentication protects against this by requiring another factor – in addition to a password – to be provided. The most robust form of MFA is phishing-resistant MFA, although any form of MFA is better than none.

TitanHQ can help protect against phishing attacks of all types through the SpamTitan cloud-based spam filtering service, the PhishTitan anti-phishing solution for M365, and the SafeTitan Security awareness training and phishing simulation platform.

The engine that powers SpamTitan and PhishTitan has an exceptional phishing catch rate, including internal phishing attempts. The engine incorporates AI- and machine learning algorithms that can detect novel phishing attempts and emails that deviate from the normal emails sent internally, as well as OLE detection, URL rewriting, and email sandboxing for catching novel malware and phishing threats.

The SafeTitan Security awareness training platform includes an extensive library of training content to teach security best practices, eradicate risky behaviors, and train employees on how to recognize an extensive range of threats. The phishing simulator makes it easy to conduct internal phishing tests on employees to test knowledge and give employees practice at identifying email threats. Usage data shows the platform can reduce employee susceptibility to phishing attempts by up to 80%.

For more information about improving your phishing defenses, speak with TitanHQ today.

AI Tools Increasingly Used for BEC/VEC Attacks

by G Hunt | August 27, 2024 | Phishing & Email Spam, Security Awareness

Business email compromise (BEC) and vendor email compromise (VEC) attacks can result in huge financial losses that can prove catastrophic for businesses, and these attacks are being conducted with increasing regularity.

BEC and VEC attacks have their roots in phishing and often involve phishing as the first stage of the attack. These attacks involve impersonation of a trusted person through spoofed or compromised email accounts. The attacker then tricks the targeted individual into disclosing sensitive information or making a fraudulent wire transfer. In the case of the latter, the losses can be considerable. A company employee at Orion, a Luxembourg carbon black supplier, resulted in fraudulent transfers of $60 million. The employee was tricked into believing he was conversing with a trusted vendor and made multiple fraudulent transfers to the attacker’s account.

BEC and VEC attacks are among the most difficult email threats to detect, as they often use legitimate, trusted email accounts so the recipient of the email is unaware that they are conversing with a scammer. Since the attacker often has access to emails, they will be aware of confidential information that no other individual other than the genuine account holder should know. The attacker can also check past emails between the account holder and the victim and can mimic the writing style of the account holder. These attacks can be almost impossible for humans to distinguish from genuine communications. Scammers often reply to existing email threads, which makes these scams even more believable.

BEC/VEC scammers are increasingly turning to AI tools to improve their attacks and AI tools make these scams even harder for humans and email security solutions to identify.  AI tools can be fed past emails between two individuals and told to create a new email by mimicking the writing style, resulting in perfect emails that could fool even the most security-aware individual.

Some of the most convincing VEC attacks involve the use of compromised email accounts. The attacker gains access to the account through phishing or stolen credentials and searches through the account for information of interest that can be used in the scam. By searching through sent and stored emails, they can identify the vendor’s clients and identify targets. They are then sent payment requests for fake invoices, or requests are made to change the bank account information for genuine upcoming payments.

Due to the difficulty of identifying these threats, a variety of measures should be implemented to improve defenses, including administrative and technical controls, as well as employee training. In order to beat AI tools, network defenders need to adopt AI themselves, and should implement a spam filter with AI and machine learning capabilities, such as the SpamTitan cloud-based spam filtering service.

SpamTitan analyzes the genuine emails received by the company to create a baseline against which other emails can be measured. Through machine learning, Bayesian analysis, and other content checks, SpamTitan is able to identify the signs of BEC/VEC and alert end users when emails deviate from the norm. An anti-phishing solution is also strongly recommended to protect accounts against initial compromise and to raise awareness of potential threats. PhishTitan from TitanHQ incorporates cutting-edge threat detection with email banners warning about external emails and other threats and allows IT teams to rapidly remediate any attacks in progress.

Security awareness training is essential for raising awareness of the threat of BEC and VEC attacks. Since these scams target executives, IT, and HR staff, training for those users is vital. They should be made aware of the threat, taught how to identify these scams, and the actions to take when a potentially malicious message is received. With the SafeTitan security awareness training program it is easy to create training courses and tailor the content to cover threats each user group is likely to encounter to ensure the training is laser-focused on the most pertinent threats.

While spam email filtering and security awareness training are the most important measures to implement, it is also important to strengthen defenses against phishing through the adoption of multi-factor authentication on all email accounts, to prevent initial compromise. Administrative controls should also be considered, such as requiring employees to verify any high-risk actions, such as changes to bank accounts or payment methods, and maintaining a contact list of verified contact information to allow phone verification of any high-risk change. This two-step verification method can protect against all BEC/VEC attacks and prevent fraudulent payments.

$60 Million Lost in Single Business Email Compromise Scam

by G Hunt | August 15, 2024 | Phishing & Email Spam, Security Awareness

Business Email Compromise (BEC) has long been one of the costliest types of cybercrime. According to the latest data from the Federal Bureau of Investigation (FBI) Internet Crime Compliant Center (IC3), almost 21,500 complaints were received about BEC attacks in 2023 resulting in adjusted losses of more than $2.9 billion. Between October 2013 and December 202, more than $50 billion was lost to BEC scams domestically and internationally.

What is Business Email Compromise?

BEC, also known as email account compromise (EAC), is a sophisticated scam that involves sending emails to individuals that appear to have come from a trusted source and making a legitimate-sounding request, which is typically a change to bank account details for an upcoming payment or payment of a fake invoice.

One such scam targets homebuyers, with the attacker impersonating the title company and sending details for a wire transfer for a down payment for a house purchase. Businesses are commonly targeted and asked to wire money for an upcoming payment to a different bank account. While the scammer is usually based overseas, the bank account may be at a bank in the victim’s home country. When the funds are transferred by the victim they are immediately transferred overseas or withdrawn, making it difficult for the funds to be recovered.

BEC attacks often start with phishing emails. The scammers use phishing to gain access to an employee’s email account, then the account is used to send phishing emails internally. The goal is to compromise the account of an executive such as the CEO or CFO. That account can then be used for the BEC part of the scam. Alternatively, vendors are targeted, such as construction companies, and their accounts are used for BEC attacks on their customers.

Once a suitable email account has been compromised, the scammers search through previous emails in the account to find potential targets – the company’s customers in the case of a vendor account or individuals responsible for making wire transfers in the case of a CEO’s account. The attackers study previous communications between individuals to learn the writing style of the account holder, and then craft their messages impersonating the genuine account owner. AI tools may also be used for this part of the scam or even researching targets. Alternatively, email accounts and websites may be spoofed, using slight variations of legitimate email addresses and domains. The information needed to conduct the scam may be gleaned from public sources or stolen via malware infections.

From here, a single request may be sent or a conversation may ensue over several emails to build trust before the request is made. Considerable time and effort is put into these scams because the effort is worth it for the scammers. The losses to these scams can be huge. Fraudulent wire transfers are often for tens of thousands of dollars or more, and with two recent scams, the losses have been immense.

Tens of Millions Fraudulently Obtained in BEC Scams

INTERPOL recently reported that it had successfully recovered more than $40 million stolen in a single BEC attack. The scammers targeted a commodities firm in Singapore, impersonating one of the company’s suppliers. In July, an email was received that had apparently been sent by the supplier requesting a pending payment be sent to a new bank account, in this case, the account was based in Timor Leste. In this scam, the email was sent from an account that differed slightly from the supplier’s legitimate email address. That difference was not identified and the bank account details were changed. A payment of $42.3 million was made to the account, and the transfer was only determined to be fraudulent when the supplier queried why the payment had not been received. INTERPOL was able to assist with the recovery of $39 million, and seven arrests were made which also involved the recovery of a further $2 million.

There has since been an even bigger scam and the victim was not so fortunate. The chemical manufacturing company Orion reported falling victim to a BEC attack that resulted in a $60 million loss. The Luxembourg firm told the U.S. Securities and Exchange Commission (SEC) that a non-executive employee was tricked into transferring the funds to multiple third-party accounts. So far, that loss has not been recovered.

How to Reduce Risk And Defeat BEC Attacks

Defending against BEC attacks can be a challenge, as legitimate email accounts are often used and the scammers are expert impersonators. The use of AI tools makes these scams even more difficult to identify. Defending against BEC attacks requires a defense-in-depth approach to prevent malicious emails from being delivered and prepare the workforce by improving awareness of the threats.

Security awareness training is vital. All members of the workforce should receive training and be made aware of BEC scams (and other cybersecurity threats). Training should cover the basics of these scams, such as why they are conducted and the attackers’ aims, as well as the red flags to look for. Phishing simulations can be highly beneficial, as BEC scams can be simulated to put training to the test and give individual practice at identifying these scams. TitanHQ’s SafeTitan platform includes BEC training material and a phishing simulator and makes it easy for businesses to improve their human defenses against BEC attacks.

Policies and procedures should be developed and implemented to reduce risk. For instance, it should be company policy for any requested change to banking credentials to be reviewed by a supervisor, and for any requested bank account changes by vendors to require verification by phone, using previously verified contact information.

It is vital to implement technical security measures to prevent email accounts from being compromised, malware from being installed, and to identify and block BEC emails. Traditional anti-spam software often fails to detect these sophisticated threats. A standard anti-spam appliance will perform a range of checks on the sender’s reputation and may be able to detect and block spoofed emails, but generally not emails sent from legitimate compromised accounts. Traditional anti-spam and antivirus solutions can detect known malware, but not novel malware threats.

What is needed is a next-generation hosted anti-spam service with machine learning and AI capabilities that can learn about the standard emails sent and received by a company or individual and determine when emails deviate from the norm and flag them as suspicious. AI-based protection is needed to defeat cybercriminals ‘ use of AI tools. The spam filtering service should also include email sandboxing in addition to standard anti-virus protection to identify and block novel malware threats, to prevent the malware infections that are used to gather information to support BEC attacks. SpamTitan from TitanHQ has all these features and more, with recent independent tests confirming the solution provides exceptional protection against phishing, spam, and sophisticated threats such as BEC attacks.

The most important thing to do is to take proactive steps to improve your defenses. Doing nothing could see your business featured in the next set of FBI statistics. Give the TitanHQ team a call today to discuss the best defenses for your business and find out more about how TitanHQ can help block BEC attacks and other cyber threats.

How Real-Time Security Awareness Training Improves Cybersecurity

by G Hunt | July 30, 2024 | Phishing & Email Spam, Security Awareness

Cybersecurity awareness training is now vital for businesses to raise employees’ awareness of cyber threats. Here we will explain why you need real-time security awareness training and phishing simulations and the difference they can make to your security posture.

The biggest cybersecurity threat faced by businesses is phishing. Phishing attacks target employees as cybercriminals and nation-state actors know all too well that employees are a weak link in security defenses. If they can get a phishing email in front of an employee and give them a plausible reason for taking the action they suggest, they can steal credentials that will give them the access they need or get the employee to download and open a malicious file, that will download malware and provide persistent access to the network.

If doesn’t always need to be a sophisticated phishing attempt if the email lands in the inbox of a busy employee or one who lacks security awareness. Many unsophisticated phishing attempts succeed due to human error. The problem is that phishing attempts are often sophisticated, and are now being crafted using LLMs that not only ensure that the emails are devoid of spelling mistakes and grammatical errors, but LLMs can also help to devise new phishing lures.

All it takes is for one phishing attempt to be successful to give an attacker the access they need for an extensive compromise. Cybercriminals often gain access to an employee’s email account and then use that account to conduct further phishing attempts internally, until they compromise large numbers of email accounts and manage to steal credentials with high privileges. Since email accounts often contain a wealth of sensitive and valuable data, the attack does not even need to progress further for it to be costly to remediate.

Businesses need to ensure that they have robust email security defenses, including an email security solution with sandboxing, AI, and machine learning detection to identify and block malware threats and zero-day phishing attacks, malicious URL detection capabilities, and a solution that is constantly updated with the latest threat intelligence. While the most advanced cloud-based email security solutions will block the vast majority of malicious emails, they will not block all threats. For example, in recent independent tests, SpamTitan email security was determined to have a spam catch rate of 99.984%, a phishing catch rate of 99.99%, and a malware catch rate of 100% with zero false positives, finishing second in the test.

For the small percentage of malicious emails that do reach inboxes, employees need to be prepared, be on their guard, and have the skills to identify and report suspicious emails, which is where security awareness training and phishing simulations are needed.

The purpose of security awareness training is to raise the level of awareness of cyber threats within the workforce, teach cybersecurity best practices, and eliminate risky behaviors. Training will only be effective if it is provided regularly, building up knowledge over time. Training should ideally be provided in short regular training sessions, with training programs running continuously throughout the year. Each week, every employee can complete a short training module which will help to build awareness and keep security fresh in the mind, with the ultimate goal of creating a security culture where every employee is constantly on their guard and aware that the next email they receive could well be a phishing attempt or contain malware.

Training is most effective when combined with phishing simulations. You can teach employees how to recognize a phishing email, but simulations give them practice at detecting threats and applying their training. Further, the emails will be received when the employees are completing work duties, just the same as a genuine phishing threat. A phishing simulator can be used to automate these campaigns, and administrators can track who responds to determine the types of threats that are tricking employees and the individuals who are failing to identify threats. Training programs can then be tweaked accordingly to address the weaknesses.

The most effective phishing simulation programs automatically deliver training content in real-time in response to security mistakes. When a phishing simulation is failed, the employee is immediately notified and given a short training module relevant to the mistake they made. When training is delivered in real time it serves two important purposes. It ensures that the employee is immediately notified about where they went wrong and how they could have identified the threat, and the training is delivered at the point when it is likely to have the greatest impact.

SafeTitan from TitanHQ makes providing training and conducting phishing simulations simple. The training modules are enjoyable, can be easily fitted into busy workflows, and the training material can be tailored to the organization and individual employees and roles. The training and simulations can be automated and require little management, and since the content is constantly updated with new material and phishing templates based on the latest tactics used by cybercriminals, employees can be kept constantly up to date.

For more information about SafeTitan security awareness training and phishing simulations, give the TitanHQ team a call.

Quick Assist Abused in Tech Support Scam Leading to Black Basta Ransomware Attack

by G Hunt | June 3, 2024 | Phishing & Email Spam, Security Awareness

Earlier this month, warnings were issued about the Black Basta ransomware group, after an increase in activity in recent weeks. Now a new tactic has emerged to gain initial access to networks that ultimately leads to a Black Basta ransomware attack.

Storm-1811 is a highly sophisticated financially motivated cybercriminal group that was first detected in April 2022. Unlike many cybercriminal groups that start slowly, Storm-1811 conducted more than 100 attacks in its first 7 months. The latest campaign linked to the group is a type of tech support scam and is conducted over the phone through voice phishing (vishing).

The threat actor targets users and uses social engineering techniques over the phone to convince the user that they need to take urgent action to fix a fictitious problem on their computer. The threat actor often impersonates a member of the IT help desk or even Microsoft technical support. This attack leverages Quick Assist – a legitimate Windows app that is used to establish a remote connection to a device.

Quick Assist is a useful tool for providing IT support. If a friend or family member is having difficulty with their computer, they can provide remote access to a more technically skilled family member to sort out the problem remotely. Through Quick Assist, it is possible to view the display, make annotations, and take full control of the connected device.

Any remote access tool can be abused by a threat actor and Quick Assist is no different.  If the user is convinced that the request is genuine and access to their device is granted, the threat actor will be able to perform a range of malicious actions. In this campaign, the threat actor installs a range of malicious tools to allow them to achieve their objectives, including remote monitoring and management (RMM) tools such as ScreenConnect and NetSupport Manager, and malware including Qakbot and Cobalt Strike. After gaining access, Storm-1811 actors can steal data and the access will ultimately lead to a Black Basta ransomware attack.

One point where this campaign could fail is convincing a user that they have a problem with their computer that requires remote access to fix. To get around this problem, Storm-1811 threat actors create a problem that needs to be addressed. One of the ways they do this is by conducting an email-bombing campaign. They identify email addresses of employees at the targeted company and bombard them with spam emails by signing them up to various high-volume email subscription services. When they make the call, the user will no doubt be frustrated by the spam emails, and it is easy to convince them that the problem can be sorted via Quick Assist.

The user just needs to press CTRL plus the Windows Key and Q to initiate Quick Assist, and then enter the security code provided by the threat actor and confirm that they want to proceed with screen sharing. The threat actor can then request remote access through the session and, if granted by the user, will be provided with full control of the user’s device. If they get to that point while the user is still on the phone, the threat actor will be able to explain any installation of a program as part of the remediation efforts. The threat actor can then unsubscribe the user from the various email subscriptions to make them believe that the problem has been resolved. Since the tools used by the threat actor can easily blend in, the attack is likely to go undetected until ransomware is used to encrypt files.

There are two easy ways to reduce susceptibility to this attack. The first is for IT teams to block or uninstall Quick Assist if they are not using the tool for remote access. Since other remote access tools may be used in these tech support scams, it is also vital to educate the workforce about tech support scams.

Users should be trained never to provide remote access to their device unless they initiate the interaction with their IT help desk or Microsoft support. Many companies provide security awareness training to the workforce that focuses on email phishing since this has long been the most common method of gaining access to internal networks.

Security awareness training should also educate users about other forms of phishing, including SMS phishing (smishing), vishing, and phishing via instant messaging services. With SpamTitan, creating, automating, and updating training content with the latest tactics used by cybercriminals is easy. The platform includes an extensive range of engaging training modules and is constantly updated with new content based on real-world attacks by cybercriminal groups.

When you train your workforce with SafeTitan, you can greatly reduce susceptibility to the different types of cyberattacks. Give the TitanHQ team a call today for further information or use the SafeTitan link to sign up for a free trial.

Discord Phishing Risk Increases with 50,000+ Malicious Links Detected in 6 Months

by G Hunt | May 30, 2024 | Phishing & Email Spam, Security Awareness

Phishing tactics are constantly changing and while email is still one of the most common ways of getting malicious content in front of end users, other forms of phishing are growing. Smishing (SMS phishing) has increased considerably in recent years, and vishing (voice phishing) is also common, especially for IT support scams.

Another method of malware delivery that has seen an enormous increase recently is the use of instant messaging and VoIP social platform Discord. Discord is a platform that has long been popular with gamers, due to being able to create a server with voice and text for no extra cost, both of which are necessary for teamspeak in gaming. While gamers still account for a majority of users, usage for non-gaming purposes is growing.

The platform is also proving popular with cybercriminals who are using it for phishing campaigns and malware distribution. According to Bitdefender, the antivirus company whose technology powers the SpamTitan email sandboxing feature, more than 50,000 malicious links have been detected on Discord in the past 6 months. Around a year ago, a campaign was detected that used Discord to send links to a malicious site resulting in the delivery of PureCrypter malware – a fully featured malware loader that is used for distributing information stealers and remote access trojans.

Discord responded to the misuse of the platform and implemented changes such as adding a 24-hour expiry for links to internally hosted files, which made it harder for malicious actors to use the platform for hosting malware. While this move has hampered cybercriminals, the platform is still being used for malware distribution. One of the latest malicious Discord campaigns is concerned with obtaining credentials and financial information rather than distributing malware.

The campaign involves sending links that offer users a free Discord Nitro subscription. Discord Nitro provides users with perks that are locked for other users, such as being able to use custom emojis anywhere, set custom video backgrounds, HD video streaming, bigger file uploads, and more. Discord Nitro costs $9.99 a month, so a free account is attractive.

If the user clicks the link in the message, they are directed to a fake Discord website where they are tricked into disclosing credentials and financial information. Other Discord Nitro lures have also been detected along the same theme, offering advice on how to qualify for a free Discord Nitro subscription by linking to other accounts such as Steam. According to Bitdefender, 28% of detected malicious uses are spam threats, 27% are untrusted, around 20% are phishing attempts and a similar percentage involve malware distribution.

Any platform that allows direct communication with users can be used for phishing and other malicious purposes. Security awareness training should cover all of these attack vectors and should get the message across to end users that they always need to be on their guard whether they are on email, SMS, instant messaging services, or the phone. By running training courses continuously throughout the year, businesses can develop a security culture by training their employees to be constantly on the lookout for phishing and malware threats and developing the skills that allow them to identify threats.

Developing, automating, and updating training courses to include information on the latest threats, tactics techniques, and procedures used by threat actors is easy with the SafeTitan security awareness training platform. SafeTitan makes training fun and engaging for end users and the platform has been shown to reduce susceptibility to phishing and malware threats by up to 80%.

If you are not currently running a comprehensive security awareness training program for your workforce or if you are looking to improve your training. Give the TitanHQ team a call and ask about SafeTitan. SafeTitan is one product in a suite of cloud-based security solutions for businesses and managed service providers, which includes an enterprise spam filter, a malicious file sandbox for email, a DNS-based web filter, email encryption, email archiving, and phishing protection for M365.

Sophisticated Phishing Campaign Abuses Cloudflare Workers

by G Hunt | May 26, 2024 | Phishing & Email Spam, Security Awareness

Cloudflare Workers is being abused in phishing campaigns to obtain credentials for Microsoft, Gmail, Yahoo!, and cPanel Webmail. The campaigns identified in the past month have mostly targeted individuals in Asia, North America, and Southern Europe, with the majority of attacks conducted on organizations in the technology, finance, and banking sectors.

Cloudflare Workers is part of the Cloudflare Developer Platform and allows code to be deployed and run from Cloudflare’s global network. It is used to build web functions and applications without having to maintain infrastructure. The campaigns were identified by researchers at Netskope Threat Labs. One campaign uses a technique called HTML smuggling, which involves abusing HTML5 and JavaScript features to inject and extract data across network boundaries. This is a client-side attack where the malicious activities occur within the user’s browser. HTML smuggling is most commonly associated with malware and is used to bypass network controls by assembling malicious payloads on the client side. In this case, the malicious payload is a phishing page.

The phishing page is reconstructed in the user’s browser, and they are prompted to log in to the account for which the attacker seeks credentials, such as their Microsoft account. When the victim enters their credentials, they will be logged in to the legitimate website and the attacker will then collect the tokens and session cookies.

Another campaign uses adversary-in-the-middle (AitM) tactics to capture login credentials, cookies, and tokens, and allow the attackers to compromise accounts that are protected with multi-factor authentication. Cloudflare Workers is used as a reverse proxy server for the legitimate login page for the credentials being targeted. Traffic between the victim and the login page is intercepted to capture credentials as well as MFA codes and session cookies. The advantage of this type of attack is the user is shown the exact login page for the credentials being targeted. That means that the attacker does not need to create and maintain a copy of the login page.

When the user enters their credentials, they are sent to the legitimate login page by the attacker, and the response from the login page is relayed to the victim. The threat actor’s application captures the credentials and the tokens and cookies in the response. In these CloudFlare Workers phishing campaigns, users can identify the scam by looking for the *.workers.dev domain and should be trained to always access login pages by typing the URL directly into the web browser.

Defending against sophisticated phishing attacks requires a combination of security measures including an email security solution with AI/machine learning capabilities and email sandboxing, regular security awareness training, and web filtering to block the malicious websites and inspecting HTTP and HTTPS traffic. For more information on improving your defenses, give the TitanHQ team a call.

Sophisticated Ransomware Campaign Uses Business Email Compromise Tactics

by G Hunt | August 30, 2023 | Phishing & Email Spam, Security Awareness

Companies in Spain are being targeted by a ransomware group that uses phishing emails to distribute LockBit Locker ransomware. According to a recent warning issued by the Central Cybercrime Unit of the Policía Nacional, the campaign has a very high level of sophistication and has so far targeted architecture companies; however, the campaign may be expanded to target other sectors.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct ransomware attacks in exchange for a cut of any ransoms they generate. LockBit is one of the most active ransomware groups and was the most deployed ransomware variant in 2022. The LockBit Locker group conducting this campaign claims to be affiliated with the notorious LockBit group; however, those claims have yet to be verified. What is known is that this is a highly capable group that conducts sophisticated attacks targeting specific industry sectors. The lures and communications used in these attacks are very difficult to distinguish from genuine communications from legitimate companies.

The group appears to have adopted tactics used by business email compromise (BEC) threat actors who build trust with the victim over several emails. An initial communication is sent to a company and the threat actor then engages in conversations over several emails to make it appear that the firm is engaging with a legitimate company that is seeking their services.

The Policía Nacional described one of the attacks, which saw the initial email sent from the non-existent domain, fotoprix.eu. The threat actor claimed to be a photography company looking for a quote from architecture firms for a renovation of their premises. The targeted company responded to the initial email, then the threat actor exchanged several more messages before proposing a date to hold a meeting to finalize the budget. As a prerequisite, documents were sent via email that contained specifications for the proposed renovation to allow the architecture form to provide an accurate quote. The archive file attached to the email contained a shortcut file that executes a malicious Python script, which establishes persistence and executes the LockBit Locker payload to encrypt files. A ransom demand is then dropped on the encrypted device, payment of which is required to recover files.

Ransomware groups are constantly changing their tactics, techniques, and procedures (TTPs) which is why it is so important to provide ongoing security awareness training to the workforce. This campaign is especially concerning because of the effort the threat actor is putting into the impersonation of a potential customer. Ransomware groups often copy each other’s tactics, and if this campaign proves to be successful, the same TTPs are likely to be used by other groups.

It is therefore recommended to incorporate these TTPs into your security awareness training and make sure that employees are made aware of this new method of attack. Companies that use TitanHQ’s SpamTitan solution can easily provide training to the workforce on specific tactics through short training modules and incorporate new tactics in their phishing simulations. Phishing simulations can be quickly and easily spun up through the platform in response to changing TTPs and administrators will be able to get instant feedback on the likelihood of employees falling for a campaign. A phishing simulation failure will immediately trigger a training module specific to the threat, ensuring employees are provided with the additional training they need to avoid similar threats in the future.

Call TitanHQ today for more information on the SafeTitan security awareness training and phishing simulation platform and find out how it can significantly improve your company’s security posture.

UK Cyber Security Agency Makes Recommendations for Businesses to Combat Phishing

by G Hunt | December 22, 2022 | Phishing & Email Spam, Security Awareness

Phishing is one of the most common ways that cybercriminals attack businesses. Phishing is used to install malware and steal credentials, both of which will provide them with initial access to the network. Since phishing targets individuals, one of the most important steps to take to prevent phishing attacks is to provide security awareness training to the workforce.

Employees should be warned about the risk of phishing attacks and taught what to look for to help them identify, avoid, and report phishing threats. Training alone is not the answer though, as employees need practice at identifying phishing. Phishing simulations should therefore be conducted. These are realistic but fake phishing emails that are sent to all members of the workforce, the responses to which are tracked. When a user fails a phishing simulation, they can be provided with relevant training to help them identify similar threats in the future and to correct any risky behaviors. The combination of security awareness training and phishing simulations – both of which are provided through SafeTitan – can reduce susceptibility to phishing attacks by up to 80%.

Security awareness training should teach employees the red flags that indicate a phishing attempt. Employees should also be encouraged to report phishing attempts to their security team, as there is a good chance that the phishing email will not be the only such threat in the email system. When these threats are reported, security teams can remove all other copies of that message from the email system, thus preventing other users from being exposed to the threat. It is also important to encourage users to report phishing threats that they have responded to, as the faster the security team is made aware of a clicked link or file download, the faster mitigations can be implemented to reduce the harm that can be caused.

One problem for businesses is employees are often fearful of reporting responses to phishing emails due to the potential for negative repercussions, such as disciplinary action. If reporting is delayed, then mitigations are also delayed, which can potentially have serious consequences. The UK’s National Cyber Security Centre (NCSC) has recently suggested that in order to address this issue, businesses need to change their mindset. At many businesses, employees are made to feel that it is their responsibility to identify and avoid phishing attempts when the reality is it is the responsibility of the employer to block threats by implementing a range of technical controls. Employees should be trained on how to identify phishing attempts of course, but in order to develop a strong reporting culture, employees must not be made to think that a failure to avoid a phishing threat is their fault. The NCSC also takes issue with the commonly provided advice that employees should not click hyperlinks in unsolicited emails as, in many cases, that is actually a requirement of their job.

Technical Recommendations for Protecting Against Phishing Attacks

So how should businesses combat phishing? What technical measures should be implemented to improve defenses and make it much harder for phishing attacks to succeed? TitanHQ has long recommended what the NCSC suggests, and that is phishing prevention requires a defense-in-depth approach, where multiple overlapping layers of protection are implemented. This is vital, as no single anti-phishing measure will be 100% effective, 100% of the time.

The NCSC recommends multiple technical measures, the most important of which are a spam filtering solution that scans all inbound emails for phishing signatures and the setting of DMARC and SPF policies, as these are effective at blocking the majority of phishing threats. TitanHQ’s SpamTitan solution incorporates DMARC, DKIM, and SPF for blocking phishing threats, machine learning for identifying zero-day threats, as has constantly updated blacklists of malicious IP addresses and domains. SpamTitan also has a sandbox for deep behavioral inspection of attachments, in addition to dual anti-virus engines.

The NCSC also recommends implementing web proxies or web filters to prevent employees from accessing malicious websites linked in phishing emails. SpamTitan Plus rewrites URLs in phishing emails and follows them, providing protection against these malicious links. The WebTitan DNS filter will block access to known malicious websites and will also prevent downloads of malicious or risky files from the Internet, such as executable files – another recommendation of NCSC.

While not often considered by businesses as a phishing prevention measure, a password manager does provide a degree of protection against phishing attacks that harvest credentials, so businesses should provide one for their employees to use and they should encourage employees to use it. Password managers suggest strong passwords and then autofill them when they are required. Since the password is tied to a specific URL or domain, if a user lands on a phishing site that spoofs a brand, the password manager will not auto-fill the password, since the URL/domain is not associated with that password. It is also important to ensure that multi-factor authentication is enabled.  Ideally,  businesses should opt for passwordless authentication with a FIDO token.

Additional safeguards that should be considered include allow-listing to prevent executable files from running from any directories that users can write them and configuring the Registry to ensure that dangerous scripting or file types are opened in Notepad and are not executed.  NCSC also recommends using PowerShell in constrained mode, script signing, disabling the mounting of .iso files on endpoints, locking down the macro settings, and only allowing users to enable macros if they need to do so for their job. Businesses should also stay up to date on the latest threats and ensure that mitigations are implemented against those threats and that they are incorporated into security awareness training programs, as TitanHQ does with SafeTitan.

By implementing all of these mitigations and adopting a defense-in-depth approach it becomes less important that employees can recognize and avoid threats, although training is still important because one or more of the above measures may fail. Businesses should also avoid punishing employees for failing to identify phishing attempts, as that is likely to create a culture of fear rather than a culture of reporting threats.

TitanHQ can help businesses significantly improve their defenses and implement many of the NCSC recommendations for combatting phishing. For more information on TitanHQ solutions, give the team a call today, or take advantage of the free trials on all TitanHQ products.

BEC Attacks on Businesses are Increasing: How To Improve Your Defenses Against These Damaging Attacks

by G Hunt | August 12, 2022 | Phishing & Email Spam, Security Awareness

Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most financially damaging types of cyberattacks, and attacks have been increasing. These attacks involve gaining access to business email accounts, often the email account of the CEO or CFO, and using those accounts to send emails to staff that has responsibility for making payments and tricking them into wiring funds to an attacker-controlled account. The attacks can also be conducted to make changes to payroll information to get employees’ salaries deposited to attacker-controlled accounts.

BEC scams have resulted in losses in excess of $43 billion over the past 5 years according to the Federal Bureau of Investigation (FBI), and that is just complaints submitted to its Internet Crime Complaint Center (IC3). In 2021 alone, almost $2.4 billion in losses to BEC attacks were reported to IC3.

Anatomy of a BEC Attack

BEC attacks require considerable effort by threat actors, but the rewards from a successful attack are high. BEC attacks often see fraudulent transfers made for hundreds of thousands of dollars and in some cases several million. Companies are researched, individuals to target are identified, and attempts are made to compromise their accounts. Accounts can be compromised through phishing or brute force attempts to guess weak passwords.

With access to the right email accounts, the attacker can study the emails in the account. The usual communication channels can be identified along with the style of emails that are usually sent. The attacker will identify contracts that are about to be renewed, invoices that will soon be due, and other regular payments to try to divert. Timely and convincing emails can then be sent to divert payments and give the attacker sufficient time to move the funds before the scam is uncovered.

A recent report from Accenture suggests the rise in ransomware attacks is helping to fuel the rise in BEC attacks. Ransomware gangs steal data before encrypting files and publish the data on their data leak sites. The stolen data can be used to identify businesses and employees that can be targeted, and often includes contract information, invoices, and other documents that can cut down on the time spent researching targets and identifying payments to divert. Some ransomware gangs are offering indexed, searchable data, which makes life even easier for BEC scammers.

How to Improve Your Defenses Against BEC Attacks

Defending against BEC attacks can be a challenge for businesses. Once an email account has been compromised, the emails sent from the account to the finance department to make wire transfers can be difficult to distinguish from genuine communications.

Use an Email Security Solution with Outbound Scanning

An email security solution such as SpamTitan can help in this regard, as all outbound emails are scanned in addition to inbound emails. However, the key to blocking attacks is to prevent the email accounts from being compromised in the first place, which is where SpamTitan will really help. SpamTitan protects against phishing emails using multiple layers of protection. Known malicious email accounts and IP addresses are blocked, other checks are performed on message headers looking for the signs of phishing, and the content of the emails is checked, including attachments and embedded hyperlinks. Emails are checked using heuristics and Bayesian analysis to identify irregularities, and machine learning helps to identify messages that deviate from the normal emails received by a business.

Implement Robust Password Policies and MFA

Unfortunately, it is not only phishing that is used to compromise email accounts. Brute force tactics are used to guess weak passwords or credentials stuffing attacks are performed to guess passwords that have been used to secure users’ other accounts. To block this attack vector, businesses need to implement robust password policies and enforce the use of strong passwords. Remembering complex passwords is difficult for employees, so a password manager solution should be used so they don’t need to. Password managers suggest complex, unique passwords, and store them securely in a vault. They autofill the passwords when they are needed so employees don’t need to remember them. If email account credentials are compromised, they can be used to remotely access accounts. Multifactor authentication can stop this, as in addition to a password, another form of authentication must be provided.

Provide Security Awareness Training to the Workforce

Providing security awareness training to the workforce is a must. Employees need to be taught how to recognize phishing emails and should be trained on cybersecurity best practices. If employees are unaware of the threats they are likely to encounter, when the threats land in their inboxes or are encountered on the web, they may not be able to recognize them as malicious. Training should be tailored for different users, and training on BEC attacks should be provided to the individuals who are likely to be targeted: the board, finance department, payroll, etc.

Security awareness should be accompanied by phishing simulations – fake, but realistic, phishing emails sent to the workforce to test how they respond. BEC attacks can be simulated to see whether the scams can be recognized. If a simulation is failed it can be turned into a training opportunity. These campaigns can be created, and automated, with the SafeTitan Security Awareness Training and Phishing Simulation Platform.

Set Up Communication Channels for Verifying Transfer Requests

Employees responsible for making wire transfers or changing payroll information should have a communication channel they can use to verify transfers and bank account changes. Providing them with a list of verified phone numbers will allow them to make a quick call to verify changes. A quick phone call to verify a request can be the difference between an avoided scam and a major financial loss.

Speak to TitanHQ about Improving Your Defenses Against BEC Attacks

TitanHQ offers a range of cybersecurity solutions for blocking email and web-based cyber threats. For more information on SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training, give the TitanHQ team a call. All solutions are quick and easy to set up and use, and all have been developed to make it easy for MSPs to offer these cybersecurity solutions to their clients. With TitanHQ solutions in place, you will be well protected from phishing, malware, ransomware, botnets, social engineering, and BEC attacks.

Twilio SMS Phishing Attack Highlights Importance of Security Awareness Training on all Forms of Phishing

by G Hunt | August 9, 2022 | Phishing & Email Spam, Security Awareness

Phishing is mostly conducted via email; however, a recent data breach at the cloud communication company Twilio demonstrates that phishing can be highly effective when conducted using other popular communication methods, such as SMS messages.

An SMS phishing attack – known as SMiShing – involves sending SMS messages with a link to a malicious website with some kind of lure to get people to click. Once a click occurs, the scam progresses as an email phishing attack does, with the user being prompted to disclose their credentials on a website that is usually a spoofed site to make it appear genuine. The credentials are then captured and used by the attacker to remotely access the victims’ accounts.

Twillio provides programmable voice, text, chat, video, and email APIs, which are used by more than 10 million developers and 150,000 businesses to create customer engagement platforms. In this smishing attack, Twilio employees were sent SMS messages that appeared to have been sent by the Twilio IT department that directed them to a cloned website that had the Twilio sign-in page. Due to the small screen size on mobile devices, the full URL is not displayed, but certain keywords are added to the URLs that will be displayed to add realism to the scam. The URLs in this campaign included keywords such as SSO, Okta, and Twilio.

According to Twilio EMEA Communications director, Katherine James, the company detected suspicious account activity on August 4, 2022, and the investigation confirmed that several employee accounts had been accessed by unauthorized individuals following responses to the SMS messages. The attackers were able to access certain customer data through the Twilio accounts, although James declined to say how many employees were tricked by the scam and how many customers had been affected.

Twilio was transparent about the data breach and shared the text of one of the phishing emails, which read:

Notice! [redacted] login has expired. Please tap twilio-sso-com to update your password!

The text messages were sent from U.S. carrier networks. Twilio contacted those companies and the hosting providers to shut down the operation and take down the malicious URLs. Twilio said they were not the only company to be targeted in this SMS phishing campaign, and the company worked in conjunction with those other companies to try to shut the operation down; however, as is common in these campaigns, the threat actors simply switch mobile carriers and hosting providers to continue their attacks.

The smishing attack and data breach should serve as a reminder to all businesses of the risk of smishing. Blocking these types of phishing attacks can be a challenge for businesses. The best starting point for improving your defenses is to provide security awareness training for the workforce. Security awareness training for employees usually has a strong emphasis on email phishing, since this type of phishing is far more common, but it is important to also ensure that employees are trained on how to recognize phishing in all its forms, including smishing, social media phishing, and voice phishing – vishing – which takes place over the telephone.

The easiest way to do this is to work with a security vendor such as TitanHQ. TitanHQ offers a comprehensive security awareness training platform – SafeTitan – with an extensive range of training content on all aspects of security, including smishing and voice phishing. The training content is engaging, interactive, and effective at improving cybersecurity understanding, and SafeTitan is the only security awareness training platform that delivers training in real-time in response to the behavior of employees. The platform also includes a phishing simulator for automating simulated phishing tests on employees.

For more information about improving security awareness in your organization, contact TitanHQ today.

Social Media Phishing Attacks are on the Rise

by G Hunt | July 13, 2022 | Phishing & Email Spam, Security Awareness

Phishing can take many forms and while email is the most common vector used in these scams, other types of phishing such as voice phishing (vishing), SMS phishing (Smishing), and social media phishing increasing. In particular, there has been a recent spike in social media phishing attempts.

The threat from email phishing can be greatly reduced with an email security solution; however, these solutions will do nothing to block vishing, smishing, and social media phishing attempts. Businesses can improve their defenses by also using a DNS filtering solution. DNS filters block attempts to visit malicious websites and work in tandem with email security solutions to block email phishing and can also block the web-based component of smishing attacks and social media phishing to a certain extent. Unfortunately, since the social media networks where phishing takes place are not malicious websites, it will not prevent people from encountering phishing attempts.

This is why security awareness training is so important. Security awareness training gives employees the skills they need to recognize and avoid phishing attempts, no matter where the phishing attack is conducted. By training the workforce on security threats, risky behaviors can be eradicated, and employees can be taught the signs of phishing to look out for. The SafeTitan Security Awareness Training platform also delivers training in real-time, in response to risky behaviors by employees. This ensures training is delivered instantly when risky behavior is detected and training is likely to have the greatest benefit.

Social Media Phishing

Two social media phishing campaigns have recently been identified by researchers at Malwarebytes, the goal of which is to obtain the credentials for social media accounts. If the credentials are disclosed, the attacker can access the victim’s account and use it to conduct further attacks on the victim’s followers. If the credentials for a corporate social media account are stolen, attacks could be conducted on all the company’s followers. These attacks abuse the trust customers have in the company. The two campaigns have been conducted on Twitter and Discord users. Both use social engineering to trick people into disclosing their account credentials.

Twitter Phishing Campaign

In the Twitter campaign, the scammer sends a direct message to the user informing them that their account has been flagged for hate speech and threatens an immediate suspension of the account unless action is taken. The user is told that they must authenticate the account via the Twitter Help Center, a link for which is provided in the message. The link directs the user to a phishing page that spoofs Twitter where they are asked to log in. If they do, their credentials will be captured.

Discord Phishing Campaign

The Discord campaign sees a message sent from either a contact of the victim using a compromised Discord account or from strangers. The account owner is accused of disseminating explicit photographs and the sender says they are going to block the account until an explanation is provided. A link is provided to a server where the recipient has allegedly been named and shamed. If the message recipient tries to respond to the message, their message will not be sent as they will have been blocked, increasing the likelihood of their clicking the link to the server.

Victims are required to log in via a QR code and once they have attempted that they are locked out of their accounts, which are then under the full control of the scammer. The scammer is then free to use the legitimate account to continue their scam on all the victims’ contacts. Social media scams such as these try to scare or shame users into responding. This tactic can be very effective, even if the user has never said a bad word on Twitter or sent an explicit photograph to anyone on Discord.

Other Social Media Phishing Campaigns

Phishing can – and does – occur on all social media platforms. One scam that has proven successful targets Instagram users and offers them the verified Instagram badge. In order to receive the badge, they are required to log in to verify their identity, naturally via a malicious link. Doing so will allow the scammer to take full control of the user’s Instagram account.

It is a similar story on LinkedIn. One of the most common scams involves impersonating a company and sending a message to an individual about a job offer, or a message suggesting they have been headhunted. Fake connection requests are also common. In this scam, the user is provided with a link to a scam site that spoofs LinkedIn and again is conducted to harvest credentials.

On Facebook, phishing scams are rife but often they seem innocuous. If you use Facebook, you will no doubt have seen countless posts asking site users to determine their band name, porn star name, pirate name, etc., by providing information such as the month and year of birth.  Posts asking what was your first car? Where did you grow up? What was your favorite teacher’s name? and many more do not seek credentials, but the information disclosed can be used to answer security questions that are asked in order to recover accounts. These scams also make brute force attacks to guess passwords so much easier.

Dangers of Social Media Phishing

The loss of access to a social media account may not be the end of the world and is likely far better than having a bank account emptied, but the damage caused can be considerable. Many small businesses rely on social media for publicity and generating sales, and the loss of an account or scamming of customers can be devastating. The passwords used for social media accounts are often reused across multiple platforms. Scammers often conduct credential stuffing attacks on other platforms and accounts using the same password. Fall victim to a social media phishing scam and many other accounts could be compromised.

Blocking social media phishing attacks can be a challenge. You should also ensure that two-factor authentication is enabled on social media accounts, consider restricting who can send direct messages to your account, and who can view your profiles. If you encounter a scam, be sure to report it.

For businesses, employees with access to corporate social media accounts should be given specific training on social media phishing to ensure they can recognize and avoid phishing scams. The SafeTitan Security Awareness Training platform makes this simple and helps businesses instantly correct risky behaviors through the automated delivery of a relevant training course in real-time. The platform has a wealth of engaging, gamified training content and a phishing simulation platform for testing resilience to phishing attacks.

For more information on SafeTitan and improving your phishing defenses through the use of an email security solution and DNS filtering, give the TitanHQ team a call today.

Copyright Infringement Notices used in Phishing Emails for Delivering Lockbit 2.0 Ransomware

by G Hunt | June 29, 2022 | Phishing & Email Spam, Security Awareness

Cybercriminals are constantly changing tactics and lures in their phishing campaigns, so it is no surprise to see a new technique being used by affiliates of the Lockbit ransomware-as-a-service operation. A campaign has been identified by researchers at AhnLab in Korea that attempts to deliver a malware loader named Bumblebee, which in turn is used to deliver the LockBit 2.0 ransomware payload.

Various lures are used in phishing campaigns for delivering malware loaders, with this campaign using a warning about a copyright violation due to the unauthorized use of images on the company’s website. As is common in phishing emails, the emails contain a threat should no action be taken – legal action. Emails that deliver malware loaders either use attached files or contain links to files hosted online. The problem with attaching files to emails is they can be detected by email security solutions. To get around this, links are often included. In this case, the campaign uses the latter, and to further evade detection, the linked file is a password-protected archive. This is a common trick used in malware delivery via email to prevent the file from being detected as malicious by security solutions, which are unable to open the file and examine the contents. The recipient of the message is provided with the password to open the file in the message body.

The password-protected zip file contains a file that masquerades as a PDF file, which the user is required to open to obtain further information about the copyright violation. However, a double file extension is used, and the attached file is actually an executable file, which will deliver the Bumblebee loader, and thereafter, LockBit 2.0 ransomware.

These types of phishing attacks are all too common. Believable lures are used to trick people into taking the requested action, a threat is included should no action be taken, and multiple measures are used to evade security solutions. Any warning about a copyright violation must be taken seriously but as with most phishing emails, there are red flags in this email that suggest this is a scam. Security-aware employees should be able to recognize the red flags and while they may not be able to confirm the malicious nature of the email, they should report such messages to their IT department or security team for further investigation. However, in order to be able to identify those red flags, employees should be provided with security awareness training.

Through regular training employees will learn the signs of phishing emails, can be conditioned to always report the emails to their security team, and can be kept abreast of the latest tactics used in phishing emails for malware delivery. It is also recommended to conduct phishing simulations to test whether employees are being fooled by phishing attempts. If employees fail phishing simulations it could indicate issues with the training course that need to be addressed, or that certain employees need to be provided with additional training. Through regular security awareness training and phishing simulations, businesses can create a human firewall capable of detecting phishing attempts that bypass the organization’s email and web security defenses.

TitanHQ can provide assistance in this regard through the SafeTitan Security Awareness Training and Phishing Simulation Platform – Further information on the solution can be found here.