The main aim of our spam advice section is to keep you up to date with the latest news on new email spam campaigns, email-based threats and anti-spam solutions that can be deployed to block those threats.
Email spam is more than a nuisance. Even if the number of spam emails received by employees is relatively low, it can be a major drain on productivity, especially for organizations with hundreds or thousands of employees. This section includes articles offering advice on how to reclaim those lost hours by reducing the number of messages that are delivered to your employees’ inboxes.
However, far worse than the lost hours are the malware and ransomware threats that arrive via spam email. Email is now the number one attack vector used by cybercriminals to deliver malware and ransomware. Cybercriminals are now using increasingly sophisticated methods to bypass security solutions. Today’s spam emails use advanced social engineering techniques to fool end users into revealing login credentials and other sensitive information, and installing malicious software on their computers.
Considerable advances have also been made to malware and ransomware. Self-replicating worms are being used to infiltrate entire networks before ransomware attacks occur, maximizing the damage caused and the ransom payments that can be generated. The cost to industry is considerable. Last year ransomware attacks resulted in $1 billion in losses by businesses, with 2017 expected to see those losses rise to a staggering $4 billion. Blocking spam email messages from being delivered is therefore an essential element of any cybersecurity strategy.
Good spam advice can help organizations take action promptly to reduce the risk of email-based attacks. You will find a range of articles in this section on the latest spam email campaigns, data breaches that started with a phishing email and advice on mitigating the risk of phishing and business email compromise scams.
The Texas-based online hotel booking website Hotels.com is notifying customers that some of their sensitive information has been exposed. The Hotels.com breach potentially involved usernames and passwords, email addresses, and the last four digits of site users’ credit card numbers.
Users’ accounts were hacked between May 22 and May 29, although at this stage it is unclear exactly how many individuals have been affected. While full credit card numbers were not obtained, the Hotels.com breach will see users face an elevated risk of phishing attacks.
Phishing emails come in many guises, although it is common for users of a site that has experienced a data breach or security incident to receive warning emails about the attack. The emails rightly claim that a user’s sensitive information has been compromised; however, the emails do not come from the company that experienced the breach. Instead, it is the cybercriminals who conducted the attack, or individuals who have bought stolen data from the attackers, that send the emails.
A typical phishing scenario sees individuals informed that their usernames and passwords have been compromised. A link is included in the emails to allow the user to reset their password or activate additional security controls on their account.
That link will direct the user to a phishing website where further information is obtained – the missing digits from their credit card number for example – or other personal information. Alternatively, the link could direct the user to a malicious website containing an exploit kit that downloads malware onto their computer.
Hotels.com customers were targeted in a 2015 phishing campaign which resulted in many site users divulging information such as names, phone numbers, email addresses and travel details. That information could be used in further scams or even for robberies when victims are known to be on vacation.
The Hotels.com breach is the latest in a number of attacks on online companies. While it is currently unclear how access to customers’ accounts was gained, a letter emailed to affected users suggests the attacks could be linked to breaches at other websites. The letter suggests access to online accounts could have resulted from password reuse.
Reusing passwords on multiple online platforms is a bad idea. While it is easier to remember one password, a breach at any online website means the attackers will be able to access accounts on multiple sites.
To prevent this, strong, unique passwords should be used for each online account. While these can be difficult to remember, a password manager can be used to store those passwords. Many password managers also help users generate strong, unique passwords. Users should also take advantage of two-factor authentication controls on sites whenever possible to improve security.
Since many businesses use hotel booking websites such as Hotels.com, they should be particularly vigilant for phishing emails over the coming weeks, especially any related to hotels.com. To protect against phishing attacks, we recommend using SpamTitan. SpamTitan blocks more than 99.9% of phishing and other spam emails, reducing the risk of those messages being delivered to end users. Along with security awareness training and phishing simulation exercises, businesses can successfully defend against phishing attacks.
In the United States, the healthcare industry is being targeted by cybercriminals, with phishing attacks on healthcare organizations one of the easiest and most common methods of gaining access to email accounts and protected health information.
A phishing email is sent to a healthcare employee along with a seemingly legitimate reason for revealing their login credentials. Doing so will give the attackers access to an email account and the protected health information of patients in those emails.
Emails accounts contain a wealth of information that can be used for further attacks. A compromised email account can be used to send further phishing emails within a company. One response to a phishing email can see many email accounts compromised. A single phishing email can result in a major security incident and costly data breach.
There have been many phishing attacks on healthcare organizations this year and the past 12 months has seen numerous phishing-related data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal.
Any breach of protected health information that results in more than 500 records being exposed is investigated by OCR. During investigations of phishing attacks on healthcare organizations, OCR often finds that Health Insurance Portability and Accountability Act Rules have been violated. Healthcare organizations are discovered not to have performed risk assessments – as is required by the HIPAA Security Rule – and have failed to identify the risk of phishing and take appropriate steps to reduce risk to an acceptable level.
When organizations are found to have violated HIPAA Rules, heavy fines may follow. Recently, OCR has investigated several healthcare phishing attacks and has taken some cases forward to settlement. The HIPAA fines can be considerable.
In 2015, OCR announced its first HIPAA settlement for a phishing attack. University of Washington Medicine was fined $750,000 as a result of a malware installation that occurred when an employee responded to a phishing email. In that case, 90,000 patients had their information revealed to the attackers.
A HIPAA penalty for a phishing attack was also announced last month, with the Colorado based Metro Community Provider Network (MCPN) having to pay OCR $400,000 to resolve HIPAA violations discovered during the investigation of the phishing attack. The phishing attack resulted in an email account being compromised, and along with it, the protected health information of 3,200 patients.
The employee did not reveal their email credentials in that case, at least not directly. Instead, the response to the email resulted in a malware installation that gave the attacker access to the email account.
Phishing attacks on healthcare organizations are to be expected. OCR is aware that it may not be possible to prevent 100% of phishing attacks, 100% of the time. Not all phishing attacks on healthcare organizations will therefore result in a HIPAA fine. However, failing to reduce risk to an acceptable level is another matter. If healthcare organizations do not do enough to prevent phishing attacks, fines are likely to result.
So, how can phishing attacks on healthcare organizations be prevented and what can healthcare organizations do to reduce risk to a level that will be deemed acceptable by OCR?
The HIPAA Security Rule requires protections to be put in place to safeguard the confidentiality, integrity, and availability of PHI. While the Security Rule does not specify exactly which security solutions should be used, there are two essential anti-phishing controls that should be employed.
A spam filtering solution should be used to prevent phishing and other malicious emails from being delivered to end users’ inboxes. It would be hard to argue that the threat from phishing has been reduced to an acceptable level if no controls are in place to block phishing emails from being delivered.
Healthcare employees must also receive security awareness training. All employees should be informed of the risk of phishing and the methods used by cybercriminals to gain access to computers and data. They should be taught best practices and shown how to identify phishing emails and other malicious email threats. By blocking phishing emails and training end users, the risk from phishing can be significantly reduced.
Cybercriminals have started sending WannaCry phishing emails, taking advantage of the fear surrounding the global network worm attacks.
An email campaign has been identified in the United Kingdom, with BT customers being targeted. The attackers have spoofed BT domains and made their WannaCry phishing emails look extremely realistic. BT branding is used, the emails are well written and they claim to have been sent from Libby Barr, Managing Director, Customer Care at BT. A quick check of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are convincing, cleverly put together, and are likely to fool many customers.
The emails claim that BT is working on improving its security in the wake of the massive ransomware campaign that affected more than 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were affected by the incident and had data encrypted and services majorly disrupted by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have caused.
The WannaCry phishing emails provide a very good reason for taking prompt action. BT is offering a security upgrade to prevent its customers from being affected by the attacks. The emails claim that in order to keep customers’ sensitive information secure, access to certain features have been disabled on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by clicking on the upgrade box contained in the email.
Of course, clicking on the link will not result in a security upgrade being applied. Customers are required to disclose their login credentials to the attackers.
Other WannaCry phishing emails are likely to be sent claiming to be from other broadband service providers. Similar campaigns could be used to silently download malware or ransomware.
Cybercriminals often take advantage of global news events that are attracting a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also rife during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news event.
The golden rule is never to click on links sent in email from individuals you do not know, be extremely careful about clicking links from people you do know, and assume that any email you receive could be a phishing email or other malicious message.
A single phishing email sent to an employee can result in a data breach, email or network compromise. It is therefore important for employers to take precautions. Employees should be provided with phishing awareness training and taught the tell-tale signs that emails are not genuine. It is also essential that an advanced spam filtering solution is employed to prevent the vast majority of phishing emails from reaching end users inboxes.
On that front, TitanHQ is here to help. Contact the team today to find out how SpamTitan can protect your business from phishing, malware and ransomware attacks.
A recent wave of DocuSign phishing emails has been linked to a data breach at the digital signature technology provider. A hacker gained access to a ‘non-core’ system that was used to send communications to users via email and stole users’ email addresses.
DocuSign reports that the peripheral system was compromised and only email addresses were accessed and stolen. No other data has been compromised as a result of the cyberattack. The data breach only affected DocuSign account holders, not registered users of eSignature.
It is currently unclear exactly how many email addresses were stolen, although the DocuSign website indicates the firm has more than 200 million users.
The attacker used customers’ email addresses to send specially crafted DocuSign phishing emails. The emails containing links to documents requiring a signature. The purpose of the emails was to fool recipients into downloading a document containing a malicious macro designed to infect computers with malware.
As is typical in phishing attacks, the DocuSign phishing emails appeared official with official branding in the headers and email body. The subject lines of the email were also typical of recent phishing campaigns, referring to invoices and wire transfer instructions.
The san Francisco based firm has been tracking the phishing emails and reports there are two main variations with the subject lines: “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature,” or “Completed *company name* – Accounting Invoice *number* Document Ready for Signature.”
The emails have been sent from a domain not linked to DocuSign – a sign that the emails are not genuine. However, due to the realism of the emails, many end users may end up clicking the link, downloading the document and infecting their computers.
Recipients are more likely to click on links and open infected email attachments if they relate to a service that the recipient uses. Since DocuSign is used by many business users, there is a significant threat of a network compromise if end users open the emails and follow the instructions provided by the threat actors.
Businesses can reduce the risk of malicious emails reaching end users inboxes by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam emails and 100% of known malware using dual antivirus engines for maximum protection.
To find out more about SpamTitan and other antimalware controls to protect your business, contact the TitanHQ team today.
A new email-borne threat has recently been discovered. Fatboy ransomware is a new ransomware-as-a-service (RaaS) being offered on darknet forums in Russia. The RaaS offers would-be cybercriminals the opportunity to conduct ransomware campaigns without having to develop their own malicious code.
RaaS has proven incredibly popular. By offering RaaS, malicious code authors can infect more end users by increasing the number of individuals distributing the ransomware. In the case of Fatboy ransomware, the code author is offering limited partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.
Fatboy ransomware encrypts files using AES-256, generating an individual key for the files and then encrypting those keys using RSA-2048. A separate bitcoin wallet is used for each client and a promise is made to transfer funds to the affiliates as soon as the money is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is thought that the code author is trying to earn trust and maximize the appeal of the service.
Further, the ransomware interface has been translated into 12 languages, allowing campaigns to be conducted in many countries around the world. Many RaaS offerings are limited geographically by language.
Fatboy ransomware also has an interesting new feature that is intended to maximize the chance of the victim paying the ransom demand. This RaaS allows attackers to set the ransom payment automatically based on the victim’s location. In locations with a high standard of living, the ransom payment will be higher and vice versa.
To determine the cost of living, Fatboy ransomware uses the Big Mac Index. The Big Mac Index was developed by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the cost of a product in each country should be the same. The product chosen was a Big Mac. In short, the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand will be.
So far, Recorded Future – the firm that discovered the ransomware variant – says the code author has generated around $5,000 in ransom payments since February. That total is likely to rise considerably as more affiliates come on board and more end users are infected. There is no known decryptor for Fatboy ransomware at this time.
New ransomware variants are constantly being developed and RaaS allows many more individuals to conduct ransomware campaigns. Unsurprisingly, the number of ransomware attacks has grown.
The cost of resolving a ransomware infection can be considerable. Businesses therefore need to ensure they have defenses in place to block attacks and ensure they can recover fast.
Backups need to be made regularly to ensure files can be easily recovered. Staff need to be trained on security best practices to prevent them inadvertently installing ransomware. Antispam solutions should also be implemented to prevent malicious emails from reaching end users’ inboxes. Fortunately, even with a predicted increase in ransomware attacks, businesses can effectively mitigate risk if appropriate defenses are implemented.
For advice on security solutions that can block ransomware attacks, contact the TitanHQ team today.
The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.
The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.
In contrast to phishing scams where the attacker makes emails appear as if they have come from within the company by spoofing an email address, business email compromise scams require a corporate email account to be accessed by the attackers.
Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers, issuing other payments, or an individual that has access to employees PII/W-2 forms and requests a bank transfer or sensitive data.
The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.
Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.
Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.
Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.
IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.
Between January 2015 and December 2016, IC3 notes there was a 2,370% increase in BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says transfers have been made to 103 countries in the past two years.
The losses reported by businesses are staggering. Between October 2013 and December 2016, more than $5 billion has been obtained by cybercriminals. United States businesses have lost $1,594,503,669 in more than 22,000 successful scams. The average loss is $71,528.
IC3 lists the five most common types of business email compromise scams as:
- Businesses receiving requests from frequently used suppliers requesting transfers be made to a new bank account.This is also known as a bogus invoice scam.
- An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
- A compromised email account is used to send a payment request/invoice to a vendor in the employees contact list.
- The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
- A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.
There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.
- Using a domain-based email account rather than a web-based account for business email accounts
- Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
- Implement a two-step verification process to validate all transfer requests
- Use two-factor authentication for corporate email accounts
- Never respond to an email using the reply option. Always use forward and type in the address manually
- Register all domains that are similar to the main domain used by the company
- Use intrusion detection systems and spam filters that quarantine or flag emails that have been sent with extensions similar to those used by the company – Blocking emails sent from xxx_company.com if the company uses xxx-company.com for example
- Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers
A Google phishing scam has been spreading like wildfire over the past couple of days. Emails have been sent in the millions inviting people to edit Google Docs files. The emails appear to have been sent by known individuals, increasing the likelihood of the messages being opened and the links being clicked.
In contrast to many email scams that include a link to a spoofed website, this scam directs the recipient to Google Docs. When the user arrives at the site they will be presented with a legitimate Google sign-in screen.
The Google phishing scam works within the Google platform, taking advantage of the fact that individuals can create a third-party app and give it a misleading name. In this case, the app has been named ‘Google Docs.’
This makes it appear that Google Docs is asking for permission to read, send, delete, and manage emails and access the user’s contacts. However, it is the creator of the app that is asking to be granted those permissions. If users check the developer name, they will see that all is not as it seems. Many individuals will not check, since the permission screen also includes Google logos.
Signing in will give the attacker access to the user’s Google account, including their emails, Google Docs files, and contact list. Further, signing in on the website will also result in the victim’s contact list being sent similar invitations. Unsurprisingly, many have fallen for the Google phishing scam and countless emails are still circulating.
The scam appears to have started at some point on Wednesday. Google has now issued an official statement saying it is taking action to protect users and has disabled the accounts that are being used to conduct the scam.
Google confirmed the actions it has taken in response to the phishing scam, saying “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Anyone who receives a request to edit a Google Doc should treat the request with suspicion, even if it has been sent from someone known to the recipient.
If you think you may have fallen for this phishing scam it is likely that emails will already have been generated and sent to your contacts. However, you can take action to block the threat by revoking the access rights you have given to the app through the Connected Apps and Sites page.
The Google phishing scam is highly convincing and clearly shows how sophisticated cybercriminals are getting in their attempts to gain access to sensitive information and why it is imperative that email users be permanently on their guard.
Training employees on basic cybersecurity is essential. Conventional cybersecurity solutions such as antivirus software are no longer as effective at blocking threats as they once were and employees are targeted by cybercriminals.
Cybercriminals are well aware that employees are easy to fool. Social engineering techniques are used to create highly convincing phishing scams. Those emails contain images of well-known brands and text that would not look out of place in an official communication. Believable reasons are given for the need to disclose login credentials, click on hyperlinks or open email attachments. The emails are effective.
Email is now the number one attack vector for cybercriminals and the biggest cybersecurity threat for businesses.
Employees Still Lack Security Awareness
Even though the threat from phishing has been widely reported in the media, many employees still take major security risks at work.
A recent survey conducted by Glassdoor on UK office workers highlights how serious the risk of email cyberattacks is. 1,000 office workers from mid to large-sized businesses in the UK were asked questions about cybersecurity. 58% of respondents said they usually opened email attachments sent from unknown individuals.
Cybercriminals often mask email addresses to make the emails appear as if they have been sent from someone in the recipient’s contact list. Those tactics are even more effective at getting an end user to take the desired action – clicking on a hyperlink or opening an email attachment. The former directs the end user to a malicious website where malware is silently downloaded. Opening the email attachment results in code being run that downloads a malicious payload.
When asked how often email attachments from known senders were opened, 83% of respondents said they always or usually opened email attachments. Office workers were also asked whether their organization had experienced a cyberattack. 34% of respondents said it had.
How often are malicious emails getting past organizations security defenses? 76% of respondents said suspicious emails had been sent to their work email inboxes.
The survey suggests cybersecurity training is either not being conducted or that it is in effective and email security solutions are not in place or have not been configured correctly.
20% of respondents said their organization had no policy on email attachments, or if it did, it had not been communicated to them. 58% said they would feel much safer if their organization had the appropriate technology in place to protect them from email attacks.
How to Improve Defenses Against Email Attacks
Organizations must ensure appropriate technology is in place to block malicious emails and that employee cybersecurity training programs are developed to raise awareness of the risks of cyberattacks via email.
Policies should be developed – and communicated to staff – covering email attachments and hyperlinks. If staff are unaware of the risks, they cannot be expected to be able to identify an email as suspicious and take the appropriate action. It must also be made clear to employees what actions should be taken if suspicious emails are received.
Cybersecurity training programs should also be evaluated. If those programs are not tested, employers will not know how effective their training is. Sending dummy phishing emails is a good way to determine whether training programs are effective.
A powerful spam filtering and anti-phishing solution should also be employed to prevent malicious emails from reaching end users’ inboxes. SpamTitan, for instance, is an advanced antispam solution for SMEs that blocks over 99.7% of spam emails and 100% of known malware. By preventing malicious emails from reaching end users’ inboxes, employee cybersecurity training will not be put to the test.
In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.
Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems. Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.
Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.
No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.
Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.
Recent Phishing Attacks on Schools, Colleges, and Universities
Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.
Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.
This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.
Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.
Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.
How to Improve Defenses Against Phishing Attacks
Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.
An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.
It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters can be configured to block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.
Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.
IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.
Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.
If you would like further information on the range of cybersecurity protections that can be put in place to prevent phishing attacks on schools and other educational institutions, call TitanHQ today for an informal chat.
A phishing attack on a HIPAA-covered entity has resulted in a $400,000 penalty for non-compliance with HIPAA Rules. This is not the first time a phishing attack has attracted a penalty from OCR for non-compliance.
The failure to prevent phishing attacks does not necessarily warrant a HIPAA penalty, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in hot water.
HIPAA Compliance and Phishing
The U.S. Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing Health Insurance Portability and Accountability Act Rules. While OCR conducts audits of covered entities to identify aspects of HIPAA Rules that are proving problematic for covered entities, to date, no financial penalties have been issued as a result of HIPAA violations discovered during compliance audits. The same is certainly not the case when it comes to investigations of data breaches.
OCR investigates each and every data breach that impacts more than 500 individuals. Those investigations often result in the discovery of violations of HIPAA Rules. Any HIPAA-covered entity that experiences a phishing attack that results in the exposure of patients’ or health plan members’ protected health information could have historic HIPAA violations uncovered. A single phishing attack that is not thwarted could therefore end up in a considerable fine for non-compliance.
What HIPAA Rules cover phishing? While there is no specific mention of phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative requirements of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate training to staff members. §164.308.(a).(5).(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be ignored.
These administrative requirements include the issuing of security reminders, protection from malicious software, password management and login monitoring. Employees should also be taught how to identify potential phishing emails and told about the correct response when such an email is received.
The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures should be employed to protect ePHI. Since ePHI is often available through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.
Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cytberattacks – PhishMe reports 91% of cyberattacks start with a phishing email – a spam filtering solution can be classed as an essential security control.
The risk from phishing should be highlighted during a risk analysis: A required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of a covered entity’s security management process.
HIPAA Penalties for Phishing Attacks
OCR has recently agreed to a settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, Colorado following a phishing attack that occurred in December 2011. The attack allowed the attacker to gain access to the organization’s email accounts after employees responded by providing their credentials. The ePHI of 3,200 individuals was contained in those email accounts.
The fine was not exactly for failing to prevent the attack, but for not doing enough to manage security risks. MCPN had failed to conduct a risk analysis prior to the attack taking place and had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR settled with MCPN for $400,000.
In 2015, another covered entity ended up settling with OCR to resolve violations of HIPAA Rules following a phishing attack. University of Washington Medicine paid OCR $750,000 following the exposure of 90,000 individual’s ePHI. In that case, the phishing attack allowed attackers to install malware. OCR Director at the time, Jocelyn Samuels, pointed out “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” She also said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”
Covered entities are not expected to prevent all phishing attacks, but they must ensure the risk of phishing has been identified and measures put in place to prevent phishing attacks from resulting in the exposure of theft of ePHI. If not, a HIPAA fine may be issued.
The Solicitors Regulation Authority in the United Kingdom has recently issued a warning about law firm email scams following a sharp rise in law firm cyberattacks.
According to SRA figures, almost 500 UK law firms have been targeted by cybercriminals. One of the most common law firm email scams seen in recent weeks involves an attacker sending an email to a solicitor pretending to be a new client. While the attacker could claim to have any number of legal problems in the initial email, one of the favored themes is a property or business that is about to be purchased or sold.
Legal services are requested and, when the solicitor replies, the attacker sends an email containing a malicious email attachment. The email attachment does not contain the malware, instead a malicious macro is embedded in the document. A believable explanation for the inclusion of the macro is provided in the document to allay suspicion. If the macro is enabled, a script is run that downloads the malicious payload. The download occurs silently so the solicitor is unlikely to be aware that their computer has been infected.
The malware then collects and exfiltrates sensitive data, or provides access to the solicitor’s computer allowing the attacker to search for any useful data. Keyloggers can also be installed to log keystrokes on the infected computer and collect login information for email and bank accounts.
The SRA has emphasized there is a high risk of attack, suggesting UK solicitors should treat cybercrime as a priority risk. Action should be taken promptly to mitigate the risk and ensure that the firm’s data are secured. The SRA warns that a cyberattack can cause considerable damage to a firm’s reputation and could result in significant harm to clients. Clients and the law firm can suffer considerable financial losses as a result of these scams.
Not all cyberattacks on law firms involve malware. Phishing is also a major risk. Many law firm email scams attempt to get solicitors to reveal sensitive information such as login credentials, passwords, or other confidential information. These law firm email scams are not easy to identify. Cybercriminals invest considerable time and effort into building up relationships with solicitors via email or over the telephone to build trust. Once a personal relationship has been established it is far easier for the scammers to fool solicitors into revealing sensitive information.
The seriousness of the threat is clear from the reports of cybercrime received by the SRA from solicitors over the past year. The SRA says more than £7 million of clients’ money has been stolen from solicitors in 2016.
The advice to law firms on reducing cybersecurity risk is:
- Make sure all data are backed up and stored securely on a drive that is not connected to a computer
- Make use of secure cloud services for storing sensitive data and accessing and processing information
- Keep software up to date. Patches and software/system updates should be applied promptly
- Solicitors should consider using encryption services for all stored data, especially on mobile devices
- Antivirus and antimalware systems should be installed and set to update definitions automatically. Regular scans of systems should also be scheduled.
As an additional protection against law firm email scams, solicitors should implement an advanced antispam solution to prevent phishing and other malicious emails from being delivered.
To protect against malicious links and redirects from malvertising, solicitors should consider implementing a web filtering solution. A web filter can be used to block visits to webpages known to contain malware.
Spammers and scammers are constantly updating their malware distribution tactics to ensure their malicious payloads are delivered to unsuspecting end users. However, Microsoft has spotted a major change to malware distribution tactics used by cybercriminals. The change has prompted the software giant to issue a new warning.
Malware, including ransomware, is commonly distributed via spam email. Links to malicious websites are used in an attempt to bypass spam filter controls; however, malicious attachments are the delivery mechanism of choice for many cybercriminal gangs. Malicious links are commonly blocked by web filtering solutions – WebTitan for example prevents all users from visiting websites known to be malicious.
To bypass spam filter controls, attachments rarely include the actual malware or ransomware files, instead the files contain scripts that download the malicious payload.
Due to the ease at which these malicious downloaders are being identified, malware distribution tactics have been changed. Rather than use these suspect files, cybercriminals have switched to file types that are less obviously malicious. Microsoft has noticed a trend for using LNK files and SVG files containing malicious PowerShell scripts.
LNK files are Windows shortcut files which usually point to some form of executable file. SVG (Scalable Vector Graphics) files are image files, and are much more innocuous. These files are typically opened with image software such as Adobe Creative Suite or Illustrator. Double clicking on these malicious LNK and SVG files will launch PowerShell scripts that download malware or ransomware.
Protecting against these types of attacks may seem fairly straightforward. It is possible, for example, to set restrictions on PowerShell commands to prevent them from running. However, even with restrictions in place, those policies can be easily bypassed. Intel Security has recently explained one such method: “PowerShell’s Get-Content can access the content of a .ps2 malware script and pass it to Invoke-Expression (iex) for execution.”
A W-2 Form phishing scam that has been extensively used to con businesses out of the tax information of their employees is now being used on educational institutions. School districts need to be on high alert as cybercriminals have them fixed in their cross-hairs.
Over the past few weeks, many school districts have fallen victim to the scammers and have disclosed the W-2 Form data of employees. Teachers, teaching assistants, and other members of school staff have had their Social Security numbers and earnings information sent to fraudsters. The data are used to file fraudulent tax returns in victims’ names.
At face value, the W-2 Form phishing scam is one of the simplest con-tricks used by cybercriminals. It involves sending an email to a member of the HR or payroll team asking for the W-2 Forms of all employees to be sent via email. Why would any employee send this highly sensitive data? Because the email appears to have been sent from individuals within the school district who have a genuine need for the information. This is why the W-2 Form phishing scam is so effective. In many cases, suspicions are not aroused for a number of days after the emails have been sent. By that time, fraudulent tax returns may have been filed in the names of all of the victims.
It is unknown how many school districts have been targeted to date with this W-2 Form phishing scam, although 10 school districts in the United States have announced that their employees have fallen for the scam this year and have emailed W-2 Form data to the attackers. In total, 23 organizations have announced that an employee has fallen for a W-2 Form phishing scam in 2017, and at least 145 organizations fell for similar scams last year.
Due to the number of attacks, the IRS issued a warning in early 2016 to alert all organizations to the threat. The increase in attacks in 2017 has prompted the IRS to issue a warning once again. While corporations are at risk, the IRS has issued a warning specifically mentioning school districts, as well as non-profits and tribal organizations.
The IRS warning explains how cybercriminals have started even earlier this year. While the W-2 Form phishing scam emerged last year, many attacks occurred relatively late in the tax season. Cybercriminals are attempting to get the data sooner this year. The sooner a fake tax return is filed, the greater the chance that a refund will be issued.
A variety of spoofing techniques are employed to make the email appear like it has come from the email account of an executive or other individual high up in the organization. In some cases, criminals have first compromised the email account of a board member, making the scam harder to identify.
This year has also seen a new twist to the scam with victims targeted twice. In addition to the W-2 Form scam, the victims are also subjected to a wire transfer scam. After W-2 Forms have been sent, a wire transfer request is made to the payroll department. Some organizations have been hit with both scams and have disclosed employees’ tax information and then made a wire transfer of several thousand dollars to the same attackers.
Protecting against these scams requires a combination of technology, training and policy/procedural updates. The first step for all organizations – including school districts – is to send an email to all HR and payroll staff warning them about these phishing scams. Staff must be made aware of the scam and told to be vigilant.
Policies and procedures should be updated requiring payroll and HR staff to authenticate any email request for W-2 Form data by telephone prior to sending the information.
An advanced spam filter – such as SpamTitan – can also greatly reduce the risk of W-2 Form scam emails being delivered to end users’ inboxes. Blocking suspicious emails will reduce reliance on training and user awareness of these scams. The spam filter will also be effective at blocking further scams and other malicious emails from being delivered.
Research conducted by the anti-phishing training company PhishMe has shown a worrying increase in phishing attacks in 2016 and has highlighted the importance of taking steps to reduce the risk of spear phishing attacks.
Unfortunately, cybercriminals are becoming much more adept at crafting highly convincing spear phishing campaigns. A wide range of social engineering techniques are used to fool employees into responding to the emails and the campaigns are becoming much harder to identify.
Unfortunately responding to these emails can result in email and network credentials being compromised, malware and ransomware being installed on corporate networks, and sensitive data being emailed to the attackers.
The study of phishing attacks in 2016 showed attacks increased by 55% year on year. PhishMe research shows that out of the successful data breaches in 2016, 90% started with a spear phishing email.
In 2016, business email compromise attacks rose by an incredible 1300%, while ransomware attacks increased 400%. Cybercriminals are attacking companies with a vigor never before seen and unfortunately many of those attacks have been successful.
The figures from the U.S. Department of Health and Human Services’ Office for Civil Rights – which tracks U.S. healthcare data breaches – show that 2016 was the worst ever year on record for healthcare data breaches. At least 323 breaches of more than 500 records occurred in 2016. Undoubtedly many more breaches have yet to be discovered.
Cybercriminals and hackers have employees firmly in their crosshairs. Unfortunately, employees are easy targets. A recent survey conducted by cybersecurity firm Avecto showed that 65% of employees are now wary about clicking on links emailed to them by strangers. Alarmingly, that means 35% are not.
The same survey showed that 68% of respondents have no concerns about clicking on links sent by their friends and colleagues. Given the extent to which email addresses and passwords have been compromised in the last year, this is incredibly worrying. 1 billion Yahoo accounts were breached and 117 million email addresses were compromised as a result of the LinkedIn breach. Gaining access to email accounts is not a problem for cybercriminals. If those accounts are used to send spear-phishing emails, the chance of links being clicked are very high. Unfortunately, all it takes is for one email account to be compromised for access to a network to be gained.
The risk of spear phishing attacks was clearly demonstrated in 2015 when the largest ever healthcare data breach was discovered. 78.8-million health plan members’ records were stolen from Anthem Inc. That breach occurred as a result of an employee of one of the insurer’s subsidiaries responding to a spear phishing email.
Anthem Inc., is the second largest health insurer in the United States and the company spends many tens of millions of highly complex cybersecurity defenses. Those multi-million dollar defenses were undone with a single email.
Organizations must take steps to reduce the risk of speak phishing attacks. Unfortunately, there is no single solution to eradicate risk. A multi-layered defense strategy is required.
An advanced anti-spam solution is essential to prevent the vast majority of spam and phishing emails from being delivered to end users. SpamTitan for example, blocks 99.97% of spam email and 100% of known malware.
Employees must be trained and their training must be tested with phishing exercises. Practice really does make perfect when it comes to identifying email scams. Endpoint defenses should also be employed, along with anti-virus and antimalware software.
The risk of spear phishing attacks will increase again in 2017. Doing nothing to improve cybersecurity defenses and combat the spear phishing risk could prove to be a very costly mistake.
All antispam solutions and spam filters check inbound messages for common spam signatures; however, it is also important to choose a solution that performs outbound email scanning. Outbound email scanning ensures spam emails, or emails containing malware, are not sent from an organization’s email accounts or domains.
Your employees would be unlikely to knowingly use their corporate email accounts to send spam emails, but malware infections can allow cybercriminals to gain access to email accounts and use them to send high volumes of spam email messages. Cybercriminals could also compromise email accounts and use an organization’s domain to send malware and ransomware to clients and customers.
Should this happen, it can have a seriously detrimental effect on an organization’s reputation and may result in corporate email accounts or an entire domain being blacklisted.
Blacklists are maintained by a number of organizations – spamhaus.org for example. Internet Service Providers (ISPs), web servers, and antispam solutions check these blacklists before allowing emails to be delivered to end users. If a particular IP address, email account, or domain is listed in one of the blacklist databases, emails sent from the domain, IP address or email account will not be delivered.
Blacklists are updated in real-time and contain many millions of blocked domains and email addresses that have been reported as having been used for unwanted activity such as the sending of spam emails. If emails are sent from a blacklisted account, domain, or IP address those emails will either be directed to a quarantine folder, deleted, or will simply be rejected.
If a business has its domain added to a spam blacklist important emails to clients and customers will not get through. This can prove costly, as real estate firm Keller Williams has recently discovered.
Blacklisted Domains and Email Accounts Can Prove Costly for Businesses
Over the past few days, email messages sent from the kw.com domain used by Keller Williams have been rejected by AOL. Yahoo has been blocking emails from the kw.com account for some time. The problem appears to be the addition of the kw.com domain to spam blacklists.
If a Keller Williams real estate agent needs to send an email to a customer who has an AOL or Yahoo account, it will not be delivered. Agents have therefore been forced to get customers to open Google email accounts in order to send online paperwork or documents requiring e-signatures.
The issue also affects online paperwork sent via the transaction management software program Ziplogix, with one Keller Williams agent also claiming Dotloop is also affected. Some agents at Keller Williams have reportedly had to send important paperwork for listings and sales via personal email accounts to ensure emails are delivered.
The AOL website explains that when domains have been flagged as being abusive, the server will be temporarily blocked until the spamming stops. Until a domain is removed from its blacklist, AOL account holders will be prevented from receiving emails from the blocked domain. Removing the domain from the blacklist can take up to a week.
Removing a domain from the 80+ commonly used spam blacklists can be a time-consuming task; furthermore, if spam emails are sent from the account again, the domain will simply be added to the blacklists once more.
Outbound Email Scanning Prevents the Blacklisting of an Organization’s Domain
Unlike many third-party antispam solutions, SpamTitan checks incoming email messages for spam signatures as well as performing outbound email scanning. If an email account has been compromised and is being used to send spam emails, if malware is sending spam, those messages will be blocked and will not be sent. Outbound email scanning is an important protection that will prevent an organization’s domain or email accounts from being used to send spam or malware.
Organizations can therefore avoid the embarrassment and reputation damage that results from being suspected as engaging in spamming or malware delivery. They can also rest assured that in addition to blocking 99.97% of inbound email spam, their domains and email accounts will not be added to spam blacklists.
The Federal Trade Commission (FTC) in the United States has responded to the current ransomware epidemic by issuing ransomware advice for businesses and consumers. The FTC ransomware advice for businesses comes following a spate of high profile ransomware attacks on U.S businesses. The threat has prompted many U.S. government agencies to release ransomware advice for businesses in the past few months.
Ransomware is a form of malware that encrypts files on a victim’s computer and prevents them from being accessed. After a computer is infected, the attackers issue a ransom demand. In order to obtain the key to unlock the encryption the victim is required to pay a ransom. The ransom amount can be set by the attackers, although it is often around $500 per infected computer.
Ransomware has proved incredibly popular with cybercriminals as it offers a quick source of revenue. Since payment is made in an anonymous cryptocurrency such as Bitcoin, money can be collected without fear of being caught.
The scale of the problem has been shown by numerous reports by security firms. This month, SentinelOne released the results of a global survey that showed 48% of organizations had experienced at least one ransomware attack in the past 12 months. The companies that had been attacked had been forced to deal with an average of 6 ransomware incidents in the past year.
A report released by Beazley’s Breach Response Unit suggests ransomware attacks between January and September were four times higher than in 2015, while a report from Kaspersky Lab suggests there has been an eightfold increase in attacks in the past year.
Ransomware is installed via a number of different attack vectors. Ransomware gangs use exploit kits on websites that probe for vulnerabilities in browsers. Those vulnerabilities are leveraged to download ransomware. Malvertising is also used. This is the use of third party ad networks to spread malware. Adverts are created containing malicious code which directs users to websites that silently download ransomware. Ransomware downloaders were also allegedly sent out via Facebook Messenger this week.
While not all ransomware attacks result in files being encrypted, attacks carry a significant cost. SentinelOne suggests that in the United States, organizations spend an average of 38 man-hours restoring files from backups after a ransomware attack. Additional investment in security is also required after an attack.
Since ransomware can spread laterally across a network, a single infection can result in many computers being infected. Ransom demands of the order of tens of thousands of dollars are not uncommon. The recent ransomware attack on the San Francisco ‘Muni’ rail system saw a ransom demand of $73,000 issued.
Ransomware Advice for Businesses
Unfortunately, antivirus software can be ineffective at preventing ransomware attacks. Businesses looking to defend against ransomware must therefore use a range of techniques. These include:
- Ensuring all software is kept up to date and patches applied promptly
- Setting antivirus and antimalware programs to update definitions automatically
- Use endpoint security controls to prevent ransomware installations
- Implement a robust spam filter to prevent malicious emails from being delivered to end users
- Use a web filtering solution to prevent employees from visiting malicious websites and to monitor users’ online activities to identify high risk activities
- Use intrusion prevention software
- Train the workforce on security best practices and test knowledge to ensure training has been effective
- Ensure all members of staff are aware who to contact and what to do if they believe they have inadvertently installed malicious software
To avoid paying a ransom, it is essential to ensure that regular backups of data are performed. Multiple backups should be made to minimize the risk of data loss. Those backups should be stored on an air-gapped device to avoid backup files also being encrypted. A ransomware response plan should also be developed to reduce disruption to the business in the event of an attack.
Knowing how to avoid email server blacklisting is vitally important for any organization that relies on email as a channel of communication. The consequences of your email server being blacklisted can be costly, inconvenient, and potentially damaging to your organization´s credibility.
To best understand what email server blacklisting might mean to your organization, it is ideal to have a little knowledge about how email server filters work. Consequently we have divided this post into three sections explaining a little about email server filters, what may cause your email server to be blacklisted, and how to avoid email server blacklisting.
A Little about Email Server Filters
Email server filters do not actually filter your incoming emails at server level. They protect your organization from spam emails and other email-borne threats from the cloud or as a virtual appliance installed between your firewall and your email server. The distinction between the two types of filter is that virtual appliances can be more appropriate for some larger organizations.
Regardless of how they are deployed, email filters effectively work in the same way – using fast front-end tests to detect and reject the majority of spam emails before a deeper analysis is conducted of the email that remains. One of these front-end tests is a comparison of each email against a list of known sources of spam. This list is known as the Realtime Block List or RBL.
If your organization´s IP address appears on this list, all of your emails will be rejected by most email filters until the IP address is removed from the list – something that can take anything from 24 hours to six months to resolve completely. During this time you will have to ask your customers and other contacts to add your email address to a safe list or “whitelist”.
Why Was My Email Server Blacklisted?
There are several reasons why an email address (or IP address) can be blacklisted, and it is important to find out the exact reason(s) before trying to get your organization´s IP address removed from the Realtime Block List. If you fail to identify the cause, and fail to take steps to avoid email server blacklisting in the future, it can be much tougher to get un-blacklisted second time around.
Blacklisting typically occurs for one of several reasons:
- Your system has been infected with a spambot that has created multiple email accounts within your organization´s domain and is using those accounts to send out spam email.
- Someone in your organization may have revealed their login credentials and a spammer is using that information to send spam emails from the end-user´s email account.
- Emails sent innocently from one or more end-user accounts have had a high proportion of spam-related keywords, or have had infected files attached to them.
The last scenario is entirely possible if an end-user has prepared a presentation or spreadsheet on an infected home computer and bought the infected file into the workplace on a flash drive. Most email filters have antivirus software for identifying malware in attachments. If the infected attachment is sent to multiple recipients – and identified by multiple email filters – your organization´s IP address will quickly be blacklisted.
How to Avoid Email Server Blacklisting
Ideally, organizations should be able to avoid email server blacklisting by having robust antivirus protection and educating their end-users about online security. There should also be an email usage policy in place that would avoid email server blacklisting due to inappropriate content or unsafe attachments – even when these events occur inadvertently.
Unfortunately end-users are the weakest link in the security chain, and it only takes one end-user to click on a malicious URL or reveal their login credentials for an organization´s IP address to be blacklisted. In fact, if blacklisting is the worse consequence of a security breach, your organization has got off lightly and should consider itself lucky that the consequences were not far more serious.
Consequently, the best way how to avoid email server blacklisting is with an email filter that has malicious URL blocking to prevent end-users visiting malware-infested websites, with phishing protection to reject emails directing an end-user to fake website, and outbound scanning to identify potential spam and infections contained in – or attached to – outgoing emails.
Avoid Email Server Blacklisting with SpamTitan
Not all email filtering solutions have mechanisms to avoid email server blacklisting. However, SpamTitan has taken these factors into account in the design of SpamTitan Cloud and SpamTitan Gateway. Both of our solutions for email filtering use “URIBL” and “SURBL” protocols to compare links contained within inbound emails and their attachments against a global blacklist of known malicious and phishing sites.
The same protocols – along with several other mechanisms – are used in the scanning of outbound mail to ensure it is clear of viruses and could not be interpreted as having spammy content. Outbound scanning would also identify spam emails originating from a spambot or a compromised email account in order to prevent it from being sent and avoid email server blacklisting.
Naturally, you do not want your end-users to be under the impression that their emails have been sent when they are caught by the outbound filter. So SpamTitan Cloud and SpamTitan Gateway have comprehensive reporting features that advise of any problems in order that the problems can be rectified quickly and effectively – certainly more quickly than trying to get your organization´s IP address removed from a Realtime Block List.
The FBI issued a new public service announcement which includes new business email compromise scam data. The new data indicates U.S. businesses have lost almost $960 million to business email compromise scams in the past three years, and the total losses from these scams is now almost $3.1 billion.
What is a Business Email Compromise Scam?
A business email compromise scam is a sophisticated attack on a company by scammers that attempt to trick individuals into wiring funds from corporate accounts to the bank accounts of the attackers. Businesses most commonly targeted are those that frequently make foreign transfers to international companies. The attackers must first gain access the email account of the CEO or another high level executive. Then an email is sent from that account to an individual in the accounts department requesting a bank transfer be made. Occasionally the scammer asks for checks to be sent, depending on which method the targeted organization most commonly uses to make payments.
A business email compromise scam does not necessarily require access to a corporate email account to be gained. Attackers can purchase an almost identical domain to that used by the targeted company. They then set up an email account in the name of the CEO using the same format as that used by the company. This can be enough to fool accounts department workers into making the transfer. Business email compromise scams use a variety of social engineering techniques to convince the targeted accounts department employee to make the transfer.
Business Email Compromise Scams are a Growing Problem
The FBI has previously warned businesses of the growing risk of business email compromise scams. In April this year, the FBI Phoenix Office issued a warning about a dramatic rise in BEC attacks. The data showed that between October 2013 and February 2016 there had been at least 17,642 victims of BEC attacks in the United States, and the losses had reached $2.3 billion.
New data from the FBI suggest that the problem is far worse. The FBI has now incorporated business email compromise scam data from the Internet Crime Complaint Center (IC3). 22,143 reports have now been received from business email compromise scam victims, which correspond to losses of $3,086,250,090.
Between October 2013 and May 2016, there have been 15,668 domestic and international victims, and losses of $1,053,849,635 have been reported. In the U.S. alone, there have been 14,032 victims. Since January 2015, there has been a 1,300% increase in losses as a result of BEC attacks. The majority of the funds have been wired to Asian bank accounts in China and Hong Kong.
The FBI warns of five scenarios that are used by criminals to commit fraud using BEC scams:
- Requests for W-2s or PII from the HR department – The data are used to file fraudulent tax returns in the names of employees
- Requests from foreign suppliers to wire money to new accounts – Attackers discover the name of a regular foreign supplier and send an email request for payment, including new bank details (their own).
- Request from the CEO for a new transfer – The CEO’s (or other executive) email account is compromised and a request for a new bank transfer is sent to an individual in the accounts department who is responsible for making bank transfers
- A personal email account of an employee of a business is compromised – That account is used to send payment requests to multiple vendors who have been identified from the employee’s contact list
- Impersonation of an attorney – Emails are sent from attackers claiming to be attorneys, or representatives of law firms, requesting urgent transfers of funds to pay for time-sensitive matters
To protect against BEC attacks, businesses are advised to use 2-factor authentication on all business bank transfers, in particular those that require payments to be sent overseas. Organizations should treat all bank transfer requests with suspicion if a request is sent via email and pressure is placed on an individual to act quickly and make the transfer.
The FBI recommends that businesses never use free web-based email accounts for business purposes. Organizations should also be careful about the information posted to social media accounts, in particular company information, job descriptions and duties, out of office details, and hierarchical information about the company.
A new report by anti-phishing training company PhishMe shows a marked rise in the volume of ransomware emails in March. The report shows that spam emails are now predominantly being used to deliver ransomware to unsuspecting victims. The spike in ransomware emails highlights how important it is to conduct anti-phishing training and to use anti-spam solutions to prevent the malicious file-encrypting software from being delivered to employee’s inboxes.
Spike in Ransomware Emails as Criminals Seek Easy Cash
Ransomware has been around for about a decade, yet it has not been favored by cybercriminals until recently. Throughout 2015, under 10% of phishing emails were being used to transmit ransomware. However, in December there was a major spike in ransomware emails, which accounted for 56% of all phishing emails in December. The upward trend has continued in 2016 and by March, 93% of phishing emails contained ransomware – or were used to infect users by directing them to malicious websites where drive-by downloads of the malicious software occurred.
Spam email volume has been in general decline, in no small part to the shutting down of major botnets in recent years. However, that does not mean that the threat of cyberattacks via email can be ignored. In fact, PhishMe’s figures show there has been a surge in the number of phishing emails being sent. In the first quarter of 2016, the number of detected phishing emails soared to 6.3 million, which represents a 789% increase from the volume captured in the last quarter of 2015.
Ransomware is increasingly being used by cybercriminals for a number of reasons. Ransomware is now easy to obtain and send out. Many ransomware authors offer ransomware-as-a-service to any criminal looking to make a quick buck. Not only can the ransomware be hired for next to nothing, instructions are supplied on how to use it and criminals are allowed to set their own ransoms and timescales for payment. All they need to do is pay a percentage of the ransoms they obtain to the authors.
What makes the use of ransomware even more attractive is the speed at which criminals can get paid. Time limits for paying ransoms are usually very short. Demands for payment within 48 hours are not uncommon. While phishing emails have commonly been used to obtain credit card details from victims, which then need to be sold on, criminals can run a ransomware campaign and rake in Bitcoin payments in just a few days.
The ransoms being demanded are also relatively low. This means that many individuals can afford to pay the ransom to obtain the decryption keys to unlock their files, and businesses are also likely to pay. The cost of recovering data and restoring systems, together with the lost revenue from the time that computer systems are down, is often less than the ransom being demanded.
Ransomware Is Becoming Much More Sophisticated
The latest forms of ransomware now being used – Locky, CryptXXX, TeslaCrypt, and Samas (Samsam) – are capable of spreading laterally. Not only can the ransomware infect files on a single computer, other networked computers can also be infected, as can network drives, servers, portable storage devices, and backup drives. Some forms are also capable of deleting Windows shadow copies and preventing the restoration of files from backups.
All that the criminals need is for one business computer to be infected in order to encrypt files throughout the network. That means only one end user needs to be fooled into opening an infected attachment or visiting a malicious webpage.
Ransomware emails often contain personal information to increase the likelihood of an individual clicking a malicious link or opening an infected attachment. Word files are now commonly being used to infect users. Embedded macros contain code that downloads the malicious payload.
The malicious software is sent out in spear phishing campaigns targeting one or two users in a company, such as accounts and billing department executives. Personal information is often used in the emails – names, addresses, and job titles for example – to increase the likelihood of attachments being opened and links being clicked.
As criminals get better at crafting phishing emails and the ransomware becomes more sophisticated, it is more important than ever to use anti-spam solutions such as SpamTitan to trap ransomware emails and prevent them from being delivered. SpamTitan traps 99.9% of spam emails, helping organizations protect their networks from ransomware attacks.
According to a recent report on spam email from anti-virus software developer Kaspersky Lab, the decline in spam email over the past few years appears to have reversed, with the first quarter of 2016 seeing a major increase in malicious spam email volume.
Major Increase in Malicious Spam Email Volume Reported by Kaspersky Lab
Over the past few years there has been a decline in the number of spam emails, as cybercriminals have sought other ways to deliver malware and defraud computer users. In 2015, the volume of spam emails being sent fell to a 12-year low. Spam email volume fell below 50% for the first time since 2003.
In June 2015, the volume of spam emails dropped to 49.7% and in July 2015 the figures fell further still to 46.4%, according to anti-virus software developer Symantec. The decline was attributed to the taking down of major botnets responsible for sending spam emails in the billions.
Malicious spam email volume has remained fairly constant during 2015. Between 3 million and 6 million malicious spam emails were detected by Kaspersky Lab throughout 2015; however, toward the end of the year, malicious spam email volume increased. That trend has continued in 2016.
Image source: Kasperky Lab
Wide Range of Malicious Files Being Sent in Spam Email
While it was common for virus-loaded executable files to be sent as email attachments, these are now commonly caught by email filters and are marked as spam. However, spammers have been developing new methods of getting past traditional webmail spam filters. The spam emails intercepted by Kaspersky Lab now contained a wide variety of malicious files.
One of the most common methods now used by spammers is to send office documents infected with malicious macros. Microsoft Word files with the extension DOC and DOCX are commonly used, as are rich text format files RTF, Adobe PDF files, and Microsoft Excel spreadsheets with the extensions XLS and XLSX.
These file formats are commonly opened as many end users are less suspicious of office documents than they are about ZIP, RAR, and EXE files. Most office workers would know not to open a EXE file that was emailed to them by a stranger, yet an office document – a file format they use on a daily basis – is less likely to arouse suspicion.
Instead of the emails containing the actual malware, virus, or ransomware payload, they contain Trojan downloaders that download JS scripts. Those scripts then perform the final stage of infection and download the actual malware or ransomware. This method of attack is used to bypass anti-virus protections.
Web Filters and Email Spam Filters Should be Used to Reduce the Risk of a Malware Infection
There has been an increase in drive-by downloads in recent years as attackers have lured victims to websites containing exploit kits that probe for vulnerabilities in browsers and browser plugins. Visitors are redirected to these malicious websites when visiting compromised webpages, via malvertising, and malicious social media posts. While drive-by downloads are still a major threat, the use of web filters and anti-virus software browser add-ons are blocking these malware downloads and malicious websites.
Email is still a highly effective way of getting past security defenses and getting end users to install malware on their devices. Carefully crafted emails that include unique text increase the likelihood of the scammers getting users to open malicious attachments. Oftentimes, the messages include personal information about the recipient such as their name or address. This has helped the spammers to get the victims to take the desired action and run malicious macros and install malware.
It may be too early to tell whether spam email volume has only temporarily spiked or if there is a reversal in the decline of spam, but organizations and individuals should remain vigilant. The increase in malicious spam email volume should not be ignored.
Staff members should receive regular training on how to identify malicious email messages and phishing scams. It is also a wise precaution to use a robust spam filter such as SpamTitan. SpamTitan blocks 99.97% of malicious spam email messages, dramatically reducing the probability of malware, ransomware, adware, and spyware being installed.