The main aim of our spam advice section is to keep you up to date with the latest news on new email spam campaigns, email-based threats and anti-spam solutions that can be deployed to block those threats.
Email spam is more than a nuisance. Even if the number of spam emails received by employees is relatively low, it can be a major drain on productivity, especially for organizations with hundreds or thousands of employees. This section includes articles offering advice on how to reclaim those lost hours by reducing the number of messages that are delivered to your employees’ inboxes.
However, far worse than the lost hours are the malware and ransomware threats that arrive via spam email. Email is now the number one attack vector used by cybercriminals to deliver malware and ransomware. Cybercriminals are now using increasingly sophisticated methods to bypass security solutions. Today’s spam emails use advanced social engineering techniques to fool end users into revealing login credentials and other sensitive information, and installing malicious software on their computers.
Considerable advances have also been made to malware and ransomware. Self-replicating worms are being used to infiltrate entire networks before ransomware attacks occur, maximizing the damage caused and the ransom payments that can be generated. The cost to industry is considerable. Last year ransomware attacks resulted in $1 billion in losses by businesses, with 2017 expected to see those losses rise to a staggering $4 billion. Blocking spam email messages from being delivered is therefore an essential element of any cybersecurity strategy.
Good spam advice can help organizations take action promptly to reduce the risk of email-based attacks. You will find a range of articles in this section on the latest spam email campaigns, data breaches that started with a phishing email and advice on mitigating the risk of phishing and business email compromise scams.
Tax season is open season for cybercriminals and phishers, who increase their efforts to obtain personal information and Social Security numbers in the run up to – and during – tax season. Until April, we can expect many W2 phishing attacks. Make sure you are prepared and do not fall for a scam.
Anatomy of a W2 Phishing Attack
The most common method of stealing the information needed to file fraudulent tax returns is phishing. Phishing emails are sent in the millions to individuals in an effort to obtain their sensitive information. Individuals must be on high alert for malicious emails during tax season, but it is businesses that are most likely to be targeted.
Payroll employees have access to the W2 forms of the entire workforce. If a single worker can be convinced to email the data, the attacker can file thousands of fraudulent tax returns in the names of employees.
The way cybercriminals get payroll staff to part with sensitive data is by impersonating the CEO or CFO in what is referred to as a Business Email Compromise Scam – otherwise known as a BEC attack or CEO fraud.
The most successful attacks require access to the CEO or CFO’s email account to be gained. That means the CEO or CFO must first be targeted with a spear phishing email and lured into parting with his/her login credentials. Once access to the email account is gained, the impostor can craft an email and send it to a select group of individuals in the company: Payroll and accounts department employees.
The company is researched, individuals likely to have access to W2 forms are identified, and emails are sent. A request is made to attach the W2 forms of all employees who worked for the company in the past year, or for a specific group of employees. A series of emails may be sent, rather than asking for the information straight away.
Since the attacker has access to the CEO’s or CFO’s email account, they can delete sent emails and replies before they are seen by the account holder.
An alternative way of conducting BEC attacks is to spoof an email address. The CFO or CEO is identified from social media sites or LinkedIn, the email address is obtained or guessed based on the format used by the company, and the email is made to appear as if it has come from that email account. An alternative is for the attacker to purchase a similar domain to that used by the company, with two transposed letters for instance. Enough to fool an inattentive worker.
Oftentimes, W2 phishing attacks are not detected until days or weeks after the W2 forms have been sent, by which times IRS tax refund checks have been received and cashed.
How to Defend Against W2 Phishing Attacks
There are several methods that can be used to block W2 phishing attacks. A software or cloud-based anti-spam service should be used to block attacks that come from outside the company. Configured correctly, the spam filter should block spoofed emails and emails sent from similar domains to that used by the company. However, a spam filter will not block emails that come from the CFO or CEOs account.
Multi-factor authentication should be set up on all email accounts to help prevent the first phish that gives the attacker access to a C-suite email address. W2 phishing attacks using spoofed email addresses are much easier to identify and block.
It is therefore important to raise awareness of the threat of W2 phishing attacks with accounts and payroll staff, and anyone else with access to W2 forms. Training can greatly reduce susceptibility to W2 phishing attacks. Training should also be provided to the C-suite, not just employees.
The number of staff who have access to W2 forms should be restricted as far as is possible. Policies should also be introduced that require any request for W2 data to be verified. At a minimum, a request for the data should be checked by a supervisor. Ideally, the request should be confirmed face to face with the sender of the email, or with a quick phone call. The scammers rely on this check not taking place.
More than 60 apps have now been removed from Google Play Store that were laced with AdultSwine Malware – A malware variant that displays pornographic adverts on users’ devices. Many of the apps that contained the malware were aimed at children, including Drawing Lessons Lego Star Wars, Mcqueen Car Racing Game, and Spinner Toy for Slither. The apps had been downloaded by between 3.5 and 7 million users before they were identified and removed.
While the malicious apps have been removed, users who have already downloaded the infected apps onto their devices must uninstall the apps to remove the malware. Simply deleting the apps from the Play Store only prevents more users from being infected. Google has said that it will display warnings on Android phones that have the malicious apps installed to alert users to the malware infection. It will be up to users to then uninstall those apps to remove the AdultSwine malware infection.
Apps Infected with AdultSwine Malware
- Addon GTA for Minecraft PE
- Addon Pixelmon for MCPE
- Addon Sponge Bob for MCPE
- Blockcraft 3D
- CoolCraft PE
- Dragon Shell for Super Slither
- Draw Kawaii
- Draw X-Men
- Drawing Lessons Angry Birds
- Drawing Lessons Chibi
- Drawing Lessons Lego Chima
- Drawing Lessons Lego Ninjago
- Drawing Lessons Lego Star Wars
- Drawing Lessons Subway Surfers
- Easy Draw Octonauts
- Exploration Lite: Wintercraft
- Exploration Pro WorldCraft
- Fire Skin for Slither IO app
- Five Nights Survival Craft
- Flash Skin for Slither IO app
- Flash Slither Skin IO
- Girls Exploration Lite
- Guide Clash IO
- Guide Vikings Hunters
- How to Draw Animal World of The Nut Job 2
- How to Draw Batman Legends in Lego Style
- How to Draw Coco and The Land of the Dead
- How to Draw Dangerous Snakes and Lizards Species
- How to Draw Real Monster Trucks and Cars
- Invisible Skin for Slither IO app
- Invisible Slither Skin IO
- Jungle Survival Craft 1.0
- Jurassic Survival Craft Game
- Mcqueen Car Racing Game
- Mine Craft Slither Skin IO
- Pack of Super Skins for Slither
- Paw Puppy Run Subway Surf
- Pixel Survival – Zombie Apocalypse
- Players Unknown Battle Ground
- San Andreas City Craft
- San Andreas Gangster Crime
- Shin Hero Boy Adventure Game
- Spinner Toy for Slither
- Stickman Fighter 2018
- Subway Banana Run Surf
- Subway Bendy Ink Machine Game
- Subway Run Surf
- Temple Bandicoot Jungle Run
- Temple Crash Jungle Bandicoot
- Temple Runner Castle Rush
- Virtual Family – Baby Craft
- Woody Pecker
- Zombie Island Craft Survival
Malicious Activities of AdultSwine Malware
AdultSwine malware, and the apps that infect users, were identified and analyzed by security researchers at CheckPoint. The researchers note that once downloaded onto a device, the malware sends information about the user to its command and control server and performs three malicious activities: Displaying advertisements, signing up users to premium services, and installing scareware to fool victims into paying for security software that is not necessary. Information is also stolen from the infected device which can potentially be used for a variety of malicious purposes.
The advertisements are displayed when users are playing games or browsing the Internet, with the adverts coming from legitimate ad networks and the AdultSwine library. The AdultSwine malware library includes extreme adverts containing hardcore pornographic images. Those images appear on screen without warning.
The scareware claims the victim’s device has been infected with a virus that requires the download of an anti-malware app from the Google Play Store, although the virus removal tool is a fake app. Users are told that their phone will be rendered unusable if the app is not downloaded, with a countdown timer used to add urgency.
Registering for premium services requires the user to supply further information, which is done through pop-up phishing adverts. The user is told they have won a prize, but that they must answer four questions to claim their prize. The information they supply is used to register for premium services.
Preventing Infection of Mobile Devices
Generally, users can reduce the risk of a malware infection by only downloading apps from official app stores, although this latest malware campaign has shown that even official stores can be compromised and have malicious apps uploaded.
Google does scan all apps for malware, but new forms of malware can be sneaked into Google Play Store on occasion. Google has announced that from the end of January it will be rolling out a new service called Google Play Protect that is capable of scanning previously downloaded apps to ensure they are still safe to use.
Google recommends only downloading apps for children that have been verified by Google as being ‘Designed for Families’. Those apps may contain adverts, but they have been vetted and strict rules apply covering the advertisements that can be displayed.
It is also important to install some form of anti-malware solution – from a reputable and well-known company – that will scan downloaded content and apps for malware.
Digimine malware is a new threat that was first identified from a campaign in South Korea; however, the attacks have now gone global.
Ransomware is still a popular tool that allows cybercriminals to earn a quick payout, but raised awareness of the threat means more companies are taking precautions. Ransomware defenses are being improved and frequent backups are made to ensure files can be recovered without paying the ransom. Not only is it now much harder to infect systems with ransomware, rapid detection means large-scale attacks on companies are prevented. It’s harder to get a big payday and the ability to restore files from backups mean fewer organizations are paying up.
The surge in popularity of cryptocurrency, and its meteoric rise in value, have presented cybercriminals with another lucrative opportunity. Rather than spread ransomware, they are developing and distributing cryptocurrency miners. By infecting a computer with a cryptocurrency miner, attackers do not need to rely on a victim paying a ransom.
Rather than locking devices and encrypting files, malware is installed that starts mining (creating) the cryptocurrency Monero, an alternative to Bitcoin. Mining cryptocurrency is the verification of cryptocurrency transactions for digital exchanges, which involves using computers to solve complex numeric problems. For verifying transactions, cryptocurrency miners are rewarded with coins, but cryptocurrency mining requires a great deal of processing power. To make it profitable, it must be performed on an industrial scale.
The processing power of hundreds of thousands of devices would make the operation highly profitable for cybercriminals, a fact that has certainly not been lost on the creators of Digimine malware.
Infection with Digimine malware will see the victim’s device slowed, as its processing power is being taken up mining Monero. However, that is not all. The campaign spreading this malware variant works via Facebook Messenger, and infection can see the victim’s contacts targeted, and could potentially result in the victim’s Facebook account being hijacked.
The Digimine malware campaign is being spread through the Desktop version of Facebook Messenger, via Google Chrome rather than the mobile app. Once a victim is infected, if their Facebook account is set to login automatically, the malware will send links to the victim’s contact list. Clicking those links will result in a download of the malware, the generation of more messages to contacts and more infections, building up an army of hijacked devices for mining Monero.
Infections were first identified in South Korea; however, they have now spread throughout east and south-east Asia, and beyond to Vietnam, Thailand, Philippines, Azerbaijan, Ukraine, and Venezuela, according to Trend Micro.
A similar campaign has also been detected by FortiGuard Labs. That campaign is being conducted by the actors behind the ransomware VenusLocker, who have similarly switched to Monero mining malware. That campaign also started in South Korea and is spreading rapidly. Rather than use Facebook Messenger, the VenusLocker gang is using phishing emails.
Phishing emails for this campaign contain infected email attachments that download the miner. One of the emails claims the victim’s credentials have been accidentally exposed in a data breach, with the attachment containing details of the attack and instructions to follow to mitigate risk.
These attacks appear to mark a new trend and as ransomware defenses continue to improve, it is likely that even more gangs will change tactics and switch to cryptocurrency mining.
In this article we explore the cost of HIPAA noncompliance for healthcare organizations, including the financial penalties and data breach costs, and one of the most important technologies to deploy to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA)
In the United States, healthcare organizations that transmit health information electronically are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was introduced in 1996 with the primary aim of improving healthcare coverage for employees between jobs, although it has since been expanded to include many privacy and security provisions following the introduction of the HIPAA Privacy and Security Rules.
These rules require HIPAA-covered entities – health plans, healthcare providers, healthcare clearinghouses and business associates – to implement a range of safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Those safeguards include protections for stored PHI and PHI in transit.
HIPAA is not technology specific, if that were the case, the legislation would need to be frequently updated to include new protections and the removal of outdated technologies that are discovered not to be as secure as was initially thought. Instead, HIPAA leaves the actual technologies to the discretion of each covered entity.
In order to determine what technologies are required to keep PHI secure, covered entities must first conduct a risk analysis: A comprehensive, organization-wide analysis of all risks to the confidentiality, integrity, and availability of PHI. All risks identified must be managed and reduced to an appropriate and acceptable level.
The risk analysis is one of the most common areas where healthcare organizations fall afoul of HIPAA Rules. Healthcare organizations have been discovered not to have included all systems, hardware and software in the risk analysis, or fail to conduct the analysis on the entire organization. Vulnerabilities are missed and gaps remain in security controls. Those gaps allow hackers to take advantage and gain access to computers, servers, and databases.
When vulnerabilities are exploited, and a data breach occurs, HIPAA-covered entities must report the security breach to the Department of Health and Human Services’ Office for Civil Rights (OCR): The main enforcer of HIPAA Rules. OCR investigates data breaches to determine whether they could realistically have been prevented and if HIPAA Rules have been violated.
What is the Cost of HIPAA Noncompliance?
When healthcare organizations are discovered not to have complied with HIPAA Rules, financial penalties are often issued. Fines of up to $1.5 million per violation category (per year that the violation has been allowed to persist) can be issued by OCR. The cost of HIPAA noncompliance can therefore be severe. Multi-million-dollar fines can, and are, issued.
The cost of HIPAA noncompliance is far more than any financial penalty issued by OCR, or state attorneys general, who are also permitted to issue fines for noncompliance. HIPAA requires covered entities to notify individuals impacted by a data breach. The breach notification costs can be considerable if the breach has impacted hundreds of thousands of patients. Each patient will need to be notified by mail. If Social Security numbers or other highly sensitive information is exposed, identity theft protection services should be offered to all breach victims.
Forensic investigations must be conducted to determine how access to data was gained, and to establish whether all malware and backdoors have been removed. Security must then be enhanced to prevent similar breaches from occurring in the future.
A data breach often sees multiple lawsuits filed by the victims, who seek damages for the exposure of their information. Data breaches have a major negative impact on brand image and increase patient churn rate. Patients often switch providers after their sensitive information is stolen.
On average, a data breach of less than 50,000 records costs $4.5 million to resolve according to the Ponemon Institute and has an average organizational cost of $7.35 million.
The 78.8 million-record breach experienced by Anthem Inc. in 2015 is expected to have cost the insurer upwards of $200 million. That figure does not include lost brand value and reputation damage, and neither a HIPAA fine from OCR.
A summary of the cost of HIPAA noncompliance, including recent fines issued by attorneys general and OCR has been detailed in the infographic below.
The Importance of Protecting Email Accounts
There are many ways that unauthorized individuals can gain access to protected health information – via remote desktop applications, by exploiting vulnerabilities that have not been patched, accessing databases that have been left exposed on the Internet, or when devices containing unencrypted PHI are stolen. However, the biggest single threat to healthcare data comes from phishing.
Research from PhishMe indicates more than 90% of data breaches start with a phishing email, and a recent HIMSS Analytics survey confirmed that phishing is the biggest threat, with email ranked as the most likely source of a healthcare data breach.
Protecting email accounts is therefore an essential part of HIPAA compliance. OCR has already fined healthcare organizations for data breaches that have resulted from phishing emails.
Healthcare organizations should implement a solution that blocks malicious emails and scans for malware and ransomware. In addition to technology, employees must also be trained how to identify malicious emails and taught to be more security aware.
How TitanHQ Can Help with HIPAA Compliance
TitanHQ developed SpamTitan to keep inboxes secure and prevent email spam, phishing messages, and malware from being delivered to inboxes. SpamTitan blocks more than 99.9% of spam email, and dual anti-virus engines ensure emails with malicious attachments are identified and quarantined. With SpamTitan, your organization’s email accounts will be protected – an essential part of HIPAA compliance.
WebTitan compliments SpamTitan and offers an additional layer of protection. WebTitan is a web filtering solution that allows you to carefully control the websites that your employees visit. WebTitan will prevent employees from visiting malicious websites via emailed hyperlinks, general web browsing, malvertising or redirects, protecting your organization from web-based attacks, drive by downloads of ransomware and malware, and exploit kit attacks.
For more information on TitanHQ’s cybersecurity solutions for healthcare, contact the TitanHQ team today.
Black Friday deals and Cyber Monday discounts see consumers head online in droves looking for bargain Christmas presents, but each year many thousands of consumers are fooled by holiday season email scams. This year will be no different. Scammers are already hard at work developing new ruses to fool unwary online shoppers into parting with their credentials or installing malware.
In the rush to purchase at discounted rates, security awareness often goes out the window and cybercriminals are waiting to take advantage. Hidden among the countless emails sent by retailers to advise past customers of the latest special offers and deals are a great many holiday season email scams. To an untrained eye, these scam emails appear to be no different from those sent by legitimate retailers. Then there are the phishing websites that capture credentials and credit card numbers and websites hosting exploit kits that silently download malware. It is a dangerous time to be online.
Fortunately, if you take care, you can avoid holiday season email scams, phishing websites, and malware this holiday period. To help you stay safe, we have compiled some tips to avoid holiday season email scams, phishing websites and malware this festive period.
Tips to Keep You Safe This Holiday Season
In the run up to Christmas there will be scams aplenty. To stay safe online, consider the following:
Always carefully check the URL of websites before parting with your card details
Spoofed websites often look exactly like the genuine sites that they mimic. They use the same layouts, the same imagery, and the same branding as retail sites. The only thing different is the URL. Before entering your card details or parting with any sensitive information, double check the URL of the site and make sure you are not on a scam website.
Never allow retailers to store your card details for future purchases
It is a service that makes for quick purchases. Sure, it is a pain to have to enter your card details each time you want to make a purchase, but by taking an extra minute to enter your card details each time you will reduce the risk of your account being emptied by scammers. Cyberattacks on retailers are rife, and SQL injection attacks can give attackers access to retailer’s websites – and a treasure trove of stored card numbers.
Holiday season email scams are rife – Be extra vigilant during holiday season
While holiday season email scams used to be easy to detect, phishers and scammers have become a lot better at crafting highly convincing emails. It is now difficult to distinguish between a genuine offer and a scam email. Emails contain images and company branding, are free from spelling and grammatical errors, and the email requests are highly convincing. Be wary of unsolicited emails, never open email attachments from unknown senders, and check the destination URL of any links before clicking.
If a deal sounds too good to be true, it probably is
What better time than holiday season to discover you have won a PlayStation 4 or the latest iPhone in a prize draw. While it is possible that you may have won a prize, it is very unlikely if you haven’t actually entered a prize draw. Similarly, if you are offered a 50% discount on a purchase via email, there is a high chance it is a scam. Scammers take advantage of the fact that everyone loves a bargain, and never more so than during holiday season.
If you buy online, use your credit card
Avoid the holiday season crowds and buy presents online, but use your credit card for purchases rather than a debit card. If you have been fooled by a holiday season scam or your debit card details are stolen from a retailer, it is highly unlikely that you be able to recover stolen funds. With a credit card, you have better protections and getting a refund is much more likely.
Avoid HTTP sites
Websites secured by the SSL protocol are safer. If a website starts with HTTPS it means the connection between your browser and the website is encrypted. It makes it much harder for sensitive information to be intercepted. Never give out your credit card details on a website that does not start with HTTPS.
Beware of order and delivery confirmations
If you order online, you will no doubt want to check the status of your order and find out when your purchases will be delivered. If you recent an email with tracking information or a delivery confirmation, treat the email as potentially malicious. Always visit the delivery company’s website by entering in the URL into your browser, rather than clicking links sent via email. Fake delivery confirmations and parcel tracking links are common. The links can direct you to phishing websites and sites that download malware, while email attachments often contain malware and ransomware downloaders.
Holiday season is a busy, but take your time online
One of the main reason that holiday season email scams are successful is because people are in a rush and fail to take the time to read emails carefully and check attachments and links are genuine. Scammers take advantage of busy people. Check the destination URL of any email link before you click. Take time to think before you take any action online or respond to an email request.
Don’t use the same password on multiple websites
You may choose to buy all of your Christmas gifts on Amazon, but if you need to register on multiple sites, never reuse your password. Password reuse is one of the easiest ways that hackers can gain access to your social media networks and bank accounts. If there is a data breach at one retailer and your password is stolen, hackers will attempt to use that password on other websites.
Holiday season is a time for giving, but take care online and when responding to emails to make sure your hard-earned cash is not given to scammers.
All organizations should take steps to mitigate the risk of phishing, and one of those steps should be training employees how to spot a phishing email. Employees will frequently have their phishing email identification skills put to the test.
Since all it takes is for one employee to fall for a phishing scam to compromise a network, not only is it essential that all employees are trained how to spot a phishing email, their skills should assessed post-training, otherwise organizations will not know how effective the training has been.
How Common are Phishing Attacks?
Phishing is now the number one security threat faced by businesses in all sectors. Research conducted by the security awareness training company PhishMe suggests that more than 90% of cyberattacks start with a phishing or spear phishing email. While all industry sectors have to deal with the threat from phishing, the education and healthcare industries are particularly at risk. They are commonly targeted by scammers and spammers, and all too often those phishing attacks are successful.
The Intermedia 2017 Data Vulnerability Report showed just how common phishing attacks succeed. Workers were quizzed on security awareness training and successful phishing attacks at their organizations. 34% of high level execs admitted falling for a phishing scam, as did 25% of IT professionals – Individuals who should, in theory, be the best in an organization at identifying phishing scams. The same study revealed 30% of office workers do not receive regular security awareness training. 11% said they were given no training whatsoever and have not been taught how to spot a phishing email.
Overconfidence in Phishing Detection Capabilities Results in Data Breaches
Studies on data breaches and cybersecurity defenses often reveal that many organizations are confident in their phishing defenses. However, many of those companies still suffer data breaches and fall for phishing attacks. Overconfidence in phishing detection and prevention leaves many companies at risk. This was recently highlighted by a study conducted by H.R. Rao at the University of Texas at San Antonio. Rao explained that many people believe they are smarter than phishers and scammers, which plays into the scammers’ hands.
Training Should be Put to The Test
You can train employees how to spot a phishing email, but how can you tell how effective your training has been? If you do not conduct phishing simulation exercises, you cannot be sure that your training has been effective. There will always be some employees that require more training than others and employees that do not pay attention during training. You need to find these weak links. The best way to do that is with phishing simulation exercises.
Conduct dummy phishing exercises and see whether your employees are routinely putting their training into action. If an employee fails a phishing test, you can single them out to receive further training. Each failed simulation can be taken as a training opportunity. With practice, phishing email identification skills will improve.
How to Spot a Phishing Email
Most employees receive phishing emails on a daily basis. Some are easy to identify, others less so. Fortunately spam filters catch most of these emails, but not all of them. It is therefore essential to train employees how to spot a phishing email and to conduct regular training sessions. One training session a year is no longer sufficient. Scammers are constantly changing tactics. It is important to ensure employees are kept up to speed on the latest threats.
During your regular training sessions, show your employees how to spot a phishing email and what to do when they receive suspicious messages. In particular, warn them about the following tactics:
Spoofed Display Names
The 2017 Spear Phishing Report from GreatHorn indicates 91% of spear phishing attacks spoof display names. This tactic makes the recipient believe the email has been sent from a trusted colleague, friend, family member or company. This is one of the most important ways to spot a phishing email.
Mitigation: Train employees to hover their mouse arrow over the sender to display the true email address. Train employees to forward emails rather than reply. The true email address will be displayed.
Email Account Compromises
This year, business email compromise (BEC) scams have soared. These scams were extensively used to obtain W-2 Form tax information during tax season. This attack method involves the use of real email accounts – typically those of the CEO or senior executives – to send requests to employees to make bank transfers and send sensitive data.
Mitigation: Implement policies that require any email requests for sensitive information to be verified over the phone, and for all new bank transfer requests and account changes to be verified.
Hyperlinks to Phishing Websites
The Proofpoint Quarterly Threat Report for Q3 showed there was a 600% increase in the use of malicious URLs in phishing emails quarter over quarter, and a 2,200% increase from this time last year. These URLs usually direct users to sites where they are asked to login using their email credentials. Oftentimes they link to sites where malware is silently downloaded.
Mitigation: Train employees to hover their mouse arrow over the URL to display the true URL. Encourage employees to visit websites by entering the URL manually, rather than using embedded links.
Security Alerts and Other Urgent Situations
Scammers want email recipients to take action quickly. The faster the response the better. If employees stop and think about the request, or check the email carefully, there is a high chance the scam will be detected. Phishing emails often include some urgent request or immediate need for action. “Your account will be closed,” “You will lose your credit,” “Your parcel will not be delivered,” “Your computer is at risk,” Etc.
Mitigation: Train employees to stop and think. An email request may seem urgent and contain a threat, but this tactic is commonly used to get people to take quick action without engaging their brains.
Look for Spelling Mistakes and Grammatical Errors
Many phishing scams come from African countries, Eastern Europe and Russia – Places where English is not the main language. While phishing scams are becoming more sophisticated, and more care is taken crafting emails, spelling mistakes and poor grammar are still common and are a key indicator that emails are not genuine.
Mitigation: Train employees to look for spelling mistakes and grammatical errors. Companies check their emails carefully before sending them.
Why a Spam Filter is Now Essential
Training employees how to spot a phishing email should be included in your cybersecurity strategy, but training alone will not prevent all phishing-related data breaches. There may be a security culture at your organizations, and employees skilled phish detectors, but every employee can have an off day from time to time. It is therefore important to make sure as few phishing emails as possible reach employees’ inboxes, and for that to happen, you need an advanced spam filtering solution.
SpamTitan blocks more than 99.9% of spam email and includes dual anti-virus engines to ensure malicious messages are blocked. The low false positive rate also ensures genuine emails do not trigger the spam filter and are delivered.
If you want to improve your security defenses, train employees how to spot a phishing email and implement SpamTitan to stop phishing emails from reaching inboxes. With technological and human solutions you will be better protected.
Handy Infographic to Help Train Staff How to Spot a Phishing Email
We have compiled a useful infographic to highlight how important it is to train staff how to spot a phishing email and some of the common identifiers that an email is not genuine:
A serious MS Office remote code execution vulnerability has been patched by Microsoft – One that would allow malware to be installed remotely with no user interaction required. The flaw has been present in MS Office for the past 17 years.
The flaw, which was discovered by researchers at Embedi, is being tracked as CVE-2017-11882. The vulnerability is in the Microsoft Equation Editor, a part of MS Office that is used for inserting and editing equations – OLE objects – in documents: Specifically, the vulnerability is in the executable file EQNEDT32.exe.
The memory corruption vulnerability allows remote code execution on a targeted computer, and would allow an attacker to take full control of the system, if used with Windows Kernel privilege exploits. The flaw can be exploited on all Windows operating systems, including unpatched systems with the Windows 10 Creators Update.
Microsoft addressed the vulnerability in its November round of security updates. Any unpatched system is vulnerable to attack, so it is strongly advisable to apply the patch promptly. While the vulnerability could potentially have been exploited at any point in the past 17 years, attacks exploiting this MS Office remote code execution vulnerability are much more likely now that a patch has been released.
The flaw does not require the use of macros, only for the victim to open a specially crafted malicious Office document. Malicious documents designed to exploit the vulnerability would likely arrive via spam email, highlighting the importance of implementing a spam filtering solution such as SpamTitan to block the threat.
End users who are fooled into opening a malicious document can prevent infection by closing the document without enabling macros. In this case, malware would be installed simply by opening the document.
Microsoft has rated the vulnerability as important, rather than critical, although researchers at Embedi say this flaw is “extremely dangerous.” Embedi has developed a proof of concept attack that allowed them to successfully exploit the vulnerability. The researchers said, “By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g. to download an arbitrary file from the Internet and execute it),”
EQNEDT32.exe is run outside of the Microsoft Office environment, so it is therefore not subject to Office and many Windows 10 protections. In addition to applying the patch, security researchers at Embedi recommend disabling EQNEDT32.EXE in the registry, as even with the patch applied, the executable still has a number of other vulnerabilities. Disabling the executable will not impact users since this is a feature of Office that is never needed by most users.
2017 has seen a major rise in malicious spam email volume. As the year has progressed, the volume of malicious messages sent each month has grown. A new report from Proofpoint shows malicious spam email volume rose by 85% in Q3, 2017.
A deeper dive into the content of those messages shows cybercriminals’ tactics have changed. In 2017, there has been a notable rise in the use of malicious URLs sent via email compared to malicious attachments containing malware. URL links to sites hosting malware have jumped by an astonishing 600% in Q3, which represents a 2,200% increase since this time last year. This level of malicious URLs has not been seen since 2014.
The links direct users to malicious websites that have been registered by cybercriminals, and legitimate sites that have been hijacked and loaded hacking toolkits. In many cases, simply clicking on the links is all that is required to infect the user’s computer with malware.
While there is a myriad of malware types now in use, the biggest threat category in Q3 was ransomware, which accounted for 64% of all email-based malware attacks. There are many ransomware variants in use, but the undisputed king in Q3 was Locky, accounting for 55% of total message volume and 86% of all ransomware attacks. There was also a rising trend in destructive ransomware – ransomware that encrypts files but does not include the option of letting victims’ recover their files.
The second biggest malware threat category was banking Trojans, which accounted for 24% of malicious spam email volume. Dridex has long been a major threat, although in Q3 it was a Trojan called The Trick that become the top banking Trojan threat. The Trick Trojan was used in 70% of all banking Trojan attacks.
Unsurprisingly, with such as substantial rise in malicious spam email volume, email fraud has also risen, up 12% quarter over quarter and up 32% from this time last year.
Cybercriminals are constantly changing tactics and frequently switch malware variants and attack methods, but for the time being at least, exploit kits are still not favored. Exploit kit attacks are at just 10% of the level of last year’s high, with spam email now the main method of malware delivery.
With malicious spam email volume having increased once again, and a plethora of new threats and highly damaging malware attacks posing a very real risk, it is essential that businesses double down on their defenses. The best way to defend against email threats is to improve spam defenses. An advanced spam filtering solution is essential for blocking email threats. The more malicious emails that are captured and prevented from being delivered, the lower the chance of end users clicking on malicious links and downloading malware.
SpamTitan blocks more than 99.9% of spam emails and is one of the most advanced and best spam filters for business use. SpamTitan helps keep inboxes free from malware threats. No single solution can block all email threats, so a spam filtering solution should be accompanied with endpoint security solutions, web filters to block malicious links from being visited, antimalware and antivirus solutions, and email authentication technology.
While it is easy to concentrate on technology to protect against email threats, it is important not to forget to train employees to be more security aware. Regular training sessions, cybersecurity newsletters and bulletins about the latest threats, and phishing simulation exercises can help employees improve their threat detection skills and raise cybersecurity awareness.
On Friday, the U.S. Department of Homeland Security’s (DHS) computer emergency readiness team (US-CERT) issued a new warning about phishing attacks on energy companies and other critical infrastructure sectors.
Advanced persistent threat (APT) actors are conducting widespread attacks on organizations in the energy, aviation, nuclear, water, and critical manufacturing sectors. Those attacks, some of which have been successful, have been occurring with increasing frequency since at least May 2017. The group behind the attack has been called Dragonfly by AV firm Symantec, which reported on the attacks in September.
DHS believes the Dragonfly group is a nation-state sponsored hacking group whose intentions are espionage, open source reconnaissance and cyberattacks designed to disrupt energy systems.
These cyberattacks are not opportunistic like most phishing campaigns. They are targeted attacks on specific firms within the critical infrastructure sectors. While some firms have been attacked directly, in many cases the attacks occur through a ‘staging’ company that has previously been compromised. These staging companies are trusted vendors of the targeted organization. By conducting attacks through those companies, the probability of an attack on the target firm succeeding is increased.
DHS warns that the attackers are using several methods to install malware and obtain login credentials. The phishing attacks on energy companies have included spear phishing emails designed to get end users to reveal their login credentials and malicious attachments that install malware.
In the case of the former, emails direct users to malicious websites where they are required to enter in their credentials to confirm their identity and view content. While some websites have been created by the attackers, watering hole attacks are also occurring on legitimate websites that have been compromised with malicious code. DHS warns that approximately half of the attacks have occurred through sites used by trade publications and informational websites “related to process control, ICS, or critical infrastructure.”
Phishing emails containing malicious attachments are used to directly install malware or the files contain hyperlinks that direct the user to websites where a drive-by malware download occurs. The links are often shortened URLS creating using the bit.ly and tinyurl URL shortening services. The attackers are also using email attachments to leverage Windows functions such as Server Message Block (SMB) protocol to retrieve malicious files. A similar SMB technique is also used to harvest login credentials.
The malicious attachments are often PDF files which claim to be policy documents, invitations, or resumés. Some of the phishing attacks on energy companies have used a PDF file attachment with the name “AGREEMENT & Confidential.” In this case, the PDF file does not include any malicious code, only a hyperlink to a website where the user is prompted to download the malicious payload.
US-CERT has advised companies in the targeted sectors that the attacks are ongoing, and action should be taken to minimize risk. Those actions include implementing standard defenses to prevent web and email-based phishing attacks such as spam filtering solutions and web filters.
Since it is possible that systems may have already been breached, firms should be regularly checking for signs of an intrusion, such as event and application logs, file deletions, file changes, and the creation of new user accounts.
FormBook malware is being used in targeted attacks on the manufacturing and aerospace sectors according to researchers at FireEye, although attacks are not confined to these industries.
So far, the attacks appear to have been concentrated on organizations in the United States and South Korea, although it is highly likely that attacks will spread to other areas due to the low cost of this malware-as-a-service, the ease of using the malware, and its extensive functionality.
FormBook malware is being sold on underground forms and can be rented cheaply for as little as $29 a month. Executables can be generated using an online control panel, a process that requires next to no skill. This malware-as-a-service is therefore likely to be used by many cybercriminals.
FormBook malware is an information stealer that can log keystrokes, extract data from HTTP sessions and steal clipboard content. Via the connection to its C2 server, the malware can receive and run commands and can download files, including other malware variants. Malware variants discovered to have already been downloaded by FormBook include the NanoCore RAT.
FireEye researchers also point out that the malware can steal passwords and cookies, start and stop Windows processes, and force a reboot of an infected device.
FormBook malware is being spread via spam email campaigns using compressed file attachments (.zip, .rar), .iso and .ace files in South Korea, while the attacks in the United States have mostly involved .doc, .xls and .pdf files. Large scale spam campaigns have been conducted to spread the malware in both countries.
The U.S campaigns detected by FireEye used spam emails related to shipments sent via DHL and FedEx – a common choice for cybercriminals. The shipment labels, which the emails say must be printed in order to collect the packages, are in PDF form. Hidden in the document is a tny.im URL that directs victims to a staging server that downloads the malware. The campaigns using Office documents deliver the malware via malicious macros. The campaigns conducted in South Korea typically include the executables in the attachments.
While the manufacturing industry and aerospace/defense contractors are being targeted, attacks have been conducted on a wide range of industries, including education, services/consulting, energy and utility companies, and the financial services. All organizations, regardless of their sector, should be alert to this threat.
Organizations can protect against this new threat by adopting good cybersecurity best practices such as implementing a spam filtering solution to block malicious messages and stop files such as ISOs and ACE files from being delivered to end users. Organizations should also alert their employees to the threat of attack and provide training to help employees recognize this spam email campaign. Macros should also be disabled on all devices if they are not necessary for general work duties, and at the very least, should be set to be run manually.
Today is the start of the 14th National Cyber Security Month – A time when U.S. citizens are reminded of the importance of practicing good cyber hygiene, and awareness is raised about the threat from malware, phishing, and social engineering attacks.
The cybersecurity initiative was launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) with the aim of creating resources for all Americans to help them stay safe online.
While protecting consumers has been the main focus of National Cyber Security Month since its creation, during the past 14 years the initiative has been expanded considerably. Now small and medium-sized businesses, corporations, and healthcare and educational institutions are assisted over the 31 days of October, with advice given to help develop policies, procedures, and implement technology to keep networks and data secure.
National Cyber Security Month Themes
2017 National Cyber Security Month focuses on a new theme each week, with resources provided to improve understanding of the main cybersecurity threats and explain the actions that can be taken to mitigate risk.
Week 1: Oct 2-6 – Simple Steps to Online Safety
It’s been 7 years since the STOP. THINK. CONNECT campaign was launched by the NCSA and the Anti-Phishing Workshop. As the name suggests, the campaign encourages users learn good cybersecurity habits – To assume that every email and website may be a scam, and to be cautions online and when opening emails. Week one will see more resources provided to help consumers learn cybersecurity best practices.
Week 2: Oct 9-13 – Cybersecurity in the Workplace
With awareness of cyber threats raised with consumers, the DHS and NCSA turn their attention to businesses. Employees may be the weakest link in the security chain, but that need not be the case. Education programs can be highly effective at improving resilience to cyberattacks. Week 2 will see businesses given help with their cyber education programs to develop a cybersecurity culture and address vulnerabilities. DHS/NCSA will also be promoting the NIST Cybersecurity Framework and explaining how its adoption can greatly improve organizations’ security posture.
Week 3: Oct 16-20 –Predictions for Tomorrow’s Internet
The proliferation of IoT devices has introduced many new risks. The aim of week three is to raise awareness of those risks – both for consumers and businesses – and to provide practical advice on taking advantage of the benefits of smart devices, while ensuring they are deployed in a secure and safe way.
Week 4: Oct 23-27 –Careers in Cybersecurity
There is a crisis looming – A severe lack of cybersecurity professionals and not enough students taking up cybersecurity as a profession. The aim of week 4 is to encourage students to consider taking up cybersecurity as a career, by providing resources for students and guidance for key influencers to help engage the younger generation and encourage them to pursue a career in cybersecurity.
Week 5: Oct 30-31 – Protecting Critical Infrastructure
As we have seen already this year, nation-state sponsored groups have been sabotaging critical infrastructure and cybercriminals have been targeting critical infrastructure to extort money. The last two days of October will see awareness raised of the need for cybersecurity to protect critical infrastructure, which will serve as an introduction to Critical Infrastructure Security and Resilience Month in November.
European Cyber Security Month
While National Cyber Security Month takes place in the United States, across the Atlantic, European Cyber Security Month is running in tandem. In Europe, similar themes will be covered with the aim of raising awareness of cyber threats and explaining the actions EU citizens and businesses can take to stay secure.
This year is the 5th anniversary of European Cyber Security Month – a collaboration between The European Union Agency for Network and Information Security (ENISA), the European Commission DG CONNECT and public and private sector partners.
As in the United States, each week of October has a different theme with new resources and reports released, and events and activities being conducted to educate the public and businesses on cybersecurity.
European Cyber Security Month Themes
This year, the program for European Cyber Security Month is as follows:
Week 1: Oct 2-6 – Cybersecurity in the Workplace
A week dedicated to helping businesses train their employees to be security assets and raise awareness of the risks from phishing, ransomware, and malware. Resources will be provided to help businesses teach their employees about good cyber hygiene.
Week 2: Oct 9-13 – Governance, Privacy & Data Protection
With the GDPR compliance date just around the corner, businesses will receive guidance on compliance with GDPR and the NIS Directive to help businesses get ready for May 2018.
Week 3: Oct 16-20 – Cybersecurity in the Home
As more IoT devices are being used in the home, the risk of cyberattacks has grown. The aim of week 3 is to raise awareness of the threats from IoT devices and to explain how to keep home networks secure. Awareness will also be raised about online fraud and scams targeting consumers.
Week 4: Oct 23-27 – Skills in Cyber Security
The aim in week 4 is to encourage the younger generation to gain the cyber skills they will need to embark upon a career in cybersecurity. Educational resources will be made available to help train the next generation of cybersecurity professionals.
Use October to Improve Your Cybersecurity Defenses and Train Your Workforce to Be Security Titans
This Cyber Security Month, why not take advantage of the additional resources available and use October to improve your cybersecurity awareness and train your employees to be more security conscious.
When the month is over, don’t shelve cybersecurity for another 12 months. The key to remaining secure and creating a security culture in the workplace is to continue training, assessments, and phishing tests throughout the year. October should be taken as a month to develop and implement training programs and to work toward creating a secure work environment and build a cybersecurity culture in your place of work.
A warning has been issued to digital civil liberties activists by the Electronic Frontier Foundation about the risk of targeted spear phishing attacks. The phishing warning comes after spate of phishing attacks on digital civil liberties groups over the summer, at least one of which resulted in the disclosure of login credentials.
The attacks were directed at two NGOs – Free Press and Fight for Future – both of which are advocates of net neutrality. The campaign appears to have been conducted by the same individual and included at least 70 phishing attempts between July and August. The attacks started on July 12, which is Save Net Neutrality Day of Action – a day of protest against the FCC’s proposed rollback of net neutrality protections.
While phishing emails are often sent with the purpose of installing malware, in this case the aim was to obtain login credentials to LinkedIn, Google, and Dropbox accounts.
Spear phishing emails were sent using a variety of themes from standard phishing emails to sophisticated and highly creative scams. While most of the attempts failed, the scammer was able to obtain the credentials of at least one account. The compromised Google account was used to send further spear phishing emails to other individuals in the organization. It is unclear what other goals the attacker had, and what the purpose of gaining access to the accounts was.
The phishing campaign was analysed by Eva Galperin and Cooper Quintin at the Electronic Frontier Foundation. They said some of the phishing emails were simple phishing attempts, where the attacker attempted to direct end users to a fake Google document. Clicking the link would direct the user to a site where they were required to enter their Google account details to view the document. Similar phishing emails were sent in an attempt to obtain LinkedIn credentials, using fake LinkedIn notifications. Others contained links to news stories that appeared to have been shared by contacts.
As the campaign progressed, the attacker got more inventive and the attacker started researching the targets and using personal information in the emails. One email was sent in which the scammer pretended to be the target’s husband, signing the email with his name. Another email was sent masquerading as a hateful comment on a video the target had uploaded to YouTube.
A pornography-related phishing scam was one of the most inventive attempts to gain access to login credentials. Emails were sent to targets masquerading as confirmations from well-known pornographic websites such as Pornhub and RedTube. The emails claimed the recipient had subscribed to the portals.
The initial email was then followed up with a further email containing a sexually explicit subject line. The sender name was spoofed to make it appear that the email was sent from Pornhub. The unsubscribe link on the email directed the user to a Google login page where they were asked for their credentials.
It is not clear whether the two NGOs were the only organizations targeted. Since these attacks may be part of a wider campaign, EFF is alerting all digital civil liberties activists to be aware of the threat. Indicators of compromise have been made available here.
Ransomware developers have leveraged the EternalBlue exploit, now the criminals behind the Retefe banking Trojan have added the NSA exploit to their arsenal.
The EternalBlue exploit was released in April by the hacking group Shadow Brokers and was used in the global WannaCry ransomware attacks. The exploit was also used, along with other attack vectors, to deliver the NotPetya wiper and more recently, has been incorporated into the TrickBot banking Trojan.
The Retefe banking Trojan is distributed via malicious Microsoft Office documents sent via spam email. In order for the Trojan to be installed, the emails and the attachments must be opened and code must be run. The attackers typically use Office documents with embedded objects which run malicious PowerShell code if clicked. Macros have also been used in some campaigns to deliver the malicious payload.
Researchers at Proofpoint have now obtained a sample of the Retefe banking Trojan that includes the EternalBlue SMBv1 exploit. The EternalBlue module downloads a PowerShell script and an executable. The script runs the executable, which installs the Trojan.
The researchers noted the module used in the WannaCry attacks that allowed rapid propagation within networks – Pseb – was lacking in Retefe, although that may be added at a later date. It would appear that the criminals behind the campaign are just starting to experiment with EternalBlue.
Other banking Trojans such as Zeus have been used in widespread attacks, although so far attacks using the Retefe banking Trojan have largely been confined to a limited number of countries – Austria, Sweden, Switzerland, Japan, and the United Kingdom.
Businesses in these countries will be vulnerable to Retefe, although due to the number of malware variants that are now using EternalBlue, all businesses should ensure they mitigate the threat. Other malware variants will almost certainly be upgraded to include EternalBlue.
Mitigating the threat from EternalBlue (CVE-2017-0144) includes applying the MS17-010 patch and also blocking traffic associated with the threat through your IDS system and firewall. Even if systems have been patched, a scan for vulnerable systems should still be conducted to ensure no devices have been missed.
Since the Retefe Trojan is primarily being spread via spam email, a spam filter should be implemented to prevent malicious messages from reaching end users. By implementing SpamTitan, businesses can protect their networks against this and other malware threats delivered via spam email.
Consumers should be wary of Equifax phishing scams in the wake of the massive data breach announced earlier this month. The 143 million records potentially stolen in the breach will be monetized, which means many will likely be sold to scammers.
Trend Micro has suggested a batch of data of this scale could easily be sold for $27 million on underground marketplaces and there would be no shortage of individuals happy to pay for the data. The records include the exact types of information that is sought by identity thieves, phishers, and scammers.
However, it is not necessary to have access to the stolen records to pull of scams. Many opportunistic cybercriminals are taking advantage of consumer interest in the breach and are preparing phishing websites to fool the unwary into revealing their sensitive information. Equifax’s response to the breach has also made it easier for phishers to ply their trade.
Equifax has taken the decision not to inform all breach victims by mail. Only the 209,000 individuals whose credit card numbers were exposed will be receiving a breach notification letter in the mail. All the remaining breach victims will have to check the Equifax website to find out if their information was compromised in the breach. With almost half the population affected, and next to no one being directly informed, virtually the entire population of the United States will need to head online to find out if they have been affected by the breach.
Equifax has set up a new domain where information is provided to consumers on the steps they can take to secure their accounts and minimize the risk of financial harm. The official website is equifaxsecurity2017.com. Via this website, U.S consumers can get regular updates and enroll in the free credit monitoring services being offered.
To obtain the free credit monitoring services, consumers will be routed to a website with the domain trustedidpremier.com and will need to enter their name and the last six digits of their social security number to start the process. Cybercriminals have been quick to take advantage and have registered swathes of websites and are using them to phish for sensitive information.
Consumers Should Be Wary of Equifax Phishing Scams
USA Today reports that 194 domains closely resembling the site used by Equifax have already been registered in the past few days. Those domains closely mimic the site used by Equifax, with transposed letters and common typos likely to be made by careless typists. Many of the sites have already been shut down, but more are likely to be registered.
The purpose of these sites is simple. To obtain sensitive information such as names, addresses, Social Security numbers and dates of birth.
The technique is called typosquatting. It is extremely common and very effective. The websites use the same logos and layouts as the genuine sites and they fool many visitors into revealing their sensitive information. Links to the websites are sneaked into malicious adverts displayed via third-party ad networks and are emailed out in large scale phishing campaigns. Consumers should therefore exercise extreme caution and be alert to Equifax phishing scams sent via email and text message.
Consumers should also be careful about revealing sensitive information online and should treat all email attachments and emailed hyperlinks as potentially malicious. Consumers should look for the warning signs of phishing attacks in any email received, especially if it appears to have been sent from Equifax or another credit monitoring bureau, a credit card company, bank or credit union. Email, text messages and telephone scams are likely to be rife following an attack on this scale.
Additionally, all U.S. citizens should closely monitor their credit and bank accounts, Explanation of Benefits Statements, and check their credit reports carefully. Criminals already have access to a large amount of data and will be using that information for identity theft and fraud over the coming days, weeks, months and years.
Cyberattacks on Office 365 users are increasing and Office 365 email security controls are not preventing account compromises at many businesses. If you want to block phishing and malware attacks and prevent costly data breaches, there is no better time than the present to improve Office 365 email security.
Microsoft Office 365 – An Attractive Target for Cybercriminals
Microsoft’s figures suggest there are now more than 70 million active users of Office 365 making it the most widely adopted enterprise cloud service by some distance. 78% of IT decision makers say they have already signed up to Office 365 or plan to do so in 2017 and Microsoft says it is now signing up a further 50,000 small businesses to Office 365 every month. 70% of Fortune 500 companies are already using Office 365 and the number of enterprises transitioning to Office 365 is likely to significantly increase.
Office 365 offers many advantages for businesses but as the number of users grows, the platform becomes and even bigger target for hackers. Hackers are actively seeking flaws in Office 365 and users of the service are increasingly coming under attack. The more users an operating system or service has, the more likely hackers are to concentrate their resources on developing new methods to attack that system.
Cyberattacks on Office 365 are Soaring
Microsoft is well aware of the problem. Its figures show that malware attacks on Office 365 users increased by a staggering 600% last year and a recent survey conducted by Skyhigh Networks showed 71.4% of Office 365 business users have to deal with at least one compromised email account every month. Surveys often overestimate security problems due to having a limited sample size. That is unlikely to be the case here. The survey was conducted on 27 million users of Office 365 and 600 enterprises.
The majority of new malware targets Windows systems simply because there are substantially more users of Windows than Macs. As Apple increases its market share, it becomes more profitable to develop malware to attack MacOS. Consequently, MacOS malware is becoming more common. The same is true for Office 365. More users means successful attacks are much more profitable. If a flaw is found and a new attack method developed, it can be used on millions of users, making searching for flaws and developing exploits well worth the time and effort.
Phishers and hackers are also studying how the security functions of O365 work and are searching for flaws and developing exploits to take advantage. For a few dollars a month, hackers can sign up for accounts to study Office 365. Hackers are also taking advantage of poor password choices to gain access to other users’ accounts to trial their phishing campaigns to ensure they bypass Office 365 email security controls.
Office 365 Email Security Controls are Often Lacking
Given the resources available to Microsoft and its frequent updates, you would expect Office 355 email security to be pretty good. While Office 365 email security is not terrible, for standard users it is not great either. Standard subscriptions include scant security features. To get enhanced security, the enterprise subscription must be purchased or extra email security add-ons must be purchased separately at a not insignificant cost.
Pay for the enterprise subscription and you will get a host of extra security features provided through the Advanced Threat Protection (ATP) security package. This includes message sandboxing, phishing protection, URL tracking and reporting, and link reputation checking. Even when Advanced Threat Protection is used, getting the settings right to maximize protection is not always straightforward.
APT will certainly improve email security, but it is worth bearing in mind that hackers can also sign up for those features and have access to the sandbox. That makes it easier for them to develop campaigns that bypass Office 365 security protections.
Even with both layers of security, the level of protection against malware and phishing is only OK. A 2017 study by SE Labs revealed that even with Microsoft’s Exchange Online Protection and Advanced Threat Protection enabled, email security only achieved a similar score to solutions in the low-middle level of the market. Far lower than the level of protection provided by advanced third party email spam filters such as SpamTitan that work alongside Office 365 to provide even greater protection from malicious email threats.
The Cost of Mitigating an Cybersecurity Incident is Considerable
The cost of mitigating a cyberattack can be considerable, and certainly substantially more than the cost of prevention. The Ponemon Institute/IBM Security 2017 Cost of a Data Breach study shows the average cost of mitigating a cyberattack is $3.62 million.
The recent NotPetya and WannaCry attacks also highlighted the high cost of breach mitigation. The NotPetya attack on Maersk, for example, has been estimated to cost the company up to $300 million, the vast majority of which could have been saved if the patches released by Microsoft in March had been applied promptly.
These large companies can absorb the cost of mitigating cyberattacks to a certain extent, although smaller businesses simply do not have the funds. It is no therefore no surprise that 60% of SMBs end up permanently closing their doors within 6 months of experiencing a cyberattack. Even cash-strapped businesses should be able to afford to improve security to prevent email-based attacks – The most common vector used by cybercriminals to gain access to systems and data.
Increase Office Email 365 Security with a Specialist Email Security Solution
No system can be made totally impervious to hackers and remain usable, but it is possible to improve Office 365 email security and reduce the potential for attacks to an minimal level. To do that, many enterprises are turning to third-party solution providers – specialists in email security – to increase Office 365 email security instead of paying extra for the protection offered by APT.
According to figures from Gartner, an estimated 40% of Microsoft Office 365 deployments will incorporate third-party tools by the end of 2018 with the figure predicted to rise to half of all deployments by 2020.
One of the best ways of improving Office 365 email security is to use an advanced, comprehensive email spam filtering solution developed by a specialist in email security, TitanHQ.
TitanHQ’s SpamTitan offers excellent protection against email-based attacks. The solution has also been developed to perfectly compliment Office 365 to block more attacks and keep inboxes spam and malware free. SpamTitan filters out more than 99.97% of spam and malicious emails, giving businesses the extra level of protection they need. Furthermore, it is also one of the most cost-effective enterprise email security solutions for Office 365 on the market.
SpamTitan Offers Defense In Depth for Office 365 Users
Even with Office 365 Advanced Threat Protection, there are areas where Office 365 does not perform well. According to a study by Osterman Research, Office 365 is capable of blocking all known malware threats. The solution is nowhere near as effective at blocking new malware variants, which are constantly being released. When these new threats are detected and the signatures are added to the database, the threats can be blocked. Until that point, users will be vulnerable. SpamTitan on the other hand is capable of detecting and blocking new malware threats. SpamTitan is able to anticipate new attacks thanks to pattern learning and intelligence. These predictive capabilities ensures protection against the latest malware variants that signature-based email security solutions fail to detect. By using Bayesian analysis, heuristics and machine learning, new types of spear phishing, whaling, and zero day attacks can be detected and blocked that would otherwise be delivered to inboxes.
SpamTitan includes URL reputation analysis to assess all embedded hyperlinks in an email, including shortened URLs. SURBL filtering and URL detection mechanisms offer superior protection against malicious links contained in emails. Heuristics are used to identify phishing emails from message headers and are constantly updated to detect the latest emerging threats. SpamTitan also includes a greylisting option. Greylisting involves the rejection of all messages along with a request for the message to be resent. Most email servers respond and redeliver messages quickly. Email servers used for spamming are usually busy and these requests are ignored. This is included as an optional feature in SpamTitan, and can be used in combination with whitelists to ensure trusted senders’ messages are always delivered without any delay. Spam confidence levels can be set by user, user group or domain and the solution integrates with Active Directory and LDAP for easy synchronization.
These combinations of features provide superior protection against phishing, spear phishing, ransomware, malware, BEC, impersonation, and zero-day attacks via email, ensuring businesses are protected and messages do not reach end users’ inboxes.
To find out more about SpamTitan and how it can improve Microsoft Office 365 email security at your business, contact TitanHQ today.
MSPs Can Profit from Providing Additional Office 365 Email Security
The days when MSPs could offer out of the box email services to clients and make big bucks are sadly gone. MSPs can sell Office 365 subscriptions to their clients, but the margins are small and there is little money to be made. However, there are good opportunities for selling support services for MS products and also for providing enhanced email security for Office 365 users.
SpamTitan can be sold as an add-on service to enhance security for clients subscribing to Office 365, and since the solution is easy to implement and has a very low management overhead, it allows MSPs to easily boost monthly revenues.
SpamTitan can also be provided in white label form; ready to accept MSP branding. The solution can even be hosted within an MSPs infrastructure. On top of that, there are generous margins for MSPs.
With SpamTitan it is easy for MSPs to provide valued added service, enhance Office 365 email services, and improve Microsoft Office 365 email security for all customers.
To find out more about how you can partner with SpamTitan and improve Office 365 email security for your customers, contact the MSP Sales team at TitanHQ today.
Vous pouvez lire cet article sur le site TitanHQ.fr.
Dropbox phishing attacks are relatively common and frequently fool employees into revealing their sensitive information or downloading malware.
Dropbox is a popular platform for sharing files and employees are used to receiving links advising them that files have been shared with them by their colleagues and contacts and phishers are taking advantage of familiarity with the platform.
There are two main types of Dropbox phishing attacks. One involves sending a link that asks users to verify their email address. Clicking the link directs them to a spoofed Dropbox website that closely resembles the official website. They are then asked to enter in their login credentials as part of the confirmation process.
Dropbox phishing attacks are also used to deliver malware such as banking Trojans and ransomware. A link is sent to users relating to a shared file. Instead of accessing a document, clicking the link will result in malware being downloaded.
Over the past few days, there has been a massive campaign using both of these attack methods involving millions of spam email messages. Last week, more than 23 million messages were sent in a single day.
Most of the emails were distributing Locky ransomware, with a smaller percentage used to spread Shade ransomware. There is no free decryptor available to unlock files encrypted by Locky and Shade ransomware. If files cannot be recovered from backups, victioms will have to dig deep.
Due to the rise in value of Bitcoin of late the cost of recovery is considerable. The malicious actors behind these attacks are demanding 0.5 Bitcoin per infected device – Around $2,400. For a business with multiple devices infected, recovery will cost tens if not hundreds of thousands of dollars.
According to F-Secure, the majority of malware-related spam messages detected recently – 90% – are being used to distribute Locky. Other security researchers have issued similar reports of a surge in Locky infections and spam email campaigns.
To prevent Locky ransomware attacks, businesses should install an advanced spam filtering solution to prevent malicious emails from being delivered to end users’ inboxes. Occasional emails are likely to make it past spam filtering defenses so it is important that all users receive security awareness training to help them identify malicious emails.
A web filter can be highly effective at blocking attempts to visit malicious websites where malware is downloaded, while up to date antivirus and anti-malware solutions can detect and quarantine malicious files before they are opened.
Backups should also be made of all data and systems and those backups should be stored on an air-gapped device. Ransomware variants such as Locky can delete Windows Shadow Volume Copies and if a backup device remains connected, it is probable that backup files will also be encrypted.
Best practices for backing up data involve three backup files being created, on two different media, with one copy stored offsite and offline. Backups should also be tested to make sure files can be recovered in the event of disaster.
The increase in ransomware attacks has prompted the National Institute of Standards and Technology (NIST) to develop new guidance (NIST SPECIAL PUBLICATION 1800-11) on recovering from ransomware attacks and other disasters. The draft guidance can be downloaded on this link.
Scenes of the devastation caused by Hurricane Harvey are all over the newsstands and Internet. Videos of the devastation are being broadcast around the globe. The hurricane hit the Texas coast two days ago, forcing tens of thousands of Texas residents to flee their homes. While the hurricane has now been downgraded to a tropical storm, meteorologists are predicting the heavy rainfall will continue at lease for a couple more days and flood waters are continuing to rise.
Following any natural disaster, email scams are rife and extra care must be taken. Hurricane Harvey is no exception. While homeowners were preparing for the worst, cybercriminals were developing Hurricane Harvey phishing scams to fool the unwary into revealing their sensitive information or downloading malware.
Just as looters take advantage of abandoned homes, scammers take advantage of interest in the disaster and send malicious emails that direct users to phishing websites and exploit kits that silently download malware. Scammers capitalize on interest in disasters to conduct malicious activities.
The expected deluge of malicious emails has prompted US-CERT to issue a warning about Hurricane Harvey phishing scams, urging Americans to be extra vigilant. Similar warnings have also been issued by the Better Business Bureau and Federal Trade Commission (FTC).
Hurricane Harvey phishing scams are likely to have eye-catching subject lines offering updates on Hurricane Harvey and stories relating to the disaster or relief efforts. The scam emails contain malicious hyperlinks that will direct users to phishing websites and sites where malware is downloaded. Malicious email attachments are also used to install malware and ransomware.
Users should be extremely wary about opening any emails relating to Hurricane Harvey, especially emails sent from unknown senders. The best advice is not to click on any hyperlink in an email relating to Hurricane Harvey and not to open email attachments sent in those messages.
While email is favored by many scammers, Hurricane Harvey phishing scams can be found on social media sites. Facebook posts and tweets may direct users to phishing websites where credit card details can be obtained or to fake charity websites where donations can be made.
How to Give to Charity to Support the Victims and Avoid Being Scammed
A natural disaster such as this causes devastation for tens of thousands of families. Homes and businesses are lost and families are forced to take refuge in shelters. Displaced families need support and many charities are accepting donations to help the victims.
However, all may not be as it seems. Scammers spoof legitimate charities and set up bogus websites where donations can be made. Oftentimes, legitimate charities are spoofed and donations never make it to the victims.
The advice offered by the Federal Trade Commission is to be wary of any request for donations to support the victims of Hurricane Harvey. Rather than respond directly to email and social media requests for donations, visit the charity webpage directly and independently verify the charity is legitimate.
The Better Business Bureau is maintaining a list of BBB-accredited charities that are accepting donations to support the victims of Hurricane Harvey, as is Guidestar. By checking the legitimacy of the charity, users can make sure their donations reach the victims of the hurricane and do not end up lining criminals’ pockets.
If you are considering donating to a charity that is not on either list, before making a donation, check that the charity is registered by contacting the National Association of State Charity Officials.
Two new Locky ransomware spam campaigns have been detected this month, each being used to spread a new variant of the cryptoransomware. The campaigns have been launched after a relatively quiet period for ransomware attacks, although the latest campaigns show that the threat of ransomware attacks in never far away.
Previously, Locky ransomware spam campaigns have been conducted using the Necurs botnet – one of the largest botnets currently in use. One of the campaigns, spreading the Locky variant Lukitus is being conducted via Necurs. The other campaign, which is spreading the Diablo Locky variant, is being sent via a new botnet consisting of more than 11,000 infected devices. Those devices are located in 133 countries according to Comodo Threat Research Labs. The botnet appears to have been built quickly and is understood to be growing, with most infected devices in Vietnam, India, Mexico, Turkey and Indonesia.
The failure to backup files is likely to prove costly. The ransom demand issued by the attackers ranges between 0.5 and 1 Bitcoin per infected device – approximately $2,150 to $4,300 per machine. There is still no decryptor for Locky ransomware. Victims face file loss if they do not have a viable backup to restore files. Locky ransomware variants remove Shadow Volume Copies to hamper recovery without paying the ransom.
The Diablo Locky variant renames encrypted files with a unique 16-character file name and adds the diablo6 extension, while the Lukitus variant adds the .lukitus extension.
The two new Locky ransomware spam campaigns differ in their method of delivery of the ransomware, although both involve spam email. The Diablo campaign, which started on August 9, uses various attachments including pdf, doc, and docx files, although infection occurs via malicious macros.
Opening the infected documents will present the user with indecipherable data and a prompt to enable macros to view the content of the document. Enabling macro saves a binary to the device, runs it, and downloads the Locky payload.
The email subjects in this campaign are varied, although in many of the emails the attackers claim the attachment is a missed invoice or purchase order.
The Lukitus campaign was first detected on August 16 and has been mostly used in attacks in the United States, UK, and Austria, although there have also been successful attacks in Italy, Sweden, China, Russia, Botswana, Netherlands and Latvia.
As with all ransomware attacks via spam email, the best defense is an advanced spam filter to block the emails and prevent them from being delivered to end users. Employees should already have been trained on the threat from ransomware. Now would be a good time to issue a reminder via email to all employees of the current threat.
Recovery without paying the ransom depends on viable backup copies existing. Since Locky can encrypt backup files, backup devices should be disconnected after a backup has been made. Organizations should also ensure three copies of backups exist, on two different media, with one copy stored off site – the 3-2-1 approach to backing up.
The retail industry is under attack with cybercriminals increasing their efforts to gain access to PoS systems. Retail industry data breaches are now being reported twice as frequently as last year, according to a recent report from UK law firm RPC.
Retailers are an attractive target. They process many thousands of credit card transactions each week and store huge volumes of personal information of consumers. If cybercriminals can gain access to Point of Sale systems, they can siphon off credit and debit card information and stolen consumer data can be used for a multitude of nefarious purposes.
Many retailers lack robust cybersecurity defenses and run complex systems on aging platforms, making attacks relatively easy.
While cyberattacks are common, the increase in data breaches does not necessarily mean hacks are on the rise. RPC points out that there are many possible causes of data breaches, including theft of data by insiders. Retailers need to improve they defenses against attacks by third parties, although it is important not to forget that systems need to be protected from internal threats.
Preventing retail industry data breaches requires a range of cybersecurity protections, but technology isn’t always the answer. Errors made by staff can easily result in cybercriminals gaining easy access to systems, such as when employees respond to phishing emails.
Employees are the last line of defense and that defensive line is frequently tested. It is therefore essential to improve security awareness. Security awareness training should be provided to all employees to raise awareness of the threat from phishing, malware and web-based attacks.
Phishing emails are the primary method of spreading malware and ransomware. Training staff how to identify phishing emails – and take the correct actions when email-based threats are received – will go a long way toward preventing retail industry data breaches. Employees should be taught the security basics such as never opening email attachments or clicking hyperlinks in emails from unknown individuals and never divulging login credentials online in response to email requests.
Employees can be trained to recognize email-based threats, although it is important to take steps to prevent threats from reaching inboxes. An advanced spam filtering solution is therefore a good investment. Spam filters can block the vast majority of spam and malicious emails, ensuring employees security awareness is not frequently put to the test. SpamTitan blocks more than 99.9% of spam and malicious emails, ensuring threats never reach inboxes.
Web-based attacks can be blocked with a web filtering solution. By carefully controlling the types of websites employees can access, retailers can greatly reduce the risk of malware downloads.
As the recent WannaCry and NotPetya malware attacks have shown, user interaction is not always required to install malware. Both of those global attacks were conducted remotely without any input from employees. Vulnerabilities in operating systems were exploited to download malware.
In both cases, patches had been released prior to the attacks that would have protected organizations from the threat. Keeping software up to date is therefore essential. Patches must be applied promptly and regular checks conducted to ensure all software is kept 100% up to date.
This is not only important for preventing retail industry data breaches. Next year, the General Data Protection Regulation (GDPR) comes into force and heavy fines await retailers that fail to do enough to improve data security. Ahead of the May 25, 2018 deadline for compliance, retailers need to improve security to prevent breaches and ensure systems are in place to detect breaches rapidly when they do occur.
Security researchers have discovered a wave of cyberattacks on hotel WiFi networks that leverage an NSA exploit – EternalBlue – for a vulnerability that was fixed by Microsoft in March.
The same exploit was used in the WannaCry ransomware attacks in May and the NotPetya wiper attacks in June. Even though the malware campaigns affected hundreds of companies and caused millions (if not billions) of dollars of losses, there are still companies that have yet to apply the update.
The recent cyberattacks on hotel WiFi networks have affected establishments in the Middle East and Europe. Once access is gained to hotel networks, the attackers spy on guests via hotel WiFi networks and steal their login credentials.
Researchers at FireEye discovered the new campaign, which they have attributed to the Russian hacking group APT28, also known as Fancy Bear. Fancy Bear is believed to receive backing from the Russian government and has performed many high profile cyberattacks in recent years, including the cyberattack on the World Anti-Doping agency (WADA). Following that attack, Fancy Bear published athletes’ therapeutic use exemption (TUE) data.
In contrast to the WannaCry and NotPetya attacks that were conducted remotely without any user involvement, the latest campaign is being conducted via a spear phishing campaign. The hacking group sends malicious emails to hotel employees and uses email attachments to download their backdoor – Gamefish. In this case, the attachment appears to be a reservation form for a hotel booking. Gamefish is installed if hotel employees run the macros in the document.
Once the backdoor is installed, the hackers search for internal and guest WiFi networks using EternalBlue and spread to other devices. Once embedded in computers that control the WiFi networks, the attackers can launch attacks on devices that attempt to connect to the hotel WiFi network.
The hackers use the open-source Responder tool to listen for MBT-NS (UDP/137) broadcasts from devices that are attempting to connect to WiFi network resources. Instead of connecting, they connect to Responder which obtains usernames and hashed passwords. That information is transferred to a computer controlled by the attackers. Once the hashed passwords have been cracked they can be used to attack hotel guests.
The names of the affected hotels have not been disclosed, although FireEye has confirmed that at least one Middle Eastern hotel and seven in Europe have been attacked. The hotels were well respected establishments likely to be frequented by high-net worth guests and business travellers.
The advice for travellers is to exercise caution when connecting to hotel WiFi networks, such as avoiding accessing online bank accounts or better still, avoiding connecting to hotel WiFi networks altogether. While the use of a VPN when connecting to hotel WiFi networks is a good idea, in this case the attack can occur before a secure VPN connection is made.
FireEye reports that this type of attack is difficult to detect and block. The attackers passively collect data and leave virtually no traces. Once login credentials have been obtained, guests are vulnerable and not just while they are at the hotel. FireEye believes the credentials are then used to attack individuals when they return home and connect to their home networks.
The best way for hotels to prevent cyberattacks on hotel WiFi networks such as this is by blocking the phishing and spear phishing attacks that lead to installation of the malware. Hotels should ensure all employees are provided with security awareness training and a spam filtering solution such as SpamTitan is deployed to stop malicious emails from being delivered to employees’ inboxes.
Smishing attacks are on the rise. Cybercriminals have been turning to the Short Message Service – SMS – to conduct phishing campaigns to gather personal information for identity theft and fraud. Smishing is also used to fool mobile device users into installing malware.
Like phishing emails, smishing attacks use social engineering techniques to get users to complete a specific action, often to click on a link that will direct them to a webpage where they are asked to provide sensitive information or to download a file to their device. Most commonly, the aim of smishing is to obtain personal information such as usernames and passwords to online bank accounts.
Many organizations have implemented spam filtering solutions that capture phishing emails and prevent them from being delivered to end users’ inboxes. Security awareness training is also provided, with the threat of phishing explained to employees. However, the best practices that are taught are not always applied to SMS messages and spam controls do not block SMS messages.
In contrast to emails, which are often ignored, people also tend to access their SMS messages much more rapidly than emails. Text messages are typically opened within seconds, or minutes, of them being received. Cybercriminals are well aware that their malicious MS messages will be opened and read.
Cybercriminals use the same techniques for smishing attacks that are used on email phishing scams. The messages inject a sense of urgency, requiring an action to be taken quickly. The messages are designed to grab attention, with security threats one of the most common themes. The attackers typically impersonate banks, credit card companies, email providers, social media networks or online retailers and warn of security issues such as potential fraudulent activity, imminent charges that will be applied or they threaten account closure.
Messages may even appear to have been sent by a contact, either using a stolen mobile or by spoofing someone who is known and trusted. Messages may include a link to an interesting article, a photograph or a social media post for example.
Smishing attacks started with SMS messages, although similar scams are now being conducted on other messaging platforms such as WhatsApp, Skype and Facebook Messenger.
Blocking smishing attacks is difficult. The key to avoiding becoming a victim is awareness of the threat and adopting the same security best practices that can protect end users on email.
- As with email, when receiving an odd message, stop and think about the request. Could it be a scam?
- Even if the message suggests urgent action is required, take time to consider what is being asked. Smishing attacks work because people respond without thinking.
- It is important not to respond to a SMS message that has been sent from an unknown sender. If you respond, the person who sent the message will be aware that messages are being received.
- If a message containing a hyperlink is received, do not click on the link. Delete the message.
- Never send any sensitive information via text message. Legitimate companies will not ask you to send sensitive information by text message.
- If you are concerned about the contents of a text message, check with the institution concerned, but do not use links or telephone numbers sent in the message. Independently verify the phone number and call or find the correct website via the search engines.
- If you are a business that provides employees with access to a WiFi network, it is possible to prevent employees from visiting malicious websites linked in smishing campaigns. WebTitan Cloud for WiFi is a web filter for WiFi networks that prevents users from visiting malicious websites, such as those used in smishing attacks.
Law firms in Eire and Northern Ireland are being targeted with a new Supreme Court phishing campaign that is being used to fool recipients into visiting a malicious website.
The email appears to have been sent from the Supreme Court and refers to a new/updated Statutory Instrument. The emails that have been detected so far include a PDF file containing further details, although the attachment will divert the recipient to a malicious domain.
The Supreme Court phishing emails add a sense of urgency, as is common in phishing campaigns, telling the recipient to read the information in the attached document by this Friday.
The emails that have been reported have the subject line – Supreme Court (S.I. No691/2017) – although it is possible there are other variations along the same theme. The Courts Service has confirmed that the emails are not genuine and should be deleted without being opened. The phishing scam has been reported to the Gardaí and the Courts Service IT team is also investigating and a warning has been issued.
Supreme Court phishing scams are common. In February this year, the UK Supreme Court also issued a warning after numerous emails were received claiming to be subpoenas for court appearances in relation to a crime that the recipient had committed. In that case, a link was included to provide the court with all of the necessary information about the case. Receipents of the email were told to submit the information within 12 days or the case would proceed in their absence.
As the UK Supreme Court pointed out, it does not issue subpoenas to appear in court for criminal cases, although many law-abiding citizens would be aware of typical procedures associated with criminal cases. The fear generated by a potential court appearance for an unknown crime would likely see many email recipients open the message, click on the link and reveal their personal information.
The purpose of Supreme Court phishing emails is usually to obtain sensitive information under the guise of confirming the recipient’s identity. The information gathered by the phishing emails can be used for identity theft or other forms of fraud. Emails such as this are also used to spread malware or ransomware.
The emails are designed to scare people into responding and they can be highly effective. However, there are usually a variety of telltale signs that the email is not genuine. Before clicking or taking any requested action, it is important to stop, think and not to panic. Check the email for misspellings, grammatical errors and anything out of the ordinary.
If a link is included in the email, hover the mouse arrow over it to find out the true URL to see if it will direct you to a genuine domain. If the email contains an attachment, do not open it. If you are worried about the email, contact the organization that claims to have sent the message by obtaining the correct contact details from the Internet and verify the authenticity of the request.
In the most part, any serious matter such as a subpoena or important change to legislation would be unlikely to be communicated via email, and certainly not in an email attachment or via a link to a domain.
Phishing attacks on tax professionals are soaring. Tax professionals across the United States have been extensively targeted by cybercriminals this tax season who fool them into disclosing sensitive information such as login credentials and tax information.
The IRS has received 177 reports from tax professionals that have fallen for the scams this year and have disclosed sensitive information, although the victim count is likely to be much higher since not all phishing attacks are reported. Currently, the IRS is receiving between three and five new reports of successful phishing scams each week.
Many of the victims have reported large data losses as a result of the phishing scams. Tax information is used by cybercriminals to file fraudulent tax returns in the victims’ names. The data can also be used for identity theft.
The IRS says tax professionals are being extensively targeted by highly organized criminal gangs in the United States, as well as international crime rings. The IRS points out that the criminals conducting phishing attacks on tax professionals “are well funded, knowledgeable and creative.”
Targets are researched and information is often included in the emails that is relevant to the recipient. The name and address of the target are often used in the emails and the requests are highly credible. Emails may request data or provide a hyperlink for the recipient to click. Clicking the link results in malware being downloaded that gives the attacker access to the computer. Keyloggers are often downloaded that record and transmit passwords.
The Anti Phishing Working Group tracked 1.2 million unique phishing attacks last year, representing a 65% rise from 2015. Those scams often involve millions of emails. Currently, APWG is tracking an average of 92,564 unique phishing attacks each month.
Phishing attacks on tax professionals can be highly sophisticated, but in the majority of cases it is possible to block attacks by employing basic security measures. Unfortunately, many organizations overlook these steps.
The IRS is working closely with the tax industry and state tax agencies as the ‘Security Summit’. The Security Summit has recently launched a new campaign to help tackle the problem of phishing by raising awareness of the threat via a new “Don’t Take the Bait” campaign.
Over the next 10 weeks, the Security Summit will send weekly emails to raise awareness of the different types of phishing scams and other threats. The Security Summit has kicked off the campaign with spear phishing, which will be followed by education efforts to raise awareness of CEO fraud/BEC scams, ransomware attacks, remote account takeovers, EFIN thefts and business identity theft.
Blocking phishing attacks on tax professionals requires layered defenses, one of the most important being the use of software solutions to prevent phishing emails from being delivered to end users’ inboxes. SpamTitan blocks more than 99.9% of email spam and keeps inboxes free from malicious messages. If emails are not delivered, employees will not be tested.
Even with software solutions in place it is important for all employees to be aware of the threat from phishing. Security training should be provided to teach employees how to recognize the tell-tale signs of phishing emails and organizations should try to develop a culture of security awareness.
IRS Commissioner John Koskinen said “Doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”
The IRS recommends several measures to reduce risk:
- Educate all employees on the risk from spear phishing and phishing in general
- Ensure strong passwords are used
- Always question emails – Never take them at face value
- Never click a link without first checking the destination URL – Hover the mouse arrow over a masked link to find the true URL
- Use two-factor authentication for all email requests to send sensitive data – Confirm with the sender via the telephone
- Use security software to block phishing emails and malware and ensure the software is updated automatically
- Use the security settings in tax preparation software
- Report suspicious emails to the IRS
A new Facebook phishing scam has been detected that attempts to fools end users into believing they are on the genuine Facebook site using a technique called URL padding. The attack method is being used in targeted attacks on users of the mobile Facebook website.
As with other Facebook phishing scams, the aim of the attackers is to get end users to reveal their Facebook login credentials. The scam takes advantage of poor security awareness and a lack of attentiveness.
URL padding – as the name suggests – involves padding the URL with hyphens to mask the real website that is being visited. The URLs being used by the attackers start with m.facebook.com, which is the correct domain for the genuine Facebook website. In a small URL bar on mobile phones, this part of the URL will be clearly visible.
What follows that apparent domain is a series of hyphens: m.facebook.com————-. That takes the latter part of the domain outside the viewable area of the address bar. End users may therefore be fooled into thinking they are on the genuine website as they will not see the last part of the URL. If they were to check, they would see that m.facebook.com————- is actually a subdomain of the site they are visiting.
The hyphens would be a giveaway that the site is not genuine, but the attackers add in an additional word into the URL such as ‘validate’ or ‘secure’ or ‘login’ to add authenticity.
The attackers have lifted the login box and branding from Facebook, so the login page that is presented appears to be the same as is used on the genuine site.
One telltale sign that all is not as it appears is the use of hxxp:// instead of https:// at the start of the URL, a sure sign that the site is not genuine. Even so, many Facebook users would be fooled by such a scam. URL padding is also being used to target users of other online services such as Apple iCloud and Comcast.
Facebook accounts contain a wealth of information that can be used in future spear phishing campaigns or attacks on the victims’ contacts. PhishLabs, which discovered the new scam, says the attackers are currently using this phishing scam for the latter and are using the account access to spam end users’ contacts and conduct further phishing campaigns.
While the scam has been detected, it is currently unclear how links to the phishing website are being distributed. While it is possible that they are arriving via spam email, Phishlabs suggests SMS messages or messenger services are being used.
The Texas-based online hotel booking website Hotels.com is notifying customers that some of their sensitive information has been exposed. The Hotels.com breach potentially involved usernames and passwords, email addresses, and the last four digits of site users’ credit card numbers.
Users’ accounts were hacked between May 22 and May 29, although at this stage it is unclear exactly how many individuals have been affected. While full credit card numbers were not obtained, the Hotels.com breach will see users face an elevated risk of phishing attacks.
Phishing emails come in many guises, although it is common for users of a site that has experienced a data breach or security incident to receive warning emails about the attack. The emails rightly claim that a user’s sensitive information has been compromised; however, the emails do not come from the company that experienced the breach. Instead, it is the cybercriminals who conducted the attack, or individuals who have bought stolen data from the attackers, that send the emails.
A typical phishing scenario sees individuals informed that their usernames and passwords have been compromised. A link is included in the emails to allow the user to reset their password or activate additional security controls on their account.
That link will direct the user to a phishing website where further information is obtained – the missing digits from their credit card number for example – or other personal information. Alternatively, the link could direct the user to a malicious website containing an exploit kit that downloads malware onto their computer.
Hotels.com customers were targeted in a 2015 phishing campaign which resulted in many site users divulging information such as names, phone numbers, email addresses and travel details. That information could be used in further scams or even for robberies when victims are known to be on vacation.
The Hotels.com breach is the latest in a number of attacks on online companies. While it is currently unclear how access to customers’ accounts was gained, a letter emailed to affected users suggests the attacks could be linked to breaches at other websites. The letter suggests access to online accounts could have resulted from password reuse.
Reusing passwords on multiple online platforms is a bad idea. While it is easier to remember one password, a breach at any online website means the attackers will be able to access accounts on multiple sites.
To prevent this, strong, unique passwords should be used for each online account. While these can be difficult to remember, a password manager can be used to store those passwords. Many password managers also help users generate strong, unique passwords. Users should also take advantage of two-factor authentication controls on sites whenever possible to improve security.
Since many businesses use hotel booking websites such as Hotels.com, they should be particularly vigilant for phishing emails over the coming weeks, especially any related to hotels.com. To protect against phishing attacks, we recommend using SpamTitan. SpamTitan blocks more than 99.9% of phishing and other spam emails, reducing the risk of those messages being delivered to end users. Along with security awareness training and phishing simulation exercises, businesses can successfully defend against phishing attacks.
In the United States, the healthcare industry is being targeted by cybercriminals, with phishing attacks on healthcare organizations one of the easiest and most common methods of gaining access to email accounts and protected health information. A phishing email is sent to a healthcare employee along with a seemingly legitimate reason for revealing their login credentials. Doing so will give the attackers access to an email account and the protected health information of patients in those emails. Emails accounts contain a wealth of information that can be used for further attacks. A compromised email account can be used to send further phishing emails within a company. One response to a phishing email can see many email accounts compromised. A single phishing email can result in a major security incident and costly data breach.
There have been many phishing attacks on healthcare organizations this year and the past 12 months has seen numerous phishing-related data breaches added to the Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal. Any breach of protected health information that results in more than 500 records being exposed is investigated by OCR. During investigations of phishing attacks on healthcare organizations, OCR often finds that Health Insurance Portability and Accountability Act Rules have been violated. Healthcare organizations are discovered not to have performed risk assessments – as is required by the HIPAA Security Rule – and have failed to identify the risk of phishing and take appropriate steps to reduce risk to an acceptable level.
When organizations are found to have violated HIPAA Rules, heavy fines may follow. Recently, OCR has investigated several healthcare phishing attacks and has taken some cases forward to settlement. The HIPAA fines can be considerable.
In 2015, OCR announced its first HIPAA settlement for a phishing attack. University of Washington Medicine was fined $750,000 as a result of a malware installation that occurred when an employee responded to a phishing email. In that case, 90,000 patients had their information revealed to the attackers. A HIPAA penalty for a phishing attack was also announced last month, with the Colorado based Metro Community Provider Network (MCPN) having to pay OCR $400,000 to resolve HIPAA violations discovered during the investigation of the phishing attack. The phishing attack resulted in an email account being compromised, and along with it, the protected health information of 3,200 patients. The employee did not reveal their email credentials in that case, at least not directly. Instead, the response to the email resulted in a malware installation that gave the attacker access to the email account. Phishing attacks on healthcare organizations are to be expected. OCR is aware that it may not be possible to prevent 100% of phishing attacks, 100% of the time. Not all phishing attacks on healthcare organizations will therefore result in a HIPAA fine. However, failing to reduce risk to an acceptable level is another matter. If healthcare organizations do not do enough to prevent phishing attacks, fines are likely to result.
So, how can phishing attacks on healthcare organizations be prevented and what can healthcare organizations do to reduce risk to a level that will be deemed acceptable by OCR? The HIPAA Security Rule requires protections to be put in place to safeguard the confidentiality, integrity, and availability of PHI. While the Security Rule does not specify exactly which security solutions should be used, there are two essential anti-phishing controls that should be employed.
A spam filtering solution should be used to prevent phishing and other malicious emails from being delivered to end users’ inboxes. It would be hard to argue that the threat from phishing has been reduced to an acceptable level if no controls are in place to block phishing emails from being delivered. Healthcare employees must also receive security awareness training. All employees should be informed of the risk of phishing and the methods used by cybercriminals to gain access to computers and data. They should be taught best practices and shown how to identify phishing emails and other malicious email threats. By blocking phishing emails and training end users, the risk from phishing can be significantly reduced.
Cybercriminals have started sending WannaCry phishing emails, taking advantage of the fear surrounding the global network worm attacks.
An email campaign has been identified in the United Kingdom, with BT customers being targeted. The attackers have spoofed BT domains and made their WannaCry phishing emails look extremely realistic. BT branding is used, the emails are well written and they claim to have been sent from Libby Barr, Managing Director, Customer Care at BT. A quick check of her name on Google will reveal she is who she claims to be. The WannaCry phishing emails are convincing, cleverly put together, and are likely to fool many customers.
The emails claim that BT is working on improving its security in the wake of the massive ransomware campaign that affected more than 300,000 computers in 150 countries on May 12, 2017. In the UK, 20% of NHS Trusts were affected by the incident and had data encrypted and services majorly disrupted by the ransomware attacks. It would be extremely hard if you live in the UK to have avoided the news of the attacks and the extent of the damage they have caused.
The WannaCry phishing emails provide a very good reason for taking prompt action. BT is offering a security upgrade to prevent its customers from being affected by the attacks. The emails claim that in order to keep customers’ sensitive information secure, access to certain features have been disabled on BT accounts. Customers are told that to restore their full BT account functionality they need to confirm the security upgrade by clicking on the upgrade box contained in the email.
Of course, clicking on the link will not result in a security upgrade being applied. Customers are required to disclose their login credentials to the attackers.
Other WannaCry phishing emails are likely to be sent claiming to be from other broadband service providers. Similar campaigns could be used to silently download malware or ransomware.
Cybercriminals often take advantage of global news events that are attracting a lot of media interest. During the Olympics there were many Olympic themed spam emails. Phishing emails were also rife during the U.S. presidential elections, the World Cup, the Zika Virus epidemic, and following every major news event.
The golden rule is never to click on links sent in email from individuals you do not know, be extremely careful about clicking links from people you do know, and assume that any email you receive could be a phishing email or other malicious message.
A single phishing email sent to an employee can result in a data breach, email or network compromise. It is therefore important for employers to take precautions. Employees should be provided with phishing awareness training and taught the tell-tale signs that emails are not genuine. It is also essential that an advanced spam filtering solution is employed to prevent the vast majority of phishing emails from reaching end users inboxes.
On that front, TitanHQ is here to help. Contact the team today to find out how SpamTitan can protect your business from phishing, malware and ransomware attacks.
A recent wave of DocuSign phishing emails has been linked to a data breach at the digital signature technology provider. A hacker gained access to a ‘non-core’ system that was used to send communications to users via email and stole users’ email addresses.
DocuSign reports that the peripheral system was compromised and only email addresses were accessed and stolen. No other data has been compromised as a result of the cyberattack. The data breach only affected DocuSign account holders, not registered users of eSignature.
It is currently unclear exactly how many email addresses were stolen, although the DocuSign website indicates the firm has more than 200 million users.
The attacker used customers’ email addresses to send specially crafted DocuSign phishing emails. The emails containing links to documents requiring a signature. The purpose of the emails was to fool recipients into downloading a document containing a malicious macro designed to infect computers with malware.
As is typical in phishing attacks, the DocuSign phishing emails appeared official with official branding in the headers and email body. The subject lines of the email were also typical of recent phishing campaigns, referring to invoices and wire transfer instructions.
The san Francisco based firm has been tracking the phishing emails and reports there are two main variations with the subject lines: “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature,” or “Completed *company name* – Accounting Invoice *number* Document Ready for Signature.”
The emails have been sent from a domain not linked to DocuSign – a sign that the emails are not genuine. However, due to the realism of the emails, many end users may end up clicking the link, downloading the document and infecting their computers.
Recipients are more likely to click on links and open infected email attachments if they relate to a service that the recipient uses. Since DocuSign is used by many business users, there is a significant threat of a network compromise if end users open the emails and follow the instructions provided by the threat actors.
Businesses can reduce the risk of malicious emails reaching end users inboxes by implementing an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam emails and 100% of known malware using dual antivirus engines for maximum protection.
To find out more about SpamTitan and other antimalware controls to protect your business, contact the TitanHQ team today.
A new email-borne threat has recently been discovered. Fatboy ransomware is a new ransomware-as-a-service (RaaS) being offered on darknet forums in Russia. The RaaS offers would-be cybercriminals the opportunity to conduct ransomware campaigns without having to develop their own malicious code.
RaaS has proven incredibly popular. By offering RaaS, malicious code authors can infect more end users by increasing the number of individuals distributing the ransomware. In the case of Fatboy ransomware, the code author is offering limited partnerships and is dealing with affiliates directly via the instant messaging platform Jabber.
Fatboy ransomware encrypts files using AES-256, generating an individual key for the files and then encrypting those keys using RSA-2048. A separate bitcoin wallet is used for each client and a promise is made to transfer funds to the affiliates as soon as the money is paid. By offering to deal directly with the affiliates, being transparent about the RaaS and offering support, it is thought that the code author is trying to earn trust and maximize the appeal of the service.
Further, the ransomware interface has been translated into 12 languages, allowing campaigns to be conducted in many countries around the world. Many RaaS offerings are limited geographically by language.
Fatboy ransomware also has an interesting new feature that is intended to maximize the chance of the victim paying the ransom demand. This RaaS allows attackers to set the ransom payment automatically based on the victim’s location. In locations with a high standard of living, the ransom payment will be higher and vice versa.
To determine the cost of living, Fatboy ransomware uses the Big Mac Index. The Big Mac Index was developed by The Economist as a method of determining whether currencies were at their correct values. If all currencies are at their correct value, the cost of a product in each country should be the same. The product chosen was a Big Mac. In short, the higher the cost of a Big Mac in the victim’s country, the higher the ransom demand will be.
So far, Recorded Future – the firm that discovered the ransomware variant – says the code author has generated around $5,000 in ransom payments since February. That total is likely to rise considerably as more affiliates come on board and more end users are infected. There is no known decryptor for Fatboy ransomware at this time.
New ransomware variants are constantly being developed and RaaS allows many more individuals to conduct ransomware campaigns. Unsurprisingly, the number of ransomware attacks has grown.
The cost of resolving a ransomware infection can be considerable. Businesses therefore need to ensure they have defenses in place to block attacks and ensure they can recover fast.
Backups need to be made regularly to ensure files can be easily recovered. Staff need to be trained on security best practices to prevent them inadvertently installing ransomware. Antispam solutions should also be implemented to prevent malicious emails from reaching end users’ inboxes. Fortunately, even with a predicted increase in ransomware attacks, businesses can effectively mitigate risk if appropriate defenses are implemented.
For advice on security solutions that can block ransomware attacks, contact the TitanHQ team today.
The Internet Crime Complaint Center (IC3) has issued a new alert to businesses warning of the risk of business email compromise scams.
The businesses most at risk are those that deal with international suppliers as well as those that frequently perform wire transfers. However, businesses that only issue checks instead of sending wire transfers are also at risk of this type of cyberattack.
In contrast to phishing scams where the attacker makes emails appear as if they have come from within the company by spoofing an email address, business email compromise scams require a corporate email account to be accessed by the attackers.
Once access to an email account is gained, the attacker crafts an email and sends it to an individual responsible for making wire transfers, issuing other payments, or an individual that has access to employees PII/W-2 forms and requests a bank transfer or sensitive data.
The attackers often copy the format of emails previously sent to the billing/accounts department. This information can easily be gained from the compromised email account. They are also able to easily identify the person within the company who should be sent the request.
Not all business email compromise scams are concerned with fraudulent bank transfers. IC3 warns that the same scam is also used to obtain the W-2 tax statements of employees, as has been seen on numerous occasions during this year’s tax season.
Phishing scams are often sent out randomly in the hope that some individuals click on malicious links or open infected email attachments. However, business email compromise scams involve considerable research on the company to select victims and to identify appropriate protocols used by the company to make transfer requests.
Business email compromise scams often start with phishing emails. Phishing is used to get end users to reveal their login credentials or other sensitive information that can be used to gain access to business networks and perform the scam. Malware can also be used for this purpose. Emails are sent with links to malicious websites or with infected email attachments. Opening the attachments or clicking on the links downloads malware capable of logging keystrokes or provides the attackers with a foothold in the network.
IC3 warns that business email compromise scams are a major threat for all businesses, regardless of their size. Just because your business is small, it doesn’t mean that you face a low risk of attack.
Between January 2015 and December 2016, IC3 notes there was a 2,370% increase in BEC scams. While funds are most commonly sent to bank accounts in China and Hong Kong, IC3 says transfers have been made to 103 countries in the past two years.
The losses reported by businesses are staggering. Between October 2013 and December 2016, more than $5 billion has been obtained by cybercriminals. United States businesses have lost $1,594,503,669 in more than 22,000 successful scams. The average loss is $71,528.
IC3 lists the five most common types of business email compromise scams as:
- Businesses receiving requests from frequently used suppliers requesting transfers be made to a new bank account.This is also known as a bogus invoice scam.
- An executive within the company (CFO or CTO for example) requests a transfer be made by a second employee in the company. This is also known as a business executive scam.
- A compromised email account is used to send a payment request/invoice to a vendor in the employees contact list.
- The attackers impersonate an attorney used by the firm and request the transfer of funds. These scams are common at the end of the week or end of the business day. They are also known as Friday afternoon scams.
- A request is sent from a compromised email account to a member of the HR department requesting information on employees such as W-2 Forms or PII. These scams are most common during tax season.
There are a number of strategies that can be adopted to prevent business email compromise attacks from being successful.
- Using a domain-based email account rather than a web-based account for business email accounts
- Exercising caution about the information posted to social media accounts. This is where the attackers do much of their research
- Implement a two-step verification process to validate all transfer requests
- Use two-factor authentication for corporate email accounts
- Never respond to an email using the reply option. Always use forward and type in the address manually
- Register all domains that are similar to the main domain used by the company
- Use intrusion detection systems and spam filters that quarantine or flag emails that have been sent with extensions similar to those used by the company – Blocking emails sent from xxx_company.com if the company uses xxx-company.com for example
- Be wary of any request that seems out of the ordinary or requires a change to the bank account usually used for transfers
A Google phishing scam has been spreading like wildfire over the past couple of days. Emails have been sent in the millions inviting people to edit Google Docs files. The emails appear to have been sent by known individuals, increasing the likelihood of the messages being opened and the links being clicked.
In contrast to many email scams that include a link to a spoofed website, this scam directs the recipient to Google Docs. When the user arrives at the site they will be presented with a legitimate Google sign-in screen.
The Google phishing scam works within the Google platform, taking advantage of the fact that individuals can create a third-party app and give it a misleading name. In this case, the app has been named ‘Google Docs.’
This makes it appear that Google Docs is asking for permission to read, send, delete, and manage emails and access the user’s contacts. However, it is the creator of the app that is asking to be granted those permissions. If users check the developer name, they will see that all is not as it seems. Many individuals will not check, since the permission screen also includes Google logos.
Signing in will give the attacker access to the user’s Google account, including their emails, Google Docs files, and contact list. Further, signing in on the website will also result in the victim’s contact list being sent similar invitations. Unsurprisingly, many have fallen for the Google phishing scam and countless emails are still circulating.
The scam appears to have started at some point on Wednesday. Google has now issued an official statement saying it is taking action to protect users and has disabled the accounts that are being used to conduct the scam.
Google confirmed the actions it has taken in response to the phishing scam, saying “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”
Anyone who receives a request to edit a Google Doc should treat the request with suspicion, even if it has been sent from someone known to the recipient.
If you think you may have fallen for this phishing scam it is likely that emails will already have been generated and sent to your contacts. However, you can take action to block the threat by revoking the access rights you have given to the app through the Connected Apps and Sites page.
The Google phishing scam is highly convincing and clearly shows how sophisticated cybercriminals are getting in their attempts to gain access to sensitive information and why it is imperative that email users be permanently on their guard.
Training employees on basic cybersecurity is essential. Conventional cybersecurity solutions such as antivirus software are no longer as effective at blocking threats as they once were and employees are targeted by cybercriminals.
Cybercriminals are well aware that employees are easy to fool. Social engineering techniques are used to create highly convincing phishing scams. Those emails contain images of well-known brands and text that would not look out of place in an official communication. Believable reasons are given for the need to disclose login credentials, click on hyperlinks or open email attachments. The emails are effective.
Email is now the number one attack vector for cybercriminals and the biggest cybersecurity threat for businesses.
Employees Still Lack Security Awareness
Even though the threat from phishing has been widely reported in the media, many employees still take major security risks at work.
A recent survey conducted by Glassdoor on UK office workers highlights how serious the risk of email cyberattacks is. 1,000 office workers from mid to large-sized businesses in the UK were asked questions about cybersecurity. 58% of respondents said they usually opened email attachments sent from unknown individuals.
Cybercriminals often mask email addresses to make the emails appear as if they have been sent from someone in the recipient’s contact list. Those tactics are even more effective at getting an end user to take the desired action – clicking on a hyperlink or opening an email attachment. The former directs the end user to a malicious website where malware is silently downloaded. Opening the email attachment results in code being run that downloads a malicious payload.
When asked how often email attachments from known senders were opened, 83% of respondents said they always or usually opened email attachments. Office workers were also asked whether their organization had experienced a cyberattack. 34% of respondents said it had.
How often are malicious emails getting past organizations security defenses? 76% of respondents said suspicious emails had been sent to their work email inboxes.
The survey suggests cybersecurity training is either not being conducted or that it is in effective and email security solutions are not in place or have not been configured correctly.
20% of respondents said their organization had no policy on email attachments, or if it did, it had not been communicated to them. 58% said they would feel much safer if their organization had the appropriate technology in place to protect them from email attacks.
How to Improve Defenses Against Email Attacks
Organizations must ensure appropriate technology is in place to block malicious emails and that employee cybersecurity training programs are developed to raise awareness of the risks of cyberattacks via email.
Policies should be developed – and communicated to staff – covering email attachments and hyperlinks. If staff are unaware of the risks, they cannot be expected to be able to identify an email as suspicious and take the appropriate action. It must also be made clear to employees what actions should be taken if suspicious emails are received.
Cybersecurity training programs should also be evaluated. If those programs are not tested, employers will not know how effective their training is. Sending dummy phishing emails is a good way to determine whether training programs are effective.
A powerful spam filtering and anti-phishing solution should also be employed to prevent malicious emails from reaching end users’ inboxes. SpamTitan, for instance, is an advanced antispam solution for SMEs that blocks over 99.7% of spam emails and 100% of known malware. By preventing malicious emails from reaching end users’ inboxes, employee cybersecurity training will not be put to the test.
In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.
Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems. Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.
Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.
No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.
Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.
Recent Phishing Attacks on Schools, Colleges, and Universities
Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.
Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.
This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.
Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.
Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.
How to Improve Defenses Against Phishing Attacks
Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.
An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.
It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters can be configured to block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.
Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.
IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.
Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.
If you would like further information on the range of cybersecurity protections that can be put in place to prevent phishing attacks on schools and other educational institutions, call TitanHQ today for an informal chat.
A phishing attack on a HIPAA-covered entity has resulted in a $400,000 penalty for non-compliance with HIPAA Rules. This is not the first time a phishing attack has attracted a penalty from OCR for non-compliance.
The failure to prevent phishing attacks does not necessarily warrant a HIPAA penalty, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in hot water.
HIPAA Compliance and Phishing
The U.S. Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing Health Insurance Portability and Accountability Act Rules. While OCR conducts audits of covered entities to identify aspects of HIPAA Rules that are proving problematic for covered entities, to date, no financial penalties have been issued as a result of HIPAA violations discovered during compliance audits. The same is certainly not the case when it comes to investigations of data breaches.
OCR investigates each and every data breach that impacts more than 500 individuals. Those investigations often result in the discovery of violations of HIPAA Rules. Any HIPAA-covered entity that experiences a phishing attack that results in the exposure of patients’ or health plan members’ protected health information could have historic HIPAA violations uncovered. A single phishing attack that is not thwarted could therefore end up in a considerable fine for non-compliance.
What HIPAA Rules cover phishing? While there is no specific mention of phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative requirements of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate training to staff members. §164.308.(a).(5).(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be ignored.
These administrative requirements include the issuing of security reminders, protection from malicious software, password management and login monitoring. Employees should also be taught how to identify potential phishing emails and told about the correct response when such an email is received.
The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures, such as encryption, should be employed to protect ePHI. Since ePHI is often available through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.
Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cytberattacks – PhishMe reports 91% of cyberattacks start with a phishing email – a spam filtering solution can be classed as an essential security control.
The risk from phishing should be highlighted during a risk analysis: A required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of a covered entity’s security management process.
HIPAA Penalties for Phishing Attacks
OCR has recently agreed to a settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, Colorado following a phishing attack that occurred in December 2011. The attack allowed the attacker to gain access to the organization’s email accounts after employees responded by providing their credentials. The ePHI of 3,200 individuals was contained in those email accounts.
The fine was not exactly for failing to prevent the attack, but for not doing enough to manage security risks. MCPN had failed to conduct a risk analysis prior to the attack taking place and had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR settled with MCPN for $400,000.
In 2015, another covered entity ended up settling with OCR to resolve violations of HIPAA Rules following a phishing attack. University of Washington Medicine paid OCR $750,000 following the exposure of 90,000 individual’s ePHI. In that case, the phishing attack allowed attackers to install malware. OCR Director at the time, Jocelyn Samuels, pointed out “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” She also said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”
Covered entities are not expected to prevent all phishing attacks, but they must ensure the risk of phishing has been identified and measures put in place to prevent phishing attacks from resulting in the exposure of theft of ePHI. If not, a HIPAA fine may be issued.
The Solicitors Regulation Authority in the United Kingdom has recently issued a warning about law firm email scams following a sharp rise in law firm cyberattacks.
According to SRA figures, almost 500 UK law firms have been targeted by cybercriminals. One of the most common law firm email scams seen in recent weeks involves an attacker sending an email to a solicitor pretending to be a new client. While the attacker could claim to have any number of legal problems in the initial email, one of the favored themes is a property or business that is about to be purchased or sold.
Legal services are requested and, when the solicitor replies, the attacker sends an email containing a malicious email attachment. The email attachment does not contain the malware, instead a malicious macro is embedded in the document. A believable explanation for the inclusion of the macro is provided in the document to allay suspicion. If the macro is enabled, a script is run that downloads the malicious payload. The download occurs silently so the solicitor is unlikely to be aware that their computer has been infected.
The malware then collects and exfiltrates sensitive data, or provides access to the solicitor’s computer allowing the attacker to search for any useful data. Keyloggers can also be installed to log keystrokes on the infected computer and collect login information for email and bank accounts.
The SRA has emphasized there is a high risk of attack, suggesting UK solicitors should treat cybercrime as a priority risk. Action should be taken promptly to mitigate the risk and ensure that the firm’s data are secured. The SRA warns that a cyberattack can cause considerable damage to a firm’s reputation and could result in significant harm to clients. Clients and the law firm can suffer considerable financial losses as a result of these scams.
Not all cyberattacks on law firms involve malware. Phishing is also a major risk. Many law firm email scams attempt to get solicitors to reveal sensitive information such as login credentials, passwords, or other confidential information. These law firm email scams are not easy to identify. Cybercriminals invest considerable time and effort into building up relationships with solicitors via email or over the telephone to build trust. Once a personal relationship has been established it is far easier for the scammers to fool solicitors into revealing sensitive information.
The seriousness of the threat is clear from the reports of cybercrime received by the SRA from solicitors over the past year. The SRA says more than £7 million of clients’ money has been stolen from solicitors in 2016.
The advice to law firms on reducing cybersecurity risk is:
- Make sure all data are backed up and stored securely on a drive that is not connected to a computer
- Make use of secure cloud services for storing sensitive data and accessing and processing information
- Keep software up to date. Patches and software/system updates should be applied promptly
- Solicitors should consider using encryption services for all stored data, especially on mobile devices
- Antivirus and antimalware systems should be installed and set to update definitions automatically. Regular scans of systems should also be scheduled.
As an additional protection against law firm email scams, solicitors should implement an advanced antispam solution to prevent phishing and other malicious emails from being delivered.
To protect against malicious links and redirects from malvertising, solicitors should consider implementing a web filtering solution. A web filter can be used to block visits to webpages known to contain malware.
Spammers and scammers are constantly updating their malware distribution tactics to ensure their malicious payloads are delivered to unsuspecting end users. However, Microsoft has spotted a major change to malware distribution tactics used by cybercriminals. The change has prompted the software giant to issue a new warning.
Malware, including ransomware, is commonly distributed via spam email. Links to malicious websites are used in an attempt to bypass spam filter controls; however, malicious attachments are the delivery mechanism of choice for many cybercriminal gangs. Malicious links are commonly blocked by web filtering solutions – WebTitan for example prevents all users from visiting websites known to be malicious.
To bypass spam filter controls, attachments rarely include the actual malware or ransomware files, instead the files contain scripts that download the malicious payload.
Due to the ease at which these malicious downloaders are being identified, malware distribution tactics have been changed. Rather than use these suspect files, cybercriminals have switched to file types that are less obviously malicious. Microsoft has noticed a trend for using LNK files and SVG files containing malicious PowerShell scripts.
LNK files are Windows shortcut files which usually point to some form of executable file. SVG (Scalable Vector Graphics) files are image files, and are much more innocuous. These files are typically opened with image software such as Adobe Creative Suite or Illustrator. Double clicking on these malicious LNK and SVG files will launch PowerShell scripts that download malware or ransomware.
Protecting against these types of attacks may seem fairly straightforward. It is possible, for example, to set restrictions on PowerShell commands to prevent them from running. However, even with restrictions in place, those policies can be easily bypassed. Intel Security has recently explained one such method: “PowerShell’s Get-Content can access the content of a .ps2 malware script and pass it to Invoke-Expression (iex) for execution.”
A W-2 Form phishing scam that has been extensively used to con businesses out of the tax information of their employees is now being used on educational institutions. School districts need to be on high alert as cybercriminals have them fixed in their cross-hairs.
Over the past few weeks, many school districts have fallen victim to the scammers and have disclosed the W-2 Form data of employees. Teachers, teaching assistants, and other members of school staff have had their Social Security numbers and earnings information sent to fraudsters. The data are used to file fraudulent tax returns in victims’ names.
At face value, the W-2 Form phishing scam is one of the simplest con-tricks used by cybercriminals. It involves sending an email to a member of the HR or payroll team asking for the W-2 Forms of all employees to be sent via email. Why would any employee send this highly sensitive data? Because the email appears to have been sent from individuals within the school district who have a genuine need for the information. This is why the W-2 Form phishing scam is so effective. In many cases, suspicions are not aroused for a number of days after the emails have been sent. By that time, fraudulent tax returns may have been filed in the names of all of the victims.
It is unknown how many school districts have been targeted to date with this W-2 Form phishing scam, although 10 school districts in the United States have announced that their employees have fallen for the scam this year and have emailed W-2 Form data to the attackers. In total, 23 organizations have announced that an employee has fallen for a W-2 Form phishing scam in 2017, and at least 145 organizations fell for similar scams last year.
Due to the number of attacks, the IRS issued a warning in early 2016 to alert all organizations to the threat. The increase in attacks in 2017 has prompted the IRS to issue a warning once again. While corporations are at risk, the IRS has issued a warning specifically mentioning school districts, as well as non-profits and tribal organizations.
The IRS warning explains how cybercriminals have started even earlier this year. While the W-2 Form phishing scam emerged last year, many attacks occurred relatively late in the tax season. Cybercriminals are attempting to get the data sooner this year. The sooner a fake tax return is filed, the greater the chance that a refund will be issued.
A variety of spoofing techniques are employed to make the email appear like it has come from the email account of an executive or other individual high up in the organization. In some cases, criminals have first compromised the email account of a board member, making the scam harder to identify.
This year has also seen a new twist to the scam with victims targeted twice. In addition to the W-2 Form scam, the victims are also subjected to a wire transfer scam. After W-2 Forms have been sent, a wire transfer request is made to the payroll department. Some organizations have been hit with both scams and have disclosed employees’ tax information and then made a wire transfer of several thousand dollars to the same attackers.
Protecting against these scams requires a combination of technology, training and policy/procedural updates. The first step for all organizations – including school districts – is to send an email to all HR and payroll staff warning them about these phishing scams. Staff must be made aware of the scam and told to be vigilant.
Policies and procedures should be updated requiring payroll and HR staff to authenticate any email request for W-2 Form data by telephone prior to sending the information.
An advanced spam filter – such as SpamTitan – can also greatly reduce the risk of W-2 Form scam emails being delivered to end users’ inboxes. Blocking suspicious emails will reduce reliance on training and user awareness of these scams. The spam filter will also be effective at blocking further scams and other malicious emails from being delivered.
Research conducted by the anti-phishing training company PhishMe has shown a worrying increase in phishing attacks in 2016 and has highlighted the importance of taking steps to reduce the risk of spear phishing attacks.
Unfortunately, cybercriminals are becoming much more adept at crafting highly convincing spear phishing campaigns. A wide range of social engineering techniques are used to fool employees into responding to the emails and the campaigns are becoming much harder to identify.
Unfortunately responding to these emails can result in email and network credentials being compromised, malware and ransomware being installed on corporate networks, and sensitive data being emailed to the attackers.
The study of phishing attacks in 2016 showed attacks increased by 55% year on year. PhishMe research shows that out of the successful data breaches in 2016, 90% started with a spear phishing email.
In 2016, business email compromise attacks rose by an incredible 1300%, while ransomware attacks increased 400%. Cybercriminals are attacking companies with a vigor never before seen and unfortunately many of those attacks have been successful.
The figures from the U.S. Department of Health and Human Services’ Office for Civil Rights – which tracks U.S. healthcare data breaches – show that 2016 was the worst ever year on record for healthcare data breaches. At least 323 breaches of more than 500 records occurred in 2016. Undoubtedly many more breaches have yet to be discovered.
Cybercriminals and hackers have employees firmly in their crosshairs. Unfortunately, employees are easy targets. A recent survey conducted by cybersecurity firm Avecto showed that 65% of employees are now wary about clicking on links emailed to them by strangers. Alarmingly, that means 35% are not.
The same survey showed that 68% of respondents have no concerns about clicking on links sent by their friends and colleagues. Given the extent to which email addresses and passwords have been compromised in the last year, this is incredibly worrying. 1 billion Yahoo accounts were breached and 117 million email addresses were compromised as a result of the LinkedIn breach. Gaining access to email accounts is not a problem for cybercriminals. If those accounts are used to send spear-phishing emails, the chance of links being clicked are very high. Unfortunately, all it takes is for one email account to be compromised for access to a network to be gained.
The risk of spear phishing attacks was clearly demonstrated in 2015 when the largest ever healthcare data breach was discovered. 78.8-million health plan members’ records were stolen from Anthem Inc. That breach occurred as a result of an employee of one of the insurer’s subsidiaries responding to a spear phishing email.
Anthem Inc., is the second largest health insurer in the United States and the company spends many tens of millions of highly complex cybersecurity defenses. Those multi-million dollar defenses were undone with a single email.
Organizations must take steps to reduce the risk of speak phishing attacks. Unfortunately, there is no single solution to eradicate risk. A multi-layered defense strategy is required.
An advanced anti-spam solution is essential to prevent the vast majority of spam and phishing emails from being delivered to end users. SpamTitan for example, blocks 99.97% of spam email and 100% of known malware.
Employees must be trained and their training must be tested with phishing exercises. Practice really does make perfect when it comes to identifying email scams. Endpoint defenses should also be employed, along with anti-virus and antimalware software.
The risk of spear phishing attacks will increase again in 2017. Doing nothing to improve cybersecurity defenses and combat the spear phishing risk could prove to be a very costly mistake.
All antispam solutions and spam filters check inbound messages for common spam signatures; however, it is also important to choose a solution that performs outbound email scanning. Outbound email scanning ensures spam emails, or emails containing malware, are not sent from an organization’s email accounts or domains.
Your employees would be unlikely to knowingly use their corporate email accounts to send spam emails, but malware infections can allow cybercriminals to gain access to email accounts and use them to send high volumes of spam email messages. Cybercriminals could also compromise email accounts and use an organization’s domain to send malware and ransomware to clients and customers.
Should this happen, it can have a seriously detrimental effect on an organization’s reputation and may result in corporate email accounts or an entire domain being blacklisted.
Blacklists are maintained by a number of organizations – spamhaus.org for example. Internet Service Providers (ISPs), web servers, and antispam solutions check these blacklists before allowing emails to be delivered to end users. If a particular IP address, email account, or domain is listed in one of the blacklist databases, emails sent from the domain, IP address or email account will not be delivered.
Blacklists are updated in real-time and contain many millions of blocked domains and email addresses that have been reported as having been used for unwanted activity such as the sending of spam emails. If emails are sent from a blacklisted account, domain, or IP address those emails will either be directed to a quarantine folder, deleted, or will simply be rejected.
If a business has its domain added to a spam blacklist important emails to clients and customers will not get through. This can prove costly, as real estate firm Keller Williams has recently discovered.
Blacklisted Domains and Email Accounts Can Prove Costly for Businesses
Over the past few days, email messages sent from the kw.com domain used by Keller Williams have been rejected by AOL. Yahoo has been blocking emails from the kw.com account for some time. The problem appears to be the addition of the kw.com domain to spam blacklists.
If a Keller Williams real estate agent needs to send an email to a customer who has an AOL or Yahoo account, it will not be delivered. Agents have therefore been forced to get customers to open Google email accounts in order to send online paperwork or documents requiring e-signatures.
The issue also affects online paperwork sent via the transaction management software program Ziplogix, with one Keller Williams agent also claiming Dotloop is also affected. Some agents at Keller Williams have reportedly had to send important paperwork for listings and sales via personal email accounts to ensure emails are delivered.
The AOL website explains that when domains have been flagged as being abusive, the server will be temporarily blocked until the spamming stops. Until a domain is removed from its blacklist, AOL account holders will be prevented from receiving emails from the blocked domain. Removing the domain from the blacklist can take up to a week.
Removing a domain from the 80+ commonly used spam blacklists can be a time-consuming task; furthermore, if spam emails are sent from the account again, the domain will simply be added to the blacklists once more.
Outbound Email Scanning Prevents the Blacklisting of an Organization’s Domain
Unlike many third-party antispam solutions, SpamTitan checks incoming email messages for spam signatures as well as performing outbound email scanning. If an email account has been compromised and is being used to send spam emails, if malware is sending spam, those messages will be blocked and will not be sent. Outbound email scanning is an important protection that will prevent an organization’s domain or email accounts from being used to send spam or malware.
Organizations can therefore avoid the embarrassment and reputation damage that results from being suspected as engaging in spamming or malware delivery. They can also rest assured that in addition to blocking 99.97% of inbound email spam, their domains and email accounts will not be added to spam blacklists.
The Federal Trade Commission (FTC) in the United States has responded to the current ransomware epidemic by issuing ransomware advice for businesses and consumers. The FTC ransomware advice for businesses comes following a spate of high profile ransomware attacks on U.S businesses. The threat has prompted many U.S. government agencies to release ransomware advice for businesses in the past few months.
Ransomware is a form of malware that encrypts files on a victim’s computer and prevents them from being accessed. After a computer is infected, the attackers issue a ransom demand. In order to obtain the key to unlock the encryption the victim is required to pay a ransom. The ransom amount can be set by the attackers, although it is often around $500 per infected computer.
Ransomware has proved incredibly popular with cybercriminals as it offers a quick source of revenue. Since payment is made in an anonymous cryptocurrency such as Bitcoin, money can be collected without fear of being caught.
The scale of the problem has been shown by numerous reports by security firms. This month, SentinelOne released the results of a global survey that showed 48% of organizations had experienced at least one ransomware attack in the past 12 months. The companies that had been attacked had been forced to deal with an average of 6 ransomware incidents in the past year.
A report released by Beazley’s Breach Response Unit suggests ransomware attacks between January and September were four times higher than in 2015, while a report from Kaspersky Lab suggests there has been an eightfold increase in attacks in the past year.
Ransomware is installed via a number of different attack vectors. Ransomware gangs use exploit kits on websites that probe for vulnerabilities in browsers. Those vulnerabilities are leveraged to download ransomware. Malvertising is also used. This is the use of third party ad networks to spread malware. Adverts are created containing malicious code which directs users to websites that silently download ransomware. Ransomware downloaders were also allegedly sent out via Facebook Messenger this week.
While not all ransomware attacks result in files being encrypted, attacks carry a significant cost. SentinelOne suggests that in the United States, organizations spend an average of 38 man-hours restoring files from backups after a ransomware attack. Additional investment in security is also required after an attack.
Since ransomware can spread laterally across a network, a single infection can result in many computers being infected. Ransom demands of the order of tens of thousands of dollars are not uncommon. The recent ransomware attack on the San Francisco ‘Muni’ rail system saw a ransom demand of $73,000 issued.
Ransomware Advice for Businesses
Unfortunately, antivirus software can be ineffective at preventing ransomware attacks. Businesses looking to defend against ransomware must therefore use a range of techniques. These include:
- Ensuring all software is kept up to date and patches applied promptly
- Setting antivirus and antimalware programs to update definitions automatically
- Use endpoint security controls to prevent ransomware installations
- Implement a robust spam filter to prevent malicious emails from being delivered to end users
- Use a web filtering solution to prevent employees from visiting malicious websites and to monitor users’ online activities to identify high risk activities
- Use intrusion prevention software
- Train the workforce on security best practices and test knowledge to ensure training has been effective
- Ensure all members of staff are aware who to contact and what to do if they believe they have inadvertently installed malicious software
To avoid paying a ransom, it is essential to ensure that regular backups of data are performed. Multiple backups should be made to minimize the risk of data loss. Those backups should be stored on an air-gapped device to avoid backup files also being encrypted. A ransomware response plan should also be developed to reduce disruption to the business in the event of an attack.