Our spam news section provides up to date news on the latest threats that are likely to hit the inboxes of your employees. Cybercriminals are constantly changing tactics with new spam email campaigns, different social engineering techniques and new methods of installing malware and ransomware. By keeping up to date on the latest spam news, organizations can take timely action to mitigate risk.
In that regard, a spam filtering solution is essential. All it takes is for one employee to click on a malicious link or open an infected email attachment for an entire network to be compromised. A spam filter will check all incoming email messages and search for common spam signatures in addition to checking senders’ email accounts against blacklists of known spammers. Email attachments will be checked for virus signatures and hyperlinks compared to blacklists of known malicious domains.
Armed with the latest spam news, information security teams can send email alerts to their employees warning of pertinent threats that they need to be aware of.
This section also includes news on industry-specific attacks, in particular those that are being used to target the healthcare, education, financial services, legal and hospitality sectors.
Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.
People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.
Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.
The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.
The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.
The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.
Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.
In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.
Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.
With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.
Microsoft has announced it has taken control of the U.S. infrastructure of the Necurs botnet and has taken steps to prevent the botnet operators from registering new domains and the rebuilding the Necurs infrastructure.
The Scale of the Necurs Botnet
The Necurs botnet first appeared in 2012 and has grown into one of the largest spam and malware distribution networks. The botnet consists of around 9 million devices that have been infected with Necurs malware. Each device within the botnet is under the control of the cybercrime group behind the botnet.
The Necurs botnet is used to commit a wide range of cybercrimes by the operators of the botnet as well as other cybercriminal groups who rent out parts of the botnet as a service. The Necurs botnet was used for malware and ransomware distribution, cryptocurrency mining, and attacks on other computers to steal credentials and confidential data. The Necurs botnet also has a distributed Denial of Service (DDoS) module capable of performing massive DDoS attacks, although this function is yet to be used.
The main use of the botnet is spamming. The botnet has been used to send vast quantities of spam email, including emails pushing fake pharmaceutical products, pump and dump stock scams, and Russian dating scams. To give an example of the scale of the spamming, over a 58-day period of observation, Microsoft found that a single Necurs malware-infected computer had sent out 3.8 million spam emails to 40.6 million email accounts. That is just one infected device out of 9 million! In 2017, the botnet was being used to spread Dridex and Locky ransomware at a rate of around 5 million emails an hour and between 2016 and 2019 the botnet was responsible for 90% of email-based malware attacks.
The Takedown of Necurs Infrastructure
Microsoft has tracked the criminal activity of the Necurs botnet operators for 8 years. The gang is believed to be Evil Corp, the Russian cybercriminal group behind the Dridex banking Trojan. Evil Corp has been named the most harmful cybercrime group in the world.
The takedown of the Necurs botnet involved a coordinated effort by Microsoft and partners in 35 countries. Microsoft obtained an order from the U.S. District Court for the Eastern District of New York on March 5, 2020 to seize the U.S. domains used by the botnet operators. These domains were used to issue commands to the 9 million infected computers.
Simply seizing the domains would not be sufficient to take down the botnet, as the botnet’s command and controls servers could be rapidly rebuilt. Domains used by the threat actors are often taken down, so new domains are constantly registered weeks or months in advance.
The key to long-term disruption of the botnet was cracking the algorithm used by the threat actors to generate new domains. Microsoft analyzed the algorithm and calculated more than 6 million domains that would be used by the threat actors over the next 25 months. Steps have been taken to prevent those domains from being registered and becoming part of the Necurs infrastructure.
The 9 million devices around the world are still infected with Necurs malware. Microsoft and its partners have identified the infected devices and are working with ISPs and CERT teams around the world to rid those devices of the malware.
Just a few days after new figures from the FBI confirmed business email compromise scams were the biggest cause of losses to cybercrime, news broke of a massive cyberattack on a Puerto Rico government agency. Cybercriminals had gained access to the email account of an employee, understood to work in the Puerto Rico Employee Retirement System.
The compromised email account was used to send requests to other government agencies requesting changes be made to standard bank accounts for remittance payments. Since the email account used was trusted, the changes to bank accounts were made. Scheduled payments were then made as normal and millions of dollars of remittance payments were wired to attacker-controlled bank accounts.
The Puerto Rico Industrial Development Company, a state-owned corporation that drives economic development of the country, was one of the worst hit. Emails were received requesting changes to bank accounts and two payments were made. The first payment of $63,000 was made in December and another payment of $2.6 million in January. Other departments were also targeted, including the Tourism Company. The latter made a payment of $1.5 million. In total, the scammers attempted to steal around $4.73 million.
The business email compromise scam was uncovered when those payments were not received by the correct recipients. Prompt action was then taken to block the transfers and some of the payments were frozen, but the government has not been able to recover around $2.6 million of the stolen funds.
A full investigation has been launched to determine how the attackers gained access to the email account to pull off the scam. While the method used has not been confirmed, BEC attacks usually start with a spear phishing email.
A phishing email is sent to a person of interest requesting urgent action be taken to address a problem. A link is supplied in the email that directs the user to a website that requests their email account credentials. The account can then be accessed by the attacker. Attackers often set up mail forwarders to receive a copy of every email sent to and from the account. This enables them to learn about the company and typical payments and construct highly convincing scam emails.
Once access to a corporate email account is gained, the BEC scam is much harder to identify and block. The best defense is to ensure that the initial phishing emails are not delivered, and that is an area where TitanHQ can help.
A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.
The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.
A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.
A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.
The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign is targeted on users in in different Japanese prefectures and warning of an increase in the number of local confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.
If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.
To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.
More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.
Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.
For further information on protecting your email system, contact TitanHQ today.
It has been well documented how much time businesses waste dealing with spam and there is no denying the threat that malicious spam emails (malspam) pose, but it is not just a problem for big business. Spam in academia is also a major problem.
A recent study published in the journal, Scientometrics, explores the cost of spam in academia. The study was primarily focused on spam emails sent by new, non-peer reviewed journals that are attempting to gain a share of the market. These journals are adopting the same spam tactics often used by scammers to sell cheap watches, cut price medications, and for phishing and spreading malware.
Three researchers – Jaime A. Teixeira da Silva, Aceil Al-Khatib, and Panagiotis Tsigaria – attempted to quantify the amount of time that is being wasted dealing with those messages and the losses that result.
To assess the extent of the problem, the researchers used figures from several studies on spamming to obtain an average number of targeted spam emails that academics receive each day. They opted for a conservative figure of 4-5 messages, per academic, per day. Most of those messages take just a few seconds to open and read but that time mounts up. They assumed an average time of 5 seconds per message – less than half a minute per day. That equates to $100 per researcher, per year at an average hourly rate of $50. Using the United Nations estimate of the number of researchers in academia globally, the total global cost of spam in academia was estimated to be $1.1 billion a year.
That figure is based on the lost time alone and does not factor in non-targeted spam emails – bulk unsolicited emails not specifically targeting researchers. Add in the time dealing with those messages and the global cost reaches $2.6 billion a year. To put the cost into perspective, $2.6 million is much more than the time researchers devote to peer review, which has been estimated at costing $1.9 billion a year. The figures do not include the considerable losses due to phishing, malware, and ransomware attacks. Factor in those costs and the losses would be several orders of magnitude higher.
Co-author of the study, Panagiotis Tsigaris, a professor of economics at Thompson Rivers University in Canada, explained that there is no silver bullet when it comes to dealing with spam and suggested several ways that the cost of spam in academia could be reduced.
Tsigaris suggests that penalties should be increased for publishing in predatory journals, and that academics should be educated about spam email and improvements should be made to email filtering technology.
Here at TitanHQ we are well aware of the problem of spam, both in terms of the productivity losses that spam causes, and harm caused by malicious spam emails.
To help prevent losses and downtime due to spam and email-based threats, TitanHQ has developed a powerful, easy -to-use, and cost-effective cloud-based spam filtering solution called SpamTitan. SpamTitan has been independently tested and shown to block in excess of 99.9% of spam email, 100% of known malware and ransomware threats, and thanks to a host of detection measures and sandboxing, SpamTitan is also effective at blocking zero-day (new) malware and ransomware threats.
To find out more about SpamTitan and how you can block more spam and ensure malicious emails do not reach your researchers’ inboxes, give the TitanHQ team a call today.
Over the past 2 decades TitanHQ has been developing powerful cybersecurity solutions for SMBs and managed service providers (MSPs) that serve the SMB market. Naturally at TitanHQ we have great belief in our email security solution, SpamTitan. We believe it is the ideal spam filtering solution for SMBs and MSPs for preventing a myriad of email threats from reaching inboxes.
TitanHQ is the leading provider of cloud-based email security to MSPs serving the SMB market. We regularly receive positive feedback from MSPs and SMBs about how the solution has saved them hours of work compared to other email security solutions and has helped them improve email security and block more spam and stop malware and ransomware from reaching inboxes.
Positive feedback from end users proves we are getting it right and it inspires us to continue improving the solution to ensure it will keep on protecting our customers from malware, ransomware, viruses, botnets, and social engineering and phishing attacks for many years to come.
The positive feedback is not only provided to our engineers and customer service and sales teams. IT decision makers have posted highly positive reviews on the top business software review platforms and are letting other IT professionals know about their experiences implementing the solution, integrating it with their other cybersecurity solutions and management platforms, and what it is like to use SpamTitan on a daily basis.
In fact, across the different business review sites, SpamTitan has consistently received high scores. There is no other email security product on the market that has achieved such a wealth of positive reviews and feedback from end users.
Some of the positive reviews across the leading business software review sites are detailed below:
Gartner Peer Insights
Gartner Peer insights is one of the most highly respected review platforms from the world’s leading business advisory and research company. While Gartner strictly polices the review site, Gartner is unbiassed and has no hidden agenda. The review platform gives IT professionals the opportunity to give their honest feedback on software solutions that they have implemented to help other IT professionals save time and money in their search.
36 qualified users of SpamTitan have left reviews on the site and the solution has achieved highly positive feedback with an average user score of 4.7 out of 5.
“SpamTitan has been a very responsive vendor to work with, both during the sales process and with post-sales support. Tickets are responded to within several hours and often resolved within a day. The product itself is very MSP-friendly supporting delegation to client admins, multiple delivery pools, and attractive pricing. The catch rate is better than Exchange Online.” Microsoft Team Lead in the Services Industry
“SpamTitan takes a little technical knowhow, but it’s powerful, flexible and affordable.” Director of IT and Telecom in the Healthcare Industry.
“SpamTitan is superb giving control back to the user and giving time back to IT staff. The product is amazing, it stopped 99% of spam and gives total control back to the user, it is web based and was easy to migrate to. The support and migration management from TitanHQ was brilliant.” IT Security Manager in the Manufacturing Industry.
G2 Crowd is one of the leading business software review sites. 139 verified users of SpamTitan have left reviews on the site and the solution has achieved an overall score of 4.6 out of 5. SpamTitan has been rated consistently highly in all rating categories, achieving 9.3 out of 10 for meets requirements and ease of doing business with, 9.2 for ease of setup and quality of support, 9.1 for ease of use, and 9.0 for ease of admin.
Additionally, each quarter, G2 Crowd compiles its Email Security Grid and rates solutions based on customer feedback and market presence. For four consecutive quarters, SpamTitan has been the Top Email Security Solution.
“I really like the customization that is available for this product. We have total control over the spam filter environment for all our customers. The environment is stable which is very important to us and our customers. The support staff was great when we were getting our environment configured. They were quick to reply to emails and reach out to assist us as needed. The spam filtering is top-notch and much better than other products we have used.” Jeff Banks, Director Of Technology.
Antispam that is affordable, flexible and powerful.” Mike S, Director of IT and Telecommunications.
“Cloud Version is Great for Managed Service Providers.” Andrew B, Vice President.
“Minimizes our exposure to harmful malware and junk emails.” David C, Outreach Specialist.
112 users of SpamTitan have taken the time to submit their feedback to Google Reviews. The solution is consistently given top marks by users and has achieved an overall review score of 4.9 out of 5.
Some of the positive feedback from users includes:
“TitanHQ is an excellent solution which ticks many boxes. It’s simple to setup, and gives a huge range of functionality all from within one place. My experience of the Support help desk has been great with a team that really do know their product. I highly recommend TitanHQ.” Chris Bell.
“The Titan Span filter is by far one of the best email filters I have ever used. It was simple to setup, it allows users to release their own emails from quarantine quick and easy.” Joseph Walsh.
“Great product. Spam reduced to almost zero and no user complaints. Configuration is simple and support is awesome. Love it!” George Homme.
Capterra is a leading software review site that has been active for 20 years. The site has now been purchased by Gartner which moderates reviews on the site. Capterra includes more than 700 categories of software products and is one of the most highly respected business software review sites. It is relied upon by IT decision makers the world over.
SpamTitan has been reviewed by 379 users and has achieved an overall review score of 4.6 out of 5.
“It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using spam titan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes. I shut off the service for 48 hours just to make sure it easy legit, it was, and I haven’t shut it off again since. Whitelisting and blacklisting domains and specific emails are super easy. Support Staff are awesome and go into detail when resolving problems if they were to arise or even if you just have a question. They have always been friendly and courteous and super personable and have been some of the best people to work with in all my years doing IT.” Benjamin Jones, Director Of Information Technology.
“SpamTitan has saved me, saved my company time, and has some of the best support people around. It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using spam titan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes.” Benjamin J, Director of Information Technology.
Members of the Spiceworks community have also rated SpamTitan highly. The solution has been reviewed by 56 users and has an overall rating of 4.6 out of 5.
The software review site Software Advice includes 350 reviews of SpamTitan from business users and has achieved an average score of 5.58 out of 5.
According to SpamFilterReviews, SpamTitan is the top-rated spam filtering solution on the site with a score of 4.9 out of 5.
Cyberattacks on managed service providers have been increasing over the past few months and they are now a key target for hackers. If a hacker can gain access to the systems of a managed service provider, their remote administration tools can be used to launch attacks on their clients.
There have been several major cyberattacks on managed services providers in the past few weeks, with nation state-backed hacking groups targeting MSPs serving enterprises and ransomware gangs are conducting attacks on MSPs serving small and medium sized businesses.
Three major cyberattacks on managed service providers serving healthcare organizations in the United States have been reported in the past two months. All three have affected more than 100 healthcare clients and one impacted 400.
In late November, the Milwaukee-based managed IT service provider, Virtual Care Provider Inc., was attacked with Ryuk ransomware. The attack started on November 17, 2019 and affected all of its clients’ data. Around 110 nursing homes and acute care facilities were prevented them from accessing their patients’ medical records. The consequences for its clients were dire. Assisted living facilities and nursing homes were prevented from billing for Medicaid, which meant essential funding was not provided and nursing homes were prevented from ordering essential drugs for patients. Virtual Care Provider was issued with a $14 million ransom demand, which the company could not afford to pay. The managed service provider had around 20% of its services affected and had to rebuild around 100 servers.
The ransomware was deployed as a secondary payload by the TrickBot Trojan. TrickBot had been installed on its network 14 months previously via a malicious email attachment.
A few weeks later, a Colorado-based managed service provider serving dental practices was attacked with ransomware. Complete Technology Solutions was infected with a ransomware variant called Sodinokibi. First the MSP was attacked, then its remote administration tools were used deploy ransomware on the networks of more than 100 dental practices. A ransom demand of $700,000 was issued, which the MSP refused to pay. Its clients are now having to pay the attackers for the keys to decrypt their files. Only a few that had backups stored off the network were able to recover without paying the ransom.
This is the second such attack to affect a company serving the dental industry. The dental record backup service provider, PerCSoft, was also attacked with Sodinokibi ransomware. That attack affected approximately 400 dental practices. CyrusOne was also attacked with Sodinokibi ransomware and its managed services division and six of its clients were affected.
It is not only ransomware that is being used in the attacks. Nation-state threat groups such as APT10 are also targeting MSPs. Their aims are different. The attacks are being conducted to gain access to the intellectual property of their enterprise customers.
As cyberattacks on managed service providers increase, MSPs must ensure that they have adequate defenses in place to keep the hackers at bay. This is an area where TitanHQ can help. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers that serve the SMB market.
TitanHQ offers a trio of solutions for MSPs under the TitanShield program. SpamTitan email security is a powerful cloud-based solution that keeps inboxes free of spam, phishing emails, and malware. SpamTitan incorporates SFP and DMARC to block email impersonation attacks, uses dual antivirus engines to detect known malware threats, and heuristics and sandboxing to identify and block zero-day threats.
WebTitan Cloud is a 100% cloud-based DNS filtering solution that works seamlessly with SpamTitan to block web-based phishing attacks and malware downloads. The solution allows you to monitor and identify malicious threats in real time, and includes AI-driven protection against active and emerging phishing URLs, including zero-minute threats.
The third solution is ArcTitan, a cloud-based email archiving solution that provides protection against data loss and helps MSPs and their clients meet their compliance obligations. ArcTitan serves as a black box flight recorder for email.
These solutions are not only an ideal for improving the security posture of MSP clients, they can help to ensure that MSP systems are protected from attack. All TitanHQ solutions are quick and easy to implement, have a low management overhead, and are API-driven so they can easily be incorporated into MSP’s remote management and monitoring systems.
To find out more about the TitanShield program for managed service providers and to discover how TitanHQ’s cybersecurity solutions can improve yours and your clients’ security posture, give the TitanHQ channel team a call today.
Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.
The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.
71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.
A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.
The Importance of Layered Phishing Defenses
To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.
With layered defenses, businesses are not replying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.
One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.
What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.
As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.
If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.
Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.
Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.
A new phishing campaign has been detected that is targeting Office 365 admins, whose accounts are far more valuable to cybercriminals than standard Office 365 accounts.
A standard Office 365 email account can used for spamming or conducting further phishing attacks on the organization or business contacts. However, there is a problem. When the account is used for phishing, the sent messages are likely to be noticed by the user. Failed delivery messages will also arrive in the user’s inbox. The account may only be able to be used for a short time before an account compromise is detected.
The attackers targeting Office 365 admins aim to compromise the entire domain. Office 365 admins can create new accounts on the domain, which are then used for phishing. Since the only person using that account is the attacker, it is likely the malicious actions will not be noticed, at least not as quickly. The only person who will see the failed delivery messages and sent emails is the attacker.
The newly created account abuses trust in the business domain. Any individual to receive such a phishing message may mistakenly believe the email is a legitimate message from the company. The messages also take advantage of the reputation of a business. Since the business domain will have been used only to send legitimate messages, the domain will have a high trust score. That makes it far more likely that the emails being sent from the new account will be delivered to inboxes and will not be picked up by Office 365 spam filters. The Office 365 admin may also have access to all email accounts on the domain, which will allow the attacker to steal a huge amount of email data.
In theory, Office 365 admins should be better at identifying phishing emails than other employees in the organization as they usually work in the IT department; however, these emails are very realistic and will likely fool many Office 365 admins.
The lure being used is credible. The emails appear to have been sent by Microsoft and include the Microsoft and Office 365 logos. The emails claim that the organization’s Office 365 Business Essentials invoice is ready. The user is told to sign into the Office 365 admin center to update their payment information, set their Message Center preferences, and edit their release preferences or join First Release and set these up if they have not done so already. The emails include an unsubscribe option and are signed by Microsoft and include the correct contact information. The emails also link to Microsoft’s privacy statement.
The embedded hyperlinks in the emails link to an attacker-controlled domain that is a carbon copy of the official Microsoft login page. If the user’s credentials are entered, they are captured by the attacker.
This campaign highlights how important it is to have layered email security defenses in place to block phishing attacks. Many phishing emails bypass standard Office 365 anti-phishing controls so additional protection is required.
An advanced anti-phishing solution such as SpamTitan should be layered on top of Office 365 to provide greater protection against sophisticated phishing attacks. Approximately 25% of all phishing emails bypass standard Office 365 phishing protections.
Another anti-phishing layer that many businesses have yet to implement is a web filter. A web filter, such as WebTitan, provides protection when messages are delivered to inboxes, as it blocks attempts by employees to visit phishing websites. When a link to a known phishing website is clicked, or the user attempts to visit a questionable domain, they will be directed to a block page and the phishing attack will be blocked.
The aim of this post is to provide you with some easy to adopt email security best practices that will greatly improve your organization’s security posture.
Email is the Most Common Attack Vector!
It is a certainty that business email systems will be attacked so email security measures must be implemented. The best form of email security is to do away with email altogether, but since businesses rely on email to communicate with customers, partners, and suppliers, that simply isn’t an option.
Email not only makes it easy to communicate with the people you need to for your business to operate, it also allows cybercriminals to easily communicate with your employees and conduct phishing attacks, spread malware and, if a corporate email account is compromised, communicate with your customers, partners and suppliers.
Email security is therefore essential, but there is no single solution that will protect the email channel. A spam filtering solution will stop the majority of spam and malicious email from reaching inboxes, but it will not block 100% of unwanted emails, no matter what solution you implement. The key to robust email security is layered defenses. If one defensive measure fails, others are in place that will provide protection.
You need a combination of technical, physical, and administrative safeguards to secure your email. Unfortunately, there is no one-size-fits-all approach that can be adopted to secure the email channel but there are email security best practices that you can adopt that will improve your security posture and make it much harder for cybercriminals to succeed.
With this in mind, we have outlined some of the most important email security best practices for your business and your employees to adopt.
Email Security Best Practices to Implement Immediately
Cybercriminals will attempt to send malware and ransomware via email, and phishing tactics will be used to steal sensitive information such as login credentials, so it is important to be prepared. Listed below are 8 email security best practices that will help you keep your email system secure. If you have not yet implemented any of these best practices, or have only done so partially, now is the time to make some changes.
Develop a Cybersecurity Plan for Your Business
We have included this as the first best practice because it is so important. It is essential for you to develop a comprehensive cybersecurity plan for your entire organization as not all threats arrive via email. Attacks come from all angles and improving email security is only one of the steps you need to take to improve your overall cybersecurity posture.
There are many resources available to help you develop a cybersecurity plan that addresses all cyber risks. The Federal Communications Commission has developed a Cyberplanner to help with the creation of a custom cybersecurity plan and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a Cyber Essentials Guide for Small Businesses and Governments. Take advantage of these and other resources to develop an effective cybersecurity plan.
Implement an Advanced Spam Filtering Solution
A spam filter serves as a semi-permeable membrane that prevents email threats from being delivered to inboxes and lets genuine emails pass through unimpeded. This is the single most important security measure to implement to protect against email threats and productivity-draining spam.
If you use Office 365 you will already have some protection, as Office 365 includes a spam filter and anti-virus software, but it falls short on phishing protection and will not block zero-day malware threats. You need layered defenses to secure email which means a third-party spam filter should be used on top of Office 365. Research from Avanan showed 25% of phishing emails bypass Office 365 defenses.
There are many spam filtering services for SMBs, but for all round protection against known and zero-day threats, ease of implementation, ease of use, and price, SpamTitan is the best choice for SMBs.
Ensure Your Anti-Virus Solution Scans Incoming Emails
You will no doubt have anti-virus software in place, but does it scan incoming emails? Email is one of the main ways that malware is delivered, so anti-virus software for email is a must. This does not necessarily mean you need a different antivirus solution. Your existing solution may have that functionality. Your spam filter is also likely to include AV protection. For example, SpamTitan incorporates dual anti-virus engines for greater protection and a sandbox where email attachments are analyzed for malicious actions. The sandbox his used to detect and block zero-day malware – New, never-before seen malware variants that have yet to have their signatures incorporated into AV engines.
Create and Enforce Password Policies
Another obvious email security best practice is to create a password policy that requires strong passwords to be set. There is no point creating a password policy if it is not enforced. Make sure you implement a control measure to prevent weak passwords from being set. Weak passwords (password, 123456, or dictionary words for example) are easy to remember but also easy to guess. Consider that cybercriminals are not sitting at a computer guessing passwords one at a time. Automation tools are used that make thousands of password guesses a minute. It doesn’t take long to guess a weak password! You should also make sure rate limiting is applied to block an IP from logging in after a set number of failed login attempts.
It is a good best practice to require a password of at least 8 characters to be set, with a combination of upper- and lower-case letters, numbers, and symbols and to block the use of dictionary words. Consider allowing long passphrases to be used as these are easier for employees to remember. Check National Institute of Science and Technology (NIST) advice on secure password practices if you are unsure about creating a password policy.
Implement DMARC to Stop Email Impersonation Attacks and Domain Abuse
DMARC, or Domain-based Message Authentication, Reporting & Conformance to give it its full name, is an email protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine whether an email is authentic.
By creating a DMARC record you are preventing unauthorized individuals from sending messages from your domain. DMARC also lets you know who is sending messages from your domain, and it lets you set a policy to determine what happens to messages that are not authenticated, I.e. quarantine them or reject them. Some email security solutions, such as SpamTitan, incorporate DMARC authentication.
Not only DMARC help you block email impersonation attacks, it also prevents abuse of your domain. Your DMARC record tells receiving email servers not to accept messages sent from authenticated users, thus helping protect your brand.
Implement Multi-Factor Authentication
Multi-factor authentication is yet another layer you can add to your anti-phishing defenses. Multi-factor authentication, as the name suggests, means more than one method is used to authenticate a user. The first factor is usually a password. A second factor is also required, which is something a person knows or possesses. This could be a mobile phone, to which a one-time PIN code is sent, or a token on a trusted device.
This safeguard is vital. If a password is obtained, in a phishing attack for example, the password alone will not grant access to the email account without an additional factor being provided. A combination of a password, token, and one-time PIN is a good combination.
Train Your Employees and Train Them Again
No matter how tech savvy your employees appear to be, assume they known nothing about cybersecurity. They will certainly not routinely stick to email security best practices unless you train them to do so and then hammer the message home.
Before letting any employee have access to email, you should provide security awareness training. Your training should cover email security best practices such as never opening email attachments from unknown senders, never enabling content in documents unless the document has been verified as legitimate, and never to click hyperlinks in emails or send highly sensitive information such as passwords via email.
You must also train your employees how to recognize phishing emails and other malicious messages and tell them what to do when suspicious emails are received. Anyone with access to email or a computer must be provided with security awareness training, from the CEO down.
One training session is not enough. Even an annual training session is no longer sufficient. You should be providing regular training, be sending cybersecurity newsletters warning about the latest threats, and using other tools to help create a security culture in your organization.
Conduct Phishing Awareness Simulation Exercises
You have provided training, but how do you know if it has been effective? The only way to tell is to conduct tests and that is easiest with phishing simulation exercises. These are dummy phishing emails that are sent to employees when they are not expecting them to see how they respond. You maybe surprised at how many employees respond and disclose sensitive information, open attachments, or click links in the emails.
The aim of these emails is to identify people that have not taken their training on board. The idea is not to punish those employees, but to tell you who needs further training. There are several companies that can assist you with these exercises. Some even offer free phishing simulation emails for SMBs.
TitanHQ is Here to Help!
TitanHQ has developed SpamTitan to be easy for SMBs to implement, use, and maintain. It requires no hardware, no software, and all filtering takes place in the cloud. Not only does SpamTitan offer excellent protection against the full range of email-based threats, it is also one of the lowest cost solutions for SMBs to implement.
Give the TitanHQ team a call today for more information on SpamTitan and to find out about how you can also protect your business from web-based threats and meet your compliance requirements for email.
Phishers are constantly changing tactics and coming up with new ways to fool people into handing over their credentials or installing malware. New campaigns are being launched on a daily basis, with tried and tested lures such as fake package delivery notices, fake invoices and purchase orders, and collaboration requests all very common.
In a departure from these common phishing lures, one threat group has opted for a rarely seen lure, but one that has potential to be very effective: Fake court subpoenas. The emails use fear and urgency and are designed to get users to panic and click quickly.
This campaign has been running for a few weeks and is targeting users in the United Kingdom, although this scam could easily be adapted and used in attacks on users in other countries.
Many phishing scams have the goal of stealing credentials to allow email accounts or Office 365 accounts to be accessed. In this case, the aim of the attack is to spread information stealing malware called Predator the Thief.
The phishing emails appear to have been sent by the Ministry of Justice in the UK. The sender field has Ministry of Justice as the display name and the emails have the Ministry of Justice crest, although the actual email address suggests the email has come from the Department of Justice (DOJ).
The emails warn the user that they have been subpoenaed. They are supplied with a case number along with a date when they have been ordered to attend court.
The emails include a hyperlink which the user must click to find out details of the charge and the documents they will need to bring with them to court. Urgency is added by warning the recipient they only have 14 days to respond to provide notice, and that the court case will proceed without them if they do not respond.
The URL in the email is seemingly benign, as it links to Google Docs – a trusted website. Clicking the link will see the user first directed to Google Docs, then redirected to OneDrive. When the user arrives on the OneDrive site, a document is downloaded. That document contains a malicious macro that launches a PowerShell command that downloads Predator the Thief malware.
Predator the Thief is an information stealer that can take screenshots and steals email and FTP credentials, along with cryptocurrency wallets and browser information. In contrast to many browser information stealers, this malware variant doesn’t just target the main browsers, but a host of less popular browsers. Once information has been stolen, the malware cleans up and exits, which makes it harder for the infection to be detected.
Phishing scams such as this highlight the need for layered security. Naturally, an advanced anti-spam solution such as SpamTitan should be implemented to block these threats and ensure and ensure messages are not delivered to end users’ inboxes. SpamTitan also includes DMARC email authentication to block mail impersonation attempts and a sandbox where email attachments are analyzed for malicious actions.
SpamTItan blocks in excess of 99.9% of all malicious emails, but it is not possible to block 100% of threats no matter what email security solution you use. This is where another layer is required. WebTitan is a DNS filtering solution that blocks threats such as this at the point where a DNS lookup is performed. This allows malicious websites to be blocked before any content is downloaded. WebTitan can also be configured to block downloads of certain file types.
With these two solutions in place, your business will be well protected against phishing emails and web-based malware downloads.
A new Stripe phishing campaign has been detected that uses fake warnings advising users about an invalid account to lure people into divulging their credentials and bank account information.
Stripe is an online payment processor used by many online firms on their e-commerce websites to accept payments from their customers. As such, the company is perfect for spoofing as many people will be aware that the company processes payments and will think it reasonable that they need to provide credentials and bank account information to ensure payments are processed.
The scam starts with a phishing email supposedly from the Stripe Support department. The email advises the customer that the information associated with their account is currently invalid. The message is sent as a courtesy notice warning the user that their account will be placed on hold until the matter is corrected. The user is asked to review their details to correct the issue. A button is included in the email for users to click to do this.
The emails contain spelling mistakes and questionable grammar, so are likely to be identified as suspect by vigilant individuals. Security awareness training often teaches employees to hover their mouse arrow over a hyperlink to find out the true URL, but in this campaign it will not work. The attackers have added a title to the HTML tag of the embedded hyperlink so when the mouse arrow is hovered over the “Review your Details” button, that text will be displayed instead of the URL.
If that button is clicked, the user will be directed to a seemingly legitimate Stripe login page. The login box is a clone of the real login page and a series of boxes will be displayed, each requiring different information to be entered, including bank account and contact information.
When the user is required to enter their password, regardless of what is typed, the user will be advised that they have entered an incorrect password and will be asked to enter the password again. The user is then directed to the legitimate Stripe login page to make it appear they have been on the correct Stripe website all along.
Similar tactics are used in countless other phishing campaigns targeting other well-known companies. The presence of spelling mistakes and grammatical errors in messages should tip off end users that the email is a phishing attempt, but all too often end users fail to notice these errors and click and divulge sensitive information.
One issue is a lack of cybersecurity training in the workplace. If employees are not trained how to identify phishing emails, it is inevitable that some will end up falling for these scams and will divulge their credentials. Those credentials can be used to gain access to bank accounts or email accounts, with the latter often used to conduct further phishing attacks on the organization. One email account breach can easily lead to dozens of breached accounts.
For example, a phishing attack on a U.S. healthcare provider started with a single phishing email and led to 73 email accounts being compromised. As for cybersecurity awareness training, this is often nonexistent. One recent study on 2,000 employees in the United Kingdom revealed three quarters had received no workplace cybersecurity training whatsoever.
Protected by Microsoft Office 365 Anti-Phishing Controls? Are You Sure?
One in every 99 emails is a phishing email, so it is important to ensure your defenses are capable of blocking those messages. Many businesses mistakenly believe they are protected against these emails by Microsoft’s Office 365 anti-phishing controls. While those measures do block spam email and some phishing messages, one recent study by Avanan has shown 25% of phishing attacks sneak past Office 365 defenses and are delivered to inboxes. For an average firm that means several phishing emails will reach end users’ inboxes every day. To ensure your business is protected against phishing attacks, additional anti-phishing controls are required on top of Office 365.
Businesses can protect their Office 365 accounts against phishing by layering SpamTitan on top of Office 365. SpamTitan is an advanced anti-phishing and anti-malware solution that provides superior protection against phishing, malware, spear phishing, and zero-day attacks.
Heuristics rules are used to analyze message headers and these rules are constantly updated to include the latest threats. Bayesian analysis and heuristics are used to check message content, and along with machine learning techniques, new threats are blocked and prevented from reaching inboxes. Sandboxing is also used to assess email attachments for malicious code used to install malware in addition to dual-AV engines that scan for known malware.
These advanced measures ensure that Office 365 inboxes are kept free from malware and phishing emails. These advanced capabilities along with the ease of implementation and use and industry-leading customer support are why SpamTitan is the leading provider of anti-spam and anti-phishing solutions for SMBs and managed service providers that serve the SMB market.
For further information on SpamTitan, to book a product demonstration or set up a free trial, contact the TitanHQ team today.
G2 Crowd, the independent peer-to-peer business software review site, has published its G2 Crowd Grid® Summer 2019 Report for Cloud Email Security. For the third consecutive quarter, SpamTitan has been named the leading cloud email security provider having been awarded the highest score for customer satisfaction.
G2 Crowd is the largest tech marketplace for businesses. The site attracts more than 3 million visitors and contains more than 843,500 reviews from verified software users. The reviews and Grid Reports are relied upon by countless businesses to help them make better software buying decisions.
Each quarter, G2 Crowd produces Grid reports that highlight the key players in different software categories. The G2 Crowd Grids are used to rank software solutions based on market presence and user satisfaction and categorize each as wither a niche player, contender, high performer, or leader. To be named a leader, a product must have a strong market presence and high user satisfaction level.
Market presence is determined by the size of the company, its social impact, and market share. The user satisfaction score is calculated from amalgamated reviews from verified users of the software.
User reviews are important when choosing a software solution. If the software is difficult to use, fails to live up to expectations, or does not provide the required functionality, staff will avoid using it as much as possible. For a security solution that is particularly bad news.
The Summer 2019 report includes 9 email security solutions. SpamTitan achieved the highest overall customer satisfaction score – 97% – of all nine solutions by some distance. The next highest customer satisfaction scores were for Proofpoint Email Security & Protection (75%), Area 1 Security (69%), and Barracuda Email Security Gateway (61%).
In addition to the Grid reports, amalgamated scores are included for six different customer satisfaction criteria: Ease of setup, ease of use, ease of admin, ease of doing business, quality of support, and meets requirements. Once again, SpamTitan topped the list with the highest score for ease of setup (92%) and ease of use (92%) and was one of only two solutions that achieved scores of over 90% in each of the six categories.
“The overwhelmingly positive feedback on G2 Crowd from users of SpamTitan is indicative of our commitment to ensuring the highest levels of customer success,” said Ronan Kavanagh, CEO, TitanHQ. “That’s an incredible achievement for a product that is significantly more affordable than the market leaders.”
Cybercriminals are using SharePoint to send malicious documents to businesses in the United Kingdom. This tactic has seen many messages pass through email security defenses undetected and arrive in inboxes.
The campaign appears to be targeting businesses in the financial services and aims to obtain Office 365 credentials and username/password combos from other email service providers. Those credentials can be used to gain access to sensitive information in email accounts and cloud storage repositories such as OneDrive.
In the latest campaign, the attacker used a compromised email account at a London legal firm to send emails to employees of businesses in the financial services sector. The attacker uses SharePoint to send a request to review a document. In order to view the document, the user is required to click an embedded hyperlink in the email.
If that link is clicked, the user is directed to SharePoint and onto another malicious URL where they are requested to download a OneNote document. In order to download that document, the user is required to enter their login credentials.
Since the initial URL is for the SharePoint domain, many email security solutions fail to identify the link as malicious. Similar tactics have been used in phishing campaigns that link to OneDrive, Citrix ShareFile, Google Drive, and Windows.net. Since the domains are thought to be benign and the email messages do not contain any malware, the messages are delivered to end users.
The URL used in this campaign is likely to arouse suspicion even though it is a SharePoint domain, but not all users carefully check URLs and the full URL may not be visible on mobile devices, which increases the risk of an end user being fooled into disclosing their login credentials. The spoofed OneDrive for Business portal to which the user is directed is also a poor imitation, but it is sufficiently realistic to fool many end users. Other identified phishing campaigns using file sharing websites are far more convincing and are unlikely to be detected as malicious even by security conscious employees.
When credentials are compromised, the email account is often used to send further phishing emails to other individuals in the organization. Since those emails come from an internal account, users are more likely to respond. The attackers can also view past message threats in the compromised account and use those messages to continue a conversation. The messaging style of the account holder can also be mimicked to add further realism to the phishing emails. Typically, businesses discover one email account has been compromised, but the investigation reveals the attack is far more widespread and many email accounts have been compromised. Once recent phishing attack on a U.S. healthcare provider saw an astonishing 72 email accounts compromised!
To block these threats, an advanced email security solution is required. Businesses should look for a solution that incorporates DMARC. DMARC incorporates SPF and DKIM email authentication protocols and verifies that the IP address used to send the email is authorized to send emails from that domain. If that check fails, the email is blocked. This is one of the most important and most effective methods of detecting and blocking email impersonation attacks, including BEC attacks and lateral phishing attempts.
Fortunately, a combination of an advanced spam filtering solution and end user security awareness training will help to ensure that emails do not reach inboxes and, if they do, that employees will be alert to the threat and will avoid clicking the link and disclosing their credentials.
An innovative phishing campaign has been discovered that uses branded Microsoft Office 365 login pages to trick victims into believing they are logging into their genuine Office 365 account.
The phishing emails warn the user that a message synchronization failure has blocked the delivery of emails to the user’s account. A link is supplied with the anchor text “Read Message” which directs the user to a fake Office 365 login page where they can review the messages and decide what to do with them.
If the user clicks on the link, their email address will be checked and validated, and the user will be directed to the phishing page. What makes this campaign unique is the check allows the attackers to scrape the branded tenant Office 365 login page used by the company via HTTP GET requests. The company’s custom background and logo are added dynamically to the phishing page. If a company does not have a custom login page, the standard Office 365 background is used.
The login pages are clones of the tenant pages, so they are unlikely to be recognized as fake by users. The phishing pages are also hosted on legitimate cloud storage infrastructure. The domains include either the blob.core.windows.net or azurewebsites.net domains, which have valid Microsoft SSL certificates. The result is a highly convincing campaign that is likely to fool many employees into divulging their login credentials.
Microsoft Office 365 Users are Under Attack!
Microsoft Office 365 is the most widely adopted cloud service by user count and has more than 155 million active users. 1 in 5 U.S. employees use at least one Office 365 service and half of businesses that use cloud services use Office 365. With such high numbers it is no surprise that Office 365 users are being targeted.
What is of major concern is the number of phishing emails that are bypassing standard Office 365 phishing defenses. A study by Avanan this year showed 25% of phishing emails bypass Office 365 defenses and arrive in employees’ inboxes.
When access is gained to one email account, it can be used for lateral phishing attacks on other employees in the organization. The goal of the attackers is to compromise as many accounts as possible and, ideally, an administrator account. Compromised accounts can also be used for BEC attacks, credentials can be used to access other Office 365 resources, and email accounts can be plundered for sensitive data.
How to Protect Your Business and Block Office 365 Phishing Attacks
There are three key measures to take to improve your defenses against Office 365 phishing attacks. The most important step is to improve anti-phishing protections with a third-party anti-spam and anti-phishing solution.
SpamTitan can be implemented in minutes and will provide superior protection against phishing attacks on Office 365 accounts. The solution has been independently tested and shown to block more than 99.9% of spam emails and 100% of known malware. A sandboxing feature allows suspicious attachments to be detonated in a safe and secure environment where all actions are analyzed for malicious activity and DMARC authentication of emails provides protection from email impersonation attacks that usually bypass Office 365 filters.
No anti-phishing solution will provide total protection against phishing attacks, so it is important to ensure that employees receive security awareness training. The workforce should be taught about the risks of email attacks and how to identify phishing emails. With training, you can turn your employees into strong last line of defense.
Even the most security-conscious employee could be fooled into disclosing their Office 365 credentials by a sophisticated phishing email. It is therefore important to implement 2-factor authentication.
2-factor authentication requires a second method of authenticating users, other than a password, when they attempt to login from an unfamiliar location or new device. In the event of credentials being compromised, account access can be blocked by -factor authentication. However, 2-factor authentication is not infallible, so businesses should not rely on this measure alone to protect their Office 365 accounts.
If you want to find out more about improving Office 365 defenses, give the TitanHQ team a call today and book a product demonstration. SpamTitan is also available on a free trial to let you see the difference the solution makes before you make a purchase decision.
A new CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.
When a visitor lands on the phishing page, a check is performed to determine what device is being used. If the user is on an Android device, a malicious APK file is downloaded to their device. Any other platform will receive a zip file containing malware.
A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is housed on a PHP webpage and any clicks on the images are submitted to the PHP page, which triggers the download of the malicious file. This campaign appears to be focused on mobile users.
On an Android device, the malicious APK intercepts PIN codes from two-factor authentication messages, which allow the attackers to gain access to the user’s bank account. With these PIN codes, an email account can also be compromised, which would allow further accounts to be compromised by requesting password resets.
A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.
This method of delivering malware is nothing new and has been around since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign was run in 2016.
A method of attack is adopted for a while then dropped. While it is possible to prepare the workforce for phishing attacks such as this through training, security awareness training alone is not enough as tactics frequently change, and new methods of attack are frequently developed.
As this attack shows, two-factor authentication is far from infallible. In addition to this method of obtaining 2FA codes, the SS7 protocol used to send SMS messages has flaws that can be exploited to intercept messages.
Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.
It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that incorporates Domain-based Message Authentication, Reporting & Conformance (DMARC) will help to ensure that the sender of the message is genuine, by performing checks to make sure that the sender of the message is authorized to send messages from that domain.
Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals are using sophisticated methods to evade detection by AV solutions. Files may include malicious code that is hard to detect. A sandbox is therefore required to execute suspicious attachments in a safe environment where they can be monitored for malicious activity. By testing attachments in the sandbox, malicious files can be identified and more genuine emails and attachments will arrive in inboxes.
SpamTitan incorporates these features and more. Together they help to ensure a catch rate in excess of 99.9%, with a low false positive rate of 0.03%. With SpamTitan in place, you will be well protected against phishing attacks such as the latest CAPTCHA scam.
Hotels in America are being targeted by cybercriminals in a campaign spreading a remote access Trojan (RAT) called NetWiredRC. The RAT is delivered via malicious emails targeting financial staff in hotels in North America.
The campaign uses a typical lure to get recipients to open the attached file. The message claims there are invoices outstanding and the recipient is asked to validate payment. The invoices are included in a zip file attached to the email.
If the file is extracted and the executable is launched, the Trojan will be downloaded by a PowerShell script. The Trojan achieves persistence by loading itself into the startup folder and will run each time the computer boots. The malware gives the attacker full control over an infected computer. Files can be uploaded and downloaded, further malware variants can be installed, keystrokes can be logged, and credentials can be stolen.
The ultimate aim of the threat actors behind this campaign is not known, although most cyberattacks on hotels are conducted to gain access to guest databases and payment systems. If malware can be loaded onto POS systems, card details can be skimmed when guests pay for their rooms. It can be months before hotels discover their systems have been breached, by which time the card details of tens of thousands of guests may have been stolen. Hutton Hotel in Nashville, TN, discovered in 2016 that its POS system had been infected with malware for three years.
There have been several recent cases of cyberattacks on hotels resulting in guest databases being stolen and sold on darknet marketplaces. The data breach at Marriott resulted in the theft of 339 million records and Huazhu Hotels Group in China experienced a breach of 130 million records.
Data breaches can prove incredibly costly. The cost of the data breach at Marriott could well reach $200 million, but even smaller data breaches can prove costly to resolve and can cause serious damage to a hotel’s reputation.
The latest spam campaign shows just how easy it is to gain a foothold in a network that ultimately leads to a 3-year data breach or the theft of more than 300 records: The opening of an attachment by a busy employee.
Hotels can improve their defenses by implementing cybersecurity solutions that block the threats at source. SpamTitan protects businesses by securing the email system and preventing malicious messages from reaching end users’ inboxes. WebTitan is an advanced web filtering solution that allows hotels to block malware downloads and carefully control the websites that can be accessed by staff and guests.
For further information on TitanHQ’s cybersecurity solutions for hotels, contact the sale team today.
New figures have been released by the U.S. Financial Crimes Enforcement Network (FinCEN) on 2018 Business Email Compromise attacks. The latest FinCEN report highlighted the pervasiveness of the threat and potential for the attacks to result in serious financial harm.
Business Email Compromise (BEC) attacks are concerned with gaining access to a business email account and using that account to send messages to other individuals in an organization and business contacts. While compromised email accounts can be used for a variety of purposes, with BEC the primary goal is usually to convince an employee to make a fraudulent wire transfer or send sensitive information such as employee W-2 Forms.
Social engineering techniques are used to obtain the credentials of a high-level executive and convince an employee to make a fraudulent transfer. While at face value these scams are simplistic – they involve sending an email that requests a bank transfer be made – the scams are often highly sophisticated.
More than $300 Million a Month Was Lost to 2018 Business Email Compromise Attacks
The FinCEN report shows why these attacks are worth the effort. The average fraudulent transaction value in 2018 was $125,439 and $310 million per month was lost to BEC scams in 2018.
FinCEN received approximately 1,100 suspicious activity reports in 2018 that were attributed to BEC scams. It should be taken into consideration that many businesses are not obliged to report security breaches such as BEC scams, so the total losses will be considerably higher.
BEC attacks are also being conducted far more frequently and losses to the scams have skyrocketed. The 2016 FinCEN report indicates at least $110 million was lost to BEC scams. Losses to BEC scams have increased by 172% increase in just two years.
There has been a marked change in BEC scam tactics over the last two years, which has helped to increase the dollar amount of each fraudulent transaction.
As previously mentioned, the scams involve compromising an email account, which was commonly the email account of the CEO or CFO. The email accounts were used to send wire transfer requests and the average transaction value was $50,272. The 2018 figures show that there has been a shift from attacks that impersonate the CEO to attacks impersonating contractors and other vendors.
If a vendor’s email account is compromised, fake invoices can be sent to all companies that the vendor works for. Further, the typical amount of a vendor invoice is substantially higher than the transfer amounts typically requested by CEOs.
FinCEN’s figures show the average fake invoice transaction value was $125,439 for fake invoices from contractors, which is $75,167 more than the typical CEO email request.
FinCEN’s 2017 figures indicate 33% of BEC attacks involved impersonation of the CEO, but the percentage had fallen to just 12% in 2018. 39% of all BEC attacks in 2018 involved the impersonation of an outside entity such as a business associate, contractor, or vendor.
How to Improve Defenses Against BEC Attacks
With attacks increasing and losses spiraling, businesses need to take steps to reduce risk by improving email security and providing further training to employees. Employees should be made aware of the risk of BEC attacks, told about the latest threats, and should be taught how to identify a scam email. Policies should also be developed and implemented which require verification of all emailed transfer requests and bank account changes.
Training and policies will help to create a strong last line of defense, but the primary goal should be blocking the scam emails at the email gateway to ensure end users are not tested. That requires a powerful anti-spam and anti-phishing solution such as SpamTitan. SpamTitan blocks more than 99.97% of all spam and malicious emails to keep business inboxes threat free.
For further information on SpamTitan and other cybersecurity protections to reduce the risk of phishing and BEC attacks, contact TitanHQ today.
Two new Office 365 phishing scams have been detected in the past few days. One scam uses a fake Office 365 site to deliver the Trickbot Trojan and the other is a spear phishing campaign targeting Office 365 administrators to capture their credentials.
The Trickbot campaign uses a realistic domain – get.office365.live – that has all the typical elements of a genuine Microsoft website, including links to Microsoft resources. The website, identified by MalwareHunterTeam, detects the visitor’s browser and displays a popup within a few seconds of landing on the website.
A different warning is displayed for Firefox and Chrome users, with the associated logos. The warning comes from either the Chrome or Firefox Update Center. The message states that the user has an older version of the browser, which may cause incorrect site mapping, loss of all stored and personal data, and browser errors. An update button is supplied to download the browser update.
If the update button is clicked, it triggers the download of an executable file called upd365_58v01.exe. If that executable is run, the Trickbot Trojan will be downloaded and inserted into a svchost.exe process. That makes it harder for the user to detect the information stealer through Task Manager.
The Trickbot Trojan has several capabilities. It is a banking Trojan that can intercept banking credentials using webinjects. It also contains a password grabbing module which steals saved login credentials, autofill information, browsing history, and Bitcoin wallets. The malware also serves as a downloader for other malware variants and a module also been developed for propagation which includes the EternalBlue exploit.
Once installed, the malware stays in continuous contact with its C2. Due to the obfuscation methods used, the infection is unlikely to be detected by an end user, but the network admin may notice unusual traffic or attempts to connect to blacklisted domains.
This is a professional campaign that is likely to fool many end users. It is currently unclear whether traffic is being directed to the site through malvertising redirects or phishing emails.
Office 365 Admins Targeted
A phishing campaign has been detected which is targeting Office 365 administrators. Fake browser warnings are used to trick admins into disclosing their login credentials.
Emails have been constructed using the Microsoft and Office 365 logos which contain a warning about an aspect of Office 365 which requires the admin’s immediate attention. One message warns the admin about a mail redirect on an Office 365 inbox which indicates there has been an account compromise. Another advises the admin that the company’s Office 365 licenses have expired.
The emails contain a link for the admin to use to login to their Office 365 account to address the problem. The user will be directed to a webpage on the windows.net domain which has a valid certificate from Microsoft. The Microsoft login box is identical to that used on the Microsoft site.
Most admins will be vigilant and wary of warnings such as these. Even if the links are clicked, admins are likely to check the domain to make sure it is genuine. However, these scams are conducted because they do work. Some admins will be fooled and will disclose their credentials.
Admin credentials are highly valuable as they allow an attacker to create new office 365 accounts, access other user’s mailboxes, and send phishing emails from other accounts on the domain. These targeted attacks on admins are becoming more common due to the high value of the accounts and the range of attacks they allow a hacker to perform.
There is no single cybersecurity solution that will provide total protection from phishing attacks. What is needed is a defense in depth approach. End users should be provided with ongoing security awareness training to ensure they are aware of the most common threats and know how to identify potential scams. Phishing simulations are useful for gauging how effective training has been.
However, the priority must be to block these attacks and prevent end users from being tested. An advanced spam filter such as SpamTitan blocks more than 99.97% of spam and phishing emails. SpamTitan scans all incoming messages for malware and uses dual anti-virus engines for greater accuracy. A sandboxing feature has also now been added to allow the safe execution and analysis of suspicious email attachments.
WebTitan serves as an additional security layer that prevents end users from visiting malicious websites. The DNS filter can be used to exercise control over the types of websites that can be visited by employees and blocks all attempts to visit blacklisted websites, such as those that have been used for malware distribution, scams, or phishing.
Contact TitanHQ today to find out more about SpamTitan and WebTitan for SMBs and MSPs, the different deployment options, pricing information, and to book a product demonstration.
A serious outage has affected the spam filtering service, OnlyMyEmail, leaving customers without spam protection for several days.
The spam filtering service, also known as MXDefender, suddenly stopped working on Thursday and customers have been left in the dark about what has happened. Many have taken to online forums and social media to find answers but have only found hundreds of other customers asking the same questions. Customers have not been able to submit support tickets, the website is down, and the phone lines have been jammed.
MSPs know all too well that their clients are vulnerable to attack while their spam filtering service is down. Without the filter in place, spam, phishing, and malware-laced emails can flood into inboxes. All it takes is for one employee to respond to one of those messages for a costly breach to occur.
Several MSPs on forum such as Spiceworks have expressed their frustration about the prolonged outage and have already had to move their clients to alternative service providers to ensure they are protected until the issues are resolved. Two large MSPs have already switched to SpamTitan as a result of the OnlyMyEmail outage.
TitanHQ has received many enquiries about SpamTitan since the OnlyMyEmail service went down, as customers seek an alternative solution to protect their inboxes from email threats and spam. Many have given up waiting for an answer from OnlyMyEmail.
If you are a managed service provider or business that has been affected by the outage, it is important to implement a replacement spam filtering solution as soon as possible. The failure to do so will leave you extremely vulnerable to attack.
TitanHQ has developed an award-winning anti-spam and anti-phishing solution that has been shown to block more than 99.9% of spam in independent tests.
The 2019 G2 Crowd Report on Email Security Gateways named SpamTitan the leader for customer satisfaction. 97% of users awarded the product 4 or 5 stars and 92% of users would recommend the product to others.
TitanHQ ranked top for quality of support with an overall score of 94% – 10% more than the average score for support. SpamTitan clearly outperformed products from likes of Cisco, Barracuda, Mimecast, and SolarWinds.
SpamTitan is available as a cloud-based solution or gateway solution running on a virtual machine on your own hardware. MSPs have a range of hosting options and the solution can be easily integrated into existing MSP systems using TitanHQ’s APIs.
If you want an easy to implement anti-spam solution that provides enterprise-class protection at an affordable SMB price, SpamTitan is the ideal choice.
Sign up for the free trial and you can be protected in minutes. To ensure no time is wasted, contact the TitanHQ team today by telephone.
You may have heard of ransomware-as-a-service – where ransomware is rented for a cut of the profits generated – but now there are a growing number of hackers offering phishing-as-a-service.
Ransomware-as-a-service proved popular as it allowed people without the skill set to create their own ransomware to conduct attacks and take a share of the profits. Conducting phishing attacks is easier. It requires no knowledge of malware or ransomware. All that is required is a hosted web page that mimics a brand you want to target, a phishing kit, and an email account to send phishing emails far and wide.
There is still entry barrier to cross before it is possible to conduct phishing attacks. Phishing requires some knowledge and skill as a spoofed phishing web page must be created and emails crafted that will attract a click. The web page will also need to be hosted somewhere so a compromised domain will therefore be required.
Phishing-as-a-service provides all of that. To get started, you purchase one of several phishing templates based on what you are targeting – Office 365, SharePoint, OneDrive, Google, or DocuSign credentials for example. The phishing pages are sold complete with phishing kits loaded and one month’s hosting.
One group offering phishing-as-a-service guarantees the phishing page will be hosted for one month and includes a three-link backup. If one URL fails or is reported as a phishing website, a further two links can be provided on request followed by a further three after that.
Phishing-as-a-service takes all the time-consuming work out of starting a phishing campaign and allows phishing campaigns to be conducted by individuals with next to no specific skills. Once payment is made for the web page, all that is required is the ability to conduct a spam campaign. The service also comes with the option of purchasing lists of email addresses for the country of choice. All that is required to conduct a phishing campaign is payment ($30+) for phishing-as-a-service and a convincing phishing email.
With the entry barrier being substantially lowered, phishing attacks are likely to become much more frequent. It is therefore essential for businesses of all sizes to take steps to improve protections and reduce susceptibility to phishing attacks.
If you are defending against any attack it pays to know your enemy. It is therefore essential for all employees with an email account to be provided with security awareness training and be taught how to recognize a phishing attack.
It is also important to implement cybersecurity solutions that help to ensure your last line of defense will not be tested. You should have an advanced anti-spam solution in place to block the vast majority of phishing threats. If you use Office 365 for your business email, a third-party anti-spam solution will provide a greater level of protection.
An additional protection against phishing attacks that is often overlooked is a DNS filter or web filter. A web filter gives organizations control over what their employees can do online and which websites they can visit. Any website that has been reported as malicious is automatically blocked using blacklists and webpages are scanned in real-time and blocked if malicious. If a phishing email reaches an inbox and attracts a click, the attempt to access the phishing website can be blocked.
If you want to improve your email and web security posture or you are looking for better value cybersecurity solutions, TitanHQ can help. Contact TitanHQ today to discuss your email and web security requirements and you will be advised on the best solutions to meet your needs.
TitanHQ offers a free trial on all products and is happy to arrange product demonstrations on request.
DMARC email authentication is an important element of phishing defenses, but what is DMARC email authentication, what does it do, and how does it protect against email impersonation attacks?
There is some confusion about what DMARC email authentication is and what it can do. In this post we explain in clear English what DMARC means and why it should be part of your anti-phishing defenses.
DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes.
With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.
If DMARC is implemented on email, a business can have all incoming emails checked against DMARC records and any email that fails the check can be subjected to certain actions.
The message can be delivered as normal with a warning and the email will be included in a report of emails that failed the check. The message could automatically be sent to quarantine for manual approval before delivery is made. Alternatively, the message could be rejected or subjected to a custom policy. An organization can select the best policy to adopt based on their level of risk tolerance.
DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes.
DMARC is just one of several rules that are used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user.
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DNS records are also used to determine whether the email server being used is authorized to send emails for the organization.
The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies. The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.
DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification.
If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.
DMARC offers a much greater level of protection than SPF and is more dependable, so both should be implemented. TitanHQ is happy to announce that both SPF and DMARC are incorporated into SpamTitan to better protect users from email spoofing attacks.
To find out more about improving your email security defenses, contact the TitanHQ team today.
A new strain of ransomware has been identified which has been used in multiple attacks over the past few weeks.
All of the attack vectors used to distribute the ransomware are not yet known, but samples of the ransomware have been distributed via a spam email campaign.
The spam email campaign uses a tried and test format to deliver the ransomware payload. A Word document called Info_BSV_2019.docm is attached to emails with requests that the recipient open the document. In order for the contents to be displayed, the user is told they must enable macros. Enabling macros will launch code that downloads an executable file, which is renamed LooCipher.exe and is executed.
The ransomware will encrypt a standard range of file types, but instead of deleting the original files, they are retained as zero-byte files. Encrypted files are given the extension .lcphr.
The ransomware creates a file on the Windows Desktop called c2056.ini, which includes the unique ID number of the computer, the time limit for paying the ransom, and the Bitcoin wallet address for payment. The ransom note warns that deletion of the ini file will prevent file recovery.
Users are given 5 days to pay the ransom or the key to unlock files will be permanently deleted. The ransom is €300 ($330) in Bitcoin per device. No option is provided to test to see whether a file can be decrypted.
LooCipher ransomware may not be particularly polished, but it has already claimed several victims. Recovery will depend on an organization’s ability to restore files from backups. It is not clear whether the attackers hold valid keys to decrypt encrypted files.
Ransomware attacks have been increasing following a decline in popularity of ransomware with hackers in 2018. There have been high profile attacks on U.S. cities and ransoms and hundreds of thousands of dollars have been paid in ransoms. Ransomware attacks on healthcare organizations have increased, and several new strains of ransomware have emerged.
Recently the Department of Homeland Security warned of the risk of wiper malware attacks by Iranian threat actors, as tensions between the United States and Iran continue to increase.
These malware threats may be delivered by a variety of different methods, but spam email is the delivery vector of choice. Protecting against these malware threats requires an advanced spam filtering solution capable of precision control over incoming email and the ability to scan messages and analyze attachments for malicious code.
SpamTitan uses twin AV engines to identify known malware and a sandbox to analyze suspicious attachments to identify malicious actions and provides superior protection against malware, ransomware, viruses, botnets, and phishing attacks.
To find out more about how you can improve email security with SpamTitan, contact the TitanHQ team today.
Tension is rising between the United States and Iran following the downing of a U.S. Global Hawk surveillance drone close to the Strait of Hormuz and the recent mine attacks.
Less visual are the attacks on IT systems. The Washington post recently reported that the United States had conducted a successful cyberattack on the Islamic Revolutionary Guard Corps, part of the Iranian military, which is believed to have been involved in the mine attacks.
Iranian-affiliated hacking groups have conducted cyberattacks on U.S. industries and government agencies and those attacks are increasing in frequency. So much so that the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, sent out a warning on Twitter about the increased risk of attack.
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” said Krebs.
Threat actors affiliated with Iran have been using wiper malware in targeted attacks on businesses, government agencies, industries, and infrastructure. Whereas ransomware encrypts files with the aim of receiving a ransom payment, the purpose of wiper malware is to permanently destroy data and wipe systems clean.
Wiper malware has previously been used in major attacks, some targeted, others less so. In 2012, Saudi Aramco, a Saudi Arabian oil firm, was attacked with a wiper malware variant called Shamoon. The malware wiped tens of thousands of computers.
More recently were the NotPetya attacks. While initially thought to be ransomware, it was later discovered there was no mechanism for file recovery and the malware was a wiper. Some companies were hit hard. The shipping firm Maersk suffered losses of around $300 million due to NotPetya. Global losses are estimated to be between $4-8 billion.
Hackers working for the Iranian regime commonly gain access to computers and servers through the use of phishing, spear phishing, credential stuffing, and password spraying.
“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” warned Krebs.
As with ransomware, recovery from a wiper malware attack is reliant on backups, except there is no safety net as a ransom cannot be paid to recover data. It is therefore essential that a working copy of all data is maintained, with one copy stored securely off-site on a non-networked, non-internet exposed device.
Even with a working copy of data, recovery can be time consuming and costly. It is therefore important to ensure that solutions are in place to block the main attack vectors.
A spam filtering solution with advanced anti-malware capabilities is therefore required to block email-based attacks. A web filtering solution can prevent users from visiting malicious websites or inadvertently downloading malware and employees should be provided with security awareness training to help them recognize potential threats.
Standard cybersecurity best practices should be adopted such as ensuring strong password policies are implemented and enforced, multi-factor authentication is implemented, all software is kept up to date and patched are applied promptly. IT departments should also ensure permissions are set to the rule of least privilege.
A phishing campaign targeting university employees has already claimed several victims and has seen many email accounts compromised.
Emails are tailored to the institution and use a range of social engineering tricks to convince employees to click a link in the email and enter their Office 365 login credentials to access online content. The credentials are captured and used to gain access to university email accounts.
Once credentials have been obtained, a treasure trove of sensitive data can be plundered. Emails and email attachments contain personally identifiable information of staff, students, and parents, which can be used to commit identity theft and other fraudulent acts. Proprietary information can be obtained, along with details of contacts. The compromised accounts can also be used to conduct further phishing attacks on the university and externally on business contacts and other educational institutions.
Campaigns convincing users to install malware can give the attackers full control of university computers and a foothold to move laterally throughout the network. Access to university email accounts and backdoors in university computers are sold on the dark web, along with a range of stolen and forged university documents.
The healthcare industry is heavily targeted by cybercriminals due to the high value of health data. Health data is versatile and can be used for a multitude of fraudulent purposes. It also has a long-life span and can be used for much longer than financial information. Cybercriminals are also now realizing the potential rewards from attacks on universities. Student data is similarly versatile, and the wealth of data stored in university email accounts provides plenty of opportunities for profit.
Oregon State University is the latest university to announce it is the victim of a phishing attack. The Office 365 email account of an employee was compromised, through which the attacker had access to the records of 636 students. The account was used to send phishing emails to other entities throughout the United States.
Graceland University in Iowa and Southern Missouri State University recently announced that several email accounts had been compromised in recent phishing attacks, which would have allowed access to be gained to sensitive information.
It is unclear whether this is a single campaign or part of a wave of separate attacks on universities. What is clear is the attacks are increasing, so universities should take steps to improve email and web security.
Employees are being targeted so it is important to ensure that staff members are taught email security best practices and are shown how to identify phishing emails.
Technological defenses can also be improved to prevent malicious messages from arriving in Office 365 inboxes. As an additional protection, a DNS filter can be used to prevent users from accessing phishing websites and other known malicious web pages.
TitanHQ has developed powerful anti-phishing and anti-malware solutions for universities that help them protect against email and web-based attacks.
SpamTitan is a powerful anti-spam solution that incorporates DMARC authentication and sandboxing to provide superior protection against impersonation and malware attacks for Office 365 users.
WebTitan is a DNS filtering solution that prevents users from accessing known malicious websites, such as those used for phishing and distributing malware.
To improve Office 365 phishing defenses and better protect your email accounts and networks from malware attacks, contact TitanHQ for further information on these two powerful cybersecurity solutions for educational institutions.
The largest managed service provider conference of 2019 will be taking place in San Diego on 17-19 June.
DattoCon is the premier conference for MSPs, bringing together a plethora of vendors and industry experts to help MSPs learn business building secrets, gain invaluable product insights, and learn technical best practices. The networking and learning opportunities at DattoCon are second to none. DattoCon19 is certainly an event not to be missed.
TitanHQ is a Datto Select Vendor and a proud sponsor of DattoCon19. TitanHQ has developed cybersecurity solutions to exactly meet the needs of MSPs. All solutions area easy to implement and maintain and can be integrated into MSP’s existing systems via a suite of APIs. TitanHQ provides the web security layer to Datto DNA and D200 boxes and is the only third-party security company trusted to work with Datto.
The TitanHQ team will be on hand at the conference to discuss your email and web security needs and will offer practical advice to help you better serve the needs of your customers and get the very most out of TitanHQ solutions.
Visitors to the TitanHQ stand (booth 23) will have the opportunity to learn about TitanHQ’s exclusive TitanShield Program for MSPs. Through the TitanShield program, members have access to SpamTitan email security and phishing protection; the WebTitan DNS filter; and the ArcTitan email archiving solution. Around 2,000 MSPs have already signed up to the program and are using TitanHQ solutions to protect their clients.
If you currently use Cisco Umbrella to provide web and malware protection, you may be paying far more for security than is necessary and could well be struggling with product support. Be sure to speak to the team about the savings from switching and the support provided by TitanHQ. A visit will also be useful for MSPs that are currently supporting Office 365, as the team will explain how spam, phishing and malware protection can be enhanced.
TitanHQ Executive Vice President-Strategic Alliances, Rocco Donnino, will be on the panel for the new, Datto Select Avendors event on Monday. The event runs from 3PM to 4PM and brings together experts from several select companies who will help solve some of the epic problems faced by MSPs today.
Additional Benefits at DattoCon19
New TitanHQ customers benefit from special show pricing.
A daily raffle for a free bottle of vintage Irish whiskey.
Two DattoCon19 parties: TitanHQ and BVOIP are sponsoring a GasLamp District Takeover on Monday 6/17 and Wed, 6/19.
DattoCon19 will be taking place in San Diego, California on June 17-19, 2019
If you are not yet registered for the event you can do so here.
TitanHQ will be at booth 23
Shade ransomware was first identified by security researchers in 2014, when it was primarily being used in attacks on Russian businesses; however the threat actors behind this ransomware variant have broadened their horizons and attacks are now being conducted around the world. The United States is now the most attacked country followed by Japan, India, Thailand, and Canada. Russia has now fallen from top spot to seventh.
Shade ransomware, like many ransomware variants, is primarily spread via email. Emails are sent to businesses which appear at first glance to be invoices or bills. The emails contain links to websites hosting malicious files which are downloaded to the user’s device. A variant of this method uses a PDF attachment which contains a link inside which must be clicked to download a fake invoice or bill.
An analysis of the latest campaigns was recently conducted by Palo Alto Networks Unit 42 team. That analysis revealed the attackers are concentrating their attacks on high-tech companies, retailers, wholesalers, telecommunications, and educational institutions and the threat actors behind the campaigns have been highly active in 2019.
Since Shade ransomware is most commonly spread via spam email, to reduce the risk of an attack, businesses should implement an advanced email gateway solution that is capable of identifying and blocking the malspam emails that ultimately deliver Shade ransomware.
SpamTitan protects businesses from Shade ransomware and other email-based malware attacks. SpamTitan includes dual antivirus engines to detect malicious files attached to emails and scans the content of messages and subjects them to a Bayesian analysis and heuristics to identify signatures of spam and malicious messages.
The solution now incorporates a Bitdefender-powered sandbox feature which allows files to be opened in a safe and secure environment where they can be analyzed for malicious activity. The solution also allows users to block attachments commonly used to deliver malware, such as zip files and executable files such as .exe and .js.
These and other protection mechanisms help to ensure that only legitimate emails are delivered and malicious messages are prevented from being delivered to end users’ inboxes.
If you want to protect your business against ransomware and malware attacks, contact TitanHQ today to find out more about SpamTitan and take the first step towards improving your security posture.
SpamTitan, TitanHQ’s business email security solution, has been named leader in the Spring G2 Crowd Grid Report for Email Security Gateways.
G2 Crowd is a peer-to-peer review platform for business solutions. G2 Crowd aggregates user reviews of business software and the company’s quarterly G2 Crowd Grid Reports provide a definitive ranking of business software solutions.
The amalgamated reviews are read by more than 1.5 million site visitors each month, who use the reviews to inform software purchases. To ensure that only genuine reviews are included, each individual review is subjected to manual review.
The latest G2 Crowd Grid Report covers email security gateway solutions. Gateway solutions are comprehensive email security platforms that protect against email-based attacks such as phishing and malware. The email gateway is a weak point for many businesses and it is one that is often exploited by cybercriminals to gain access to business networks. A powerful and effective email gateway solution will prevent the vast majority of threats from reaching end users and will keep businesses protected.
To qualify for inclusion in the report, email gateway solutions needed to scan incoming mail to identify spam, malware, and viruses, securely encrypt communications, identify and block potentially malicious content, offer compliant storage through archiving capabilities, and allow whitelisting and blacklisting to control suspicious accounts.
For the report, 10 popular email security gateway solutions were assessed from Cisco, Barracuda, Barracuda Essentials, Proofpoint, Mimecast, Symantec, McAfee, Solarwinds MSP, MobileIron, and TitanHQ. Customers of all solutions were required to give the product a rating in four areas: Quality of support, ease of use, meets requirements and ease of administration.
TitanHQ the leader in business email security, today announced it has been recognized as a leader in the G2 Crowd Grid? Spring 2019 Report for Email Security.
TitanHQ’s SpamTitan was named leader based on consistently high scores for customer satisfaction and market presence. 97% of users of SpamTitan awarded the solution 4 or 5 stars out of 5 and 92% said they would recommend SpamTitan to others.
SpamTitan scored 94% for quality of support and meeting requirements. The industry average in these two areas was 84% and 88% respectively. The solution scored 92% for ease of use against an industry average of 82%, and 90% for ease of admin against an average value of 83%.
“TitanHQ are honored that our flagship email security solution SpamTitan has been named a leader in the email security gateway category,” said Ronan Kavanagh, CEO, TitanHQ. “Our customers value the uncompromised security and real-time threat detection. The overwhelmingly positive feedback from SpamTitan users on G2 Crowd is indicative of our commitment to ensuring the highest levels of customer success.”
If you want to improve email security without breaking the bank and want a solution that your IT staff will like using, SpamTitan is the ideal choice.
SpamTitan is available on a 100% free trial to allow you to try before committing to a purchase; however, if you have any questions about the solution, contact the TitanHQ team who will be happy to help and can schedule a product demonstration.
Emotet malware was first identified in 2014 and its original purpose was to obtain banking credentials and other sensitive information; however, the malware is regularly updated and new functionality is added. Emotet malware is now one of the most prevalent and dangerous malware threats faced by businesses.
The malware can detect whether it is running in a virtual environment and will generate false indicators in such cases. The malware is polymorphic, which means it changes every time it is downloaded. That makes it difficult to detect using the signature-based detection methods employed by standard anti-virus software.
The malware also has worm-like features which allows it to rapidly spread to other networked computers. Emotet is also capable of spamming and forwarding itself to email contacts. As if infection with Emotet is not bad enough, it can also download other malware variants onto infected devices.
Emotet malware is one of the most destructive malware variants currently in use and cleaning up Emotet attacks can be incredibly costly. The Department of Homeland Security has reported that some attacks on state, local, tribal, and territorial governments have cost more than $1 million to resolve.
Emotet malware is primarily distributed via spam email, either through malicious attachments or hyperlinks to websites where the malware is silently downloaded. The lures used in the messages are highly varied and include most of the commonly used phishing lures such as shipping notifications, fake invoices, payment requests, PayPal receipts.
Now the threat actors behind the malware have adopted a new tactic to increase infection rates. Once installed on a device, the malware accesses email conversation threads and forwards the message to individuals named in the thread.
The original email conversation is unaltered, but a hyperlink is added to the top of the message. The link directs the recipient to a webpage where a file download is triggered. Opening the document and enabling macros will see Emotet downloaded. Email attachments may also be added to previous conversation threads in place of hyperlinks.
Since the messages come from a known individual with whom an email conversation has taken place in the past, the probability of the document being opened is greater than if messages come out of the blue or are sent from an unknown individual.
Several cybersecurity firms have identified a campaign using this tactic, including phishing intelligence provider Cofense and security researcher Marcus Hutchins (MalwareTech).
The current campaign uses revived conversations from before November 2018, although more recent conversations may be revived in further campaigns. Any revived old email conversation that contains a link or an attachment could indicate a user has been targeted and that at least one member of the email exchange has been infected with Emotet.
The current campaign is not only extensive, it is also proving to be extremely successful. Spamhaus reports that there have been 47,000 new infections in the past two months alone, while Cofense reports that it has identified more than 700,000 infections in the past 12 months.
Protecting against this dangerous malware requires a powerful anti-spam solution and good security awareness training for staff. SpamTitan’s new features can help to detect malicious emails spreading Emotet malware to better protect businesses from attack.
To find out more about SpamTitan and how the solution can protect your business, give TitanHQ a call today.
Monday April 15 is Tax Day in the United States – the deadline for submitting 2018 tax returns. Each year in the run up to Tax Day, cybercriminals step up their efforts to obtain users’ tax credentials. In the past few weeks, many tax-related phishing scams have been detected which attempt to install information stealing malware.
One of the main aims of these campaigns is to obtain tax credentials. These are subsequently used to file fraudulent tax returns with the IRS. Tax is refunded to accounts controlled by the attackers, checks are redirected, and a range of other methods are used to obtain the payments.
Attacks on tax professionals are commonplace. If access can be gained to a tax professional’s computer, the tax credentials of clients can be stolen, and fraudulent tax returns can be filed in their names. A single successful attack on a tax professional can see the attacker obtain many thousands of dollars in tax rebates.
There has been the usual high level of tax-related phishing scams during the 2019 tax season and businesses of all types have been targeted. It is not only tax credentials that cybercriminals are after. Many tax-themed phishing scams have been conducted which attempt to install malware and ransomware such as the TrickBot banking Trojan.
The TrickBot banking Trojan is a powerful malware variant which, once installed, can give an attacker full control of an infected computer. The malware is primarily an information stealer. A successful installation on one business computer can allow the attackers to move laterally and spread the malware across the whole network.
The primary purpose of the TrickBot trojan is to steal banking credentials which can be used to make fraudulent wire transfers: however, TrickBot is regularly updated with new features. In addition to stealing banking credentials, the malware can steal VNC. RDP, and PuTTY credentials.
The threat actors behind TrickBot are highly organized and well resourced. More than 2,400 command and control servers are used by the cybercriminal gang and that number continues to grow.
The three new TrickBot malware campaigns were detected since late January by IBM X-Force researchers. Spam email messages are carefully crafted to appear legitimate and look innocuous to business users and appear to have been sent by well-known accounting and payroll firms such as ADP and Paychex.
Spoofed email addresses are commonly used, although in these campaigns, the attackers have used domain squatting. They have registered domains that are very similar to those used by the accounting firms. The domains have transposed letters and slight misspellings to make the email appear to have been sent from a legitimate source. The domains can be highly convincing and, in some cases, are extremely difficult to identify as fake.
The emails are well written and claim to include tax billing records, which are included as attached spreadsheets. The spreadsheets contain malicious macros which, if allowed to run, will download the TrickBot Trojan.
To prevent attacks, several steps should be taken. Macros should be disabled by default on all devices. Prompt patching is required to keep all software and operating systems up to date to prevent vulnerabilities from being exploited.
End users should receive security awareness training and should be taught cybersecurity best practices and how to identify phishing emails. An advanced spam and anti-phishing solution should also be implemented to ensure phishing emails are identified and prevented from reaching end users inboxes. Further, all IoCs and IPs known to be associated with the threat actors should be blocked through spam filtering solutions, firewalls, and web gateways.
The latter is made easy with SpamTitan and WebTitan – TitanHQ’s anti-phishing and web filtering solutions for SMBs.
Current users of the SpamTitan email security solution and SMBs and MSPs that are considering implementing SpamTitan or offering it to their clients are invited to join a webinar in which TitanHQ will explains the exciting new features that have recently been incorporated into the anti-phishing and anti-spam solution.
SpamTitan has recently received a major update that has seen the incorporation of DMARC email authentication to better protect users from email impersonation attacks and the addition of a new Bitdefender-powered sandbox. The sandbox allows users to safely assess email attachments for malicious actions, to better protect them against zero-day malware and other malicious software delivered via email.
The webinar will explain these and other features of SpamTitan in detail and the benefits they offer to customers, including how they better protect SMBs and SMEs from phishing, spear phishing, spoofing, ransomware, malware, and zero-day attacks.
The webinar will also explain why SpamTitan is the leading email security solution for managed service providers serving the SMB and SME market and how the solution can help to enhance security for their clients and can easily be slotted into their service stacks.
The webinar will be taking place on Thursday April 4, 2019 at 12pm, EST and will last approximately 30 minutes.
This week, TitanHQ has rolled out two new features for its award-winning email security solution SpamTitan: Sandboxing and DMARC email authentication.
TitanHQ developed the technology behind its email security solution more than 20 years ago and over the past two decades SpamTitan has received many updates to improve features for end users and increase detection rates.
SpamTitan already blocks more than 99.9% of spam and malicious emails to prevent threats from reaching end users’ inboxes. The level of protection SpamTitan provides against email attacks has made it the gold standard in email security for the SMB market and managed service providers serving SMBs.
In order to provide even greater protection against increasingly sophisticated email threats, TitanHQ added a new sandboxing feature. The next-generation sandboxing feature, powered by Bitdefender, provides SpamTitan customers with a safe environment to run in-depth analyses of suspicious programs and files that have been delivered via email.
New SpamTitan Sandboxing Service
The sandbox is a powerful virtual environment totally separate from other systems. When programs are run in the sandbox, they behave as they would on an ordinary endpoint and can be assessed for suspicious behavior and malicious actions without causing harm.
Prior to being sent to the sandbox, files are first analyzed using SpamTitan’s anti-malware technologies. Only files that require further analysis make it to the sandbox where they are safely detonated. Tactics used by malware to evade detection and avoid analysis are logged and flagged. Purpose-built, advanced machine learning algorithms they assess the files and check their actions against an extensive array of known threats from a range on online repositories in a matter of minutes.
If the file is confirmed as benign, it can be released. If the file is determined to be malicious, the sandboxing service automatically sends a report to the Bitdefender’s Global Protective Network and all further instances of the threat will then be blocked globally to ensure the file does not need to be analysed again.
The sandbox provides advanced protection against zero-day exploits, polymorphic threats, APTs, malicious URLs, new malware samples that have yet to be identified as malicious, and new threats that have been developed for undetectable targeted attacks.
Incorporation of this feature into SpamTitan gives customers advanced emulation-based malware analysis capabilities without having to purchase a separate sandboxing solution and ensures customers are protected against rapidly evolving advanced threats.
DMARC Email Authentication Added to SpamTitan
Email spoofing is the term given to the use of a forged sender address. Email spoofing is used to increase the likelihood of an email being delivered and opened by an end user. The email address of a known contact, well known company, or government organization is usually spoofed to abuse trust in that individual, brand, or organization.
DMARC authentication is now essential for all businesses and is a powerful control to prevent spoofing attacks. DMARC is used to check email headers to provide further information about the true sender of an email. Through DMARC, the message is authenticated as having been sent from the organization that owns the domain. If authentication fails, the message is rejected.
While SPF provides a certain degree of protection against email spoofing, DMARC is far more dependable. SpamTitan now incorporates DMARC authentication to provide even greater protection against email spoofing attacks.
Both of these new features have been added in the latest update to SpamTitan and are available to users at no extra cost.
“We have listened to requests from customers to have new features added to SpamTitan, and by far the most requested improvements are anti-spoofing technology and sandboxing,” said Ronan Kavanagh, CEO, TitanHQ. “I’m delighted to say that both of these new features have now been added to provide enhanced security for customers at no extra cost.”
During tax season, tax phishing scams are rife. If cybercriminals can steal personal information such as the information contained on W2 forms, they can use the information to file fraudulent tax returns. Each set of credentials can net cybercriminals thousands of dollars. Attacks on businesses can be even more profitable. If an attack results in the theft of the tax credentials of a company’s entire workforce, hundreds of fraudulent tax returns can be filed.
The IRS works hard to combat fraud, but even so, many of these attacks are successful and fraudulent tax refunds are issued. This week, as part of its efforts to combat tax fraud, the IRS has launched its 2019 Dirty Dozen campaign. The campaign raises awareness of the threat of tax fraud and encourages taxpayers, businesses, and tax professionals to be vigilant.
The campaign features 12 common tax scams that attempt to obtain personal information or access to systems that contain such information. The campaign will see a different scam highlighted for 12 consecutive days. The campaign was launched on March 4 with the biggest threat in tax season: Tax phishing scams.
Common Tax Phishing Scams
Tax phishing scams are constantly evolving and each year several new tax phishing scams are identified. The most common scams and attacks are:
Business Email Compromise (BEC) attacks
Business Email Spoofing (BES) attacks
Email impersonation attacks
BEC attacks involve the use of a genuine business email account to send messages to employees requesting the W2 form information of employees, changes to business account information, requests to reroute direct deposits and make fraudulent wire transfers. The attackers often gain access to a high-level executive’s email account through a spear phishing campaign. BEC is one of the most common business tax phishing scams.
BES attacks are similar, except that no email account has been compromised. The email address of an executive or other employee is spoofed so that emails appears to have been sent from within an organization.
Email impersonation attacks are common during tax season. Scammers impersonate the IRS and use a variety of lures to obtain personal information. Common lures are threats of legal action or fines for outstanding taxes and offers of tax refunds. They often direct users to a website where they are required to enter their personal information. These phishing webpages are also linked to on social media websites. The clients of tax professionals may also be impersonated. Emails often request changes be made to direct deposit accounts or contain requests for sensitive information.
Malware is often used to gain access to the computers of tax professionals, and employees in the payroll and HR departments. Keyloggers are commonly used as they allow the attackers to steal login credentials. Malware can also transfer files containing sensitive information to the attackers’ servers. Malware is often installed via scripts in email attachments – malicious macros for instance – or via drive-by downloads from malicious websites.
New Phishing Scam Targeting Tax Professionals
One of the new tax phishing scams to emerge this year targets tax professionals. First the attackers gain access to tax professionals’ computers, either through spear phishing campaigns or by installing malware. Client tax information is then stolen and fraudulent tax returns are files in the clients’ names. When the IRS processes the refunds, payments are sent to taxpayers’ bank accounts. Those taxpayers then receive a call or an email demanding the return of the funds which have been paid in error. The attackers claim to be from a debt collection agency used by the IRS or the IRS itself.
Don’t Become a Victim of a Tax Phishing Scam
Many taxpayers and businesses fall victim to tax phishing scams each year, especially during tax season when attacks increase; however, by taking some simple steps and being vigilant it is possible to identify scams and keep financial and personal data secure.
Any email, text, or telephone call that requests personal/tax information should be treated as a potential scam. If an email or text message is received that claims to be from the IRS demanding payment of outstanding taxes, an offer of a tax refund, or a threat of legal action, bear in mind that the IRS does not initiate contact via email or text message asking for personal information. If such a message is received, forward the email to email@example.com and contact the IRS or check your online tax account to find out if there is a genuine problem. Never use the contact information or links in an email and do not open an email attachment in an email that appears to have been sent by the IRS.
Businesses can include information about tax phishing scams in their security awareness training sessions, but departments that are likely to be targeted by cybercriminals – payroll, human resources, finance and accounting Etc.) should receive specific training ahead off the start of tax season. Sending monthly reminders about phishing attacks and other tax scams each month via email is also a good best practice.
Since most attacks start with a phishing email, businesses should ensure that they have an advanced spam filtering solution in place to block phishing and other emails at the gateway before they can be delivered to end users. SpamTitan is an ideal anti-spam solution for businesses and tax professionals to protect against tax phishing scams. The solution blocks more than 99.9% of spam and phishing emails and includes outbound email scanning to ensure that compromised email accounts cannot be used for spamming.
To protect against internet phishing scams, a web filtering solution is ideal. WebTitan prevents end users from visiting phishing websites, including blocking visits to malicious websites via hyperlinks in scam emails. The solution also blocks drive-by malware downloads and other web-based threats.
If you are a tax professional or you run a business and are unhappy with your current anti-spam or web filtering solution provider, or you have yet to implement either of these solutions, give the TitanHQ team a call today for further information on how these solutions can protect your business, details of pricing, and to book a product demonstration.
It doesn’t take long after the release of a patch for hackers to take advantage, especially when the vulnerability potentially impacts 500 million users. It is therefore not surprising that at least one hacker is taking advantage of a recently disclosed WinRAR vulnerability.
Oftentimes, vulnerabilities are found in certain versions of software, but this vulnerability affects all WinRAR users and dates back 19 years. The WinRAR vulnerability was identified by researchers at Check Point. WinRAR was alerted and confirmed the vulnerability existed, and promptly issued an updated version of the file compression tool with the vulnerability removed. Details of the vulnerability were disclosed in a Check Point blog post on February 20, 2019.
The WinRAR vulnerability in question was present in a third-party DLL file which was included in WinRAR to allow ACE archive files to be uncompressed. The researchers found that by renaming a .rar archive to make it appear that the compressed file was an ACE archive, it was possible to extract a malicious file into the startup folder unbeknown to the user. That file would then run on boot, potentially giving an attacker full control of the device. The malicious file would continue to load on startup until discovered and removed.
All an attacker would need to do to exploit the WinRAR vulnerability is to convince a user to open a specially crafted .rar archive file attached to an email. Compressed files are often used in malspam campaigns to hide malicious executable files. Since .rar and .zip files are commonly used by businesses to send large files via email, they are likely to be recognized and may be opened by end users.
In this case, if the archive contents are extracted, the user would likely be unaware that anything untoward had happened, as the executable is loaded into the startup folder without giving any indication the file has been extracted. Due to the location of extraction, no further actions are required by the user.
In this case, the executable installs a backdoor, although only if the user has User Account Control (UAC) disabled. That said, this is unlikely to be the only campaign exploiting the WinRAR vulnerability. Other threat actors may develop a way to exploit the vulnerability for all users that have yet to update to the latest WinRAR version.
Many users will have WinRAR installed on their computer but will rarely use the program, so may not be aware that there is an update available. It is possible that a large percentage of users with the program installed have yet to update to the latest version and are vulnerable to attack.
This campaign illustrates just how important it is to patch promptly. As soon as a patch is released for a popular software program it is only a matter of time before that vulnerability is exploited, even just a few days.
Patching all devices in use in an organization can take time. It is therefore important to make sure that all employees receive security awareness training and are taught email security best practices and how to identify potentially malicious emails.
Unfortunately, social engineering techniques can be highly convincing, and many users may be fooled into opening email attachments, especially when the attacker spoofs the sender’s email address and the email appears to come from a known individual. It is therefore essential to have an advanced spam filtering solution in place that is capable of detecting malicious attachments at source, including malicious files hidden inside compressed files, and stop the messages from being delivered to inboxes.
The 2019 Cybersecurity Survey conducted by the Healthcare Information and Management Systems Society (HIMSS) has highlighted healthcare email security weaknesses and the seriousness of the threat of phishing attacks.
HIMSS conducts the survey each year to identify attack trends, security weaknesses, and areas where healthcare organizations need to improve their cybersecurity defenses. This year’s survey confirmed that phishing remains the number one threat faced by healthcare organizations and the extent that email is involved in healthcare data breaches.
This year’s study was conducted on 166 healthcare IT leaders between November and December 2018. Respondents were asked questions about data breaches and security incidents they had experienced in the past 12 months, the causes of those breaches, and other cybersecurity matters.
Phishing attacks are pervasive in healthcare and a universal problem for healthcare providers and health plans of all sizes. 69% of significant security incidents at hospitals in the past 12 months used email as the initial point of compromise. Overall, across all healthcare organizations, email was involved in 59% of significant security incidents.
The email incidents include phishing attacks, spear phishing, whaling, business email compromise, and other email impersonation attacks. Those attacks resulted in network breaches, data theft, email account compromises, malware infections, and fraudulent wire transfers.
When asked about the categories of threat actors behind the attacks, 28% named ‘online scam artists’ and 20% negligence by insiders. Online scam artists include phishers who send hyperlinks to malicious websites via email. It was a similar story the previous year when the survey was last conducted.
Given the number of email-related breaches it is clear that anti-phishing defenses in healthcare need to be improved. HIPAA requires all healthcare employees to receive security awareness training, part of which should include training on how to identify phishing attacks. While this is a requirement for compliance, a significant percentage (18%) of healthcare organizations do not take this further and are not conducting phishing simulations, even though they have been shown to improve resilience against phishing attacks by reinforcing training and identifying weaknesses in training programs.
The continued use of out of date and unsupported software was also a major concern. Software such as Windows Server and Windows XP are still extensively used in healthcare, despite the number of vulnerabilities they contain. 69% of respondents admitted still using legacy software on at least some machines. When end users visit websites containing exploit kits, vulnerabilities on those devices can easily be exploited to download malware.
It may take some time to phase out those legacy systems, but improving healthcare email security is a quick and easy win. HIMSS recommends improving training for all employees on the threat from phishing with the aim of decreasing click rates on phishing emails. That is best achieved through training, phishing simulations, and better monitoring of responses to phishing emails to identify repeat offenders.
At TitanHQ, we can offer two further solutions to improve healthcare email security. The first is an advanced spam filtering solution that blocks phishing emails and prevents them from being delivered to inboxes. The second is a solution that prevents employees from visiting phishing and other malicious websites such as online scams.
SpamTitan is an advanced anti-phishing solution that scans all incoming emails using a wide range of methods to identify malicious messages. The solution has a catch rate in excess of 99.9% with a false positive rate of just 0.03%. The solution also scans outbound messages for spam signatures to help identify compromised email accounts.
WebTitan Cloud is a cloud-based web filtering solution that blocks attempts by employees to visit malicious websites, either through web surfing or responses to phishing emails. Should an employee click on a link to a known malicious site, the action will be blocked before any harm is caused. WebTitan also scans websites for malicious content to identify and block previously known phishing websites and other online scams. Alongside robust security awareness training programs, these two solutions can help to significantly improve healthcare email security.
For further information on TitanHQ’s healthcare email security and anti-phishing solutions, contact TitanHQ today.
A new Office 365 phishing scam has been detected that attempts to get users to part with their Office 365 credentials with a request for collaboration via SharePoint.
The campaign was first detected in the summer of 2018 by researchers at cybersecurity firm Avanan. The Office 365 phishing scam is ongoing and has proven to be highly effective. According to Kaspersky Lab, the phishing campaign has been used in targeted attacks on at least 10% of companies that use Office 365.
This Office 365 phishing scam abuses trust in SharePoint services that are often used by employees. An email is sent to an Office 365 user that contains a link to a document stored in OneDrive for Business. In contrast to many phishing campaigns that spoof links and fool users into visiting a website other than the one indicated by the link text, this link actually does direct the user to an access request document on OneDrive.
A link in the document then directs users to a third-party website where they are presented with a Microsoft Office 365 login page that is a perfect copy of the official Office 365 login page. If login credentials are entered, they are given to the scammers. Once obtained, it is possible for the scammers to gain access to the Office 365 account of the user, including email and cloud storage.
The email accounts can be used for further phishing campaigns on the user’s contacts. Since those messages come from within the organization, they are more likely to be trusted. Email accounts can also contain a wealth of sensitive information which is of great value to competitors. In healthcare, email accounts can contain patient information, including data that can be used to steal identities. The attackers can also use the compromised credentials to spread malware. Employees may know not to open attachments from unknown individuals, but when they are sent from a colleague, they are more likely to be opened.
Businesses that use Microsoft’s Advanced Threat Protection (APT) service may mistakenly believe they are protected from phishing attacks such as this. However, since the links in the email are genuine OneDrive links, they are not identified as malicious. It is only the link in those documents that is malicious, but once the document is opened, Microsoft’s APT protection has already been bypassed.
Finding Office 365 users is not difficult. According to a 2017 Spiceworks survey, 83% of enterprises use Office 365 and figures from 2018 suggest 56% of organizations globally have adopted Office 365. However, a basic check can easily identify Office 365 users as it is broadcast on public DNS MX records. If one user can be found in an organization, it is highly likely that every other user will be using Office 365.
Businesses can take steps to avoid Office 365 phishing scams such as this.
Ensure that all employees are made aware of the threat from phishing, and specifically this Office 365 phishing scam. They should be told to exercise caution with offers to collaborate that have not been preceded by a conversation.
Conduct phishing email simulations to test defenses against phishing and identify individuals that require further security awareness training.
Activate multifactor authentication to prevent stolen credentials from being used to access Office 365 accounts from unknown locations/devices.
Change from APT anti-phishing controls to a third-party spam filter such as SpamTitan. This will not only improve catch rates, it will also not broadcast that the organization uses Office 365.
Use an endpoint protection solution that is capable of detecting phishing attacks.
Implement a web filter to prevent users from visiting known phishing websites and other malicious web pages.
A new email campaign is being conducted in the run up to Valentine’s Day which attempts to get users to open email attachments by fooling them into thinking they are love letters. The love letter email scam includes enticing subject lines such as ‘Love Letter’, ‘I Love You’, ‘This is my love letter to you’, ‘Always thinking about you’, and other love and love letter themes.
These types of scams are common in the run up to Valentine’s Day, and as the day draws closer, the likelihood of the scams succeeding grows.
A further four malware variants are subsequently downloaded to the victim’s device: The Phorpiex spambot, a Monero cryptocurrency miner (XMRig), a further malware downloader, and the latest version of GandCrab ransomware: A particularly nasty combination of malware.
The malspam campaign was detected by SANS ISC researcher Brad Duncan who determined the campaign has been running since at least November 2018. Several different subject lines and attachments have been identified and multiple spoofed sending addresses are used in this campaign.
To prevent email scams such as this from succeeding, businesses should ensure that their employees receive ongoing security awareness training. Regular email security alerts should be sent to the workforce to keep them abreast of the latest techniques that are being used by scammers to install malware and phish for sensitive information.
It is also essential for an advanced spam filter to be implemented. This will ensure the majority of malicious messages are blocked and not delivered to end users. SpamTitan scans all incoming and outgoing messages and uses a variety of techniques to identify spam and malicious messages. Those controls ensure a block rate in excess of 99.9%, while dual antivirus engines provide total protection against all known malware variants.
SpamTitan is available on a free trial with options to suit all businesses and managed service providers. For further information, to register for the no-obligation free trial, or to book a product demonstration, contact TitanHQ today.
The last weekend of 2018 has seen a major newspaper cyberattack in the United States that has disrupted production of several newspapers produced by Tribune Publishing.
The attacks were malware-related and affected the Saturday editions of the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, the New York Times, the Wall Street Journal, and others. The malware attack occurred on Thursday, December 27, and caused major problems throughout Friday.
All of the affected newspapers shared the same production platform, which was disrupted by the malware infection. While the type of malware used in the attack has not been publicly confirmed, several insiders at the Tribune have reported that the attack involved Ryuk ransomware.
Ransomware is a form of malware that encrypts critical files preventing them from being accessed. The primary goal of attackers is usually to obtain ransom payments in exchange for the keys to decrypt the encrypted files. It is also common for ransomware to be deployed after network access has been gained and sensitive information has been stolen, either to mask a data breach or in an attempt to make an attack even more profitable. It is also not unknown for ransomware attacks to be conducted to cause disruption. It is suspected that this newspaper cyberattack was conducted primarily to disable infrastructure.
The type of ransomware used in an attack is usually easy to identify. After encrypting files, ransomware changes file extensions to an (often) unique extension. In the case of Ryuk ransomware, extensions are changed to .ryk.
The Los Angeles Times has attributed it to threat actors based outside the United States, although it is unclear which group was behind the cyberattacks. If the attack was conducted to disable infrastructure it is probable that this was a nation-state sponsored attack.
The first Ryuk ransomware cyberattacks occurred in August. Three U.S. companies were attacked, and the attackers were paid at least $640,000 for the keys to unlock the data. An analysis of the ransomware revealed it shared code with Hermes malware, which had previously been linked to the Lazarus Group – An APT group with links to North Korea.
While many ransomware campaigns used mass spamming tactics to distribute the ransomware and infect as many end users as possible, the Ryuk ransomware attacks were much more targeted and involved considerable reconnaissance and extensive network mapping before the ransomware is finally deployed. As is the case with SamSam ransomware attacks, the campaign is conducted manually.
Several methods are used to gain access to networks, although earlier this year a warning about Ryuk ransomware was issued by the U.S. Department of Health and Human Services claiming email to be one of the main attack vectors, highlighting the importance of email security and end user training to help employees recognize email-based threats.
A new Netflix phishing scam has been detected that attempts to fool Netflix subscribers into disclosing their login credentials and other sensitive information such as Social Security numbers and bank account numbers.
This Netflix phishing scam is similar to others that have been intercepted over the past few months. A major campaign was detected in October and another in November. The latest Netflix phishing scam confirms that the threat actors are now launching large-scale phishing attacks on a monthly basis.
The number of recent Netflix scams and the scale of the campaigns has prompted the U.S. Federal Trade Commission (FTC) to issue a warning to raise awareness of the threat.
The latest campaign was detected by an officer in the Ohio Police Department. As with past campaigns, the attackers use a tried and tested method to get users to click on the link in the email – The threat of account closure due to issues with the user’s billing information.
In order to prevent closure of the user’s Netflix account a link in the email must be clicked. That will direct the user to the Netflix site where login credentials and banking information must be entered. While the web page looks genuine, it is hosted on a domain controlled by the attackers. Any information entered on that web page will be obtained by the threat actors behind the scam.
The emails appear genuine and contain the correct logos and color schemes and are almost identical to the official emails sent to users by Netflix. Netflix also includes links in its emails, so unwary users may click without first checking the authenticity of the email.
Image Source: FTC via Ohio Police Department
There are signs that the email is not what it seems. The email is incorrectly addressed “Hi Dear”; British English is used, even though the email is sent to U.S. citizens; the email is sent from a domain that is not used by Netflix; and the domain to which the email directs users is similarly suspect. However, the scam is sure to fool many users who fail to carefully check emails before taking any action.
Consumers need to exercise caution with email and should carefully check messages before responding, no matter how urgent the call for action is. It is a good best practice to always visit a website directly by entering in the domain into the address bar of a web browser, rather than clicking a link in an email.
If the email is determined to be a scam, it should be reported to the appropriate authorities in the country in which you reside and also to the company the scammers are impersonating. In the case of Netflix phishing scams, emails should be sent to firstname.lastname@example.org.
While this Netflix phishing scam targets consumers, businesses are also at risk. Many similar scams attempt to get users to part with business login credentials and bank account information. Businesses can reduce the risk of data and financial losses to phishing scams by ensuring all members of the company, from the CEO down, are given regular security awareness training and are taught cybersecurity best practices and are made aware of the latest threats.
An advanced spam filtering solution is also strongly recommended to ensure the vast majority of these scam emails are blocked and do not reach inboxes. SpamTitan for instance, blocks more than 99.9% of spam and phishing emails and 100% of known malware.
For further information on anti-phishing solutions for businesses, contact the TitanHQ team today.
A major San Diego School District phishing attack has been discovered. The phishing attack stands out from the many similar phishing attacks on schools due to the extent of accounts that were compromised, the amount of data that was potentially obtained, and the length of time it took for the data breach to be detected.
According to a recent breach announcement, the login credentials of around 50 district employees were obtained by the attacker. It is not unusual for multiple accounts to be breached in school phishing attacks. Once access is gained to one account, it can be used to send internal phishing emails to other staff members. Since those emails come from within, they are more likely to be trusted and less likely to be detected. Investigations into similar phishing attacks often reveal many more email accounts have been compromised than was initially thought, although 50 sets of compromised credentials is particularly high.
Those accounts were compromised over a period of 11 months. The San Diego School District phishing attack was first detected in October 2018 after staff alerted the district’s IT department to phishing emails that had been received. Multiple reports tipped off the IT department that an ongoing cyberattack was occurring and there may have been a data breach.
The investigation revealed the credentials obtained by the attacker provided access to the district’s network services, which included access to the district’s database of staff and student records. The school district is the second largest in California and serves over 121,000 students each year. The database contained records going back to the 2008/2009 school year. In total, the records of more than 500,000 individuals were potentially obtained by the hacker. Given the length of time that the hacker had access to the network, data theft is highly probable.
The data potentially obtained was considerable. Student information compromised included names, addresses, dates of birth, telephone numbers, email addresses, enrollment and attendance information, discipline incident information, health data, legal notices on file, state student ID numbers, emergency contact information, and Social Security numbers. Compromised staff information also included salary information, health benefits data, paychecks and pay advices, tax data, and details of bank accounts used for direct deposits.
Data could be accessed from January 2018 to November 2018. While it is typical for unauthorized access to be immediately blocked upon discovery of a breach, in this case the investigation into the breach was conducted prior to shutting down access. This allowed the identity of the suspected hacker to be determined without tipping off the hacker that the breach had been detected. The investigation into the breach is ongoing, although access has now been blocked and affected individuals have been notified. Additional cybersecurity controls have now been implemented to block future attacks.
School district phishing attacks are commonplace. School districts often lack the resources of large businesses to devote to cybersecurity. Consequently, cyberattacks on school districts are much easier to pull off. Schools also store large volumes of sensitive data of staff and students, which can be used for a wide range of malicious purposes. The relative ease of attacks and a potential big payday for hackers and phishers make schools an attractive target.
The San Diego School District phishing attack is just one of many such attacks that have been reported this year. During tax season at the start of 2018, many school districts were targeted by phishers seeking the W-2 forms of employees. It is a similar story every year, although the threat actors behind these W-2 phishing attacks have been more active in the past two years.
In December this year, Cape Cod Community College suffered a different type of phishing attack. The aim of that attack was to convince staff to make fraudulent wire transfers. At least $800,000 was transferred to the attackers’ accounts in that attack.
These attacks clearly demonstrate the seriousness of the threat of phishing attacks on school districts and highlights the importance of implementing robust cybersecurity protections to protect against phishing.
If you want to improve your defenses against phishing, contact the TitanHQ team today for further information on anti-phishing solutions for schools.