Spam News

Exploit Kit Activity has Declined, but Spamming Activity Has Increased

Figures from Trustwave show there has been a steady decline in exploit kit activity over the past year. Exploit kits were once one of the biggest cybersecurity threats. In late 2015 and early 2016 exploit kits were being extensively used to spread ransomware and malware. Now exploit kit activity has virtually dropped to nothing.

Exploit kits are toolkits that are loaded onto malicious or hijacked websites that probe for vulnerabilities in browsers and plugins such as Adobe Flash Player and Java. When a new zero-day vulnerability was discovered, it would rapidly be added to exploit kits and used to silently download ransomware and malware onto web visitors’ computers. Any individuals that had failed to keep their browsers and plugins up to date would be at risk of being infected. All that would be required was make them – or fool them- into visiting a malicious website.

Links were sent via spam email, malvertising was used to redirect web visitors and websites were hacked and hijacked.  However, the effort required to develop exploits for vulnerabilities and host exploit kits was considerable. The potential rewards made the effort more than worthwhile.

Exploit kits such as Angler, Magnitude and Neutrino no longer pose such a big threat. The actors behind the Angler exploit kit, which was used to spread Locky ransomware in early 2016, were arrested. Law enforcement agencies across the world have also targeted gangs running these exploit kits. Today, exploit kit activity has not stopped entirely, but it is nowhere near the level seen in the first half of 2016.

While this is certainly good news, it does not mean that the threat level has reduced. Ransomware and malware are still major threats, all that has happened is cybercriminals have changed tactics for distributing the malicious programs. Exploit kits are not dead and buried. There has just been a lull in activity. New exploit kits are undoubtedly being developed. For the time being, exploit kit activity remains at a low level.

Now, the biggest threat comes from malicious spam email messages. Locky and other ransomware variants are now almost exclusively spread via spam email messages. Cybercriminals are also developing more sophisticated methods to bypass security controls, trick end users into opening infected email attachments, and improve infection rates.

Much greater effort is now being put into developing convincing phishing and spear phishing emails, while spam emails are combined with a wide range of social engineering tricks to get end users to open infected email attachments. End users are more knowledgeable and know not to click on suspicious email attachments such as executable files; however, malicious Word documents are another matter. Office documents are now extensively used to fool end users into installing malware.

With cybercriminals now favoring spam and phishing emails to spread malware and ransomware, businesses need to ensure their spam defenses are up to scratch. Employees should continue to be trained on cybersecurity, the latest email threats should be communicated to staff and advanced spam filters should be deployed to prevent messages from being delivered to end users.

Blank Slate Spam Campaign Distributing Cerber Ransomware

The SANS Internet Storm Center reports that the Blank Slate spam campaign which was first detected in July last year is now being used to spread Cerber ransomware, rather than previous favorites Locky and Sage 2.0.

In the majority of cases, emails used to spread ransomware and other nasties use a variety of social engineering techniques to trick end users into opening the email attachments and infecting their computers. However, the Blank Slate spam campaign opts for simplicity. The spam email messages contain no text, hence the name ‘blank slate’.

The email messages contain a double zip file attachment. A zip file is attached to the email, and within it is a second zip file containing JavaScript or a Word document with a malicious macro. The JavaScript or macro then downloads the malicious payload – Cerber ransomware – if it is run.

Without any social engineering tactics, infection rates are likely to be much lower. However, researchers suggest that more email messages are likely to get past security defenses using this technique. Since more emails are delivered to end users’ inboxes, this is likely to make up for the fact that fewer attachments will be opened.  The blank slate spam campaign is believed to be spread via botnets.

Cerber ransomware has been a major threat over the past 12 months. The ransomware is frequently updated to ensure it avoids detection. The latest blank slate spam campaign is being used to spread the latest form of the ransomware, which hides malicious code inside Nullsoft Scriptable Install System (NSIS) installers.

Security researchers at Palo Alto Network’s Unit 42 team report that Cerber ransomware is being hosted on around 500 separate domains. When domains are detected by hosting companies they are rapidly shut down; however, new domains are then registered by the criminals to take their place.

Since new domains can easily be registered using stolen credentials, the costs to cybercriminals are low. The cost of signing up for a new domain are negligible. Burner phones can be purchased cheaply and the numbers provided when registering domains, email addresses can be registered free of charge, and stolen credit card details can be used to make payment. There is no shortage of stolen credit card numbers to use. However, the rewards from Cerber ransomware infections are high. Now, the keys to decrypt data locked by Cerber ransomware costs victims 1 Bitcoin – around $1,000.

Organizations can protect against the threat by ensuring their spam filtering solutions are carefully configured and making sure all employees are instructed never to open JavaScript files or enable Word macros sent from unknown senders.

World’s Largest Spam Operation Exposed: Database of 1.37 Billion Email Addresses Uncovered

The world’s largest spam operation has been exposed, and along with it, a massive database of email addresses. More than 1.37 billion email addresses, names, addresses, and IP addresses were in the database, which was exposed as a result of an error made during a backup. The company behind the operation is the email marketing firm River City Media – A legitimate email marketing company that uses some decidedly shady email marketing practices.

So how large is the world’s largest spam operation? According to MacKeeper researchers, the company behind the massive spamming campaigns were sending up to one billion spam email messages every day. However, due to the leak, life is likely to get a lot tougher for the email marketing firm. Its entire infrastructure has now been added to the spamming blacklist maintained by Spamhaus: The world leader in providing up to date threat intelligence on email spam and related spamming activity.

So how does a database from the world’s largest spam operation get released on the Internet? Faulty backups! The company failed to configure their Rsync backups correctly, resulting in those backups being available online without any need for a password. The database was discovered by MacKeeper security researcher Chris Vickery.

The revelation that such a large database had been obtained was huge news. In fact, it even drew a response from the Indian government, which felt it necessary to explain that it was not the source of the leak. The Indian government’s federal ID system is one of a very small number of databases that contain that number of records.

The number of records in the database is so large that almost everyone that uses email would either be on the list or would know someone that is.

How does a company amass so many email addresses? According to Vickery, there are various methods used, although he said “credit checks, education opportunities, and sweepstakes,” are typically used to obtain the email addresses, as are legitimate marketing campaigns from major brands. Users divulge their email addresses during these campaigns in order to receive a free gift, special offer, or an online service. Hidden away in the terms and conditions, which few people read, is confirmation that the information collected will be shared with marketing partners. Those marketing partners then share addresses with their partners, and their partners’ partners, and so on. Before long, the email addresses will be made available to a great deal of spammers.

When spammers use those addresses, there is a high probability that the domains used for sending the marketing messages will be blocked. To get around this, companies such as RCM use warm up accounts to send out their campaigns.

New campaigns will be sent to the warm up accounts, and provided they do not generate complaints, the sender of the emails will be marked as a good sender. With a good reputation, the spammers will be able to scale up their operation and send out billions of messages. If at any point messages start to be rejected or complaints start to be received, the domain is dropped and the process starts again. That way, RCM is able to bypass spam filtering controls and continue to send messages.

A detailed insight into the world’s largest spam operation and the techniqus used to send spam messages has been published by CSO Online, which worked with Vickery, MacKeeper, and Spamhaus following the discovery of the huge database.

Businesses Are Not Taking Full Advantage of Anti-Phishing Technologies, Says FTC

A recently published study from the Federal Trade Commission’s (FTC) Office of Technology Research and Investigation has revealed that anti-phishing technologies are not being widely adopted by U.S. businesses.

While there are several anti-phishing technologies that could be adopted by businesses to reduce susceptibility to phishing attacks, relatively few businesses are taking full advantage of the latest anti-phishing solutions.

Phishing is a type of online scam primarily conducted via email, although the same type of scam can occur online on malicious websites. The email version of the scam involves sending an email request to an employee in which the attacker claims to be a well-known source. That could be an Internet service provider, a well-known company such as Amazon or Netflix, or the CEO or CFO of the employee’s company. The target is asked to send sensitive personal or business information.

Typically, the attackers request financial information, logins, or as we have seen on numerous occasions this year, employees’ W-2 Form data. The information is then used for identity theft and fraud. In the case of the W-2 Form phishing scams, the information is used to file fraudulent tax returns in employees’ names.

Phishing is one of the biggest cybersecurity threats that businesses must mitigate. A separate study conducted by PhishMe showed that the vast majority of cyberattacks start with a phishing email. The largest ever healthcare data breach – which resulted in the theft of 78.8 million health insurance members’ credentials from Anthem Inc. – occurred as a result of an employee responding to a phishing message.

The FTC’s research revealed that most businesses have now implemented authentication controls, but little else. The FTC study (performed by OTech) found that 86% of businesses were using the Sender Policy Framework (SPF) to determine whether emails that claim to have been sent from a business were actually sent from the domain used by that business.

While this is an important anti-phishing control, SPF alone is insufficient to protect businesses from phishing attacks. SPF controls can be bypassed.

The FTC study found that fewer than 10% of businesses were using Domain Message Authentication Reporting & Conformance (DMARC) to receive intelligence on the latest spoofing attempts used to bypass SPF controls. DMARC allows businesses to automatically reject unauthenticated messages, yet few use the technology.

While not covered by the FTC study, one of the best additional anti-phishing technologies is a spam filtering solution such as SpamTitan.

SpamTitan blocks 99.97% of spam email messages, 100% of known malware via its dual anti-virus engines, while a powerful anti-phishing component looks for common signatures of phishing emails and prevents them from being delivered.

The threat from phishing is growing. A study from the Anti-Phishing Working Group revealed there was a 65% increase in phishing attacks in 2016 compared to 2015. Last year, 1,220,523 phishing attacks were reported. With attacks increasing at such a rate, and given the number of phishing attacks on businesses so far in 2017, more must be done to prevent attacks.

Is your business doing enough to prevent phishing attacks? What anti-phishing technologies has your business adopted to prevent employees being scammed?

BugDrop Malware Turns on Microphones and Exfiltrates Recordings

BugDrop malware is a new and highly advanced email-borne threat detected in the past few days. While attacks are currently concentrated on companies in Ukraine, BugDrop malware attacks have already started in other countries. Companies in Austria, Russia and Saudi Arabia have also been attacked.

Due to the nature of the attacks, it is clear that the actors behind the new malware have access to significant resources. So far, BugDrop malware is known to have stolen an incredible 600 GB of data from around 70 confirmed targets. At the rate that the malware is stealing data, the storage required will be considerable. This is therefore unlikely to the work of an isolated hacker. A significant cybercriminal group or most likely, a foreign-government backed hacking group, is likely to be responsible for the attacks.

Companies involved in scientific research, critical infrastructure, news media, engineering, and even human rights organizations have been targeted.

The malware will steal documents stored on infected computers and networks to which the computer connects. Passwords are stolen and screenshots are taken. However, rather than simply gain access to intellectual property and other sensitive data, the malware has another method of obtaining information. BugDrop malware, as the name suggests, bugs organizations and records audio data.

The malware turns on the microphone on an infected computer and records conversations, which accounts for the huge volume of data stolen. The stolen files are then encrypted and uploaded to the attackers’ Dropbox account. Files are retrieved from the Dropbox account and are decrypted. The resources required for analyzing such huge volumes of data – including audio data – are considerable, as are the storage requirements.

The CyberX researchers who discovered the malware suggest that Big Data analytics are likely used rather than manually checking the stolen data. Either way, such an operation must be heavily staffed, which points to a state-sponsored group. CyberX says “Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience.”

Since data exfiltration occurs via Dropbox, data exfiltration may not be detected. Many companies allow their employees to access Dropbox and connections to the storage service are often not monitored. Encryption is used, preventing many anti-virus solutions from detecting attacks or sandboxing the malware. The attacks also involve reflective DLL injection – since code is run in the context of other processes, detection is made more difficult.

BugDrop malware is being distributed via spam email using malicious macros in Word documents. If macros are enabled, the malware will be installed when the document is opened. Since many companies now automatically block macros and require them to be enabled on each document, the attackers prompt the user to enable macros by saying the document was created in a newer version of Microsoft Office. To view the contents of the document, macros must be enabled. The Word documents contains a professional image from Microsoft, including branding and Office logos, to make the warning appear genuine.

New Statistics Released on Corporate Email Security Threats

Google has released its latest statistics on the main corporate email security threats, with the search engine giant’s report also delving into the latest email-borne attacks on corporate Gmail account users. The report follows on from a presentation at the RSA Conference, which provided more detail on the biggest corporate email security threats that now have to be blocked.

According to Google’s data, spam is still a major problem for businesses. While the barrage of unsolicited emails is a nuisance that results in many hours of lost productivity, corporate users face a much bigger threat from spam. Malicious messages are a major menace.

Cybercriminals are targeting corporate users to a much higher extent than personal email account holders. The reason is clear. There is more to be gained from infecting corporate computers with malware than personal computers. Businesses are much more likely to pay ransoms if data are encrypted by ransomware. The data stored by businesses has much higher value on the darknet, and plundering business bank accounts nets far higher rewards.

It is therefore no surprise to hear that Google’s stats show that businesses are 6.2 times as likely to receive phishing emails and 4.3 times as likely to be targeted with malware-infected emails. Spam on the other hand is more universal, with business emails accounts 0.4 times as likely to be spammed than personal accounts.

Main Corporate Email Security Threats by Business Sector

Corporate email security threats are not spread evenly. Cybercriminals are conducting highly targeted attacks on specific industry sectors. Google’s data show that nonprofits are most commonly targeted with malware, receiving 2.3 times as many malware-infected emails as business accounts. The education sector is also being extensively targeted. Schools, colleges and universities are 2.1 times as likely to be sent malware-infected emails, followed by government industries, which are 1.3 times as likely to be targeted than businesses.

However, when it comes to email spam and phishing attacks, it is the business sector which is most commonly targeted. Currently, email spam is the biggest problem for businesses in the IT, housing, and entertainment industries, while phishing attacks are much more commonly conducted on IT companies, arts organizations and the financial sector.

Malicious Spam Poses a Major Risk to Corporations

As we have seen on so many occasions in the past two years, email is a major attack vector for businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware, and conduct credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.

Given the massive increase in malware and ransomware variants in the past two years, blocking spam and malicious messages is now more important than ever. Additionally, the cost of mitigating data breaches is rising year on year (According to the Ponemon Institute). Malware and ransomware infections can be extremely costly to resolve, while successful phishing attacks can net cybercriminals huge sums from selling stolen corporate data and making fraudulent bank transfers. Those costs must be absorbed by businesses.

Protecting Your Organization from Email-Borne Threats

Fortunately, it is possible to mitigate corporate email security threats by using an advanced spam filtering solution such as SpamTitan. SpamTitan blocks 99.97% of spam messages and boasts a low false positive rate of just 0.03%. A powerful anti-phishing component prevents phishing emails from being delivered to end users, while dual anti-virus engines (Kaspersky Lab/ClamAV) are used to scan all incoming (and outgoing) messages for malicious links and attachments.

If you want to improve your defenses against the latest corporate email security threats, contact the TitanHQ team today. Since SpamTitan is available on a 30-day free trial, you can also see for yourself how effective our product is at protecting your organization from email-borne threats before committing to a purchase.

Yahoo Breach Phishing Campaign Takes Advantage of Latest Yahoo Warnings

A fresh round of email warnings for Yahoo account holders has been sent; however, cybercriminals are taking advantage: A new Yahoo breach phishing campaign has been detected that piggybacks on the latest news.

New Warnings for Yahoo Email Account Holders

Yahoo has been sending fresh warnings to account holders explaining that their accounts may have been compromised as a result of the Yahoo cyberattacks in 2013 and 2014. The Yahoo cyberattacks were the largest ever seen, resulting in the theft of 1 billion and 500 million users’ credentials. Yahoo has now confirmed that the attacks involved the use of forged cookies to bypass its security controls.

Yahoo’s CISO Bob Lord has told account holders in the email that “We have connected some of the cookie forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on Sept. 22, 2016.” As was the case in previous Yahoo warnings, accounts should be reviewed for any suspicious activity and users should not click on links or open attachments from unknown senders.

Yahoo Breach Phishing Campaign Detected

Many active Yahoo account holders are concerned about email security following news of the cyberattacks in 2013/2014 and cybercriminals have been quick to take advantage. The fresh round of email warnings has only heightened fears, as well as the risk for account holders. Cybercriminals have been piggybacking on the latest news of account breaches and have been sending their own messages to Yahoo email users. The latest Yahoo breach phishing email campaign play on users’ fears over the security of their accounts. The Yahoo breach phishing emails attempt to fool security conscious account holders into clicking on malicious phishing links and revealing sensitive information.

In the latest round of warnings, Yahoo urged users to take advantage of Yahoo’s password-free security service – the Yahoo Account Key authentication service. The latest round of Yahoo breach phishing emails offer account holders the option of upgrading the security on their accounts as well. To improve take up, the attackers add urgency by saying the target’s account has been temporarily limited for failing an automatic security update. A link is supplied for users to click to re-verify account ownership. If they fail to click on the link and update their details, they will be permanently locked out of their account.

The Yahoo breach phishing campaign is likely to claim many victims, although the phishing emails are fairly easy to identify as fake. The emails appear to have come from an account called ‘Mail’, although checking the actual email address will reveal that the email was not sent from a domain used by Yahoo. There are also some errors with the structure of the email. Slight grammatical errors are a tell-tale sign that the emails are not genuine.

However, not all Yahoo breach phishing emails contain errors. Some have been highly convincing. Users are therefore advised to exercise extreme caution when using their Yahoo accounts and to be on high alert for Yahoo breach phishing emails.

Cost of the Yahoo Cyberattacks

The Yahoo cyberattacks of 2013 and 2014 have cost the company dearly. While it is unclear what the final cost of the Yahoo cyberattacks will be, it will certainly be well in excess of $250 million – That is the price reduction Verizon Communications is seeking following the revelation that Yahoo account holders’ credentials were stolen in the two massive cyberattacks reported last year. The purchase price of $4.8 billion, which was agreed in the summer of 2016, is to be reduced. There was talk that the deal may even not go ahead as a result of the Yahoo cyberattack revelations. While Yahoo will not want a price reduction, there are likely to be a few sighs of relief. Verizon were rumored to be looking for a $1 billing reduction in the price just a few weeks back.

Cyberattacks on Law Firms on the Rise

Cyberattacks on law firms have been steadily increasing over the past three years. According to data from PwC’s annual Law Firms Survey last year, 73% of the UK’s top 100 law firms have been attacked by cybercriminals in the past year. In 2014/2015, 62% of the top 100 law firms were attacked. The previous year the figure stood at 45%. In the past two years, cyberattacks on law firms have increased by a staggering 60%.

According to PwC’s figures, large law firms are the most frequently targeted. 90% of the top 25 legal firms had experienced a cyberattack in the past 12 months. The types of attacks are highly varied, although the most common way attacks occur is via the firm’s email system.

Spear phishing emails are sent to solicitors in an attempt to obtain banking credentials and access to email accounts. When solicitors respond to these phishing emails and divulge their banking credentials, client funds are transferred to the criminals’ accounts. According to the survey, 84% of legal firms said they had experienced a phishing attack in the past year.

Solicitors in the UK and Ireland and attorneys in the United States are also being sent bogus emails that claim to be from home buyers or sellers. Instructions are provided asking for funds to be transferred to alternate accounts. Hackers eavesdrop on email conversations and are aware when funds are about to be transferred. They then sent an email to an attorney/solicitor posing as the buyer/seller of a property and provide alternate bank accounts asking for the funds to be transferred to the new account.

Buyers and sellers of properties are also targeted in a similar fashion. They are sent emails with the hacker claiming to be their solicitor. Alternate bank account details are provided for transfers. This is now one of the main types of cyberattacks on law firms and their clients.

Direct attacks on networks still occur, with hackers taking advantage of vulnerabilities in security defenses. However, law firm hacking only accounts for around 16% of incidents. Malware is a much bigger threat. Malware is delivered via spam email or drive-by downloads from the Web. 55% of legal firms say they have experienced a malware attack in the past 12 months. Malware can be ransomware – which locks computers with powerful encryption until a ransom payment is made or keyloggers that record sensitive data such as usernames and passwords. Malware can also enable criminals to gain access to systems to steal sensitive data and extort money out of law firms.

Law firm cyberattacks can be costly to resolve; however, the biggest cost can be loss of reputation. If law firms suffer cyberattacks and client data is stolen or exposed, reputations can be permanently damaged. Legal firms that are unable to ensure that their clients’ information remains confidential may find the cost of removing malware the least of their problems.

To prevent phishing emails and malware from being delivered to inboxes, an advanced spam filter is required. SpamTitan includes a powerful anti-phishing component that recognizes the common signatures of phishing emails and ensures they are not delivered. SpamTitan also blocks 100% of known malware and ransomware, ensuring end users do not receive malicious email attachments and links to malware-ridden websites.

To find out how SpamTitan can improve your security posture, contact the TitanHQ team today and take the first step toward preventing your law firm from being added to next year’s PwC’s law firm cyberattack statistics.

School Phishing Email Attack Highlights Need for Powerful Anti-Spam Solution

Another school phishing email attack has resulted in the W-2 Form data of school employees being emailed to tax fraudsters. This time, it was employees of Mercer County Schools in West Virginia whose data have been compromised.

The FBI has been called in to investigate the W-2 phishing scam and the IRS has been notified of the incident, while affected employees have been offered services to help them protect their identities.

The school phishing email attack is just one of many such attacks that have occurred this year. While businesses have been extensively targeted in the past, phishing attacks on schools are now commonplace. The problem has become so severe that the IRS recently issued a warning to schools of the risk of phishing email attacks, saying “This is one of the most dangerous email phishing scams we’ve seen in a long time.”

The Mercer County School District phishing attack was almost a carbon copy of many other tax season attacks this year. Already, there have been more than 29,000 victims of these attacks and there is still two months of tax season remaining.

The school phishing email attack involved the sending of an email to an employee in the HR/payroll department requesting a copy of W-2 Forms for all employees that worked in the previous fiscal year. The email was sent from an email account that was very similar to that used by the chief supervisor.

The email contained a slight variation from the genuine email address, which was enough to fool the recipient into thinking the email had been sent from the supervisor’s account. The employee then sent the W-2 forms of 1,800 staff members to the attackers as requested.

Databreaches.net has been tracking this year’s W-2 phishing scams and is maintaining a list of all organizations that have been scammed into revealing W-2 Form data. The list shows that school districts are being extensively targeted.  Successful W-2 phishing attacks have been reported by the following schools and school districts in the past 6 weeks:

  • Argyle School District, TX
  • Belton Independent School District, TX
  • Bloomington Public Schools, MN
  • College of Southern Idaho, ID
  • Davidson County Schools, NC
  • Dracut Schools, MA
  • Lexington School District 2, SC
  • Manatee County School District, FL
  • Mohave Community College, AZ
  • Morton School District, IL
  • Odessa School District, WA
  • Tipton County Schools, TN

The Manatee County School District phishing attack resulted in the W-2 Form data of 7,900 employees being emailed to the scammers: The biggest school phishing email attack of the year to date. The Bloomington Public Schools attack also resulted in thousands of employees’ W-2 Forms being disclosed.

There are a number of measures that can be taken to reduce the risk of phishing attacks such as these. Training should be provided to HR and payroll staff and they should be instructed to carefully check senders’ email addresses to ensure the correct account has been used. Policies should also be developed requiring any W-2 Form requests to be verified with the sender via the telephone. It is also essential to implement a spam filtering solution with a powerful anti-phishing component. This will help to ensure that the emails are not delivered. A spam filtering solution will also block malware and ransomware emails from being delivered. The latter types of malicious emails have also been a major problem for school districts over the past year.

UConn Students Warned of Sophisticated Phishing Emails and Web Attacks

Sophisticated phishing emails and elaborate web-based scams are being used to target students at the University of Connecticut. The extent to which students have been targeted with these scams has prompted UConn Chief Information Officer and Provost for Information Technology to send a warning to all students to be on high alert.

A number of students at the university have received sophisticated phishing emails in recent months that appear to have been sent from University President Susan Herbst. Like many universities and other educational establishments, the email system is protected with a spam filter. The majority of spam and scam emails are filtered out, although some do make it through. If these emails are delivered to students, there is a high probability that they will be opened. After all, the messages do appear to have been sent from the University president.

The emails contain malicious attachments or links to websites that attempt to steal login information and the scam is sophisticated and highly convincing. Many students would be unaware that they have been scammed after disclosing their login credentials.

The same can be said of malware infections, which usually occur silently when a malicious website is visited. Criminals are attempting to install key-loggers that record all sensitive data entered on compromised computers.

These scams are intended to get students to disclose their bank account information, credit card data, or Social Security numbers and personal information. The attackers can then use this information for a wide range of nefarious purposes including identity theft.

Sophisticated Phishing Emails are the New Norm

Email scams of old were quite easy to identify. They often included many grammatical and spelling mistakes and included offers that sounded too good to be true. However, today, sophisticated phishing emails are the new norm and they can be very difficult to identify. Emails are sent from authority figures, are grammatically perfect, and the attackers use wide range of social engineering techniques to get victims to disclose sensitive data or take a particular action.

The scammers are also increasingly sending highly targeted emails. These ‘spear phishing’ emails use personal information unique to the recipient to add credibility. Information is often obtained from social media and professional networking sites.

One of the latest UConn email scams includes information about Blackboard Inc., the Mail Service used by UConn. The attachment has the title “Exclusive Important Announcement from President Susan Herbst.”

Warnings have been issued by email to all students alerting them to this scam and advising them to exercise caution when using email and surfing the Internet. Students have been told not to login on any websites that do not have a valid security certificate.

A Spam Filter and Web Filter in Tandem Offer Greater Protection Against Phishing Attacks

Users should always exercise caution when using email. Attachments from unknown senders should not be opened and links contained in emails from unfamiliar sources should not be visited. However, curiosity often gets the better of students and malicious links are often unwittingly visited.

For this reason, in addition to using an advanced spam filtering solution – such as SpamTitan – universities and other educational establishments should also employ a web filtering solution. The spam filter will block the vast majority of malicious messages. The web filter will ensure that malicious websites and infected webpages cannot be visited. In tandem, a spam filter and web filter will offer far greater protection against phishing attacks and malware/ransomware infections.

Schools Targeted with W-2 Form Phishing Scam

A W-2 Form phishing scam that has been extensively used to con businesses out of the tax information of their employees is now being used on educational institutions. School districts need to be on high alert as cybercriminals have them fixed in their cross-hairs.

Over the past few weeks, many school districts have fallen victim to the scammers and have disclosed the W-2 Form data of employees. Teachers, teaching assistants, and other members of school staff have had their Social Security numbers and earnings information sent to fraudsters. The data are used to file fraudulent tax returns in victims’ names.

At face value, the W-2 Form phishing scam is one of the simplest con-tricks used by cybercriminals. It involves sending an email to a member of the HR or payroll team asking for the W-2 Forms of all employees to be sent via email. Why would any employee send this highly sensitive data? Because the email appears to have been sent from individuals within the school district who have a genuine need for the information. This is why the W-2 Form phishing scam is so effective. In many cases, suspicions are not aroused for a number of days after the emails have been sent. By that time, fraudulent tax returns may have been filed in the names of all of the victims.

It is unknown how many school districts have been targeted to date with this W-2 Form phishing scam, although 10 school districts in the United States have announced that their employees have fallen for the scam this year and have emailed W-2 Form data to the attackers. In total, 23 organizations have announced that an employee has fallen for a W-2 Form phishing scam in 2017, and at least 145 organizations fell for similar scams last year.

Due to the number of attacks, the IRS issued a warning in early 2016 to alert all organizations to the threat. The increase in attacks in 2017 has prompted the IRS to issue a warning once again.  While corporations are at risk, the IRS has issued a warning specifically mentioning school districts, as well as non-profits and tribal organizations.

The IRS warning explains how cybercriminals have started even earlier this year. While the W-2 Form phishing scam emerged last year, many attacks occurred relatively late in the tax season. Cybercriminals are attempting to get the data sooner this year. The sooner a fake tax return is filed, the greater the chance that a refund will be issued.

A variety of spoofing techniques are employed to make the email appear like it has come from the email account of an executive or other individual high up in the organization. In some cases, criminals have first compromised the email account of a board member, making the scam harder to identify.

This year has also seen a new twist to the scam with victims targeted twice. In addition to the W-2 Form scam, the victims are also subjected to a wire transfer scam. After W-2 Forms have been sent, a wire transfer request is made to the payroll department. Some organizations have been hit with both scams and have disclosed employees’ tax information and then made a wire transfer of several thousand dollars to the same attackers.

Protecting against these scams requires a combination of technology, training and policy/procedural updates. The first step for all organizations – including school districts – is to send an email to all HR and payroll staff warning them about these phishing scams. Staff must be made aware of the scam and told to be vigilant.

Policies and procedures should be updated requiring payroll and HR staff to authenticate any email request for W-2 Form data by telephone prior to sending the information.

An advanced spam filter – such as SpamTitan – can also greatly reduce the risk of W-2 Form scam emails being delivered to end users’ inboxes. Blocking suspicious emails will reduce reliance on training and user awareness of these scams. The spam filter will also be effective at blocking further scams and other malicious emails from being delivered.

New Locky Variant Discovered: Osiris Ransomware

Osiris ransomware is the latest variant of Locky. As with other versions of the ransomware, there is no free way of unlocking encrypted files if a viable backup of data does not exist.

Cybercriminals use a variety of techniques and attack vectors to spread malicious files such as ransomware and malware. Exploit kits are popular as they can be hidden on websites and used to silently probe visitors’ browsers for vulnerabilities in plugins such as Adobe Flash, Microsoft Silverlight, and Oracle Java. Those vulnerabilities are leveraged to download malware. Malvertising – malicious web adverts – are often used to direct users to these malicious webpages; however, all too often, links to these websites are sent via spam email.

The rise in malware and ransomware attacks over the past few years has prompted many organizations to start providing security awareness training to staff members. Employees are instructed never to click on a link contained in an email unless they are sure that it is genuine.

However, even with security awareness training, a great many employees inadvertently infect their computers with malware or accidentally download ransomware. One of the biggest problems is not malicious links in spam email but malicious attachments. Cybercriminals have increased the use of malicious file attachments in the last year, especially to infect end users with ransomware.

One of the biggest ransomware threats in the past 12 months has been Locky. Locky has been spread via exploit kits in the past, although spam email is now primarily used to infect users.

Office Macros Used to Infect Computers with Osiris Ransomware

The gang behind Locky frequently updates the ransomware, as well as the methods used to fool end users into installing the malicious file-encryptor. The latest Locky variant – Osiris ransomware – encrypts files and adds the .osiris extension to encrypted files.

Locky is commonly spread via malicious macros in Word documents. Typically, the malicious Word documents claim to be invoices, purchase orders, or notifications of missed parcel deliveries.

However, a recent campaign used to distribute the Osiris ransomware variant switches from .DOC files to Excel spreadsheets (.XLS). Recipients of the emails are told the Excel spreadsheet is an invoice. Opening the attached Excel spreadsheet will not automatically result in an Osiris ransomware infection if macros have not been set to run automatically. The user will be presented with a blank spreadsheet and a prompt to enable macros to view the content of the file.

Clicking on ‘Enable Content’ will launch a VBA script that downloads a Dynamic Link Library (DLL) file, which is automatically executed using the Windows file Rundll32.exe. That DLL file is used to download Osiris ransomware. Osiris ransomware encrypts a wide range of file types and deletes Windows Shadow Volume Copies, preventing the user from restoring the computer to the configuration before the ransomware was installed. The only option for recovery from an Osiris ransomware infection is to pay the ransom demand or to wipe the system and restore files from backups.

Protecting Networks From E-Mail-Based Ransomware and Malware Attacks

An advanced spam filtering solution such as SpamTitan can be used to block the vast majority of email-borne threats. SpamTitan performs a wide range of front line tests to rapidly identify spam email and prevent it from being delivered, including RBL, SPF, Greylisting and SMTP controls.

SpamTitan uses two enterprise-class anti-virus engines to scan for malicious attachments – Kaspersky Anti-Virus and ClamAV – to maximize detection rates.

SpamTitan can also be configured to block specific files attachments commonly used by cybercriminals to infect end users: EXE files and JavaScript files for example. The contents of compressed files are also automatically scanned by SpamTitan.

Host-based tests are performed to examine mail headers, while the contents of messages are subjected to a Bayesian analysis to identify common spam signatures and spam-like content. Messages are also scanned for malicious links.

These extensive tests ensure SpamTitan blocks 99.97% of spam emails, preventing malicious messages from being delivered to end users. SpamTitan has also been independently tested and shown to have an exceptionally low false positive rate of just 0.03%.

If you want to keep your network protected from malicious spam emails and reduce reliance on employees’ spam detection abilities, contact the TitanHQ team today. SpamTitan is available on a 30-day free trial, allowing you to fully test the product and discover the difference SpamTitan makes at your organization before committing to a purchase.

W2 Phishing Scams Aplenty as Tax Season Commences

Its tax season in the United States, which means the start of scamming season. W2 phishing scams and other tax-related email and telephone scams are rife at this time of year. Businesses need to be particularly careful. There have already been a number of victims of W2 phishing scams and the year has barely started.

2016 Saw a 400% Rise in Tax Season Phishing and Malware Incidents

Tax season in the United States runs from the start of January to April 15. It is the time of year when Americans calculate how much tax they need to pay from the previous financial year. It is also a busy time for cybercriminals. They will not be filing their own tax returns however. Instead they are concentrating on filing tax returns on behalf of their victims.

In order for tax refunds to be fraudulently filed, cybercriminals need information about their victims. Given the number of data breaches that have resulted in the theft of Social Security numbers in the past 12 months, 2017 could well be a record year for tax scams.

However, while past data breaches can provide cybercriminals with the information they need to file fraudulent tax returns, tax season usually sees a massive increase in phishing scams. The sole purpose of these scams is to get victims to reveal their Social Security numbers and the other personal information necessary to file tax returns.

Since the IRS started allowing Americans to e-file their tax returns, scammers had a new option for filing fraudulent tax returns. Phishing emails claiming to have been sent by the IRS request the recipients update their IRS e-file. A link is included in the emails for this purpose. Clicking on the link in the emails will not direct the recipient to the IRS website, but a spoofed version of the site. The information entered online is then used to e-file on behalf of the victims and the scammers pocket the tax refunds.

In 2016, the IRS reported a massive increase in phishing and malware incidents. These scams and malware infections increased by an incredible 400%. The massive rise in scams prompted the IRS to issue a warning to Americans about the scams, with the IRS confirming that it does not initiate contact with taxpayers by email to request personal or financial information.

2017 is likely to be no different. Until April 15, tax-related scams are likely to be rife. All Americans should therefore be wary and must exercise caution.

Tax Season Sees a Massive Rise in W2 Phishing Scams

While consumers are at risk. Businesses in the United States are also extensively targeted at this time of year. The scammers impersonate CEOs, CFOs, and other individuals with authority and make requests for W2 data and other financial information about employees. The requests can be highly convincing and each year many employees fall for these types of scams. The scammers are well aware that some employees would be nervous about questioning a request that has been emailed from their SEO or CFO.

It is difficult to determine how many attempted W2 phishing scams took place last year, but in the first quarter of 2016, at least 41 U.S companies reported that they were the victims of successful W2 phishing scams. Employees were sent email requests to send W2 data by return and they responded. By doing so, employees’ tax information was sent directly to the scammers’ inboxes.

2017 is not yet a month old, yet already W2 phishing scams have been reported. The week, the Tipton County Schools District in western Tennessee reported that it had fallen victim to one of these W2 phishing scams. The attacker had posed as the director of the schools and had requested W2 tax data on all employees. W2 form data were then emailed to the attacker by an employee.

A similar email phishing scam was reported to have been used to attack 8 school districts in Missouri, according to a report by the Missouri Department of Elementary and Secondary Education. In this case, only one of the eight school districts responded to the scam: An employee from the Odessa School District was fooled and send the tax details of the district’s employees to the attackers.

It is not only schools that are being targeted. A hospital in Campbell County, Wyoming was attacked this week. According to a Campbell County Health news release, a hospital executive was impersonated in this attack. A 66-year old hospital worker fell for the scam and emailed W-2 information about employees as requested.

Preventing successful W2 phishing scams requires a combination of technological solutions, employee training, and updates to policies and procedures.  All employees with access to sensitive data must be advised of the risk and told to exercise caution. Policies should be introduced that require all email requests for employees’ tax information to be authenticated via telephone or other means. Organizations should also implement a robust spam filtering solution to prevent the scam emails from being delivered to employees’ inboxes.

However, if nothing is done to mitigate risk, 2017 is likely to be another record breaking year for the scammers.

Satan Ransomware: A Particularly Worrying New RaaS

You have no doubt heard of Locky and Cryptolocker, but what about Satan ransomware? Unfortunately, you may soon be introduced to this new ransomware variant. No matter where your organization is based, if you do not have a host of cybersecurity defenses to block ransomware attacks, this nasty file-encryptor may be installed on your network.

Satan Ransomware is being offered to any would-be hacker or cybercriminal free of charge via an affiliate model known as ransomware-as-a-service or RaaS. The idea behind RaaS is simple. Developers of ransomware can infect more computers and networks if they get an army of helpers to distribute their malicious software. Anyone willing to commit a little time to distributing the ransomware will receive a cut of any profits.

Ransomware authors commonly charge a nominal fee for individuals to participate in these RaaS schemes, in addition to taking a percentage of any ransomware payments that are generated. In the case of Satan ransomware, the developers offer RaaS totally free of charge. Anyone who wants to distribute the malicious software is free to do so. In exchange for their efforts they get to keep 70% of the ransom payments they generate. The remaining 30% goes to the ransomware authors. The gang behind the RaaS also offers higher percentages as infections increase as a reward for effort. All that is required to get started is to create a username and password. Access to the ransomware kit can then be gained.

What is alarming is how easy it is to participate in this RaaS scheme and custom-craft the malware. The gang behind the campaign has developed an affiliate console that allows the malware to be tweaked. The ransom amount can be easily set, as can the time frame for making payments and how much the ransom will increase if the payment deadline is exceeded.

Help is also offered with the distribution of the malware. Assistance is provided to make droppers that install the malware on victims’ systems. Help is offered to create malicious Word macros and CHM installers that can be used in spam email campaigns. Help is also offered to encrypt the ransomware to avoid detection. Even multi-language support is provided. Any would-be attacker can craft ransom demands in multiple languages via the RaaS affiliate console.

Satan ransomware performs a check to determine if it is running on a virtual machine. If it is, the ransomware will terminate. If not, it will run and will search for over 350 different file types. Those files will be locked with powerful encryption. File extensions are changed to. stn and the file names are scrambled to make it harder for victims to identify individual files. The ransomware will also wipe all free space on the hard drive before the ransom demand is dropped onto the desktop.

There is no decryptor for Satan ransomware. Recovery without paying the ransom will depend on organizations being able to restore files from backups. Since the ransomware also encrypts backup files, those backups will have to be in the cloud or on isolated devices.

RaaS is nothing new, but what is so worrying about Satan ransomware is how easy it has been made for affiliates. Next to no skill is required to run a ransomware campaign and that is likely to see many individuals take part in the RaaS program.

Spate of Gmail Phishing Attacks Detected

A spate of Gmail phishing attacks has hit the headlines this week. While the phishing scam is not new – it was first identified around a year ago – cybercriminals have adopted the campaign once more. The phishing emails are used to obtain Gmail login credentials are highly convincing,. A number of different tactics are used to evade detection, some of which are likely to fool even the most security aware individuals.

The Gmail phishing attacks start with an email sent to a Gmail account. Security aware individuals would be wary about an email sent from an unknown source. However, these attacks involve emails sent from a contact in the target’s address book. The email addresses are not masked to make them look like they have come from a contact. The email is actually sent from a contact’s account that has already been compromised.

Email recipients are far more likely to open emails sent from their contacts. Many people do not perform any further checks if the sender is known to them. They assume that emails are genuine solely from the source.

However, that is not the only technique used to fool targets. The attackers also use information that has been taken from the contact’s sent and received messages and add this to the email. An screenshot of an attachment or image that has already been included in a previous email between the contact and the target is included in the message. Even if the target is slightly suspicious about receiving an email, these additional touches should allay concern.

The aim of the email is to get the target to click on the image screenshot. Doing so will direct them to a Gmail login page where the target is required to sign in again. While this is perhaps odd, the page that the user is directed to looks exactly as it should. The page exactly mirrors what the user would normally expect.

Checking the website address bar should reveal that the site is not genuine; however, in this case it does not. The address bar shows the site is secure – HTTPS – and the web address includes accounts.google.com. The only sign of the scam is the inclusion of ‘data.text/html’ before accounts.google.com in the address bar.

Entering in account credentials will send that information directly to the attackers. The response is lightning quick. Account credentials are immediately used to log into the victim’s account. Before the victim even suspects they have been scammed, the entire contents of their Gmail account could be stolen, including sent and received emails and the address book. Contacts will be subjected to these Gmail phishing attacks in the same fashion.

Google is aware of the scam and is currently developing mitigations to prevent these types of attacks from occurring. In the meantime, however, users of Gmail should be particularly wary. Many users just glance at the address bar and look for the HTTPS and the web address. Failure to very carefully check the address bar and protocol before entering login credentials can – and certainly will in this case – result in the user’s account being compromised. Gmail accounts contain a huge amount of personal information. Information that could be used in future spear phishing attacks, extortion attempts, and other scams on the target and their contacts.

Spora Ransomware: A Highly Professional New Ransomware Variant

A new ransomware variant – Spora ransomware – has been identified by Emisoft which features a new twist. Victims have a wide range of their files encrypted as with other forms of file-encrypting malware, but they are given the option of preventing future ransomware attacks if they pay up.

The attackers would not be able to prevent attacks performed by other gangs – with other ransomware variants – although if the attackers can be believed, victims would only be attacked with Spora once. That is, if they choose the more expensive option of ‘Spora immunity’ rather than just paying to unlock the encryption.

The bad news for the victims is that payment will be required to unlock the infection if a viable backup of data does not exist. At present, there is no decryptor for Spora.

Emisoft reports that the encryption used is particularly strong, and even if a decryptor was developed, it would only be effective against a single user due to the complex method of encryption used – a combination of AES and RSA keys using the Windows CryptoAPI.

In contrast to many ransomware variants that communicate with a command and control server, Spora ransomware does not receive any C&C instructions. This means that files can be encrypted even if the computer has no Internet connection.

The authors have also not set a fixed ransom amount, as this depend on the ‘value’ of the encrypted data. The ransom payment will be set based on who the user is and the files that have been encrypted. Before files are encrypted, a check is performed to see who has been infected. Encrypted files are sorted based on extension type and the information is combined into the .KEY file along with information about the user. The .key file must be supplied in the payment portal. An HTML file is also created on the desktop with details of how payment can be made.

The ransomware is being spread via spam email. Infection occurs when an email recipient opens the infected attachment. The attached file appears to be a genuine PDF invoice, although it includes a double file extension which masks the fact it is actually a .HTA file. Infection occurs via JScript and VBScript contained in the file.

Opening the file launches a Wordpad file which displays an error message saying the file is invalid. In the background, the ransomware will be encrypting data.

Emisoft reports that the ransomware is slick and appears highly professional. Typically, the first versions of ransomware invariably contain multiple flaws that allow decryptors to be developed. In this case, there appear to be none. Spora ransomware also tracks infections via different campaigns. The information will likely be used to determine the effectiveness of different campaigns and could be used to direct future attacks.

The slick design of the HTML ransom note and the payment portal show considerable work has gone into the creation of this new ransomware. Emisoft suggests that Spora ransomware has been developed specifically for the ransomware-as-a-service market.

Prevention remains the best defense. Since Spora ransomware is spread via spam email, blocking malicious messages is the best defense against infection, while recovery will only be possible by paying the ransom demand or restoring data from a backup.

New Screen Locker Attack Targets Mac Users

Apple malware infections are relatively rare, although Mac users should not get complacent. New threats do appear from time to time and cybercriminals do target Mac users. This month another malware variant has been discovered – a type of screen locker – that is linked to a tech support scam and its Mac users that are being targeted.

The attack starts when the user clicks on a malicious link in a spam email message, although links on social media sites could also be used to direct end users to the malicious website where the attack occurs. When the malicious website is visited, malicious code on the site causes a denial-of-service attack which freezes the device as its memory is consumed.

The method of locking the computer depends on the version of OS X installed on the device. On older OS X versions, a visit to the malicious website will trigger the creation of multiple emails until the Macs memory is overloaded. The emails have the subject “Warning: Virus Detected”.  Since no memory is available, users will not be able to launch any other programs. The email messages are only created as drafts – they are not delivered – although this will be sufficient to freeze the device.

Additionally, a message is loaded into the draft folder containing a phone number to call to have the virus removed. While the message appears to have been sent by Apple, this is part of the scam. This is how the attackers make their money. Removal of the infection will require payment. The attackers appear to be after credit card numbers.

The second variant of the attack affects newer OS X versions. Rather than trigger draft emails, a similar style of attack occurs via iTunes. Multiple iTunes windows are launched, similarly using up the Macs memory. As with the first attack, a message also appears with a telephone number to call to remove the infection.

These tech support scams may not involve any downloaded malware, although responding to this type of scam and providing credit card details will result in multiple payments being taken until the card provider blocks the card or credit limits are reached.

Tech support scams such as this frequently target Windows users via Firefox, IE, Edge or Chrome browsers. Multiple browser windows are launched with a tech support number displayed. A call is required to unlock the infection.

These browser-locking attacks are relatively common. Only last month, Symantec identified a new campaign which locks the screen on Windows computers and displays a browser window detailing imagery from the police force of the country where the user is based – Most of the attacks occurred in the US (FBI) and Europe (Europol).

Users are advised that they have been caught engaging in illegal online activity, usually related to pornography or child abuse. A code must be obtained from the police department to unlock the screen. A phone number is supplied which the user must call to make payment. The attackers rely on victims’ fear and embarrassment to obtain payment.

L.A. County Victim of One of the Largest Phishing Attacks in the United States

Last month, L.a. County reported one of the largest phishing attacks in the United States. A single phishing campaign directed at Los Angeles County employees saw an incredible 108 individuals fall for the scam. Each employee that responded to the campaign inadvertently divulged their email credentials to the attacker. 108 email accounts were compromised as a result of the one phishing campaign.

While it is not known whether the individual behind the campaign successfully retrieved any data from L.A County email accounts, the compromised email accounts were a treasure trove of sensitive information. The email accounts contained the sensitive information of more than 750,000 individuals.

While the announcement of the phishing attack was only made in December, the actual incident occurred on May 13, 2016. In contrast to the phishing and spam email campaigns of old that contained numerous spelling mistakes, grammatical errors, and bordered on the unbelievable, this campaign was expertly crafted. The attacker used realistic text and images, hence the reason why such a large number of employees fell for the scam.

Fortunately for L.A. County, the phishing attack was identified promptly – within 24 hours – therefore limiting the damage caused. A detailed forensic investigation revealed that 756,000 individuals had their sensitive information – including Social Security numbers and protected health information- exposed as a result of the attack.

There was further good news. The lengthy investigation confirmed the identity of the attacker, a Nigerian national – Austin Kelvin Onaghinor. A warrant has been issued for his arrest. Bringing that individual to justice may be another matter. Extraditing foreign nationals to the United States can be a difficult and long winded process. However, L.A District Attorney Jackie Lacey has vowed to “aggressively to bring this criminal hacker and others to Los Angeles County, where they will be prosecuted to the fullest extent of the law.”

Phishing attacks on this scale are unfortunately not that rare. Cybercriminals are becoming much better at crafting convincing emails and gaining access to corporate email accounts. All too often, the phishing attacks are not identified quickly, giving criminals plenty of time to exfiltrate data from compromised accounts. Many phishing campaigns are conducted to obtain network credentials and other information that can be used to gain a foothold in corporate networks. Once access is gained, all manner of nefarious activities take place.

This L.A. County phishing scam clearly demonstrates that employees are the weakest link in the security chain, which is why cybercriminals are committing more time and effort into phishing attacks. It is far easier to compromise an email account or gain access to a network if an employee provides their login credentials than attempting to find a chink in advanced cybersecurity defenses.

Protecting against phishing attacks requires an advanced spam filtering solution. Without such a solution in place, organizations have to rely on employees identifying emails as malicious. Something which is becoming much harder to do as cybercriminals perfect their social engineering techniques.

Blocking phishing emails and preventing them from being delivered to inboxes is the single-most effective solution to counter the phishing threat. Along with staff anti-phishing training and anti-phishing exercises, organizations can mount a defense against such attacks and avoid the not inconsiderable mitigation costs. Providing credit monitoring and identity theft protection services to 756,000 individuals is a sizeable cost for any organization to absorb.

Holiday Season Malware Infections Increase Again

‘Tis the season to be jolly, although ‘tis also the season to be infected with malware. The holiday season is an annual highlight for cybercriminals. Holiday season malware infections are to be expected as cybercriminals increase their efforts and try to infect as many users with malware as possible.

Malware is an ever-present threat, but the increase in online activity in the run up to the holiday season means easy pickings for cybercriminals. Consumers are starting to prepare for the holidays earlier, but not as early as the scammers. As consumers head online in their droves, scammers and other cybercriminals are lying in wait.

The advent of Black Friday and Cyber Monday – days where shoppers are offered amazing deals to prompt early Christmas purchases– see a frenzy of online activity. There are discounts aplenty and great deals to be had.

However, not all of those discounts are genuine. Many are scams that are used to phish for sensitive information or spread malware infections. As is the case every year, the holiday season sees a spike in malware infections, with the biggest spike over Thanksgiving weekend. This year has been no exception. Holiday season malware infections have increased significantly year on year.

Holiday Season Malware Infections Rise 118% Above Normal Levels

This year, over the first official shopping weekend of the holiday season, malware infections increased by 106% according to data compiled by the Enigma Software Group. On Cyber Monday, when even more great deals on online purchases are made available, malware infections were 118% higher than normal.

Those figures are only for Windows users. Add in smartphones and Apple devices and the figures would be higher still. The problem is also getting worse. Last year there was a spike of 84% over normal levels during the Thanksgiving weekend.

There have been a number of suggestions put forward as to why the figures are so high this year. One of the main reasons is simply due to the number of shoppers heading online. Each year sees more individuals choosing to go online shopping over Thanksgiving weekend. More online shoppers mean more opportunities to infect users with malware.

However, there are also more actors involved in online scams, malware-as-a-service and ransomware-as-a-service has also grown in popularity, and many cybercriminals have started up affiliate schemes to get more help spreading their malicious software. Individuals who succeed in infecting computers with ransomware are given a cut of the profits and there is no shortage of people willing to try the affiliate schemes to boost their own earnings.

Cybercriminals are also getting better at developing convincing scams and malicious email messages. The grammatical and spelling mistakes that were common in phishing emails in years gone by are largely gone. Now, almost perfect emails are sent and scammers are using a wide range of social engineering techniques to lure end users into clicking on malicious links or opening infected email attachments. Spoofed retail sites are also now commonplace – and extremely convincing.

The growth of social media has also helped boost cybercriminal activity. Malicious posts are being shared online offering discounts, special offers, and unmissable deals. However, all end users get is a malware download.

Avoiding a Bad Start to Holiday Season

To avoid becoming a victim of a scam or having to deal with a malware or ransomware infection, shoppers must be vigilant and exercise more caution. Offers that sound too good to be true usually are. Unsolicited emails should always be treated as suspicious and extra care should be taken when clicking on any link or visiting a retail site.

Businesses should also take extra precautions. A malware or ransomware infection can prove extremely costly to resolve. While warnings should be sent to end users about the risks of holiday season malware infections, technological solutions should also be in place to prevent malicious file downloads.

Antispam solutions are highly effective at blocking malicious messages such as phishing emails and emails containing malware. SpamTitan blocks 99.97% of spam messages, contains a powerful anti-phishing module, and blocks 100% of known malware.

Malicious links on social media sites and on third-party ad networks (malvertisting) are a very real risk. However, a web filter can be used to control access to social media sites, block malicious third-party adverts, and prevent end users from visiting websites known to contain malware.

If you want to keep your network free from malware this holiday season, if you have not already used these two solutions, now is the time. They will also help to keep your network malware free around the year. And with security experts predicting a massive increase in ransomware and malware attacks in 2017, there is no better time to start improving your defenses.

Malicious Email Spam Volume Hits 2-Year High, Says Kaspersky Lab

Malicious email spam volume has increased again. According to the latest figures from Kaspersky Lab, malicious email spam volume in Q3, 2016 reached a two-year high.

In Q3 alone, Kaspersky Lab’s antivirus products identified 73,066,751 malicious email attachments which represents a 37% increase from the previous quarter. Malicious spam email volume has not been at the level seen in Q3 since the start of 2014. Kaspersky Lab’s figures show that six out of ten emails (59.19%) are spam; a rise of around 2% from Q2, 2016. September was the worst month of the year to date, with 61.25% of emails classified as unsolicited spam.

Spam includes a wide range of unsolicited emails including advertising and marketing by genuine companies, although cybercriminals extensively use email to distribute malware such as banking Trojans, keyloggers, and ransomware. The use of the latter has increased considerably throughout the year. In Q3, the majority of malicious emails contained either ransomware or downloaders that are used to install ransomware on personal computers and business networks.

Ransomware is a form of malware that locks files on a computer with powerful encryption, preventing the victim from gaining access to their data. Many ransomware variants are capable of spreading laterally and can encrypt files on other networked computers. All it takes is for one individual in a company to open an infected email attachment or click on a malicious link in an email for ransomware to be downloaded.

Spammers often use major news stories to trick people into opening the messages. The release of the iPhone 7 in Q3 saw spammers take advantage. Spam campaigns attempted to convince people that they had won an iPhone 7. Others offered the latest iPhone at rock bottom prices or offered an iPhone 7 for free in exchange for agreeing to test the device. Regardless of the scam, the purpose of the emails is the same. To infect computers with malware.

There was an increase in malicious email spam volume from India in Q3. India is now the largest source of spam, accounting for 14.02% of spam email volume. Vietnam was second with 11.01%, with the United States in third place, accounting for 8.88% of spam emails sent in the quarter.

Phishing emails also increased considerably in Q3, 2016. Kaspersky Lab identified 37,515,531 phishing emails in the quarter; a 15% increase compared to the Q2.

Business email compromise (BEC) attacks and CEO fraud are on the rise. These scams involve impersonating a CEO or executive and convincing workers in the accounts department to make fraudulent bank transfers or email sensitive data such as employee tax information. Some employees have been fooled into revealing login credentials for corporate bank accounts. Cybercriminals use a range of social engineering techniques to fool end users into opening emails and revealing sensitive information to attackers.

Security awareness training is important to ensure all individuals – from the CEO down – are aware of email-borne threats; although all it takes is for one individual to be fooled by a malicious email for a network to be infected or a fraudulent bank transfer to be made.

The rise in malicious email spam volume in Q3, 2016 shows just how important it is to install an effective spam filter such as SpamTitan.

SpamTitan has been independently tested by VB Bulletin and shown to block 99.97% of spam emails. SpamTitan has also been verified as having a low false positive rate of just 0.03%. Dual antivirus engines (Kaspersky Lab and ClamAV) make SpamTitan highly effective at identifying malicious emails and preventing them from being delivered to end users.

If your end users are still receiving spam emails you should consider switching antispam providers. To find out the difference that SpamTitan can make, contact the Sales Team today and register for a free, no obligation 30-day trial.