Our spam news section provides up to date news on the latest threats that are likely to hit the inboxes of your employees. Cybercriminals are constantly changing tactics with new spam email campaigns, different social engineering techniques and new methods of installing malware and ransomware. By keeping up to date on the latest spam news, organizations can take timely action to mitigate risk.
In that regard, a spam filtering solution is essential. All it takes is for one employee to click on a malicious link or open an infected email attachment for an entire network to be compromised. A spam filter will check all incoming email messages and search for common spam signatures in addition to checking senders’ email accounts against blacklists of known spammers. Email attachments will be checked for virus signatures and hyperlinks compared to blacklists of known malicious domains.
Armed with the latest spam news, information security teams can send email alerts to their employees warning of pertinent threats that they need to be aware of.
This section also includes news on industry-specific attacks, in particular those that are being used to target the healthcare, education, financial services, legal and hospitality sectors.
This month has seen an increase in phishing campaigns targeting professionals purporting to be messages from Human Resources advising them about salary increases, promotions, updates to policies and procedures, and other annual updates. The start of the year typically sees the HR department issue updates to employees, including notifications about changes to employee benefits, proposed pay rises, and annual updates to policies and procedures. It is therefore no surprise that cybercriminals are taking advantage of the increase in HR communications and have adopted lures related to these start-of-year messages. Several campaigns have been detected this month that have targeted employees and used HR-related lures.
The emails have realistic subject lines, appear to have been sent internally, and have lures that are likely to prompt a quick response. Messages about changes to employee benefits, pay rises, and promotions are likely to be opened by employees quickly without thinking, as are other notifications from the HR department such as updates to internal policies. Phishing simulation data shows that these types of emails have some of the highest click rates.
These emails include a combination of attachments and hyperlinks. One campaign claimed to include important information about a new benefits package and required employees to open an attached .shtml file. The email claimed employees needed to review and digitally sign the document to acknowledge receipt. In this case, opening the attached file would load a local copy of a phishing page, which generated a fake Microsoft 365 login prompt in the user’s browser. The user’s email address is populated as the username, and they are required to enter their password. The user is told that their password must be entered as they are accessing sensitive internal information.
These phishing emails may be sent from external email addresses and spoof the HR department, but internal email accounts compromised in previous phishing attacks are often used, adding to the realism of the campaign and making it harder for email security solutions to detect the emails as malicious. It is common for these campaigns to include malicious hyperlinks rather than attachments, where the user is directed to a phishing page that mimics the domain of the organization or a well-known, unrelated company. In one campaign, a healthcare organization was impersonated in an email purporting to provide details of updated medical benefits for employees. One campaign involved notifications about changes to the employee security awareness training program for the new year.
Phishing is one of the most common tactics used by cybercriminals to gain initial access to business networks. The campaigns are easy to conduct, requiring little effort by the attackers, and they are often effective. Simply opening a malicious attachment and enabling the content to view the document is all that is needed to install malware, and if a user can be convinced to disclose their Microsoft credentials, the attacker can gain access to all associated Microsoft applications, including Email, OneDrive, Teams, and SharePoint, giving them the foothold they need for conducting a more extensive attack and access to a considerable amount of sensitive company data.
Cybercriminals mimic the types of emails that employees are likely to receive at different times of the year. Over the next few weeks, it is likely that there will be an increase in phishing campaigns targeting tax professionals, and phishing campaigns targeting individuals that use tax-related lures, such as notifications about tax returns, tax rebates, and unpaid tax as tax season gets into full swing.
Businesses need to take steps to block these attacks. While antivirus software and a spam filter were once effective and could block the vast majority of email-based attacks, phishing is becoming increasingly sophisticated and the speed at which new, previously unseen malware variants can be created and released means these defenses are no longer as effective as they used to be.
To block more phishing attempts, businesses need to adopt a defense in-depth approach. In addition to antivirus/endpoint detection software and an advanced spam filter, they should consider adding a web filter to block access to the web-based component of phishing attacks and block malware downloads from the Internet. Multi-factor authentication should be implemented for accounts, although phishing kits are now being used that can bypass MFA. While any form of MFA is better than nothing, phishing-resistance MFA is ideal and should be implemented, which is based on FIDO standards and provides a much greater level of protection.
While it is the responsibility of organizations to block malicious emails and prevent them from reaching employees, it is inevitable that some will be delivered. It is therefore important to also provide security awareness training to employees to train them how to identify and avoid phishing attempts. Security awareness training combined with phishing simulations, such as those provided by TitanHQ through the SafeTitan platform, are proven to reduce susceptibility to phishing attacks.
Phishing attempts are often very convincing as the emails mimic trusted brands, include their logos and color schemes, and the message format is often copied from genuine company messages. The most commonly spoofed brands are well-known companies that have millions of customers, which increases the chances of the message landing in the inbox of a person who has, at least at some point in the past, used that company’s products or services.
Every quarter, Check Point releases its Brand Phishing Report, which highlights the latest phishing trends and the brands being impersonated most often. LinkedIn, Microsoft, Google, and Netflix are regulars in the top 10 List, with LinkedIn being the most commonly spoofed brand in phishing attacks in the first half of the year; however, the top spot has now gone to the German logistics and package delivery firm, DHL.
DHL accounted for 22% of all worldwide phishing attempts in Q3, 2022. DHL itself issued a warning to customers in July after the company became aware that it was being spoofed in a massive phishing campaign that was being conducted globally. It is probable that DHL will remain in the top spot in Q4 due to the increase in online purchases in the run-up to Christmas.
While there is some variation in the phishing emails impersonating DHL, one of the most common appears to have been sent by DHL Express and alerts the recipient about an undelivered package. The message warns that it will not be possible to attempt redelivery of the package unless delivery information is confirmed. The phishing emails include a link to a website to allow that information to be provided; however, the link directs the user to a website where they are required to log in and provide their name, username, password, and other sensitive information, such as payment details.
While email phishing is the most common form, DHL has been spoofed in SMS messages that achieve the same purpose. Of course, SMS messages are not subject to spam filtering controls and mobile devices are less likely to be protected by web filters, which can detect and block attempts to visit malicious websites. SMS phishing – termed smishing – has been growing in popularity in recent years.
Unsurprisingly, given the number of users, Microsoft achieved second place, accounting for 16% of phishing emails in the quarter. The phishing emails spoofing Microsoft are more varied due to the extensive product range, although OneDrive phishing emails were common. These emails claim to be collaboration requests and target businesses and ask the recipient to click on a button to view a shared document. Like many phishing emails, the messages warn the recipient that urgent action is required, as the document will be deleted in 48 hours. The user is directed to a malicious website where they are asked to enter credentials for their Microsoft account.
It is unclear why LinkedIn has fallen out of favor slightly, although it still achieved 3rd spot and accounted for 11% of phishing attempts in the quarter. The rest of the top ten consists of Google (6%), Netflix (5%), We Transfer (5%), Walmart (5%), WhatsApp (4%), HSBC (4%), and Instagram (3%).
Phishing is one of the main ways that cybercriminals gain access to business networks. The attacks are easy to conduct, low cost, and do not require extensive technical knowledge. Businesses can block the majority of these malicious messages by implementing an advanced spam filter such as SpamTitan Cloud. They should also consider adding an extra layer to their defenses – A web filter such as WebTitan Cloud.
Technical defenses such as these are vital for protecting against phishing attempts, but it is also important for businesses to ensure that they provide regular security awareness training to their employees to make them aware of the threat of phishing and to teach them how to identify phishing emails. In addition to training, phishing simulations should be conducted on the workforce. These have been proven to reduce susceptibility to phishing attempts, as they give employees practice at identifying phishing and any failures are turned into a training opportunity.
With the SafeTitan security awareness training and phishing simulation platform, training is automatically triggered in real-time in response to phishing simulation failures and other security errors, when the training is likely to have the greatest effect.
If you run a business and want to improve your defenses against phishing, give TitanHQ a call. TitanHQ products are available on a free trial to allow you to put them to the test before making a decision about a purchase. MSPs that have yet to add spam filtering, web filtering, and security awareness training to their service stacks should give the TitanHQ channel team a call to find out more about these opportunities to improve their clients’ defenses against phishing and other cyberattacks.
TitanHQ has announced an update has been made to its flagship anti-phishing solution, SpamTitan Plus. The new enhancements have been added to the predictive phishing detection capabilities of SpamTitan Plus to help users block personalized URL attacks.
Phishing attacks on businesses have become much more sophisticated and new tactics are constantly being developed to evade standard email security solutions. While commercial email security solutions perform well at identifying and blocking spam emails, achieving detection rates in excess of 99%, blocking phishing emails is more of a challenge and many phishing threats sneak past email security solutions and are delivered to inboxes.
One of the ways that cyber threat actors bypass email security solutions is by creating personalized URLs for their phishing emails. One of the methods used by email security solutions for blocking phishing URLs is a real-time blacklist of known malicious URLs and IP addresses. If an email is sent from an IP address that has previously been used to send spam or phishing emails, the IP address is added to a blacklist and all emails from that IP address will be blocked. The URLs in phishing campaigns are set up and massive email runs are performed. When those URLs are detected as malicious, they are also added to a blacklist and will be blocked by email security solutions.
However, it is becoming increasingly common for personalized URLs to be used. These URLs can be personalized for the targeted organizations at the path and parameter level, and since a unique URL is used in each attack, standard anti-phishing measures such as blacklists are ineffective at detecting these URLs as malicious. That means the emails containing these malicious URLs are likely to be delivered to inboxes and can only be blocked after they have been delivered. That typically means an employee needs to report the email to their security team, and the security team must then act quickly to remove all phishing emails in that campaign from the email system. That process takes time and there is a risk that the links in the emails could be clicked, resulting in credential theft or malware infections. Most of the phishing detection feeds that are used by email security solutions do not gather the necessary intelligence to be able to inform customers of the level at which a phishing campaign should be blocked. SpamTitan Plus, however, does have that capability.
“With predictive phishing detection, SpamTitan Plus can now combat automated bot phishing,” said Ronan Kavanagh, CEO of TitanHQ. “At TitanHQ we always strive to innovate and develop solutions that solve real-security problems and provide tangible value to our customers. The end goal is to have our partners and customers two or three steps ahead of the phishers and cybercriminals.”
SpamTitan Plus is an AI-driven anti-phishing solution that is capable of blocking even the newest zero-day phishing threats. The solution has better coverage than any of the current market leaders and provides unparalleled time-of-click protection against malicious hyperlinks in phishing emails, with the lowest false positive rate of any product. SpamTitan Plus benefits from massive clickstream traffic from 600+ million users and endpoints worldwide, which sees the solution block 10 million new, never-before-seen phishing and malicious URLs a day.
The solution protects against URL-based email threats including malware and phishing, performs predictive analyses to identify suspicious URLs, URLs are rewritten to protect users, real-time checks are performed on every click, and the solution includes 100% of all current market-leading anti-phishing feeds. That translates into a 1.5x increase in unique phishing URL detections, 1.6x faster phishing detections than the current market leaders, and 5 minutes from initial detection of a malicious URL to protecting all end user mailboxes.
For more information about the best phishing solution for businesses, give the TitanHQ team a call today. Current users of SpamTitan Plus already have these new capabilities added, at no additional cost.
2019 was a particularly bad year for ransomware attacks, and while there was a reduction in the use of ransomware in 2020, attacks increased sharply in 2021, with the education sector and government organizations the most attacked sectors, although no industry sector is immune to attacks.
There is growing concern about the increase in attacks on critical infrastructure organizations, which are an attractive target for ransomware gangs. According to the data from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), 14 of the 16 critical infrastructure sectors in the United States reported ransomware attacks in 2021, including the defense industrial base, emergency services, healthcare, food and agriculture, information technology, and government facilities. Cybersecurity agencies in the United Kingdom and Australia have also said critical infrastructure has been targeted.
Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks
This week, a warning has been issued by the Federal Bureau of Investigation (FBI), the U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN) about ransomware attacks using AvosLocker ransomware.
AvosLocker was first identified as a threat in late June 2021 and despite being a relatively new threat, poses a significant risk. Attacks using the ransomware increased in the latter half of 2021, with spikes in attacks occurring in November and December. Variants of AvosLocker ransomware have now been developed to attack Linux as well as Windows systems.
As is now common, the attackers engage in double extortion and demand payment for the keys to decrypt files and to prevent the release of stolen data. The gang operates a data leak site where a sample of stolen data is uploaded and made accessible to the public. The gang says it then sells the stolen data to cybercriminals if payment is not made. AvosLocker is one of a handful of ransomware operations that also makes contact with victims by phone to encourage them to pay the ransom. The gang is known to issue threats of Distributed Denial of Service (DDoS) to further pressure victims into paying the ransom.
AvosLocker is a ransomware-as-a-service operation where affiliates are recruited to conduct attacks for a percentage of any ransom payments they generate. Consequently, the attack vectors used in attacks depend on the skillsets of the affiliates. Common vulnerabilities are known to be exploited to gain initial access to networks, including vulnerabilities associated with Proxy Shell and unpatched vulnerabilities in on-premises Microsoft Exchange Servers. However, over the past year, spam email campaigns have been a primary attack vector.
Email Filtering Vital for Defending Against Ransomware Attacks
Spam email is a common attack vector used by ransomware gangs. Spam email campaigns are effective and provide low-cost access to victim networks. Phishing and spam campaigns either use malicious attachments or embedded hyperlinks in emails, along with social engineering techniques to convince end users to open the attachments or click the links.
The primary defense against these attacks is email filters. Email filters scan all inbound emails and attachments and prevent malicious messages from being delivered to inboxes. Since cyber actors are constantly changing their lures, social engineering methods, and strategies to bypass email security solutions, it is vital to have an email security solution in place that can respond to changing tactics.
Email security solutions that use artificial intelligence and machine learning to identify and block threats outperform solutions that rely on antivirus engines and blacklists of known malicious IP addresses. SpamTitan incorporates artificial intelligence in addition to blacklists, dual antivirus engines, and sandboxing to identify malicious emails, and has comprehensive threat intelligence feeds to identify new threats rapidly. SpamTitan also provides time-of-click protection against malicious hyperlinks in emails to ensure users are well protected against phishing, malware, ransomware, and other email threats.
Don’t Neglect Security Awareness Training for the Workforce
It is also important to provide security awareness training to all members of the workforce from the CEO down. The FBI and the U.S. Treasury Department recommended in the latest alert to “Focus on cyber security awareness and training,” and “Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).” TitanHQ can help in this regard with SafeTitan – “The only behavior-driven security awareness solution that delivers security training in real-time.”
For more information on improving your defenses against ransomware and other cyber threats, give the TitanHQ team a call to inquire about email filtering, web filtering, and security awareness training for your workforce.
Business Email Compromise (BEC) is the leading cause of financial losses to cybercrime. The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 19,369 complaints about BEC scams in 2020, resulting in adjusted losses of $1.87 billion. While BEC crime ranked number 10 based on victim count, it topped the list in terms of the losses sustained by victims, with three times as much lost to the scams as the second-biggest loss to cybercrime – Confidence/romance fraud.
Business Email Compromise scams usually start with a phishing attack to gain access to email credentials. The attackers seek the credentials of the CEO, CFO, or another executive, and either target those individuals directly with spear phishing emails or compromise the email accounts of lower-level employees and use their email accounts to send phishing emails to the targeted individuals. Once the right credentials have been obtained, the executive’s email account is used to send messages to individuals responsible for wire transfers to trick them into making substantial wire transfers to attacker-controlled bank accounts. While these scams require planning and research, the time spent setting up the scams is well spent, as BEC attacks are often successful.
While BEC scams are usually conducted via email, BEC scammers are increasingly using virtual meeting platforms such as Microsoft Teams and Zoom in their scams. The scammers have taken advantage of the increase in remote working due to the pandemic and the popularity of virtual meeting platforms for communication and collaboration.
Once the scammers have access to the CEO’s email account, they identify their next target and send a request for a virtual meeting. When the target connects to the meeting, the scammer explains that they are having problems with their audio and video, so the meeting proceeds with the scammer on text chat. Oftentimes they will insert a picture of the CEO for added realism. The scammer then provides a reason for the out-of-band request, then asks the employee to make a wire transfer, either in the meeting or after the meeting via email.
The FBI has recently issued a warning to businesses about the increase in the use of virtual meetings for BEC scams, having observed an increase in the use of these platforms for BEC scams between 2019 and 2021. Scammers are also compromising employee email accounts and are inserting themselves into work meetings to gather information about the day-to-day processes at businesses. Since the scammers use genuine email accounts to connect, and audio/visual problems are relatively common, they are able to gather information and steal funds without being detected. The scammers also use compromised CEO email accounts to send emails to employees claiming they are stuck in a virtual meeting and unable to arrange an important wire transfer and ask an employee to initiate the transfer on their behalf.
There are several steps that businesses can take to improve their defenses against BEC attacks. Defending against these attacks should start with an advanced email security solution to block the phishing attacks that allow scammers to gain access to email accounts. SpamTitan has industry-leading detection of phishing URLs in emails and can prevent employees from visiting the web pages where credentials are harvested.
Security awareness training is important as some malicious emails bypass all spam filters. Employees need to be trained on how to identify scam emails. Security awareness training is concerned with creating a ‘human firewall’ to augment technical defenses and should make employees aware of BEC scams and how to identify scam emails from internal email accounts. TitanHQ has recently launched a new security awareness platform called SafeTitan to help businesses with training. SafeTitan is the only behavior-driven security awareness platform that provides real-time training to deal with threats targeting employees.
It is also recommended to implement policies and procedures that require secondary channels or two-factor authentication to verify requests for any changes to account information or atypical requests for bank transfers.
Phishing is the attack vector of choice for many cybercriminals. Attacks are easy to perform, they are often successful, and they provide the foothold in business networks that is required for more extensive compromises. The best defense against phishing is to implement a technological solution – a spam filter – to prevent phishing emails from reaching inboxes. If phishing emails are blocked at the email gateway, they will not arrive in inboxes where they can fool employees.
End-user training is also important, as no spam filter will block all malicious emails. A recent large-scale study has been conducted to determine whether end-user training and phishing warnings are effective, how vulnerability to phishing attacks evolves over time, which employees are most likely to fall for a phishing scam, and whether employees can actually play an important role in phishing email detection, The results of the survey are interesting and provide insights into susceptibility to phishing attacks that can be used by businesses to develop effective employee training programs.
The study was conducted on 14,733 participants by researchers at ETH Zurich and over a period of 15 months and involved another company sending phishing email simulations to see who opened the messages and who clicked on links in the emails. The employees that were tested had no knowledge that simulations were being conducted to make the simulations closely mirror real-world phishing attacks.
Book a free SafeTitan Security Awareness Training demonstration with an expert.
Book Free Demo
There were notable differences in susceptibility to phishing attacks with different age groups, with younger employees more likely to respond to the phishing emails than all other age groups. 18- and 19-year-olds were by far the most likely age group to fall for phishing emails, with the over 60s the least likely. From ages 20 to 59, the percentage of dangerous actions taken in response to phishing emails increased for each age group, with 20- to 29-year olds the least likely to take dangerous actions.
Individuals who are not required to use computers for their day-to-day jobs might be considered to be most at risk of falling for a phishing scam, but that was not the case. Infrequent computer users were the least likely to fall for the scams followed by frequent users, with individuals who use specialized software for repetitive tasks the most susceptible to phishing emails.
In this study, men and women were found to be equally susceptible to phishing emails across the entire study. This contrasts with several other studies that suggest there is a gender bias, with women less likely to fall for phishing scams than men. However, there were differences between the genders when combined with the frequency of computer use data. Men who use specialist software to automate tasks were the most likely to fall for phishing emails, followed by women who used specialist software, then women who are frequent users of computers, and men who are infrequent users. Female infrequent users were the least likely to fall for phishing scams.
The study confirmed the findings of several others in that some individuals are prone to respond to phishing emails. After responding to one simulated phishing email they would go on to respond to more. 30.62% of individuals who clicked on one phishing email were repeated clickers, and 23.91% of individuals who took dangerous actions such as enabling macros in email attachments did it on more than one occasion. These findings show the importance of conducting phishing email simulations to identify weak links who can receive additional training.
Behaviour driven security awareness platform that delivers security training in real-time.
Book Free Demo
Phishing simulations are often conducted by businesses to test the effectiveness of their training programs, but one notable finding was that voluntary training when a simulated phishing email attracted a response was not effective. In fact, not only was this not effective, it appeared to make employees even more susceptible to phishing emails.
Another interesting finding related to adding warnings to emails. When warnings about potential phishing emails, such as emails coming from an external email address, were included in emails, employees were less likely to be duped. However, the lengthier the warning, the less effective it is. Detailed warnings were less likely to be read and acted upon.
When a phishing email reporting option was added to the mail client, employees often reported phishing emails. This feature involved a phishing email button that sent a warning to the IT team. There did not appear to be any waning of reporting over time, with employees not appearing to suffer from reporting fatigue. A few reports would be submitted within 5 minutes of an email arriving, around 30% of reports were within 30 minutes, and over 50% came within 4 hours. The reports could give IT security teams time to take action to remove all instances of phishing emails from the mail system or send warnings to employees.
Free SafeTitan Security Awareness Training demonstration with an expert. Ask any questions.
Book Free Demo
What the study clearly demonstrated is that even employees who are adept at identifying phishing emails are likely to fall for one eventually, so while security awareness training is important, having an effective spam filtering solution is vital. Even individuals who were regularly exposed to phishing emails were eventually duped into clicking a phishing link or taking a dangerous action. Across the entire study, 32.1% of employees clicked on at least one dangerous link or opened a potentially dangerous email attachment.
Phishing is the number one cybersecurity threat faced by businesses and attacks are becoming highly sophisticated. Phishing is used to obtain sensitive information such as login credentials and for distributing malware and ransomware. 91% of all cyberattacks start with phishing emails.
Many businesses now provide security awareness training for the workforce to raise awareness of the threat from phishing and to teach employees the skills that will allow them to identify and avoid phishing emails, but the click rates in phishing emails remain high. According to Security Affairs, 97% of users fail to identify phishing emails. The reason is phishing emails are now being created that are virtually indistinguishable from genuine communications from trusted sources and phishers are experts at social engineering.
The best defense against phishing is a spam filter – A technical solution that scans all inbound (and outbound) emails and performs a wide range of checks and analyses, all of which must be passed in order for an email to be sent to an inbox. Spam filters scan the message headers and message body for signs of spam and phishing, and attachments are scanned using anti-virus engines that identify known malware variants. Hyperlinks in messages are also checked; however, phishers are constantly developing new techniques for hiding malicious URLs from email security solutions.
TitanHQ’s spam and phishing protection solution – SpamTitan – already provides excellent protection from spam and phishing emails; however, a new product – SpamTitan Plus – has now been launched that significantly improves detection rates. SpamTitan Plus provides advanced phishing protection with better coverage, better phishing link detections, faster detection speed, and also has the lowest false positive rate of any product.
“The overwhelming feedback from our users and customer base has been that phishing attacks are becoming more advanced, proficient, and dangerous. Phishing is the number one problem to solve in the email security community,” said TitanHQ CEO Ronan Kavanagh. “With that in mind, we allocated resources and investment to develop a solution with new, cutting-edge, robust, fast phishing threat intelligence driven by a team of security specialists. We’re very happy with the result – SpamTitan Plus”.
SpamTitan Plus includes leading-edge, AI-driven anti-phishing prevention and incorporates the newest “zero-day” threat intelligence, providing better protection than current market-leading email security solution providers at neutralizing malicious links in emails.
All URLs in emails are inspected to determine if they are malicious and are rewritten, and a time-of-click analysis is performed. This is important as the URLs in phishing emails may not be malicious at the time of delivery and may be weaponized with malware after they have passed email security checks. The time-of-click protection involves several dynamic checks, including a page evaluation to identify spoofed websites and login pages and the following of any redirects. If a user clicks on a malicious URL, instead of being directed to the website they will be sent to a local block page that provides further information.
Independent tests of SpamTitan Plus show:
- 100% coverage of phishing threats from the current market-leading anti-phishing feeds
- 5X increase in unique phishing URL threat detection than the current market leaders
- 6X faster and more rapid phishing detection than the current market leaders
10 million new, previously undiscovered phishing URLs are detected every single day and there is only a 5-minute delay from the initial detection of a malicious URL to protect an end user’s mailbox.
SpamTitan is relied upon by 12,000 customers and 3,000 Managed Service Providers for protecting against spam and phishing emails. They can now choose to significantly improve protection with SpamTitan Plus. For more information about SpamTitan Plus, Give the TitanHQ team a call today.
At the start of 2021, a Europol and Eurojust-led operation involving law enforcement agencies in 8 countries successfully took down the infamous Emotet botnet. The botnet consisted of an estimated 1.6 million devices worldwide that had been infected with the Emotet Trojan.
The Emotet Trojan first appeared in 2014 and was originally a banking trojan, although it evolved into a malware downloader that was rented out to cybercrime gangs under the malware-as-a-service model. The botnet was used to give those threat actors a foothold in victims’ environments and allowed them to install malware such as IcedID, QakBot, and TrickBot. Those malware variants were then used to deliver ransomware such as Conti and Ryuk.
Emotet posed a massive threat to businesses worldwide prior to its takedown. In addition to being a malware distribution tool, the botnet was used to launch Distributed Denial of Service (DDoS) attacks and largescale spamming campaigns against high-profile targets around the world.
The Emotet botnet was controlled by a network of hundreds of servers worldwide. The takedown, which occurred on January 27, 2021, saw its infrastructure taken over by law enforcement. On April 25, 2021, law enforcement in Germany launched a cleanup operation that added a module that removed the Emotet Trojan from victims’ systems. 2 individuals were arrested who were suspected of involvement in maintaining the botnet, and in the weeks and months that followed no Emotet activity was detected. However, that has now changed.
The Emotet Botnet is Back
Law enforcement took control of the command-and-control infrastructure of Emotet and removed the Emotet Trojan from all infected devices, and while that was sufficient to kill the botnet, it was not enough to prevent its return. Researchers at GData, Advanced Intel, and Cryptolaemus have all discovered instances where the TrickBot Trojan has delivered an Emotet loader.
The Emotet botnet operators have previously worked with the threat actors behind the Trickbot Trojan, using their botnet to grow the TrickBot botnet. That process is now happening in reverse. A new version of the loader and Emotet Trojan have been created and it appears that the Emotet botnet is being reconstructed from scratch.
At this stage, there are relatively few devices infected with Emotet but that is not likely to remain the case for long. Around 246 devices are known to have had the Emotet Trojan installed, and they are being used as its command-and-control infrastructure at present.
Emotet was known for conducting malspam campaigns to grow the botnet, and spamming campaigns have already been detected using several different lures and a variety of attachments. Spam emails spreading Emotet have used Word files and Excel spreadsheets with malicious macros, and to prevent analysis by email security solutions, some emails have used password-protected zip files. Some of the lures detected by security researchers in the first campaigns include notifications about canceled dental insurance, Cyber Monday and Black Friday sales, notifications about canceled meetings, and requests for political party donations.
How to Protect Against Infection with Emotet
Protecting against Emotet involves implementing measures that also protect against TrickBot infections. Since both Emotet and TrickBot are extensively delivered via malspam emails, implementing an advanced email security solution is a good place to start.
One of the most effective tactics used by the Emotet gang was hijacking message threads. This involves sending replies to previous message conversations and adding a malicious hyperlink or infected email attachment. Since the messages were sent from email accounts known to the recipient, links were often clicked, and attachments opened.
Security awareness training often teaches employees to be suspicious of unsolicited messages from unknown individuals. It is important to make employees aware that malicious emails may also come from known individuals and to warn employees that hijacked message threads are used to deliver malware. Security awareness training can be effective, but it is nowhere near as effective as technical solutions that block malicious messages.
Security can be improved by choosing an email security solution with outbound email scanning. This feature will scan outgoing messages to detect compromised email accounts, allowing security teams to take prompt action to isolate infected devices. You should also ensure that your email security solution includes sandboxing in addition to antivirus engines, as the latter can only detect known malware variants. Attachments that pass standard AV scans are sent to a sandbox where they are subjected to in-depth analysis to identify malicious actions.
These features and many more are included in SpamTitan from TitanHQ. SpamTitan is effective at blocking the full range of email-based threats and is easy to implement and use. If you want to improve your defenses against dangerous email threats such as TrickBot, IcedID, QakBot, and Emotet without breaking the bank, give the TitanHQ team a call for more information about SpamTitan.
SpamTitan is available on a free trial and product demonstrations can be arranged on request.
A new malware variant dubbed Squirrelwaffle has been identified which is being distributed via spam emails. Squirrelwaffle was first identified in September 2021, with the number of spam emails distributing the malware increasing throughout the month and peaking at the end of September.
The takedown of the Emotet botnet in January 2021 left a gap in the malware-as-a-service market, and several new malware variants have since emerged to fill that gap. Emotet was a banking Trojan that was used to distribute other malware variants to Emotet-infected machines, with Squirrelwaffle having similar capabilities. Squirrelwaffle allows the threat group to gain a foothold in compromised devices and networks, which allows other malware variants to be delivered.
Investigations of the malspam campaign have revealed it is currently being used to distribute Qakbot and Cobalt Strike, although the malware could be used to download any malware variant. The spam emails that deliver Squirrelwaffle include a hyperlink to a malicious website which is used to deliver a .zip file that contains either a .doc or .xls file. The Office files have a malicious script that will deliver the Squirrelwaffle payload.
The Word documents use the DocuSign signing platform to lure users to activate macros, claiming the document was created using a previous version of Microsoft Office Word which requires the user to “enable editing” then click “enable content” to view the contents of the file. Doing so will execute code that will deliver and execute a Visual Basic script, which retrieves the Squirrelwaffle payload from one of 5 hardcoded URLs. Squirrelwaffle is delivered as a DLL which is then executed when downloaded and will silently download Qakbot or Cobalt Strike, which both provide persistent access to compromised devices.
As was the case with the Emotet Trojan, Squirrelwaffle can hijack message threads and send malspam emails from infected devices. Since replies to genuine messages are sent from a legitimate email account, a response to the message is more likely. This tactic proved to be highly effective at distributing the Emotet Trojan. The campaign is mostly conducted in English, although security researchers have identified emails in other languages including French, German, Dutch, and Polish.
The similarities with Emotet could indicate some individuals involved in that operation are attempting a return after the law enforcement takedown, although it could simply be an attempt by unrelated threat actors to fill the gap left by Emotet. Currently, the malware is not being distributed in anywhere near the volume of Emotet but it is still early days. Squirrelwaffle may turn out to be the malware distribution vehicle of choice in the weeks and months to come.
To counter the threat, it is vital for email security measures to be implemented to block the malspam at source and ensure the malicious messages are not delivered to inboxes. Since message threads are hijacked, a spam filtering solution that also scans outbound emails– SpamTitan for example – should be used. Outbound scanning will help to identify compromised devices and prevent attacks on other individuals in the organization and address book contacts. SpamTitan also incorporates sandboxing, which works in conjunction with antivirus engines. Suspicious attachments that bypass the AV engines are sent to the sandbox for in-depth analysis.
As part of a defense-in-depth strategy, other measures should also be deployed. A web filter is a useful tool for blocking C2 communications, endpoint security solutions will help to protect against Squirrelwaffle downloads, and regular security awareness training for the workforce is recommended to teach cybersecurity best practices and train employees how to identify malicious emails. Employees should be told to never click links or open attachments in unsolicited emails or messages and to be wary of messages from unknown accounts. It is also important to explain that some malware variants can hijack message threads, so malicious emails may come from colleagues and other address book contacts.
The threat group known as TA505 (aka Hive0065) is known for conducting large-scale phishing campaigns but has not been active since 2020. Now phishing campaigns have been detected that indicate the threat group is conducting attacks once again, with the first mass-phishing campaigns by the group detected in September 2021.
The initial campaigns were small and consisted of a few thousand phishing emails, but as the month progressed larger and larger campaigns were conducted, with phishing campaigns conducted by the group now consisting of tens of thousands of messages. The geographic range has also been increased beyond North American where the gang was initially concentrating its attacks.
Social engineering techniques are used to convince victims to open email attachments or visit links and view shared files, with a variety of lures used by the gang in its phishing attacks. Emails intercepted from the latest campaigns claim to provide insurance claims paperwork, situation reports, media release requests, health claims, and legal requests. Many of the campaigns so far have targeted employees in financial services.
One of the hallmarks of the group is using Excel file attachments in emails that contain malicious macros which deliver a Remote Access Trojan (RAT), the downloading and execution of which gives the group control over victims’ devices. The group is also known to use HTML files that link to malicious websites where the malicious Excel files are downloaded.
While the attacks often start with a file attachment, later in the attack process a Google feedproxy URL is used with a SharePoint and OneDrive lure that appears to be a file share request, which delivers the weaponized Excel file.
The initial infection stage involves the downloading of a Microsoft installer package, which delivers either a KiXtart or REBOL malware loader, which pulls a different MSI package from the C2 server, which then installs and executes the malware. TA505 is known to use the FlawedGrace RAT, which first appeared in 2017, and the latest campaign delivers a new variant of this malware using a malware loader dubbed MirrorBlast. According to an analysis of MirrorBlast by Morphisec labs, the malware will only run in 32-bit versions of Microsoft Office as there are compatibility issues with ActiveX objects.
Macros are disabled by default in Microsoft Excel as a security measure, so social engineering techniques are used in the attacks to convince victims to enable macros. Macros are more commonly used in Excel files than Word files, and end users may not be as suspicious of Excel macros as Word macros.
Email security solutions are capable of detecting files containing Excel macros, especially email security solutions with sandboxing. In an attempt to bypass those measures and ensure the emails are delivered, TA505 uses lightweight, legacy Excel 4.0 XLM macros rather than the newer VBA macros, which has seen many of the messages bypass email security gateways.
TA505 is a highly creative threat group that regularly changes its attack techniques to achieve its goals, with the gang known to have conducted campaigns to deliver the Dridex banking Trojan, Locky and Jaff ransomware, and the Trick banking Trojan.
The group is known for conducting high-volume phishing campaigns that have targeted a range of different industry sectors and geographical areas.
TA505’s tactics, techniques, and procedures are expected to continue to evolve so it is vital for organizations to ensure email security defenses are implemented to block the emails. Security awareness training should also be provided to the workforce and employees should be made aware of the latest tricks and tactics used by the gang, including raising awareness of the use of Excel files with macros in phishing emails.
TitanHQ has released a new version of its award-winning email security solution that includes a new security feature – Geo-blocking email filtering, as well as several other security updates and fixes to improve usability.
Geo-blocking is a feature that has been requested by customers and has now been included in the product at no additional cost to users. Geo-blocking, as the name suggests, allows SpamTitan users to block or allow emails originating from certain geographical locations, based on either IP address or country. This feature allows businesses to add an extra layer of protection to block geographic threat vectors and stop malware, ransomware, and phishing emails from reaching inboxes.
The new feature allows businesses and organizations to block emails coming from any country. This extra control is important, as most malware-containing emails come from a handful of overseas countries – Countries that most small- to medium-sized businesses do not normally work with. Blocking emails from those countries eliminates threats, without negatively impacting the business.
Activating the geo-blocking feature could not be any easier. SpamTitan users can click to restrict emails from any country in the SpamTitan Country IP Database and all emails coming from those countries will be blocked. There will naturally be instances where things are not so cut and dry, but that is not a problem. Geo-blocking can be activated for a specific country, and IP addresses, domains, or email addresses of trusted senders within those countries can simply be whitelisted to ensure their messages are delivered.
“Geoblocking has been a much-requested feature and as always we listen to our customers and provide what they need to implement the very best email security they can,” said TitanHQ CEO Ronan Kavanagh. “After experiencing 30% growth in 2021, TitanHQ expects these product enhancements and new features to make 2021 another record-breaking year.”
Several other security enhancements have been made to further improve the already excellent threat detection and blocking mechanisms within SpamTitan. SpamTitan 7.11 includes an upgraded sandboxing feature to provide even greater protection against malware, ransomware, phishing, spear-phishing, Advanced Persistent Threats, and malicious URLs embedded in emails. These enhancements also provide more detailed information into new threats to help SpamTitan users mitigate risk.
As always with a new release, recently reported bugs have been fixed, and SpamTitan has been further improved with enhanced email rendering in Mail Viewer. Users also now have the ability to remove quarantine report token expiry and improve domain verification, to name but a few of the enhancements.
SpamTitan is delivered either as a 100% cloud-based solution or as an anti-spam gateway, which is run as a virtual appliance on existing hardware. Existing SpamTitan Cloud customers need do nothing to upgrade to the new version of the solution, released on September 14, 2021. SpamTitan Cloud is automatically updated to the latest version.
Users of SpamTitan Gateway will need to manually upgrade to the latest version via System Setup > System Updates.
A full description of the latest updates in SpamTitan 7.11 is available here.
TitanHQ has been recognized for its email security, web security, and email archiving solutions, collecting not one, not two, but three prestigious awards from Expert Insights.
Expert Insights was launched in 2018 to help businesses find cybersecurity solutions to protect their networks and devices from an ever-increasing number of cyber threats. Researching cybersecurity solutions can be a time-consuming process, and the insights and information provided by Expert Insights considerably shortens that process. Unlike many resources highlighting the best software solutions, Expert Insights includes ratings from verified users of the products to give users of the resource valuable insights about how easy products are to use and how effective they are at blocking threats. Expert Insights has helped more than 100,000 businesses choose cybersecurity solutions and the website is visited by more than 40,000 individuals a month.
Each year, Expert Insights recognizes the best and most innovative cybersecurity solutions on the market in its “Best-Of” Awards. The editorial team at Expert Insights assesses vendors and their products on a range of criteria, including technical features, ease-of-use, market presence, and reviews by verified users of the solutions. Each product is assessed by technology experts to determine the winners in a broad range of categories, including cloud, email, endpoint, web, identity, and backup security.
“2020 was an unprecedented year of cybersecurity challenges, with a rapid rise in remote working causing a massive acceleration in cybercrime,” said Craig MacAlpine, CEO and Founder, Expert Insights. “Expert Insights’ Best-Of awards are designed to recognize innovative cybersecurity providers like TitanHQ that have developed powerful solutions to keep businesses safe against increasingly sophisticated cybercrime.”
Three TitanHQ cybersecurity solutions were selected and named winners in the Expert Insights’ 2021 “Best-Of” Awards in the Email Security Gateway, Web Security, and Email Archiving categories. SpamTitan was named winner in the Email Security Gateway category, WebTitan won in the Web Security category, and ArcTitan was named a winner in the Email Archiving category. SpamTitan and WebTitan were praised for the level of protection provided, while being among the easiest to use and most cost-effective solutions in their respective categories.
All three products are consistently praised for the level of protection provided and are a bit hit with enterprises, SMBs, and MSPs. The solutions attract many 5-star reviews from real users on the Expert Insights site and many other review sites, including Capterra, GetApp, Software Advice, Google Reviews, and G2 Crowd. The cybersecurity solutions are now used by more than 8,500 businesses and over 2,500 MSPs.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said Ronan Kavanagh, CEO, TitanHQ. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
A new phishing scam has been detected targeting UK residents that spoofs the National Health Service (NHS) and offers recipients the opportunity to register to receive a COVID-19 vaccination. The NHS COVID-19 vaccine scam is one of several to be intercepted in recent weeks that offers the chance to get a vaccine, when in reality it will involve disclosing sensitive information.
Since the SARS-CoV-2 virus started spreading beyond the borders of China, scammers have been conducting a wide range of COVID-19 phishing scams. Now that the vaccine rollout is progressing in the UK and globally, using the promise of an early vaccine as a lure was to be expected.
In the latest campaign, the sender’s address has been spoofed to make it appear than the messages have been sent by the NHS, and NHS branding is used in the message body. Recipients are instructed that they have been selected to receive the vaccine based on their family and medical history.
The lure is plausible, as in the UK the most at-risk groups have mostly been vaccinated, and the NHS is now moving into priority group 6, which is all individuals aged 16 to 65 with an underlying medical condition. The NHS has also asked people to be patient and to wait until they are contacted about the vaccine to arrange an appointment, which may be via email.
The NHS COVID-19 vaccine scam emails require the recipient to click a link that directs them to a website where they are instructed to provide some information to confirm their identity. In this case, the aim of the scam is not to obtain credentials, but personal information including name, address, date of birth, and credit card details.
Phishing has become the attack vector of choice for many cybercriminal operations during the pandemic. One study indicates an increase of 667% in phishing as an attack vector, showing the extent to which cybercriminals have changed their attack tactics during the pandemic. One study by Centrify shows the number of phishing attacks had increased by 73% between March 2020 and September 2020.
Research published by the ransomware response firm Coveware shows that the volume of ransomware attacks using phishing as the infection vector increased sharpy in the final quarter of 2020, overtaking all other methods of attacks to become the main method of gaining access to business networks.
Phishing attacks are expected to continue to increase in 2021 due to the ease at which they can be conducted and the effectiveness of the campaigns. Attacks are also becoming more sophisticated and harder for employees to identify.
Spear phishing attacks that target certain companies and individuals are becoming much more prevalent. These campaigns involve prior research, and the messages are tailored to maximize the chance of a response.
With phishing so prevalent, it is vital for businesses to ensure they are sufficiently protected and have an email security solution installed that is capable to blocking these threats.
Dual AV engines and sandboxing are capable of blocking known and zero-day malware and ransomware threats, while machine learning technology and multiple threat intelligence feeds provides protection against current and emerging phishing threats.
SpamTitan significantly improves protection for Microsoft Office 365 accounts, the credentials to which are highly sought after by phishers and offers businesses excellent protection from all email-based attacks at a very affordable price.
If you want to protect your inboxes and block more malicious emails, contact TitanHQ for more information about SpamTitan. The multi-award-winning antispam solution is also available on a free trial for you to see for yourself how effective it is and how easy it is to use.
Tax season has begun and so have the annual scams targeting tax professionals. Each year in the run up to the tax filing deadline, cybercriminals conduct scams in order to obtain electronic filing identification numbers (EFINs).
In the United States, the Internal Revenue Service (IRS) issues EFINS to tax professionals and individuals to allow them to file tax returns electronically. If cybercriminals obtain these EFINs they can file fraudulent tax returns in victims’ names to obtain tax rebates. Obtaining an e-file number of a tax professional will allow tax returns to be filed for many individuals, so these scams can be very lucrative.
These scams usually start with a phishing email using a lure to get the recipient to visit a malicious website where they are asked to provide information or upload documents that contain sensitive information. Alternatively, recipients are told to download files which silently install a malware downloader which ultimately gives the attackers full control of the victim’s computer.
Commonly, the spam emails spoof the IRS and instruct tax professionals to provide information or documents in order to prevent the suspension of their account. At such as busy time of year, suspension of an account is best avoided. Faced with this threat, tax professionals may provide the requested information.
One of the phishing emails recently intercepted spoofed the IRS by using the sender name “IRS Tax E-Filing,” with the subject line “Verifying your EFIN before e-filing.” The emails looked convincing and required “authorized e-file originators” to reverify prior to filing returns through the IRS system. The emails claimed the IRS had started using this new security measure to prevent unauthorized and fraudulent activities. The scammers requested a PDF file/scan of the EFIN acceptance letter and both sides of the individual’s driver’s license. Similar scams have been conducted that require tax preparers’ ID numbers and e-services usernames and passwords to be provided.
This year, in addition to the usual phishing emails spoofing the IRS, campaigns have been detected where the attackers claim to be potential clients looking for tax preparers ahead of the filing deadline. Attachments are provided that would typically be needed by tax preparers, but they are laced with malicious scripts that install keylogging malware that records and exfiltrates keystrokes, with are likely to include usernames and passwords.
Tax preparers that fall victim to these scams can suffer catastrophic damage to their reputations, so it is important to exercise caution when opening any emails and to stop and think carefully about any request to provide sensitive information or download files.
One of the easiest ways to protect against these scams is to implement an advanced spam filtering solution that can identify and block these malicious messages. SpamTitan is a powerful email security solution that identifies and blocks malware and documents containing malicious scripts with dual antivirus engines, sandboxing, and machine learning techniques. In addition to blocking malware threats, SpamTitan is highly effective at blocking phishing emails containing malicious links.
The award-winning spam filter is quick and easy to implement and maintain, requiring no technical knowledge. You can be up and running in minutes and protecting your inbox from phishing and malware attacks, which will allow you to concentrate on your business at this busy time of year and avoid costly cyberattacks.
For more information about SpamTitan, to book a product demonstration or to register for a free trail, give the SpamTitan team a call today.
Phishers regularly changes their tactics, techniques and procedures and create more convincing scams to trick employees into disclosing sensitive information or installing malware on their computers. One novel tactic that was first observed in the fall of 2020 involved the use of malformed URL prefixes. Over the following months, the number of emails sent with these atypical URL prefixes grew, and according to GreatHorn researchers, the volume of these messages increased by almost 6,000% in the first month of the year.
URLs start with either HTTP:// or HTTPS://, which are the standard URL protocols. While end users may check to see if the URL starts with HTTP or HTTPS to determine whether the connection to the website is encrypted, they may not notice or be overly concerned about what comes after the colon. That is also true of certain security solutions and browsers, which also do not check that part of the URL.
The new tactic sees one of the forward slashes swapped with a backslash, so HTTPS:// becomes HTTP:/\ and it is enough of a change to see phishing emails delivered to inboxes. This tactic has been combined with another tactic that reduces the chance of the link being identified as malicious. The URL linked in the emails directs the user to a web page that includes a reCAPTCHA security feature. This feature will be known to most internet users, as it is used by a great deal of websites and search engines to distinguish between real users and robots.
The challenge must be passed for a connection to the website to me made. Having this security feature helps to convince the visitor that they are arriving on a legitimate site, but it also stops security solutions from assessing the content of the site. If the user passes the reCAPTCHA challenge, they are then redirected to a different URL that hosts the phishing form. That webpage very closely resembles the login prompt of Office 365 or Google Workspace, with this campaign mostly targeting Office 365 credentials.
Since this new tactic is now proving popular it is worthwhile incorporating this into your security awareness training sessions to make employees aware of the need to check the URL prefix, and also add a rule in SpamTitan to block these malformed URLs.
A new Adidas phishing scam has been detected that offers free shoes and money. The messages claim that Adidas is celebrating its 93rd anniversary and is giving 3000 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription.
“Adidas is giving away 3000 Free Pair of Shoes to celebrate its 93rd anniversary. Get your free shoes at <link>”
The very same scam was run in 2019 claiming to celebrate 69th anniversary and on that occasion was giving 2,500 lucky customers a free pair of Adidas sneakers and a free $50 a month subscription. The scammer saw success previously and have clearly decided it’s worth trying again.
The Scam Adidas Email
There is also an email version of the scam. The fake Adidas email claims the recipient has won a large sum of money and all they need to do to claim the cash is send their personal details via email.
Scam emails are now a very effective form of cyber attack. Most successful hacking attacks today begin with a phishing email. Scam emails containing ransomware or BEC are a challenge for corporate security.
A successful breach can cost an organization millions but defending against this kind of attack requires powerful anti-spam and malware technology. To defend against this kind of phishing attack you need a cutting edge email security solution to stop scam emails, a security aware workforce to identify a scam email and spot a spoof email, and powerful web protection that blocks user from accessing dangerous websites
Discover how SpamTitan works to block phishing and ransomware threats with a free demo.
Book Free Demo
WhatsApp phishing scam
The WhatsApp phishing scam is targeting users on mobile devices in specific locations. If the user clicks the link in the message and is determined not to be using a mobile device, they will be directed to a webpage that displays a 404 error. The scam will also only run if the user is in the United States, Pakistan, India, Norway, Sweden, Nigeria, Kenya, Macau, Belgium or the Netherlands.
Provided the user is on a mobile device and located in one of the targeted countries, a series of four questions will be asked. The responses to the questions are irrelevant as all users will be offered a “free” pair of sneakers after answering the four questions.
In order to be able to claim the prize, users must share the offer with their contacts on WhatsApp. Regardless of whether the user does this, they will be directed to another webpage where they are asked further questions and are finally offered a “free” pair of sneakers worth $199.
There is another catch. In order to claim their free sneakers, the user must pay $1. The user is advised that they will also be charged $49.99 a month for the subscription at the end of the month if they do not cancel. The user is told they can cancel at any point.
On the payment screen the user is told that the payment will be processed by organizejobs.net. Proceeding with the payment will see the user charged $1, followed by the subscription cost of $49.99 in 7 days.
The campaign is being run on WhatsApp, although similar scams have been conducted via email and SMS messages. Several variations along the same theme have also been identified spoofing different shoe manufacturers.
The link supplied in the WhatsApp phishing message appears to be genuine, using the official domain for the country in which the user is located. While the domain looks correct, this is an example of a homoglyph attack. Instead of the domain adidas.de, the i is replaced with a vertical line – a homoglyph attack.
These types of scams are commonplace. Homoglyph scams take advantage of the ability to use non-ASCII characters in domain names. Similar scams use a technique called typosquatting – where domains closely matching real brand names are registered: Incorrect spellings for instance, such as “Addidas” instead of Adidas, or with an i replaced with a 1 or an L.
In this case, the attackers appear to be earning a commission for getting users to sign up, although disclosing debit and credit card details could easily see the information used to run up huge bills or drain bank accounts.
There are various warning signs indicating this is an Adidas phishing scam. Close scrutiny of the domain will reveal it is incorrect. The need to share the message to contacts is atypical, being notified of a charge after being told the shoes are free, the failure to ask the user to choose a pair of shoes or even select their size, and an odd domain name is used to process payment. However, even with these tell-tale signs that the offer is not genuine, this adidas phishing scam is likely to fool many people.
Be warned. If you receive any unsolicited WhatsApp message offering you free goods, best to assume it is a phishing scam.
To find out more about some of the key protections you can put in place to improve your resilience against email scams and phishing attacks, contact the SpamTitan team today.
DMARC email authentication is an important element of phishing defenses, but what is DMARC email authentication, what does it do, and how does it protect against email impersonation attacks?
There is some confusion about what DMARC email authentication is and what it can do. In this post we explain in clear English what DMARC means and why it should be part of your anti-phishing defenses.
What is DMARC
DMARC is short for Domain-based Message Authentication, Reporting, and Conformance. Its purpose is to make it harder for threat actors to conduct phishing attacks that spoof brands and get those messages delivered to inboxes. DMARC is a critical component of email cybersecurity that reduces an attacker’s ability to get email threat to an end user’s inbox.
With DMARC, organizations can create a record of who is authorized to send emails from their domain. This helps to prevent misuse of a company brand in phishing campaigns.
If DMARC is implemented on email, a business can have all incoming emails checked against DMARC records and any email that fails the check can be subjected to certain actions.
The message can be delivered as normal with a warning and the email will be included in a report of emails that failed the check. The message could automatically be sent to quarantine for manual approval before delivery is made. Alternatively, the message could be rejected or subjected to a custom policy. An organization can select the best policy to adopt based on their level of risk tolerance.
DMARC will not stop all phishing emails from being delivered, but it is an important measure to implement to stop email spoofing and reduce the number of phishing emails that reach inboxes. DMARC is just one of several rules that are used to determine whether emails are genuine and should be delivered or if the messages have been sent from an unauthorized user.
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DNS records are also used to determine whether the email server being used is authorized to send emails for the organization.
Find out more about improving your email security defenses. Sign up for a free SpamTitan demo today.
Book Free Demo
What is Sender Policy Framework (SPF)
The Sender Policy Framework (SPF) is an email-authentication technique used to restrict who can send emails from your domain. It allows your mail server determine when a message comes from the domain that it uses. SPF has three major elements: a policy framework, an authentication method and specialized headers to convey the information.
An email message contains two sender addresses:
- The From:header, displaying the name and email address of the sender
- The Envelope From:or Return-Path email address.
Both types of sender addresses can be easily spoofed.
SPF uses a DNS record to verify the Envelope From: only. This means that if a spammer spoofs the Envelope From: address using a domain where SPF is enabled, the mail will be caught by the receiving server. If the spammer spoofs the From: header, SPF will not catch this. The SPF record indicates which email servers are authorized to send mail on behalf of a domain. This would be the organization itself and any third parties, such as marketing companies. The SPF record is a DNS TXT record that includes IP addresses and hostnames that are allowed to send emails from a particular domain. The SPF record is the first thing checked by DMARC rules.
Together with the DMARC related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is. SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.
DKIM is more advanced and uses a TXT record and asymmetric public-private key encryption. With DMARC enabled, the signature is encrypted with the public key and the key is published on DNS servers. The domain’s private key is then used at the recipient’s email server for verification.
If DKIM is enabled, the public key-encrypted signature is compared with the message that is decrypted using a newly generated key to confirm that the message has not been altered. DKIM also confirms that the sender is from the listed domain and that the sender has not been spoofed.
DMARC offers a much greater level of protection than SPF and is more dependable, so both should be implemented. Both SPF and DMARC are incorporated into SpamTitan to better protect users from email spoofing attacks. Enabling SPF, DKIM and DMARC will help greatly reduce the amount of spoof emails recieved, and that is only good.
To find out more about improving your email security defenses, contact the TitanHQ team today.
The threat from phishing is ever present and phishing remains the leading cause of data breaches. All it takes is for one employee to fall for a phishing email for threat actors to gain the foothold they need to conduct more extensive attacks on the organization. But how common is phishing? In this post we provide some key 2020 phishing statistics to raise awareness of the threat and highlight the need for businesses to rethink their current phishing defenses.
2020 Phishing Statistics
Phishing is the easiest way for cybercriminals to gain access to sensitive data and distribute malware. Little skill or effort is required to conduct a successful phishing campaign and steal credentials or infect users with malware. The latest figures show that in 2020, 22% of reported data breaches started with a phishing email and some of the largest data breaches in history have started with a phishing attack, including the 78.8 million record data breach at the health insurer Anthem Inc., and the massive Home Depot data breach in 2014 that saw the email addresses of 53 million individuals stolen.
Phishing can be conducted over the phone, via SMS, social media networks, or instant messaging platforms, but email is most commonly used. Around 96% of all phishing attacks occur via email. Successful phishing attacks result in the loss of data, theft of credentials, or the installation of malware and ransomware. The cost of resolving the incidents and resultant data breaches is substantial. The 2020 Cost of a Data Breach Report by the Ponemon Institute/IBM Security revealed the average cost of a data breach is around $150 per compromised record with a total cost of $3.86 million per breach. A single spear phishing attack costs around $1.6 million to resolve.
Employees may believe they are able to spot phishing emails, but data from security awareness training companies show that in many cases, that confidence is misplaced. One study in 2020 revealed that 30% of end users opened phishing emails, 12% of users clicked a malicious link or opened the attachment in the email, and one in 8 users then shared sensitive data on phishing websites. Bear in mind that 78% of users claimed that they know they shouldn’t open email attachments from unknown senders or click links in unsolicited emails.
The 2020 phishing statistics show phishing and spear phishing are still incredibly common and that phishing attacks often succeed. Another study revealed 85% of companies have fallen victim to a phishing attack at least once. Phishing websites are constantly being created and used in these scams. Once a URL is confirmed as malicious and added to a blacklist, it has often already been abandoned by the threat actors. In 2020, around 1.5 million new phishing URLs were identified every month.
2020 has seem a massive increase in ransomware attacks. While manual ransomware attacks often see networks compromised by exploiting vulnerabilities in firewalls, VPNs, RDP, and networking equipment, ransomware is also delivered via email. Since 2016, the number of phishing emails containing ransomware has increased by more than 97%.
How to Detect and Block Phishing Threats
Tackling phishing and preventing successful attacks requires a defense in depth approach. An advanced spam filtering solution is a must to prevent phishing emails from reaching inboxes. Companies that use Office 365 often rely on the protections provided as standard with their licenses, but studies have shown that the basic level of protection provided by Microsoft’s Exchange Online Protection (EOP) is insufficient and average at best and phishing emails are often not detected. A third-party, solution is recommended to layer on top of Office 365 – One that incorporates machine learning to identify never before seen phishing threats. The solution should use email authentication protocols such as DMARC, DKIM, and SPF to identify and block email impersonation attacks and outbound scanning to identify compromised mailboxes.
End user training is also important. In the event of a phishing email arriving in an inbox, employees should be trained to identify it as such and be conditioned into reporting the threat to their IT team to ensure action can be taken to remove all instances of the threat from the email system. Web filters are also important for blocking the web-based component of phishing attacks and preventing employees from visiting phishing URLs. Multi-factor authentication on email accounts is also essential. In the event of credentials being stolen, MFA will help to ensure that the credentials cannot be used to access email accounts.
Phishers are constantly changing their tactics to fool employees into clicking on links and disclosing their credentials. During the pandemic, many scammers switched from their tried and tested campaigns using standard business-themed lures such as fake invoices, purchase orders, and shipping notices to COVID-19 themed lures. These lures were topical and took advantage of people craving information about the coronavirus and COVID-19.
Phishers Use Fake Internal Memos About Changes to HR Work from Home Policies
Now a new phishing campaign has emerged that takes advantage of the changed business practices due to COVID-19. Many employees are still working remotely, even though their employers have started reopening their offices. During the pandemic, employees have got used to receiving regular internal company memos and updates.
The new phishing campaign spoofs the company’s HR department and appears to be an automated internal company email, similar to the messages employees are used to receiving. The emails claim to have voicemail attachments, which will also be familiar to many remote workers. The HTML attachments are personalized with the recipient’s name to add credibility to the message.
If the file attachment is opened, the user will be presented with a link they are required to click to receive the company information. In one campaign, this was a SharePoint link, although other cloud services could similarly be used. The link directs the user to SharePoint and provides an update on the company’s remote working policy. After reading the message, the worker is required to click a link that directs them to the actual phishing page where sensitive information is collected.
This campaign is very realistic. The fake remote working policy is well written and plausible and states that if employees wish to continue working from home after the pandemic, they are required to complete an HR form to provide notice in writing. The SharePoint-hosted Excel form where the user is directed is also plausible, but in addition to the request to continue to work from home, the user is required to supply their email credentials.
Phishing Campaign Offers Government Financial Aid to COVID-Affected Workers
A separate phishing campaign has been identified that is also linked to the pandemic, spoofing government agencies and offering pandemic-related financial assistance for individuals prevented from working due to COVID-19 restrictions or have otherwise been adversely affected. This campaign has targeted U.S. citizens, although similar campaigns could be conducted targeting individuals in other countries.
In this campaign, which has the subject message “US government to give citizens emergency financial aid,” the message states that the government begun issuing payments of cash compensation in October 2020. The message states that payment is only provided to USA residents and the maximum payout is $5,800.
A link is supplied in the email that the user is required to click to make a claim, which the email states will be reviewed by a support representative who will send a personal response within 24 hours. The link directs the user to a domain that spoofs the U.S. government. The user is required to enter their name and date of birth, followed by their address, contact information, Social Security number, and driver’s license number on a second form.
Phishing is the Most Common Type of Cybercrime
A recent Clario/Demos survey confirmed that phishing and email attacks are the most common types of cybercrime reported in both the United States and the United Kingdom.
The pandemic has made it easier for phishing attacks to succeed. Phishers are taking advantage of the uncertainty about changes to new ways of working caused by the pandemic, people working home alone without such a high level of support, and vulnerabilities that have been introduced as a result of the change to a fully remote workforce.
Businesses can better protect their employees by using cloud-based email and web filtering solutions. These solutions work in tandem to block the email and web-based component of phishing attacks and malware distribution campaigns. A cloud-based email filtering solution will filter out the majority of malicious messages and will keep inboxes free of threats. A web filter will prevent end users from visiting malicious links, downloading malicious attachments, or visiting malicious websites either through work-related or non-work-related Internet activity when working from the office or remotely.
TitanHQ has developed two easy to use, easy to implement, and highly effective email and web security solutions for protecting office-based and remote workers from the full range of web and email threats, including previously seen phishing emails and zero-minute attacks and new malware threats.
To better protect your business, your employees, and your networks from threats, give the TitanHQ team a call today to find out more. You will also have the opportunity to trial the SpamTitan Email Security and WebTitan Web Security solutions to see for yourself how easy they are to use and the protection they offer. You are also likely to be pleasantly surprised by how little this level of protection will cost.
Banking Trojans have long posed a threat to businesses, but one in particular has stood head and shoulders above the rest in 2020: The Emotet Trojan.
Emotet: The Biggest Malware Threat in 2020
The Emotet Trojan first appeared in 2014 and was initially a banking Trojan, which was used to steal sensitive data such as bank account information from browsers when the user logs into their bank account. The Emotet Trojan has since been developed and it has now evolved into a much bigger threat.
Emotet is now far more effective at spreading to other devices, using a worm like element to infect other devices on the network as well as hijacking the user’s email account and using it to send copies of itself to victims’ contacts. Infected devices are added to the Emotet botnet, and have been used in attacks on other organizations. The operators of Emotet have now joined forces with other cybercriminal operations and are using their malware to deliver other Trojans such as TrickBot and QakBot, which in turn are used to deliver ransomware.
Data from HP Inc. revealed Emotet infections increased by 1,200% from Q2 to Q3, showing the extent to which activity has increased recently. Data from Check point show Emotet is the biggest malware threat, accounting for 12% of all infections in October 2020. TrickBot, which is delivered by Emotet, is the second biggest threat, accounting for 4% of infections.
Emotet and TrickBot are Driving the Increase in Ransomware Infections
The Emotet and TrickBot Trojans are driving the increase in ransomware infections globally, especially attacks on healthcare organizations. The healthcare industry in the United States is being targeted by ransomware gangs due to the increased chance of the ransom being paid. In many cases, the recent ransomware attacks have been made possible due to previous Emotet an TrickBot infections.
Unfortunately, due to the efficient way that Emotet spreads, removing the malware can be problematic. It is probable that more than one device has been infected, and when the Trojan is removed from one device, it is often reinfected by other infected devices on the network.
The best way of preventing attacks is stopping the Emotet emails from reaching inboxes and making sure that employees are trained how to recognize phishing emails.
How SpamTitan Can Protect Your Organization
SpamTitan use a wide range of different techniques to identify phishing emails that are used to deliver malware such as Emotet. These measures provide layered protection, so should one check fail to identify the threat, several others are in place to provide protection.
SpamTitan uses dual antivirus engines to identify previously seen malware variants and sandboxing to identify new (zero day) malware threats. Suspicious email attachments are sent to the sandbox where they are subjected to in depth analysis to identify malicious actions such as command and control center callbacks.
SpamTitan uses Sender Policy Framework (SPF) and DMARC to block spoofing and email impersonation attacks, which are used to convince employees to open attachments and click malicious links. SpamTitan also includes outbound scanning, which detects devices that have potentially been infected and prevents messages from spreading Emotet internally and to business contacts.
There are many cybersecurity solutions that can provide protection against malware, but finding one that is easy to use, effective, and reasonably priced can be a challenge.
SpamTitan ticks all of those boxes. It is the most and best ranked email security solution on Capterra, GetApp and Software Advice, has achieved a rating of 4.9 out of 5 on Google reviews, and is listed in the top three in the email security gateway, MSP email security, and email security for Office 365 categories.
If you want to protect your organization from Emotet and other malware and phishing attacks, give the TitanHQ team a call to find out more about SpamTitan Email Security.
The threat of phishing is ever present, especially for the healthcare industry which is often targeted by phishers due to the high value of healthcare data and compromised email accounts. Phishing attacks are having a major impact on healthcare providers in the United States, which are reporting record numbers of successful phishing attacks. The industry is also plagued by ransomware attacks, with many of the attacks having their roots in a successful phishing attack. One that delivers a ransomware downloader such as the Emotet and TrickBot Trojans, for example.
A recent survey conducted by HIMSS on U.S. healthcare cybersecurity professionals has confirmed the extent to which phishing attacks are succeeding. The survey, which was conducted between March and September 2020, revealed phishing to be the leading cause of cybersecurity incidents at healthcare organizations in the past year, being cited as the cause of 57% of incidents.
One interesting fact to emerge from the survey is the lack of appropriate protections against phishing and other email attacks. While it is reassuring that 91% of surveyed organizations have implemented antivirus and antimalware solutions, it is extremely concerning that 9% appear to have not. Only 89% said they had implemented firewalls to prevent cybersecurity incidents.
Then there is multi-factor authentication. Multifactor authentication will do nothing to stop phishing emails from being delivered, but it is highly effective at preventing stolen credentials from being used to remotely access email accounts. Microsoft suggested in a Summer 2020 blog post that multifactor authentication will stop 99.9% of attempts to use stolen credential to access accounts, yet multifactor authentication had only been implemented by 64% of healthcare organizations.
That does represent a considerable improvement from 2015 when the survey was last conducted, when just 37% had implemented MFA, but it shows there is still considerable for improvement, especially in an industry that suffers more than its fair share of phishing attacks.
In the data breach reports that are required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Rules, which healthcare organizations in the U.S are required to comply with, it is common for breached organizations to state they are implementing MFA after experiencing a breach, when MFA could have prevented that costly breach from occurring in the first place. The HIMSS survey revealed 75% of organizations augment security after suffering a cyberattack.
These cyberattacks not only take up valuable resources and disrupt busines operations, but they can also have a negative impact on patient care. 28% of respondents said cyberattacks disrupted IT operations, 27% said they disrupted business operations, and 20% said they resulted in monetary losses. 61% of respondents said the attacks had an impact on non-emergency clinical care and 28% said the attacks had disrupted emergency care, with 17% saying they had resulted in patient harm. The latter figure could be underestimated, as many organizations do not have the mechanisms in place to determine whether patient safety has been affected.
The volume of phishing attacks that are succeeding cannot be attributed to a single factor, but what is clear is there needs to be greater investment in cybersecurity to prevent these attacks from succeeding. An effective email security solution should be top of the list – One that can block phishing emails and malware attacks. Training on cybersecurity must be provided to employees for HIPAA compliance, but training should be provided regularly, not just once a year to meet compliance requirements. Implementation of multifactor authentication is also an essential anti-phishing measure.
One area of phishing protection that is often overlooked is a web filter. A web filter blocks the web-based component of phishing attacks, preventing employees from accessing webpages hosting phishing forms. With the sophisticated nature of today’s phishing attacks, and the realistic fake login pages used to capture credentials, this anti-phishing measure is also important.
Many hospitals and physician practices have limited budgets for cybersecurity, so it is important to not only implement effective anti-phishing and anti-malware solutions, but to get effective solutions at a reasonable price. That is an area where TitanHQ excels.
TitanHQ can provide cost-effective cloud-based anti-phishing and anti-malware solutions to protect against the email- and web-based components of cyberattacks and both of these solutions are provided at a very reasonable cost, with flexible payment options.
Further, these solutions have been designed to be easy to use and require no technical skill to set up and maintain. The ease of use, effectiveness, and low price are part of the reason why the solutions are ranked so highly by users, achieving the best rankings on Capterra, GetApp and Software Advice.
If you want to improve your defenses against phishing, prevent costly cyberattacks and data breaches, and the potential regulatory fines that can follow, give the TitanHQ team today and inquire about SpamTitan Email Security and WebTitan Web Security.
The Emotet Trojan is one of the main malware threats currently used to attack businesses. The Trojan is primarily distributed using spam emails, using a variety of lures to convince users to install the Trojan.
The spam emails are generated by the Emotet botnet – an army of zombie devices infected with the Emotet Trojan. The Trojan hijacks the victim’s email account and uses it to send copies of itself to the victim’s business contacts using the email addresses in victims’ address books.
Emotet emails tend to have a business theme, since it is business users that are targeted by the Emotet actors. Campaigns often use tried and tested phishing lures such as fake invoices, purchase orders, shipping notices, and resumes, with the messages often containing limited text and an email attachments that the recipient is required to open to view further information.
Word documents are often used – although not exclusively – with malicious macros which install the Emotet Trojan on the victim’s device. In order for the macros to run, the user is required to ‘Enable Content’ when they open the email attachment.
Users are instructed in the documents to enable content using a variety of tricks, oftentimes the documents state that the Word document has been created on an IoS or mobile device, and content needs to be enabled to allow the content to be viewed or that the contents of the document have been protected and will not be displayed unless content is enabled.
Earlier this month, a new lure was used by the Emotet actors. Spam emails were sent explaining a Windows update needed to be installed to upgrade apps on the device, which were preventing Microsoft Word from displaying the document contents. Users were instructed to Enable Editing – thus disabling Protected View – and then Enable Content – which allowed the macro to run.
The Emotet Trojan does not simply add devices to a botnet and use them to conduct further phishing attacks. One of the main uses of Emotet is to download other malware variants onto infected devices. The operators of the Emotet botnet are paid by other threat actors to distribute their malware payloads, such as the TrickBot Trojan and QBot malware.
The TrickBot Trojan was initially a banking Trojan that first appeared in 2016, but the modular malware has been regularly updated over the past few year to add a host of new functions. TrickBot still acts as a banking Trojan, but is also a stealthy information stealer and malware downloader, as is QBot malware.
As with Emotet, once the operators of these Trojans have achieved their aims, they deliver a secondary malware payload. TrickBot has been used extensively to deliver Ryuk ransomware, one of the biggest ransomware threats currently in use. QBot has teamed up with another threat group and delivers Conti ransomware. From a single phishing email, a victim could therefore receive Emotet, TrickBot/QBot, and then suffer a ransomware attack.
It is therefore essential for businesses to implement an effective spam filtering solution to block the initial malicious emails at source and prevent them from being delivered to their employee’s inboxes. It is also important to provide security awareness training to employees to help them identify malicious messages such as phishing emails in case a threat is not blocked and reaches employees’ inboxes.
Organizations that rely on the default anti-spam defenses that are provided with Office 365 licenses should consider implementing an additional spam filtering solution to improve protection against Emotet and other malware and phishing campaigns. Phishing emails often slip past Office 365 defenses and are delivered to inboxes. With a powerful, advanced spam filtering solution such as SpamTitan layered on top of Office 365 anti-spam protections, users will be better protected.
To find out more about the full features of SpamTitan and how the solution protects businesses from threats such as malware, ransomware, phishing, and spear phishing attacks, give the SpamTitan team a call today.
A product demonstration can be arranged, your questions will be answered, and assistance will be provided to help set you up for a free trial to evaluate the solution in your own environment.
The TrickBot Trojan, one of the biggest malware threats to appear in recent years, has had its backend infrastructure taken down by a coalition of tech firms.
TrickBot started life in 2016 as a banking Trojan used to target Windows devices but the malware has received many updates over the years and has had many new modules added to give it a much wider range of capabilities. TrickBot targets hundreds of different banks and also steals credentials and Bitcoin wallets. In recent years, the operators have teamed up with several different criminal organizations and have used the Trojan to deliver keyloggers, cryptominers, information stealers and ransomware variants such as Ryuk and Conti. TrickBot can now perform a huge range of malicious actions via many different plugins and in January and February 2020 was targeting more than 600 websites via a webinject module, most of which being financial institutions.
The Trojan achieves persistence on infected devices and adds them to a botnet, which has grown into one of the largest in operation. The operators of the Trojan are also known to use the EternalBlue exploit to move around infected networks and spread the Trojan to other devices on the network. This can make removal of the Trojan difficult, as once it is removed from a device, other infected devices on the network simply reinfect it when it is reconnected.
TrickBot is primarily spread via phishing emails via malicious macros, but other malware-as-a-service operations also deliver TrickBot, such as Emotet. TrickBot typically used lures aimed at business users, such as shipment receipts, receipt reminders, required declarations, delivery notifications, and other logistics themes using Word and Excel attachments and Java Network Launch Protocol (.jnlp) attachments, as well as malicious hyperlinks embedded in emails. In 2020, a large-scale campaign was conducted using coronavirus and COVID-19 themed lures, one of which spoofed humanitarian groups and claimed to offer free COVID-19 tests.
Those emails were sent by a diverse range of compromised email accounts and marketing platforms, with the threat group also using domains with their own mail servers to distribute the malware. There has been growing concern that the botnet could also be used in campaigns to disrupt the upcoming November 3, 2020 U.S. presidential election.
TrickBot is stealthy and uses a variety of mechanisms to evade detection by security solutions, including password protected zip files, delayed downloads of the Trojan when macros are run, heavily obfuscated loaders, encryption of configuration files, and a complex command and control infrastructure. The latter has now been untangled and its backend infrastructure has been taken down.
Several tech firms including Microsoft, ESET, Black Lotus Labs, and NTT have been working together for months to try to disrupt the TrickBot operation. More than 125,000 samples of the TrickBot Trojan were analyzed along with over 40,000 configuration files used by various TrickBot modules. After several months of painstaking work, the command and control servers used by the botnet were identified and its network infrastructure was mapped. Armed with the IP addresses, Microsoft obtained a court order and seized control of the infrastructure of servers used to distribute and communicate with the malware and its various modules. The IP addresses associated with the malware have now been disabled.
When the takedown occurred, more than 1 million devices had been infected with the malware and were part of its botnet. The takedown is great news, as one more malware threat – and a major one at that – has been taken out of action, at least temporarily. Efforts are now underway by ISPs to contact victims to ensure the Trojan is removed from their systems.
Businesses are constantly targeted by cybercriminals and phishing one of the easiest ways that they can gain a foothold in corporate networks. An email is sent to an employee with a lure to entice them to click an embedded hyperlink and visit a website. When they arrive on the site, they are presented with a login prompt and must enter their credentials. The login prompt is indistinguishable from the real thing, but the domain on which the login prompt appears is controlled by the attacker. Any information entered on the website is captured.
End user training will go a long way to keeping your business protected against phishing attacks. Phishers target people using a variety of “social engineering” tactics to get them to take a specific action, which could be visiting a website and downloading malware, giving up their login credentials, or sending a wire transfer to the criminal’s bank account. By conditioning employees to perform checks and to stop and think before taking any action suggested in an email, you will greatly improve resilience to phishing attacks.
Industry leading, behaviour-driven security awareness platform that delivers security training in real-time.
Book Free Demo
Many employees will say that they can identify a phishing email and will never be fooled, but the number of successful phishing attacks that are occurring every day suggests there are gaps in knowledge and even the most tech-savvy individuals can be fooled.
To illustrate this point, consider the SANS Institute. If you have never heard of the SANS Institute, it is one of the world’s leading computer and information security training and certification organizations, including anti-phishing training.
In August 2020, the SANS Institute announced that one of its employees had fallen for a phishing scam and disclosed their login credentials. The attacker used those credentials to access the account and set up a mail forwarder that sent a copy of every email to the attacker’s email account. 513 emails, some of which contained sensitive information on SANS members, were forwarded to the account before the attack was detected. The emails contained the personally identifiable information of 28,000 SANS members. The SANS Institute decided to use this attack as a training tool and will be providing details of how it succeeded to help others prevent similar attacks.
This incident shows that even the most highly trained individuals can fall for a phishing email. Had training not been provided, instead of one compromised email account there could have been many.
Phishers are constantly changing tactics and developing new scams to fool people and technological anti-phishing solutions. The key to phishing attack prevention is to implement a range of defenses to block attacks. Any one of those measures may fail to detect a phishing email on occasion, but others will be in place to provide protection. This defense-in depth approach is essential given the sophistication of phishing attacks and the volume of messages now being sent.
Book a free SafeTitan Security Awareness Training demonstration with an expert.
Book Free Demo
In addition to regular end user training and phishing simulation emails to harden the human element of your defenses, you need an advanced spam filter. If you use Office 365 you will already have a basic level of protection provided through Microsoft’s basic spam filter, Exchange Online Protection (EOP), but this should be augmented with a third-party solution such as SpamTitan to block more threats. EOP blocks spam, known malware, and many phishing emails, but SpamTitan will greatly improve protection against more sophisticated phishing attacks and zero-day malware.
You should also consider implementing a web filter to block the web-based component of phishing attacks. When an employee attempts to visit a malicious website that is used to steal credentials and other sensitive information, a web filter can prevent that website from being accessed.
With a spam filter, web filter, and end user training, you will be well protected, but you should also implement 2-factor authentication. If credentials are stolen, 2-factor authentication can prevent those credentials from being used by the attacker to gain access to the account.
For more information on spam filtering, web filtering, and phishing protection, give the TitanHQ team a call. Our team of experienced engineers will be happy to help you set up SpamTitan email security and the WebTitan web filter on a free trial so you can see for yourself how effective both are at blocking phishing attacks and other cybersecurity threats.
Behaviour driven security awareness platform that delivers security training in real-time.
Book Free Demo
Several SBA loan phishing scams identified in recent weeks that impersonate the U.S. Small Business Administration in order to obtain personally identifiable information and login credentials for fraudulent purposes.
Due to the hardships suffered by businesses due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is offering loans and grants to small businesses to help them weather the storm.
Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and companies during the pandemic. Cybercriminals have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and distribute malware and ransomware.
Several phishing campaigns have been launched since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.
Phishing emails have been sent encouraging small businesses to apply for a loan. One such campaign confirms that the business is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the scammers to apply for a loan on behalf of the business and pocket the funds.
Another scam impersonates the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been received. The emails include an attached form that must be completed and uploaded to the SBA website. The email attachment appears to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a range of different malicious payloads.
The same email address used for that campaign was used in a different attack that included a PDF form that requested bank account information and other sensitive data, which needed to be completed and uploaded to a spoofed SBA website.
In the past few days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government agencies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails links to a cleverly spoofed SBA web page that indistinguishable from the genuine login page apart from the URL that attempts to steal credentials. The scam prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency alert warning of the scam.
These SBA loan phishing scams use a variety of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.
First and foremost, you should have an advanced spam filtering solution in place such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams and uses DMARC and sender policy framework (SPF) to identify and block email impersonation attacks.
Dual antivirus engines detect 100% of known malware and sandboxing is used to subject attachments to deep analysis to identify malicious code and malware that has not been seen before. Machine learning technology is also used to identify new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.
Prior to opening any downloaded document or file it should be scanned using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.
Care should be taken opening any email or email attachment, even emails that are expected. Steps should be taken to verify the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive information.
Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are genuine. Always carefully check the sender of the email – Genuine SBA accounts end with sba.gov. The display name can easily be spoofed so click reply and carefully check the email address is correct. Care should be taken when visiting any website linked in an email. Check the full URL of any website to make sure it is the legitimate domain.
CISA also recommends monitoring users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such as WebTitan. WebTitan allows businesses to monitor Internet activity in real-time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by employees.
For more information on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call today.
A new phishing campaign has been detected that uses Google Cloud Services to fool victims into giving up their Office 365 credentials. The new campaign is part of a growing trend of disguising phishing attacks using legitimate cloud services.
The phishing attack starts like any other with an email containing a hyperlink that the recipient is requested to click. If the user clicks the link in the email, they are directed to Google Drive where a PDF file has been uploaded. When the file is opened, users are asked to click a hyperlink in the document, which appears to be an invitation to access a file hosted on SharePoint Online.
The PDF file asks the victim to click the link to sign in with their Office 365 ID. Clicking the link will direct the user to a landing page hosted using Google’s storage.googleapis.com. When the user arrives on the landing page, they are presented with an Office 365 login prompt that looks exactly like the real thing. After entering their credentials, they will be directed to a legitimate PDF whitepaper that has been obtained from a well-respected global consulting firm.
The campaign has been designed to make it appear that the victim is simply being directed to a PDF file that has been shared via Sharepoint, and the actual PDF file is displayed after the victim has divulged their credentials. It is therefore likely that the victim will not realize that their Office 365 credentials have been phished. The only sign that this is a scam is the source code on the phishing page, which even tech-savvy individuals would be unlikely to check.
This campaign was identified by researchers at Check Point, but it is just one of many similar campaigns to have been identified over the past few months. Since these domains are legitimate and have valid SSL certificates, they are difficult to detect as malicious. This campaign abused Google Cloud Services, but several other campaigns have been detected using the likes of IBM Cloud, Microsoft Azure and others to add legitimacy to the campaigns.
This campaign highlights the importance of providing security awareness training to the workforce and warning employees about the risks of clicking links in unsolicited emails, even those that link to genuine domains. An advanced email security solution should also be implemented to block malicious emails and ensure the majority of malicious messages are not delivered to inboxes. That is an area where TitanHQ can help.
Emotet was the most prolific malware botnet of 2018 and 2019, but the botnet fell silent on February 7, 2020 but it has now sprung back to life and is being used to distribute Trojan malware. The botnet returned with a malicious spam campaign on July 17 of at least 30,000 emails, mostly targeting organizations in the United States and United Kingdom. The scale of the campaign has now grown to around 250,000 emails a day with the campaign now global.
The Emotet botnet is a network of computers infected with Emotet malware and there are estimated to be around half a million infected Windows computers under the control of the botnet operators. Those infected devices are contacted through the attackers’ command and control (C2) servers and are sent instructions to send out spam emails spreading Emotet malware.
Once the malware is downloaded, the infected computer is added to the botnet and is used to send spam emails. Emotet infections can also spread laterally within an organization. When investigations are launched following the detection of Emotet, it is common for other computers to be discovered to be infected with the malware.
What makes Emotet particularly dangerous is the operators of the botnet pair up with other threat groups and deliver other malware variants. Emotet has been used to distribute a range of malware variants since its creation in 2014, but recently the malware payload of choice was the TrickBot Trojan. TrickBot is a banking trojan cum information stealer that also serves as a malware downloader. In addition to stealing sensitive data, the operators of TrickBot pair up with other malware developers, notably the developers of Ryuk ransomware. Once TrickBot has stolen information, the baton is passed over to Ryuk, which will also steal data before encrypting files on network. The new Emotet campaign started by distributing the TrickBot Trojan, although the payload has since switched to the QakBot banking Trojan. QakBot also delivers ransomware as a secondary payload, with Prolock often used in the past.
Emotet emails use a variety of lures to get recipients to click links to malicious websites or open infected email attachments. Emotet targets businesses, so the lures used are business related, such as fake shipping notices, invoices, purchase orders, receipts, and job applications. The emails are often personalized, and the threat actors known to hijack email threads and send responses with malicious documents added.
An Emotet infection is serious and should be treated with the same urgency as a ransomware attack. Prompt action may allow Emotet to be removed before a secondary payload is delivered.
Fortunately, Emotet malware is delivered via email so that gives businesses an opportunity to prevent infections. By deploying an advanced spam filter such as SpamTitan that has sandboxing to subject email attachments to deep analysis, these malicious emails can be identified and quarantined. Coupled with other email security measures such as end user training, businesses can mount a robust defense and block infections.
The return of Emotet was inevitable, and while the resumption of activity is bad news, there is some good news. A vigilante hacker has started sabotaging Emotet operations by targeting a weak link in their infrastructure. Emotet malware is downloaded from the internet from a range of hacked WordPress sites. The vigilante has found that the temporary stores of Emotet can be easily hacked as they tend to all use the same password. After guessing that password, the Emotet payload has been replaced with a variety of animated GIFs and has disrupted operations, reducing infections to around a quarter of their normal levels. That said, the Emotet gang is attempting to regain control of its web shells and infections with Emotet are still growing.
A recent survey by Capterra on British SMEs has revealed 30% have fallen victim to a phishing attack during the COVID-19 lockdown. Just under half of the phishing emails received (45%) were related to coronavirus or COVID-19.
COVID-19 phishing emails increased significantly during the first quarter of 2020 as the coronavirus spread around the world. Since the virus was unknown to science, scientists have been working tirelessly to learn about the virus, the disease it causes, how the virus is spread, and what can be done to prevent infection. The public has been craving information as soon as it is available, which creates the perfect environment for phishing attacks. People want information and threat actors are more than happy to offer to provide it.
The Capterra survey highlights the extent to which these campaigns are succeeding. Employees are receiving phishing emails and being fooled by the social engineering tactics the scammers have adopted. The high success rate has seen many threat actors temporarily abandon their tried and tested phishing campaigns that they were running before the SARS-CoV-2 outbreak, and have repurposed their campaigns to take advantage of the public’s thirst for knowledge about the virus. In the first quarter of 2020, KnowBe4 reported a 600% increase in COVID-19 and coronavirus themed phishing emails.
The high percentage of businesses that have experienced phishing attacks during the COVID-19 lockdown indicates many SMEs need to augment their anti-phishing defenses. There is also a need for further training to be provided to employees, as the emails are being opened and links are being clicked.
On the training front, formal training sessions may be harder to administer with so many employees working remotely. Consider conducting short training sessions via teleconferencing platforms and sending regular email alerts warning about the latest techniques, tactics and procedures being used in targeted attacks on remote workers. Phishing simulation exercises can be hugely beneficial and will help to condition workers to check emails thoroughly and report any threats received. These simulations also help identify which employees need further training to help them recognize potential phishing attacks.
Of course, the best way to ensure that employees do not open phishing emails and malicious attachments is to ensure they are not delivered to employees’ inboxes. That requires an advanced spam filtering solution.
Many SMEs and SMBs have now moved to an Office 365 hosted email solution, in which case email filtering will be taking place using Microsoft’s Exchange Online Protection – The default spam filtering service that protects all office 365 users. If you are reliant on this solution for filtering out phishing emails and other types of malicious messages, you should consider adding a third-party solution on top of EOP.
Exchange Online Protection provides a reasonable level of security and can block phishing emails and known malware threats, but it lacks the features of more advanced spam filtering solutions and cloud-based email security gateways, such as machine learning and predictive technology to identify attacks that have not been seen before.
As an additional protection against phishing attacks, a web filtering solution should be considered. In the event of a phishing email arriving in an inbox, a web filter serves as an additional layer of protection to prevent attempts by employees to visit websites linked in the emails. When an attempt is made to visit a known phishing website or web content that violates your acceptable internet usage policies, access will be blocked and the user will be directed to a local web page telling them why access has been denied.
Multi-factor authentication should also be implemented for email to ensure that in the event that credentials are compromised, a second factor must be provided before access to the email account is granted.
For more information on spam filtering and web filtering, and further information on TitanHQ’s advanced cloud-based email security solution – SpamTitan – and DNS-based web filtering solution – WebTitan – give the TitanHQ team a call today.
Data obtained by the UK think tank Parliament Street has revealed the extent to which universities are being targeted by cybercriminals and the sheer number of spam and malicious emails that are sent to the inboxes of university staff and students.
Data on malicious and spam email volume was obtained by Parliament Street through a Freedom of Information request. The analysis of data from UK universities showed they are having to block millions of spam emails, hundreds of thousands of phishing emails, and tens of thousands of malware-laced emails every year.
Warwick University’s figures show that more than 7.6 million spam emails were sent to the email accounts of staff and students in the final quarter of 2019 alone, which included 404,000 phishing emails and more than 10,000 emails containing malware.
It was a similar story at Bristol University, which received more than 7 million spam emails over the same period, 76,300 of which contained malware. Data from the London School of Hygiene and Tropical Medicine revealed more than 6.3 million spam emails were received in 2019, which included almost 99,000 phishing emails and more than 73,500 malware attacks. 12,773,735 spam and malicious emails were received in total for 2018 and 2019.
Data from Lancaster University revealed more than 57 million emails were rejected for reasons such as spam, malware, or phishing, with 1 million emails marked as suspected spam. The figures from Imperial College London were also high, with almost 40 million emails blocked in 2019.
Like attacks on companies, cyberattacks on universities are often conducted for financial gain. These attacks attempt to deliver malware and obtain credentials to gain access to university networks to steal data to sell on the black market. Universities store huge amounts of sensitive student data, which is extremely valuable to hackers as it can be used for identity theft and other types of fraud. Attacks are also conducted to deliver ransomware to extort money from universities.
Universities typically have high bandwidth to support tens of thousands of students and staff. Attacks are conducted to hijack devices and add them to botnets to conduct a range of cyberattacks on other targets. Email accounts are being hijacked and used to conduct spear phishing attacks on other targets.
Nation state sponsored advanced persistent threat (APT) groups are targeting universities to gain access to intellectual property and research data. Universities conduct cutting edge research and that information is extremely valuable to companies who can use the research data to develop products to gain a significant competitive advantage.
Universities are seen as relatively soft targets compared to organizations of a similar size. Cybersecurity defenses tend to be far less advanced, and the sprawling networks and number of devices used by staff and students make defending networks difficult.
With the number of cyberattacks on universities growing, leaders of higher education institutions need to take steps to improve cybersecurity and prevent the attacks from succeeding.
The majority of threats are delivered via email, so advanced email security defenses are essential, and that is an area where TitanHQ can help.
Independent test show SpamTitan blocks in excess of 99.97% of spam email, helping to keep inboxes free of junk email. SpamTitan incorporates dual anti-virus engines to block known threats, machine learning to identify new types of phishing attacks, and sandboxing to detect and block zero-day malware and ransomware threats. When email attachments pass initial tests, suspicious attachments are sent to the sandbox for in depth analysis to identify command and control center callbacks and other malicious actions. SpamTitan also incorporates SPF and DMARC controls to block email impersonation attacks, data loss prevention controls for outbound messages and controls to detect potential email account compromises.
If you want to improve cybersecurity defenses, start with upgrading your email security defenses with SpamTitan. You may be surprised to discover the little investment is required to significantly improve your email security defenses. For more information, call the TitanHQ team today.
Several new COVID-19 phishing email campaigns have been detected over the past few days that are exploiting fear about the novel coronavirus pandemic to deliver computer viruses and steal sensitive information.
People are naturally worried about getting infected with the real virus especially with the high fatality rate, so emails related to COVID-19 are likely to be opened.
Some of the phishing emails that have been intercepted are easy to identify as malicious. They are poorly written with spelling mistakes and grammatical errors, but some campaigns have been expertly crafted and are highly convincing and are likely to catch out many people.
The first COVID-19 phishing campaigns were detected in January and the number has steadily grown over the past few weeks. Many different threat groups are now using COVID-19 phishing lures to fool the unwary into disclosing credentials, visiting malicious links, or downloading malware.
The World Health Organization (WHO) has issued a warning after several phishing campaigns were detected that impersonated WHO. The emails claimed to provide essential information about cases in the local area along with advice on how to avoid infection. One of the most recently detected campaigns claimed to provide “Coronavirus Updates” with the emails containing a ZIP file attachment that appeared to be a PDF file – MYHEALTH.PDF. However, the file was actually an executable file – MYHEALTH.exe. If the file was opened, it triggered the download of GULoader, which in turn downloads Formbook malware from Google Drive. Another similar campaign included a Word attachment that downloaded the TrickBot Trojan, which is being used to deliver Ryuk ransomware as a secondary payload.
The Centers for Disease Control and prevention is also being impersonated. One campaign claims the novel coronavirus had become an airborne threat and warns of new cases in the local area. The emails appear to have been sent from a legitimate CDC email account – CDC-Covid19[@]cdc.gov. The emails include an attachment titled “Safety Precautions” which appears to be an Excel spreadsheet, but it actually a .exe executable file. Double clicking on the file attachment triggers the download of a banking Trojan.
Email and text-based phishing campaigns are targeting UK taxpayers and impersonate HM Revenue and Customs (HMRC). The emails include a legitimate HMRC logo and advise the recipients about a new COVID-19 tax refund program. According the emails, the refund program was set up in cooperation with National Insurance and National Health Services and allows taxpayers to claim back tax to help deal with the coronavirus pandemic. In order to receive the refund, the user is told they must supply their name, address, mother’s maiden name and their bank card number.
In the past few days, a web-based malware distribution campaign has been identified. Several websites are now displaying world maps and dashboards that allow people to track the spread of the virus and find out about the location of new cases. People are naturally concerned about cases in their local area, and the website maps are attracting a lot of visitors.
Shai Alfasi, a security researcher at Reason Labs, discovered several websites using fake versions of maps and dashboards. The websites prompt users to download an application that allows them to track infections in real-time. The application is an executable file that delivers the AZORult information stealer.
With COVID-19 infections increasing and showing no sign of slowing, COVID-19 phishing campaigns are likely to continue. Organizations should raise awareness of the threat of COVID-19 phishing attacks with their employees and ensure appropriate technical solutions are implemented to block web and email-based attacks. TitanHQ can help with the latter and can provide advanced email and web security solutions to block these attacks. If you have not yet implemented a web filter or email security solution to protect your Office 365 accounts, now is a good time to start. Contact TitanHQ today for further information.
Microsoft has announced it has taken control of the U.S. infrastructure of the Necurs botnet and has taken steps to prevent the botnet operators from registering new domains and the rebuilding the Necurs infrastructure.
The Scale of the Necurs Botnet
The Necurs botnet first appeared in 2012 and has grown into one of the largest spam and malware distribution networks. The botnet consists of around 9 million devices that have been infected with Necurs malware. Each device within the botnet is under the control of the cybercrime group behind the botnet.
The Necurs botnet is used to commit a wide range of cybercrimes by the operators of the botnet as well as other cybercriminal groups who rent out parts of the botnet as a service. The Necurs botnet was used for malware and ransomware distribution, cryptocurrency mining, and attacks on other computers to steal credentials and confidential data. The Necurs botnet also has a distributed Denial of Service (DDoS) module capable of performing massive DDoS attacks, although this function is yet to be used.
The main use of the botnet is spamming. The botnet has been used to send vast quantities of spam email, including emails pushing fake pharmaceutical products, pump and dump stock scams, and Russian dating scams. To give an example of the scale of the spamming, over a 58-day period of observation, Microsoft found that a single Necurs malware-infected computer had sent out 3.8 million spam emails to 40.6 million email accounts. That is just one infected device out of 9 million! In 2017, the botnet was being used to spread Dridex and Locky ransomware at a rate of around 5 million emails an hour and between 2016 and 2019 the botnet was responsible for 90% of email-based malware attacks.
The Takedown of Necurs Infrastructure
Microsoft has tracked the criminal activity of the Necurs botnet operators for 8 years. The gang is believed to be Evil Corp, the Russian cybercriminal group behind the Dridex banking Trojan. Evil Corp has been named the most harmful cybercrime group in the world.
The takedown of the Necurs botnet involved a coordinated effort by Microsoft and partners in 35 countries. Microsoft obtained an order from the U.S. District Court for the Eastern District of New York on March 5, 2020 to seize the U.S. domains used by the botnet operators. These domains were used to issue commands to the 9 million infected computers.
Simply seizing the domains would not be sufficient to take down the botnet, as the botnet’s command and controls servers could be rapidly rebuilt. Domains used by the threat actors are often taken down, so new domains are constantly registered weeks or months in advance.
The key to long-term disruption of the botnet was cracking the algorithm used by the threat actors to generate new domains. Microsoft analyzed the algorithm and calculated more than 6 million domains that would be used by the threat actors over the next 25 months. Steps have been taken to prevent those domains from being registered and becoming part of the Necurs infrastructure.
The 9 million devices around the world are still infected with Necurs malware. Microsoft and its partners have identified the infected devices and are working with ISPs and CERT teams around the world to rid those devices of the malware.
Just a few days after new figures from the FBI confirmed business email compromise scams were the biggest cause of losses to cybercrime, news broke of a massive cyberattack on a Puerto Rico government agency. Cybercriminals had gained access to the email account of an employee, understood to work in the Puerto Rico Employee Retirement System.
The compromised email account was used to send requests to other government agencies requesting changes be made to standard bank accounts for remittance payments. Since the email account used was trusted, the changes to bank accounts were made. Scheduled payments were then made as normal and millions of dollars of remittance payments were wired to attacker-controlled bank accounts.
The Puerto Rico Industrial Development Company, a state-owned corporation that drives economic development of the country, was one of the worst hit. Emails were received requesting changes to bank accounts and two payments were made. The first payment of $63,000 was made in December and another payment of $2.6 million in January. Other departments were also targeted, including the Tourism Company. The latter made a payment of $1.5 million. In total, the scammers attempted to steal around $4.73 million.
The business email compromise scam was uncovered when those payments were not received by the correct recipients. Prompt action was then taken to block the transfers and some of the payments were frozen, but the government has not been able to recover around $2.6 million of the stolen funds.
A full investigation has been launched to determine how the attackers gained access to the email account to pull off the scam. While the method used has not been confirmed, BEC attacks usually start with a spear phishing email.
A phishing email is sent to a person of interest requesting urgent action be taken to address a problem. A link is supplied in the email that directs the user to a website that requests their email account credentials. The account can then be accessed by the attacker. Attackers often set up mail forwarders to receive a copy of every email sent to and from the account. This enables them to learn about the company and typical payments and construct highly convincing scam emails.
Once access to a corporate email account is gained, the BEC scam is much harder to identify and block. The best defense is to ensure that the initial phishing emails are not delivered, and that is an area where TitanHQ can help.
A novel coronavirus phishing campaign has been detected that uses scare tactics to trick users into infecting their computer with malware.
The World Health Organization has now declared the 2019 novel coronavirus outbreak a global emergency. The number of cases has increased 10-fold in the past week with almost 9,100 cases confirmed in China and 130 elsewhere around the world.
A worldwide health crisis such as this has naturally seen huge coverage in the press, so it is no surprise that cybercriminals are capitalizing on the concern and are using it as a lure in a malspam campaign to scare people into opening an email attachment and enabling the content.
A novel coronavirus phishing campaign has been detected that uses a fake report about the coronavirus to get email recipients to open a document that details steps that should be taken to prevent infection. Ironically, taking the actions detailed in the email will actually guarantee infection with a virus of a different type: Emotet.
The coronavirus phishing campaign was identified by IBM X-Force researchers. The campaign is targeted on users in in different Japanese prefectures and warning of an increase in the number of local confirmed coronavirus cases. The emails include a Word document attachment containing the notification along with preventative measures that need to be taken.
If the attachment is opened, users are told they must enable content to read the document. Enabling the content will start the infection process that will see the Emotet Trojan downloaded. Emotet is also a downloader of other malware variants. Other banking Trojans and ransomware may also be downloaded. Emotet can also send copies of itself to the victim’s contacts. Those messages may also be coronavirus related.
To add credibility, the Emotet gang makes the emails appear to have been sent by a disability welfare service provider in Japan. Some of the captured messages include the correct address in the footer.
More than 2,000 new infections have been confirmed in the past 24 hours in China and all of its provinces have now been impacted. Cases have now been reported in 18 other countries with Thailand and Japan the worst hit outside of China with 14 cases confirmed in each country. As the coronavirus spreads further and more cases are reported, it is likely that the Emotet gang will expand this campaign and start targeting different countries using emails in different languages. Kaspersky lab has also said that it has identified malspam campaigns with coronavirus themes that use a variety of email attachments to install malware.
Businesses can protect against Emotet, one of the most dangerous malware variants currently in use, by implementing a spam filtering solution such as SpamTitan that incorporates a sandbox where malicious documents can be analyzed in safety to check for malicious actions.
For further information on protecting your email system, contact TitanHQ today.
It has been well documented how much time businesses waste dealing with spam and there is no denying the threat that malicious spam emails (malspam) pose, but it is not just a problem for big business. Spam in academia is also a major problem.
A recent study published in the journal, Scientometrics, explores the cost of spam in academia. The study was primarily focused on spam emails sent by new, non-peer reviewed journals that are attempting to gain a share of the market. These journals are adopting the same spam tactics often used by scammers to sell cheap watches, cut price medications, and for phishing and spreading malware.
Three researchers – Jaime A. Teixeira da Silva, Aceil Al-Khatib, and Panagiotis Tsigaria – attempted to quantify the amount of time that is being wasted dealing with those messages and the losses that result.
To assess the extent of the problem, the researchers used figures from several studies on spamming to obtain an average number of targeted spam emails that academics receive each day. They opted for a conservative figure of 4-5 messages, per academic, per day. Most of those messages take just a few seconds to open and read but that time mounts up. They assumed an average time of 5 seconds per message – less than half a minute per day. That equates to $100 per researcher, per year at an average hourly rate of $50. Using the United Nations estimate of the number of researchers in academia globally, the total global cost of spam in academia was estimated to be $1.1 billion a year.
That figure is based on the lost time alone and does not factor in non-targeted spam emails – bulk unsolicited emails not specifically targeting researchers. Add in the time dealing with those messages and the global cost reaches $2.6 billion a year. To put the cost into perspective, $2.6 million is much more than the time researchers devote to peer review, which has been estimated at costing $1.9 billion a year. The figures do not include the considerable losses due to phishing, malware, and ransomware attacks. Factor in those costs and the losses would be several orders of magnitude higher.
Co-author of the study, Panagiotis Tsigaris, a professor of economics at Thompson Rivers University in Canada, explained that there is no silver bullet when it comes to dealing with spam and suggested several ways that the cost of spam in academia could be reduced.
Tsigaris suggests that penalties should be increased for publishing in predatory journals, and that academics should be educated about spam email and improvements should be made to email filtering technology.
Here at TitanHQ we are well aware of the problem of spam, both in terms of the productivity losses that spam causes, and harm caused by malicious spam emails.
To help prevent losses and downtime due to spam and email-based threats, TitanHQ has developed a powerful, easy -to-use, and cost-effective cloud-based spam filtering solution called SpamTitan. SpamTitan has been independently tested and shown to block in excess of 99.9% of spam email, 100% of known malware and ransomware threats, and thanks to a host of detection measures and sandboxing, SpamTitan is also effective at blocking zero-day (new) malware and ransomware threats.
To find out more about SpamTitan and how you can block more spam and ensure malicious emails do not reach your researchers’ inboxes, give the TitanHQ team a call today.
Over the past 2 decades TitanHQ has been developing powerful cybersecurity solutions for SMBs and managed service providers (MSPs) that serve the SMB market. Naturally at TitanHQ we have great belief in our email security solution, SpamTitan. We believe it is the ideal spam filtering solution for SMBs and MSPs for preventing a myriad of email threats from reaching inboxes.
TitanHQ is the leading provider of cloud-based email security to MSPs serving the SMB market. We regularly receive positive feedback from MSPs and SMBs about how the solution has saved them hours of work compared to other email security solutions and has helped them improve email security and block more spam and stop malware and ransomware from reaching inboxes.
Positive feedback from end users proves we are getting it right and it inspires us to continue improving the solution to ensure it will keep on protecting our customers from malware, ransomware, viruses, botnets, and social engineering and phishing attacks for many years to come.
The positive feedback is not only provided to our engineers and customer service and sales teams. IT decision makers have posted highly positive reviews on the top business software review platforms and are letting other IT professionals know about their experiences implementing the solution, integrating it with their other cybersecurity solutions and management platforms, and what it is like to use SpamTitan on a daily basis.
In fact, across the different business review sites, SpamTitan has consistently received high scores. There is no other email security product on the market that has achieved such a wealth of positive reviews and feedback from end users.
Some of the positive reviews across the leading business software review sites are detailed below:
Gartner Peer Insights
Gartner Peer insights is one of the most highly respected review platforms from the world’s leading business advisory and research company. While Gartner strictly polices the review site, Gartner is unbiassed and has no hidden agenda. The review platform gives IT professionals the opportunity to give their honest feedback on software solutions that they have implemented to help other IT professionals save time and money in their search.
36 qualified users of SpamTitan have left reviews on the site and the solution has achieved highly positive feedback with an average user score of 4.7 out of 5.
“SpamTitan has been a very responsive vendor to work with, both during the sales process and with post-sales support. Tickets are responded to within several hours and often resolved within a day. The product itself is very MSP-friendly supporting delegation to client admins, multiple delivery pools, and attractive pricing. The catch rate is better than Exchange Online.”
Microsoft Team Lead in the Services Industry
“SpamTitan takes a little technical knowhow, but it’s powerful, flexible and affordable.” Director of IT and Telecom in the Healthcare Industry.
“SpamTitan is superb giving control back to the user and giving time back to IT staff. The product is amazing, it stopped 99% of spam and gives total control back to the user, it is web based and was easy to migrate to. The support and migration management from TitanHQ was brilliant.” IT Security Manager in the Manufacturing Industry.
G2 Crowd is one of the leading business software review sites. 139 verified users of SpamTitan have left reviews on the site and the solution has achieved an overall score of 4.6 out of 5. SpamTitan has been rated consistently highly in all rating categories, achieving 9.3 out of 10 for meets requirements and ease of doing business with, 9.2 for ease of setup and quality of support, 9.1 for ease of use, and 9.0 for ease of admin.
Additionally, each quarter, G2 Crowd compiles its Email Security Grid and rates solutions based on customer feedback and market presence. For four consecutive quarters, SpamTitan has been the Top Email Security Solution.
“I really like the customization that is available for this product. We have total control over the spam filter environment for all our customers. The environment is stable which is very important to us and our customers. The support staff was great when we were getting our environment configured. They were quick to reply to emails and reach out to assist us as needed. The spam filtering is top-notch and much better than other products we have used.”
Jeff Banks, Director Of Technology.
Antispam that is affordable, flexible and powerful.” Mike S, Director of IT and Telecommunications.
“Cloud Version is Great for Managed Service Providers.” Andrew B, Vice President.
“Minimizes our exposure to harmful malware and junk emails.” David C, Outreach Specialist.
112 users of SpamTitan have taken the time to submit their feedback to Google Reviews. The solution is consistently given top marks by users and has achieved an overall review score of 4.9 out of 5.
Some of the positive feedback from users includes:
“TitanHQ is an excellent solution which ticks many boxes. It’s simple to setup, and gives a huge range of functionality all from within one place. My experience of the Support help desk has been great with a team that really do know their product. I highly recommend TitanHQ.” Chris Bell.
“The Titan Span filter is by far one of the best email filters I have ever used. It was simple to setup, it allows users to release their own emails from quarantine quick and easy.” Joseph Walsh.
“Great product. Spam reduced to almost zero and no user complaints. Configuration is simple and support is awesome. Love it!” George Homme.
Capterra is a leading software review site that has been active for 20 years. The site has now been purchased by Gartner which moderates reviews on the site. Capterra includes more than 700 categories of software products and is one of the most highly respected business software review sites. It is relied upon by IT decision makers the world over.
SpamTitan has been reviewed by 379 users and has achieved an overall review score of 4.6 out of 5.
“It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using spam titan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes. I shut off the service for 48 hours just to make sure it easy legit, it was, and I haven’t shut it off again since. Whitelisting and blacklisting domains and specific emails are super easy. Support Staff are awesome and go into detail when resolving problems if they were to arise or even if you just have a question. They have always been friendly and courteous and super personable and have been some of the best people to work with in all my years doing IT.” Benjamin Jones, Director Of Information Technology.
“SpamTitan has saved me, saved my company time, and has some of the best support people around. It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using spam titan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes.” Benjamin J, Director of Information Technology.
Members of the Spiceworks community have also rated SpamTitan highly. The solution has been reviewed by 56 users and has an overall rating of 4.6 out of 5.
The software review site Software Advice includes 350 reviews of SpamTitan from business users and has achieved an average score of 5.58 out of 5.
According to SpamFilterReviews, SpamTitan is the top-rated spam filtering solution on the site with a score of 4.9 out of 5.
Cyberattacks on managed service providers have been increasing over the past few months and they are now a key target for hackers. If a hacker can gain access to the systems of a managed service provider, their remote administration tools can be used to launch attacks on their clients.
There have been several major cyberattacks on managed services providers in the past few weeks, with nation state-backed hacking groups targeting MSPs serving enterprises and ransomware gangs are conducting attacks on MSPs serving small and medium sized businesses.
Three major cyberattacks on managed service providers serving healthcare organizations in the United States have been reported in the past two months. All three have affected more than 100 healthcare clients and one impacted 400.
In late November, the Milwaukee-based managed IT service provider, Virtual Care Provider Inc., was attacked with Ryuk ransomware. The attack started on November 17, 2019 and affected all of its clients’ data. Around 110 nursing homes and acute care facilities were prevented them from accessing their patients’ medical records. The consequences for its clients were dire. Assisted living facilities and nursing homes were prevented from billing for Medicaid, which meant essential funding was not provided and nursing homes were prevented from ordering essential drugs for patients. Virtual Care Provider was issued with a $14 million ransom demand, which the company could not afford to pay. The managed service provider had around 20% of its services affected and had to rebuild around 100 servers.
The ransomware was deployed as a secondary payload by the TrickBot Trojan. TrickBot had been installed on its network 14 months previously via a malicious email attachment.
A few weeks later, a Colorado-based managed service provider serving dental practices was attacked with ransomware. Complete Technology Solutions was infected with a ransomware variant called Sodinokibi. First the MSP was attacked, then its remote administration tools were used deploy ransomware on the networks of more than 100 dental practices. A ransom demand of $700,000 was issued, which the MSP refused to pay. Its clients are now having to pay the attackers for the keys to decrypt their files. Only a few that had backups stored off the network were able to recover without paying the ransom.
This is the second such attack to affect a company serving the dental industry. The dental record backup service provider, PerCSoft, was also attacked with Sodinokibi ransomware. That attack affected approximately 400 dental practices. CyrusOne was also attacked with Sodinokibi ransomware and its managed services division and six of its clients were affected.
It is not only ransomware that is being used in the attacks. Nation-state threat groups such as APT10 are also targeting MSPs. Their aims are different. The attacks are being conducted to gain access to the intellectual property of their enterprise customers.
As cyberattacks on managed service providers increase, MSPs must ensure that they have adequate defenses in place to keep the hackers at bay. This is an area where TitanHQ can help. TitanHQ is the leading provider of cloud-based email and web security solutions for managed service providers that serve the SMB market.
TitanHQ offers a trio of solutions for MSPs under the TitanShield program. SpamTitan email security is a powerful cloud-based solution that keeps inboxes free of spam, phishing emails, and malware. SpamTitan incorporates SPF and DMARC to block email impersonation attacks, uses dual antivirus engines to detect known malware threats, and heuristics and sandboxing to identify and block zero-day threats.
WebTitan Cloud is a 100% cloud-based DNS filtering solution that works seamlessly with SpamTitan to block web-based phishing attacks and malware downloads. The solution allows you to monitor and identify malicious threats in real time, and includes AI-driven protection against active and emerging phishing URLs, including zero-minute threats.
The third solution is ArcTitan, a cloud-based email archiving solution that provides protection against data loss and helps MSPs and their clients meet their compliance obligations. ArcTitan serves as a black box flight recorder for email and stores email data securely in the cloud on Replicated Persistent Storage on AWS S3. When emails need to be searched and recovered, the searches are lightning fast. ArcTitan can search up to 30 million emails a second.
ArcTitan has recently been moved to a brand new system, with the service delivered as a highly available, self-healing horizontally scaled Kubernetes cluster. Within that cluster are many different components working in harmony together, but independently. Should any component go down, that component can be taken offline and repaired with no impact on the others, ensuring a much more reliable service with minimal or no disruption during an outage. With ArcTitan, email is protected from cyberattacks.
These solutions are not only an ideal for improving the security posture of MSP clients, they can help to ensure that MSP systems are protected from attack. All TitanHQ solutions are quick and easy to implement, have a low management overhead, and are API-driven so they can easily be incorporated into MSP’s remote management and monitoring systems.
To find out more about the TitanShield program for managed service providers and to discover how TitanHQ’s cybersecurity solutions can improve yours and your clients’ security posture, give the TitanHQ channel team a call today.
Recent research has highlighted just how important it is for businesses to implement a range of defenses to ensure phishing emails are not delivered to inboxes and how business phishing protections are failing.
The studies were conducted to determine how likely employees are to click on phishing emails that arrive in their inboxes. Alarmingly, one study indicated almost three quarters of employees were fooled by a phishing test and provided their credentials to the attacker. In this case, the attacker was the consultancy firm Coalfire.
71% of the 525 businesses that were tested had at least one employee disclose login credentials in the phishing test, compared to 63% last year. At 20% of businesses, more than half of the employees who were tested fell for the phishing scam, compared to 10% last year.
A second study conducted by GetApp revealed a quarter of 714 surveyed businesses said they had at least one employee who responded to a phishing attack and disclosed their login credentials and 43% of businesses had employees that had clicked on phishing emails. The study also revealed only 27% of businesses provide security awareness training to employees, only 30% conduct phishing simulations, and 36% do not have multi-factor authentication in place on email.
The Importance of Layered Phishing Defenses
To mount an effective defense against phishing and other cyberattacks, a defense in depth approach to security is required.
With layered defenses, businesses are not replying on a single solution to block phishing attacks. Multiple defenses are put in place with the layers overlapping. If one measure proves to be ineffective at blocking a phishing email, others are in place to provide protection.
One area where many businesses fail is relying on Office 365 anti-phishing controls. A study by Avanan showed Office 365 phishing defenses to be effective at blocking most spam emails, but 25% of phishing emails were delivered to inboxes.
What is required is an advanced anti-spam and anti-phishing platform that can be layered on top of Office 365 to ensure that these phishing emails are blocked. SpamTitan can be seamlessly implemented in Office 365 environments and provides superior protection against phishing and malware attacks. SpamTitan blocks more than 99.9% of spam and phishing emails, 100% of known malware, and incorporates a host of features to identify zero-day threats.
As good as SpamTitan is at blocking email threats, other layers should be implemented to block phishing attacks. If a phishing email arrives in an inbox, a web filter will provide protection by blocking attempts by employees to visit phishing websites and sites hosting malware. WebTitan is a powerful DNS filtering solution that protects against the web-based element of phishing attacks. WebTitan adds an extra layer to phishing defenses and will block attempts by employees to visit malicious sites.
If an attacker succeeds in obtaining the credentials of an employee, it is important that those credentials cannot be used to gain access to the account. That protection is provided by multi-factor authentication. Multi-factor authentication is not infallible, but it will prevent stolen credentials from being used to access accounts in the majority of cases.
Security awareness training is also vital. Employees are the last line of defense and that defensive line will be tested. If employees are not trained how to identify phishing emails and other email security threats, they cannot be expected to recognize threats when they land in inboxes. An annual training session is no longer enough, considering how many phishing attacks are conducted on businesses and how sophisticated the attacks are becoming.
Security awareness training should consist of an annual training session with regular refresher training sessions throughout the year. Employees should be kept up to date on the latest tactics being used by cybercriminals to help them identify new scam emails that may bypass email security defenses. Phishing simulation exercises are also important. If these simulations are not conducted, businesses will have no idea how effective their training sessions have been, and which employees have not taken the training on board.
A new phishing campaign has been detected that is targeting Office 365 admins, whose accounts are far more valuable to cybercriminals than standard Office 365 accounts.
A standard Office 365 email account can used for spamming or conducting further phishing attacks on the organization or business contacts. However, there is a problem. When the account is used for phishing, the sent messages are likely to be noticed by the user. Failed delivery messages will also arrive in the user’s inbox. The account may only be able to be used for a short time before an account compromise is detected.
The attackers targeting Office 365 admins aim to compromise the entire domain. Office 365 admins can create new accounts on the domain, which are then used for phishing. Since the only person using that account is the attacker, it is likely the malicious actions will not be noticed, at least not as quickly. The only person who will see the failed delivery messages and sent emails is the attacker.
The newly created account abuses trust in the business domain. Any individual to receive such a phishing message may mistakenly believe the email is a legitimate message from the company. The messages also take advantage of the reputation of a business. Since the business domain will have been used only to send legitimate messages, the domain will have a high trust score. That makes it far more likely that the emails being sent from the new account will be delivered to inboxes and will not be picked up by Office 365 spam filters. The Office 365 admin may also have access to all email accounts on the domain, which will allow the attacker to steal a huge amount of email data.
In theory, Office 365 admins should be better at identifying phishing emails than other employees in the organization as they usually work in the IT department; however, these emails are very realistic and will likely fool many Office 365 admins.
The lure being used is credible. The emails appear to have been sent by Microsoft and include the Microsoft and Office 365 logos. The emails claim that the organization’s Office 365 Business Essentials invoice is ready. The user is told to sign into the Office 365 admin center to update their payment information, set their Message Center preferences, and edit their release preferences or join First Release and set these up if they have not done so already. The emails include an unsubscribe option and are signed by Microsoft and include the correct contact information. The emails also link to Microsoft’s privacy statement.
The embedded hyperlinks in the emails link to an attacker-controlled domain that is a carbon copy of the official Microsoft login page. If the user’s credentials are entered, they are captured by the attacker.
This campaign highlights how important it is to have layered email security defenses in place to block phishing attacks. Many phishing emails bypass standard Office 365 anti-phishing controls so additional protection is required.
An advanced anti-phishing solution such as SpamTitan should be layered on top of Office 365 to provide greater protection against sophisticated phishing attacks. Approximately 25% of all phishing emails bypass standard Office 365 phishing protections.
Another anti-phishing layer that many businesses have yet to implement is a web filter. A web filter, such as WebTitan, provides protection when messages are delivered to inboxes, as it blocks attempts by employees to visit phishing websites. When a link to a known phishing website is clicked, or the user attempts to visit a questionable domain, they will be directed to a block page and the phishing attack will be blocked.
The aim of this post is to provide you with some easy to adopt email security best practices that will greatly improve your organization’s security posture.
Email is the Most Common Attack Vector!
It is a certainty that business email systems will be attacked so email security measures must be implemented. The best form of email security is to do away with email altogether, but since businesses rely on email to communicate with customers, partners, and suppliers, that simply isn’t an option.
Email not only makes it easy to communicate with the people you need to for your business to operate, it also allows cybercriminals to easily communicate with your employees and conduct phishing attacks, spread malware and, if a corporate email account is compromised, communicate with your customers, partners and suppliers.
Email security is therefore essential, but there is no single solution that will protect the email channel. A spam filtering solution will stop the majority of spam and malicious email from reaching inboxes, but it will not block 100% of unwanted emails, no matter what solution you implement. The key to robust email security is layered defenses. If one defensive measure fails, others are in place that will provide protection.
You need a combination of technical, physical, and administrative safeguards to secure your email. Unfortunately, there is no one-size-fits-all approach that can be adopted to secure the email channel but there are email security best practices that you can adopt that will improve your security posture and make it much harder for cybercriminals to succeed.
With this in mind, we have outlined some of the most important email security best practices for your business and your employees to adopt.
Email Security Best Practices to Implement Immediately
Cybercriminals will attempt to send malware and ransomware via email, and phishing tactics will be used to steal sensitive information such as login credentials, so it is important to be prepared. Listed below are 8 email security best practices that will help you keep your email system secure. If you have not yet implemented any of these best practices, or have only done so partially, now is the time to make some changes.
Develop a Cybersecurity Plan for Your Business
We have included this as the first best practice because it is so important. It is essential for you to develop a comprehensive cybersecurity plan for your entire organization as not all threats arrive via email. Attacks come from all angles and improving email security is only one of the steps you need to take to improve your overall cybersecurity posture.
There are many resources available to help you develop a cybersecurity plan that addresses all cyber risks. The Federal Communications Commission has developed a Cyberplanner to help with the creation of a custom cybersecurity plan and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a Cyber Essentials Guide for Small Businesses and Governments. Take advantage of these and other resources to develop an effective cybersecurity plan.
Implement an Advanced Spam Filtering Solution
A spam filter serves as a semi-permeable membrane that prevents email threats from being delivered to inboxes and lets genuine emails pass through unimpeded. This is the single most important security measure to implement to protect against email threats and productivity-draining spam.
If you use Office 365 you will already have some protection, as Office 365 includes a spam filter and anti-virus software, but it falls short on phishing protection and will not block zero-day malware threats. You need layered defenses to secure email which means a third-party spam filter should be used on top of Office 365. Research from Avanan showed 25% of phishing emails bypass Office 365 defenses.
There are many spam filtering services for SMBs, but for all round protection against known and zero-day threats, ease of implementation, ease of use, and price, SpamTitan is the best choice for SMBs.
Ensure Your Anti-Virus Solution Scans Incoming Emails
You will no doubt have anti-virus software in place, but does it scan incoming emails? Email is one of the main ways that malware is delivered, so anti-virus software for email is a must. This does not necessarily mean you need a different antivirus solution. Your existing solution may have that functionality. Your spam filter is also likely to include AV protection. For example, SpamTitan incorporates dual anti-virus engines for greater protection and a sandbox where email attachments are analyzed for malicious actions. The sandbox his used to detect and block zero-day malware – New, never-before seen malware variants that have yet to have their signatures incorporated into AV engines.
Create and Enforce Password Policies
Another obvious email security best practice is to create a password policy that requires strong passwords to be set. There is no point creating a password policy if it is not enforced. Make sure you implement a control measure to prevent weak passwords from being set. Weak passwords (password, 123456, or dictionary words for example) are easy to remember but also easy to guess. Consider that cybercriminals are not sitting at a computer guessing passwords one at a time. Automation tools are used that make thousands of password guesses a minute. It doesn’t take long to guess a weak password! You should also make sure rate limiting is applied to block an IP from logging in after a set number of failed login attempts.
It is a good best practice to require a password of at least 8 characters to be set, with a combination of upper- and lower-case letters, numbers, and symbols and to block the use of dictionary words. Consider allowing long passphrases to be used as these are easier for employees to remember. Check National Institute of Science and Technology (NIST) advice on secure password practices if you are unsure about creating a password policy.
Implement DMARC to Stop Email Impersonation Attacks and Domain Abuse
DMARC, or Domain-based Message Authentication, Reporting & Conformance to give it its full name, is an email protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine whether an email is authentic.
By creating a DMARC record you are preventing unauthorized individuals from sending messages from your domain. DMARC also lets you know who is sending messages from your domain, and it lets you set a policy to determine what happens to messages that are not authenticated, I.e. quarantine them or reject them. Some email security solutions, such as SpamTitan, incorporate DMARC authentication.
Not only DMARC help you block email impersonation attacks, it also prevents abuse of your domain. Your DMARC record tells receiving email servers not to accept messages sent from authenticated users, thus helping protect your brand.
Implement Multi-Factor Authentication
Multi-factor authentication is yet another layer you can add to your anti-phishing defenses. Multi-factor authentication, as the name suggests, means more than one method is used to authenticate a user. The first factor is usually a password. A second factor is also required, which is something a person knows or possesses. This could be a mobile phone, to which a one-time PIN code is sent, or a token on a trusted device.
This safeguard is vital. If a password is obtained, in a phishing attack for example, the password alone will not grant access to the email account without an additional factor being provided. A combination of a password, token, and one-time PIN is a good combination.
Train Your Employees and Train Them Again
No matter how tech savvy your employees appear to be, assume they known nothing about cybersecurity. They will certainly not routinely stick to email security best practices unless you train them to do so and then hammer the message home.
Before letting any employee have access to email, you should provide security awareness training. Your training should cover email security best practices such as never opening email attachments from unknown senders, never enabling content in documents unless the document has been verified as legitimate, and never to click hyperlinks in emails or send highly sensitive information such as passwords via email.
You must also train your employees how to recognize phishing emails and other malicious messages and tell them what to do when suspicious emails are received. Anyone with access to email or a computer must be provided with security awareness training, from the CEO down.
One training session is not enough. Even an annual training session is no longer sufficient. You should be providing regular training, be sending cybersecurity newsletters warning about the latest threats, and using other tools to help create a security culture in your organization.
Conduct Phishing Awareness Simulation Exercises
You have provided training, but how do you know if it has been effective? The only way to tell is to conduct tests and that is easiest with phishing simulation exercises. These are dummy phishing emails that are sent to employees when they are not expecting them to see how they respond. You maybe surprised at how many employees respond and disclose sensitive information, open attachments, or click links in the emails.
The aim of these emails is to identify people that have not taken their training on board. The idea is not to punish those employees, but to tell you who needs further training. There are several companies that can assist you with these exercises. Some even offer free phishing simulation emails for SMBs.
TitanHQ is Here to Help!
TitanHQ has developed SpamTitan to be easy for SMBs to implement, use, and maintain. It requires no hardware, no software, and all filtering takes place in the cloud. Not only does SpamTitan offer excellent protection against the full range of email-based threats, it is also one of the lowest cost solutions for SMBs to implement.
Give the TitanHQ team a call today for more information on SpamTitan and to find out about how you can also protect your business from web-based threats and meet your compliance requirements for email.
Phishers are constantly changing tactics and coming up with new ways to fool people into handing over their credentials or installing malware. New campaigns are being launched on a daily basis, with tried and tested lures such as fake package delivery notices, fake invoices and purchase orders, and collaboration requests all very common.
In a departure from these common phishing lures, one threat group has opted for a rarely seen lure, but one that has potential to be very effective: Fake court subpoenas. The emails use fear and urgency and are designed to get users to panic and click quickly.
This campaign has been running for a few weeks and is targeting users in the United Kingdom, although this scam could easily be adapted and used in attacks on users in other countries.
Many phishing scams have the goal of stealing credentials to allow email accounts or Office 365 accounts to be accessed. In this case, the aim of the attack is to spread information stealing malware called Predator the Thief.
The phishing emails appear to have been sent by the Ministry of Justice in the UK. The sender field has Ministry of Justice as the display name and the emails have the Ministry of Justice crest, although the actual email address suggests the email has come from the Department of Justice (DOJ).
The emails warn the user that they have been subpoenaed. They are supplied with a case number along with a date when they have been ordered to attend court.
The emails include a hyperlink which the user must click to find out details of the charge and the documents they will need to bring with them to court. Urgency is added by warning the recipient they only have 14 days to respond to provide notice, and that the court case will proceed without them if they do not respond.
The URL in the email is seemingly benign, as it links to Google Docs – a trusted website. Clicking the link will see the user first directed to Google Docs, then redirected to OneDrive. When the user arrives on the OneDrive site, a document is downloaded. That document contains a malicious macro that launches a PowerShell command that downloads Predator the Thief malware.
Predator the Thief is an information stealer that can take screenshots and steals email and FTP credentials, along with cryptocurrency wallets and browser information. In contrast to many browser information stealers, this malware variant doesn’t just target the main browsers, but a host of less popular browsers. Once information has been stolen, the malware cleans up and exits, which makes it harder for the infection to be detected.
Phishing scams such as this highlight the need for layered security. Naturally, an advanced anti-spam solution such as SpamTitan should be implemented to block these threats and ensure and ensure messages are not delivered to end users’ inboxes. SpamTitan also includes DMARC email authentication to block mail impersonation attempts and a sandbox where email attachments are analyzed for malicious actions.
SpamTItan blocks in excess of 99.9% of all malicious emails, but it is not possible to block 100% of threats no matter what email security solution you use. This is where another layer is required. WebTitan is a DNS filtering solution that blocks threats such as this at the point where a DNS lookup is performed. This allows malicious websites to be blocked before any content is downloaded. WebTitan can also be configured to block downloads of certain file types.
With these two solutions in place, your business will be well protected against phishing emails and web-based malware downloads.