Our spam news section provides up to date news on the latest threats that are likely to hit the inboxes of your employees. Cybercriminals are constantly changing tactics with new spam email campaigns, different social engineering techniques and new methods of installing malware and ransomware. By keeping up to date on the latest spam news, organizations can take timely action to mitigate risk.
In that regard, a spam filtering solution is essential. All it takes is for one employee to click on a malicious link or open an infected email attachment for an entire network to be compromised. A spam filter will check all incoming email messages and search for common spam signatures in addition to checking senders’ email accounts against blacklists of known spammers. Email attachments will be checked for virus signatures and hyperlinks compared to blacklists of known malicious domains.
Armed with the latest spam news, information security teams can send email alerts to their employees warning of pertinent threats that they need to be aware of.
This section also includes news on industry-specific attacks, in particular those that are being used to target the healthcare, education, financial services, legal and hospitality sectors.
Office 365 phishing attacks are commonplace, highly convincing, and Office 365 spam filtering controls are easily being bypassed by cybercriminals to ensure messages reach inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SLL certificates to convince users the websites are genuine.
Office 365 Phishing Attacks Can Be Difficult to Identify
In the event of a phishing email making it past perimeter defenses and arriving in an inbox, there are several tell-tale signs that the email is not genuine.
There are often spelling mistakes, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails and they are often virtually indistinguishable from genuine communications from the brand they are spoofing. In terms of formatting, they are carbon copies of genuine emails complete with the branding, contact information, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is requested to take are perfectly plausible.
Hyperlinks are contained in emails that direct users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually further signs that all is not as it seems. A warning may flash up that the website may not be genuine, the website may start with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.
Even these tell-tale signs are not always there, as has been shown is several recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.
Microsoft Azure Blog Storage Phishing Scam
One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use HTTP and HTTPS, the phishing campaign uses the latter, which will show a signed SSL certificate from Microsoft.
In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted document. In this case, the document appears to be from a Denver law firm. Clicking the button directs the user to an HTML page hosted on Azure blog storage that requires Office 365 credentials to be entered to view the document. Since the document is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft adding legitimacy to the scam.
Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.
CloudFlare IPFS Gateway Abused
A similar campaign has been detected that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser. When connecting to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this case, the login requires information to be entered including username, password, and recovery email address and phone number – which will be forwarded to the attacker, while the user will be directed to a PDF file unaware that their credentials have been stolen.
Office 365 Phishing Protections are Insufficient
Office 365 users are being targeted by cybercriminals as they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for protection. With only the basic Exchange Online Protection, the protection was worse still.
Whether you run an SMB or a large enterprise, you are likely to receive high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be fooled. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater protection.
How to Make Office 365 More Secure
While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats such as spear phishing.
Office 365 does not have the same level of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.
To greatly improve protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to ensure malicious messages are blocked or quarantined rather than being delivered to end users’ inboxes. Some of the additional protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:
With the largest economy, the United States is naturally a major target for cybercriminals. Various studies have been conducted on the cost of cybercrime in the United States, but little data is available on cybercrime losses in Germany – Europe’s largest economy.
The International Monetary Fund produces a list of countries with the largest economies. In 2017, Germany was ranked fourth behind the United States, China, and Japan. Its GDP of $3,68 trillion represents 4.61% of global GDP.
A recent study conducted by Germany’s federal association for Information Technology – BitKom – has placed a figure on the toll that cybercrime is taking on the German economy.
The study was conducted on security chiefs and managers at Germany’s top 503 companies in the manufacturing sector. Based on the findings of that survey, BitKom estimated cybercrime losses in Germany to be €43 billion ($50.2 billion). That represents 1.36% of the country’s GDP.
Extrapolate those cybercrime losses in Germany and it places the global cost of cybercrime at $1 trillion, substantially higher than the $600 billion figure estimate from cybersecurity firm McAfee and the Center for Strategic and International Studies (CSIS) in February 2018. That study placed the global percentage of GDP lost to cybercrime at between 0.59% and 0.80%, with GDP losses to cybercrime across Europe estimated to be between 0.79 to 0.89% of GDP.
Small to Medium Sized Businesses Most at Risk
While cyberattacks on large enterprises have potential to be highly profitable for cybercriminals, those firms tend to have the resources available to invest heavily in cybersecurity. Attacks on large enterprises are therefore much more difficult and time consuming. It is far easier to target smaller companies with less robust cybersecurity defenses.
Small to medium sized businesses (SMBs) often lack the resources to invest heavily in cybersecurity, and consequently are far easier to attack. The BitKom study confirmed that these companies, which form the backbone of the economy in Germany, are particularly vulnerable to cyberattacks and have been extensively targeted by cybercriminals.
It is not only organized cybercriminal groups that are conducting these attacks. Security officials in Germany have long been concerned about attacks by well-resourced foreign spy agencies. Those agencies are using cyberattacks to gain access to the advanced manufacturing techniques developed by German firms that give them a competitive advantage. Germany is one of the world’s leading manufacturing nations, so it stands to reason that the German firms are an attractive target.
Cybercriminals are extorting money from German firms and selling stolen data on the black market and nation-state sponsored hackers are stealing proprietary data and technology to advance manufacturing in their own countries. According to the survey, one third of companies have had mobile phones stolen and sensitive digital data has been lost by a quarter of German firms. 11% of German firms report that their communications systems have been tapped.
Attacks are also being conducted to sabotage German firms. According to the study, almost one in five German firms (19%) have had their IT and production systems sabotaged through cyberattacks.
Businesses Must Improve Their Defenses Against Cyberattacks
“With its worldwide market leaders, German industry is particularly interesting for criminals,” said Achim Berg, head of BitKom. Companies, SMBs in particular, therefore need to take cybersecurity much more seriously and invest commensurately in cybersecurity solutions to prevent cybercriminals from gaining access to their systems and data.
According to Thomas Haldenweg, deputy president of the BfV domestic intelligence agency, “Illegal knowledge and technology transfer … is a mass phenomenon.”
Preventing cyberattacks is not straightforward. There is no single solution that can protect against all attacks. Only defense-in-depth will ensure that cybercriminals and nation-state sponsored hacking groups are prevented from gaining access to sensitive information.
Companies need to conduct regular, comprehensive organization-wide risk analyses to identify all threats to the confidentiality, integrity, and availability of their data and systems. All identified risks must then be addressed through a robust risk management process and layered defenses implemented to thwart attackers.
One of the main vectors for attack is email. Figures from Cofense suggest that 91% of all cyberattacks start with a malicious email. It stands to reason that improving email security should be a key priority for German firms. This is an area where TitanHQ can help.
TitanHQ is a provider of world-class cybersecurity solutions for SMBs and enterprises that block the most commonly used attack vectors. To find out more about how TitanHQ’s cybersecurity solutions can help to improve the security posture of your company and block email and web-based attacks, contact the TitanHQ sales team today.
A new Python-based form of ransomware has been detected that masquerades as Locky, one of the most widely used ransomware variants in 2016. The new ransomware variant has been named PyLocky ransomware by security researchers at Trend Micro who have observed it being used in attacks in Europe, particularly France, throughout July and August.
The spam email campaigns were initially sent in relatively small batches, although over time the volume of emails distributing PyLocky ransomware has increased significantly.
Various social engineering tactics are being used by the attackers to get the ransomware installed, including fake invoices. The emails intercepted by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware which has been compiled using the PyInstaller tool, which allows Python applications to be converted to standalone executable files.
If installed, PyLocky ransomware will encrypt approximately 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files stored on all logical drives will be encrypted and the original copies will be overwritten. A ransom note is then dropped on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are unrelated. Ransom notes are written in French, English, Korean, and Italian so it is probable that the attacks will become more widespread over the coming weeks.
While Python is not typically used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been created. Pyl33t was used in several attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant stand out is its anti-machine learning capabilities, which help to prevent analysis using standard static analysis methods.
The ransomware abuses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is installed. If the total visible memory of a system is 4GB or greater, the ransomware will execute immediately. If it is lower than 4GB, the ransomware will sleep for 11.5 days – an attempt to determine if it is in a sandbox environment.
Preventing attacks requires a variety of cybersecurity measures. An advanced spam filtering solution such as SpamTitan will help to prevent the spam emails being delivered to end users’ inboxes. A web filter, such as WebTitan, can be employed to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will help to ensure that end users recognize the threat for what it is. Advanced malware detection tools are required to identify the threat due to its anti-machine learning capabilities.
There is no free decryptor for PyLocky. Recovery without paying the ransom will depend on a viable backup copy existing, which has not also been encrypted in the attack.
A spam email campaign is being conducted targeting corporate email accounts to distribute Loki Bot malware. Loki Bot malware is an information stealer capable of obtaining passwords stored in browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords used for messaging apps.
In addition to stealing saved passwords, Loki Bot malware has keylogging capabilities and is potentially capable of downloading and running executable files. All information captured by the malware is transferred to the attacker’s C2 server.
Kaspersky Lab researchers identified an increase in email spam activity targeting corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was delivered hidden in a malicious email attachment.
The intercepted emails included an ICO file attachment. ICO files are copies of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, most modern operating systems have the ability to access the contents of the files without the need for any additional software.
In this case, the ICO file contains Loki Bot malware and double clicking on the file will result in installation of the malware on operating systems that support the files (Vista and later).
It is relatively rare for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users attempt to open the files.
The campaign included a wide range of lures including fake purchase orders, speculative enquiries from companies containing product lists, fake invoices, bank transfer details, payment requests, credit notifications, and payment confirmations. Well-known companies such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.
Spam Email Campaign Distributing Marap Malware Targets Financial Institutions
A separate and unrelated spam email campaign has been identified that is using IQY files to deliver a new form of malware known as Marap. Marap malware is a downloader capable of downloading a variety of different payloads and additional modules.
Upon installation, the malware fingerprints the system and gathers information such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is installed. If the system is of particular interest, it is earmarked for a more extensive compromise.
Four separate campaigns involving millions of messages were detected by researchers at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document containing a malicious macro. The campaigns appear to be targeting financial institutions.
IQY files are used by Excel to download web content directly into spreadsheets. They have been used in several spam email campaigns in recent weeks to install a variety of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.
Since the majority of end users would not have any need to open ICO or IQY files, these file types should be added to the list of blocked file types in email spam filters to prevent them from being delivered to end users’ inboxes.
While the majority of phishing attempts are conducted via email, there has been a significant rise in the use of other communications platforms such messaging services, with WhatsApp phishing scams now increasing in popularity amongst phishers.
WhatsApp phishing attacks are common for two main reasons. First is the sheer number of people that are on the platform. In January 2018, the number of monthly users of WhatsApp worldwide reached 1.5 billion, up from 1 billion users six months previously. Secondly, is the lack of anti-phishing measures to prevent malicious messages from being delivered.
Many businesses have implemented spam filtering solutions such as SpamTitan, while personal users are benefiting by significant improvements to spam filtering on webmail services such as Gmail. Spam filtering solutions are highly effective at identifying phishing emails and other malicious messages and send them to the spam folder rather than delivering them to inboxes.
Messaging services often lack spam filtering controls. Therefore, malicious messages have a much greater chance of being delivered. Various tactics are used to entice recipients to click the links in the messages, usually an offer of a free gift, an exceptionally good special offer on a product – the new iPhone for instance – or a money off voucher or gift card is offered.
The messages contain a link that directs the recipient to the phishing website. The link usually contains a preview of the website, so even if a shortlink is used for the URL, the recipient can see some information about the site. A logo may be displayed along with the page title. That makes it much more likely that the link will be clicked.
Further, the message often comes from a known individual – A person in the user’s WhatsApp contact list. When a known individual vouches for the site, the probability of the link being clicked is much greater.
To add further legitimacy to the WhatsApp phishing scams, the websites often contact fake comments from social media sites confirming that a gift card has been won or a reward has been received. Some of those comments are positive, and some are neutral, as you would expect from a real prize draw where not everyone is a winner.
The websites used in WhatsApp phishing scams often use HTTPS, which show a green tick next to the URL to show that the site is ‘secure.’ Even though the green tick is no guarantee of the legitimacy of a site, many people believe the green tick means the site is genuine.
Gift cards are often given out for taking part in legitimate surveys, so the offer of either a gift card or entry into a free draw is not out of the ordinary. In return, the visitor to the site is required to answer some standard questions and provide information that would allow them to be contacted – their name, address, phone number, and email address for instance.
The information gathered through these sites is then used for further phishing attempts via email, telephone, or snail mail which aim to obtain even more personal information. After completing the questions, the website may claim that the user has one, which requires entry of bank account information or credit card details… in order for prize money to be paid or for confirmation of age.
These WhatsApp phishing scams often have another component which helps to spread the messages much more efficiently to other potential victims. Before any individual can claim their free prize or even submit their details for a prize draw, they must first agree to share the offer with some of their WhatsApp contacts.
If you receive an unsolicited link from a contact that offers a free gift or money-off voucher, there is a high chance it may not be genuine and is a WhatsApp phishing scam. If an offer seems too good to be true, it most likely is.
Hotels, restaurants, and telecommunications companies are being targeted with a new spam email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being distributed vis spam emails containing Microsoft Word attachments with malicious macros.
Opening an infected email attachment and enabling macros on the document will see Advisorsbot installed. Advisorsbot’s primary role is to perform fingerprinting on an infected device. Information will be gathered on the infected device is then communicated to the threat actors’ command and control servers and further instructions are provided to the malware based on the information gathered on the system. The malware records system information, details of programs installed on the device, Office account details, and other information. It is also able to take screenshots on an infected device.
AdvisorsBot malware is so named because the early samples of the malware that were first identified in May 2018 contacted command and control servers that contained the word advisors.
The spam email campaign is primarily being conducted on targets in the United States, although infections have been detected globally. Several thousands of devices have been infected with the malware since May, according to the security researchers at Proofpoint who discovered the new malware threat. The threat actors believed to be behind the attacks are a APT group known as TA555.
Various email lures are being used in this malware campaign to get the recipients to open the infected attachment and enable macros. The emails sent to hotels appear to be from individuals who have been charged twice for their stay. The campaign on restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications companies use email attachments that appear to be resumes from job applicants.
AdvisorsBot is written in C, but a second form of the malware has also been detected that is written in .NET and PowerShell. The second variant has been given the name PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that downloads a PowerShell script which executes shellcode that runs the malware in the memory without writing it to the disk.
These malware threats are still under development and are typical of many recent malware threats which have a wide range of capabilities and the versatility to be used for many different types of attack such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions performed are determined based on the system on which the malware has been installed. If that system is ideally suited for mining cryptocurrency, the relevant code will be installed. If the business is of particular interest, it will be earmarked for a more extensive compromise.
The best form of defense against this campaign is the use of an advanced spam filtering solution to prevent the emails from being delivered and security awareness training for employees to condition them how to respond when such a threat arrives in their inbox.
A new sextortion phishing threat has been detected that is proving to have the desired effect. Many recipients of the emails have paid up to avoid being exposed.
On the face of it, this sextortion phishing scam is as simple as it gets. A threat actor claims to have taken control of the target’s computer and recorded them via their webcam while they were visiting an adult website. A threat is made to publicly release the video of them viewing pornography unless a payment is made.
For some recipients of such an email, such a threat would be enough to get them opening their Bitcoin wallet and making the payment without a second’s hesitation. Most people would likely see the email for what it really is. A scam and an empty threat.
However, a second variant of the email is being used that is a lot more personalized and includes a snippet of information to add credibility to the scam. The message includes the user’s password as ‘confirmation’ that it is not an empty threat. The attacker also claims, through compromising the target’s computer, to have obtained all the victim’s contacts including contacts in their social media accounts.
While the threat actor claims to have control of the user’s computer, that is not the case. The password has been obtained from a previous data breach and a list has likely been purchased on the darknet.
For many of the email recipients, the password will be old and will have been changed long ago. That may be enough in some cases to see payment made. However, for those who are still using that password, the threat may seem very real.
This is in reality a very simple scam that in many cases only works because despite the risk of failing to change passwords frequently, recycling old passwords, and reusing passwords on multiple sites, the practice is still commonplace.
It is not known how many emails have been sent by the scammers – most likely millions – but it only takes a handful of people to respond and make payment for the scheme to be profitable.
So far, at least 151 people have responded to the sextortion phishing scam and made a payment to one of 313 Bitcoin addresses known to be used by the scammers. So far, at least 30.08 BTC had been raised – Approximately $250,000 – from the scam as of July 26 and it has only been running for a few weeks. The researcher tracking the payments (SecGuru) pointed out that the attackers have made three times as much as the individuals behind the WannaCry ransomware attacks last year.
Even without the password, the sextortion phishing scam has proved effective. Payments have been made in both versions of the scam. The standard scam asks for a payment of a few hundred dollars, although the inclusion of a password sees the payment rise considerably. Some individuals have been told it will cost them $8,000 to prevent the release of the video. Some individuals have paid thousands to the scammers.
Given the widespread coverage of the scam, and its success rate, it is probable that many more similar schemes will be conducted. Variations along the same theme could direct recipients to a phishing website where they are enticed into disclosing their current password, to an exploit kit that downloads malware, or to another scam site.
Protecting against a scam such as this is easiest by using strong passwords, regularly changing them, and never reusing passwords on multiple sites. It is also worthwhile periodically checking to find out if their credentials have been exposed in a data breach on HaveIBeenPwned.com and immediately changing passwords if they have.
Anyone receiving a sextortion phishing email such as this should be aware that this is a scam. If the password included is currently being used, it is essential to change it immediately across all sites. And of course, set a strong, unique password for each account.
The past year has seen a steady increase in the number of reported email account compromises, with the healthcare industry one of the main targets for hackers.
Some of those breaches have seen the protected health information of thousands of patients compromised, with the largest phishing attack in 2018 – The phishing attack on Boys Town National Research Hospital – seeing more than 105,000 patients’ healthcare information exposed. Due to reporting requirements under HIPAA, healthcare phishing attacks are highly visible, although email account compromises are occurring across all industry sectors and the problem is getting worse.
284% Increase in Email Account Compromises in a Year
The increase in successful phishing attacks has been tracked by Beazley, a provider of specialist insurance services. The company’s research shows the number of reported phishing attacks increased every quarter since Q1, 2017 when there were 45 reported breaches that involved email accounts being compromised. In Q2, 2018, there were 184 email account compromises reported. Between Q1, 2017 and Q1, 2018, the number of reported data breaches involving compromised email accounts increased by 284%.
Why are email account compromises increasing? What do hackers gain from accessing email accounts rather than say, gaining access to networks which store vast amounts of data?
It can take a significant amount of time and effort to identify a vulnerability such a missed patch, an exposed S3 bucket, or an unsecured medical device, and exploit it.
By comparison, gaining access to an email account is relatively easy. Once access is gained, accessing further email accounts becomes easier still. If a hacker can gain access to an email account with the right level of administrative privileges, it may be possible for the entire mail system of an organization to be accessed.
If a hacker can gain access to a single email account, the messages in the account can be studied to gain valuable information about a company, its employees, and vendors. The hackers can identify further targets within an organization for spear phishing campaigns – termed Business Email Compromise (BEC) attacks – and attacks on contractors and suppliers.
Once One Account is Breached, Others Will Follow
If an executive’s email account is compromised, it can be used to send requests for wire transfers to the accounts department, HR can be emailed requesting W2-Forms that contain all the information necessary for filing fake tax returns and for identity theft. Requests can be sent via email to redirect employees’ paychecks and phishing emails can be sent to other employees directing them to websites where they have to divulge their email credentials.
Figures from the FBI show just how lucrative these Business Email Compromise (BEC) phishing attacks can be. Since October 2013, more than $12.5 billion has been lost to BEC attacks, up from $5.3 billion in December 2016.
Once access to the email system is gained, it is much easier to craft highly convincing spear phishing emails. Past email conversations can be studied, and an individual’s style of writing emails can be copied to avoid raising any red flags.
Email Account Compromises Are Costly to Resolve
Beazley also notes that email account compromises are some of the costliest breaches to resolve, requiring many hours of painstaking work to manually checking each email in a compromised account for PII and PHI. One example provided involved a programmatic search of compromised email accounts to identify PHI, yet that search uncovered 350,000 documents that required a manual check. The cost of checking those documents alone was $800,000.
Beazley also notes that when investigating breaches, the breached entity often discovers that only half of the compromised email accounts have been identified. The data breaches are usually much more extensive than was initially thought.
Unfortunately, once access to a single email account is gained, it is much harder to prevent further email compromises as technological controls are not so effective at identifying emails sent from within a company. However, it is relatively easy to block the initial phishing attempt.
How to Prevent Email Account Compromises
Many companies fail to implement basic controls to block phishing attacks. Even when a phishing-related breach is experienced, companies often remain susceptible to further breaches. The Ponemon Institute/IBM Security Cost of a Data Breach study showed there is a 27.9% probability of a company experiencing a further breach in the 24 months following a data breach.
To prevent phishing attacks, companies need to:
- Deploy an advanced spam filtering solution that blocks the vast majority of malicious messages
- Provide ongoing security awareness training to all staff and teach employees how to identify phishing emails
- Conduct regular phishing simulation exercises to reinforce training and condition employees to be more security aware
- Implement two-factor authentication to prevent attempts to access email accounts remotely
- Implement a web filter as an additional control to block the accessing of phishing websites
- Use strong, unique passwords or passphrases to make brute force and dictionary attacks harder
- Limit or prevent third party applications from connecting to Office 365 accounts, which makes it harder for PowerShell to be used to access email accounts for reconnaissance.
In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.
UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.
That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.
The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.
The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.
A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.
The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts – Information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.
This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.
The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identify theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.
As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.
There has been a major increase in cryptojacking attacks in recent months. Many cybercriminal gangs now favoring this method of attack over ransomware and other forms of malware and are taking advantage of the high value of cryptocurrencies.
As with ransomware attacks, cybercriminals need to install malicious code on computers. Instead of encrypting files like ransomware, the code is used to mine for cryptocurrency. Mining cryptocurrencies involves a computers CPU being used to solve complex computational problems, which are necessary for verifying cryptocurrency transactions and adding to the blockchain. In exchange for verifying transactions, the miner is paid a small amount for the effort.
Devoting one computer to the task of cryptocurrency mining could generate a few dollars a day. Using multiple computers for the task can generate a substantial return. The more computers that are used, the more blocks can be added to the blockchain and the greater the profits. When a network of cryptocurrency mining slave computers can be amassed, the profits can be considerable. According to Kaspersky Lab, one cryptojacking gang that focusses on infecting enterprise servers and spreading the malicious code using NSA exploits, has generated around 9,000 Monero, which equates to $2 million.
Not all computers are suitable for mining cryptocurrency. One cybercriminal gang has got around this by developing malware that can decide whether to deploy a cryptocurrency miner or ransomware, with the decision based on the processing power of the computer. If its not suitable for use mining cryptocurrency, ransomware is deployed. This tactic helps maximize profits after compromising a device.
The use of cryptocurrency miners increased sharply last year as the value of cryptocurrencies started to soar. The price of those cryptocurrencies may have fallen, but cryptojacking attacks are still on the rise. The volume of new cryptojacking malware variants has also increased considerably over the past few months. Figures from McAfee indicate the number of cryptojacking malware variants increased by a staggering 1,189% in the first three months of 2018 alone, rising from around 400,000 malware variants to more than 2.9 million.
Over the same time frame, there has been a fall in the number of ransomware attacks. In Q1, ransomware attacks fell by around 32%, indicating threat actors who previously used ransomware to make money have changed their tactics and are now using cryptocurrency miners.
Ransomware attacks falling by a third is certainly good news, although the threat from ransomware cannot be ignored. Steps must be taken to prevent the installation of the file encrypting code and good backup practices are essential to ensure files can be recovered in the event of an attack. Certain industries face a higher risk of ransomware attacks than others, such as the healthcare industry, where attacks are still rife.
Cryptojacking attacks are more widespread, although the education sector has proven to be a major target. Many mining operations have been discovered in the education sector, although it is unclear whether these mining operations are legitimate, computers are being used by students to mine cryptocurrency, or if educational institutions are being targeted.
One thing is clear. As the value of cryptocurrencies rose, the number of mining attacks increased. That suggests that should prices fall, cybercriminals will switch to other types of attacks, and there could be a resurgence in ransomware attacks.
It could be argued that the installation of cryptocurrency mining malware on a computer is far less of a problem than ransomware or other forms of malware. When the CPU is mining cryptocurrency, the user is likely to find their computer somewhat sluggish. This can result in a drop in productivity. Heavy processing can also cause computers to overheat and hardware damage can result.
Cryptojacking malware is usually installed by a downloader, which can remain on a computer. If the profits from mining cryptocurrency fall, new malware variants could easily be downloaded in its place. Cryptocurrency mining malware can also be bundled with other malware variants that steal sensitive information. Cryptojacking attacks are therefore a major threat.
Protecting against cryptojacking attacks involves the same security controls that are used to block other forms of malware. Cryptojacking malware can be installed by exploiting vulnerabilities so good patch management is essential. Spam and phishing emails are used to install malware downloaders, so an advanced spam filtering solution is a must. Web filters can prevent web-based mining attacks and malware downloads and offer an important extra layer of protection. It is also important not to neglect end users. Security awareness training can help to eradicate risky behaviors.
Additionally, security audits should be conducted, first to scan for the presence of cryptojacking malware, which includes searching for anomalies that could indicate the presence of the malware. Those audits should include servers, end points, POS systems, and all other systems. Any system connected to the network could potentially be used for mining cryptocurrency.
Rakhni ransomware, a malware variant first detected in 2013, has spawned many variants over the past three years and is still an active threat. Rakhni ransomware locks files on an infected device to prevent the user from accessing their data. A ransom demand is issued and if payment is made, the attackers will supply the keys to unlock the encryption. If the ransom is not paid the files will remain encrypted. In such cases, the only option for file recovery is to restore files from backups.
Now the developers of Rakhni ransomware have incorporated new functionality. Checks are performed on an infected device to determine whether it has sufficient processing power to be used as a cryptocurrency mining slave. If so, cryptocurrency mining malware will be downloaded. If not, ransomware will be deployed.
This new development should not come as a major surprise. The massive rise in the value of many cryptocurrencies has made mining cryptocurrencies far more profitable for cybercriminals than ransomware. When ransomware is installed, many victims choose not to pay and instead recover files from backups. Infection is no guarantee that a payment will be received. If a cryptocurrency miner can be installed, it gets straight to work generating money for the attackers. Ransomware attacks are still a major threat, although many cybercriminals have switched their operations to mining cryptocurrencies. In fact, cryptocurrency mining malware attacks are now much more common than ransomware attacks.
However, not all computers have sufficient CPU processing power to make cryptocurrency mining worthwhile, so the method used by the threat actors behind Rakhni ransomware helps them maximize their profits.
The new Rakhni ransomware campaign was detected by researchers at Kaspersky Lab. The malware used is Delphi-based and is being distributed in phishing emails containing a Microsoft Word file attachment.
The user is advised to save the document and enable editing. The document contains a PDF file icon which, if clicked, launches a fake error message suggesting the DLL file required to open the PDF file has not been found. The user needs to click on the OK box to close the error message.
When the error box is closed, the malware performs a series of checks on the machine to identify the processes running on the device and assesses those processes to determine if it is running in a sandbox environment and the likelihood of it being able to run undetected. After these checks have been performed the system is assessed to determine its capabilities.
If the machine has more than two processors and does not have a Bitcoin folder in the AppData folder, a cryptocurrency miner will be installed. The cryptocurrency miner uses fake root certificates which show the program has been issued by Microsoft Corporation to help disguise the miner as a trusted application.
If a Bitcoin folder does exist, certain processes will be stopped, and Rakhni ransomware will be downloaded and run. If there is no Bitcoin folder and only one processor, the malware will use its worm component and twill attempt to spread to other devices on the network where the process starts over.
Advanced anti-virus software can provide protection against this attack, while spam filtering solutions can prevent the phishing emails from being delivered to end users. Businesses should also ensure that their employees are made aware of the risk of these types of attacks through security awareness training. Employees should be instructed never to open attachments in emails from unknown senders and taught the warning signs of a potential attack in progress. Naturally, good data backup practices are essential to ensure that if all other controls fail, files can be recovered without paying a ransom.
A major Children’s Mercy Hospital phishing attack has highlighted the importance of implementing effective spam filtering controls and the need to provide security awareness training to end users.
Phishing is a method of fraudulently obtaining sensitive information through deception. While attacks can occur over the telephone, via social media sites, or through text messages and chat platforms, the most common attack vector is email.
Convincing emails are sent to end users urging them to open an email attachment or to click on a malicious link. Attachments are used to install malware, either directly through malware attached to the email, or more commonly, using macros or other malicious code in documents which download scripts that in turn download the malicious payload.
In the case of embedded hyperlinks in emails, they typically direct an end user to a website that asks them to login. The website could ask for their email credentials, appear to be a Google login box, Dropbox login page, or other file sharing platform. Disclosing login credentials on that webpage sends the information to the attackers. These login pages are convincing. They look exactly like the sites that they are spoofing.
That was the case with the Children’s Mercy Hospital phishing attack. The Kansas City, MO, hospital received several phishing emails which directed employees to fake login pages on criminally-controlled websites.
The phishing attack occurred on or shortly before December 2, 2017. On Dec 2, Children’s Mercy’s security team identified authorized access to two employees’ email accounts. Access to the accounts was blocked the same day and the passwords were reset. Two weeks later, on December 15 and Dec 16, two further email accounts were accessed by unauthorized individuals. Again, unauthorized access was detected and blocked the same day. A fifth email account was accessed on January 3, 2018 with access blocked the following day.
The prompt action in response to the Children’s Mercy phishing attack limited the potential for those email accounts to be abused. When criminals gain access to email accounts they often use them to send further phishing emails. Since those emails come from a legitimate email account, the recipients of the messages sent from that account are more likely to open the emails as they come from a trusted source. That is why business email compromise scams are so effective – because employees trust the sender of the email and take action as requested in the belief that they are genuine communications.
In the case of the Children’s Mercy phishing attack, the criminals acted quickly. Following a forensic investigation into the attacks, Children’s Mercy discovered on January 19, 2018, that even though access to the accounts was promptly blocked, the attackers had successfully downloaded the mailboxes of four of the five employees. The messages contained a wide range of protected health information (PHI) of 63,049 patients.
The PHI included information such as name, gender, age, height, weight, BMI score, procedure dates, admission dates, discharge dates, diagnosis and procedure codes, diagnoses, health conditions, treatment information, contact details, and demographic information.
While Social Security numbers, insurance information, and financial data were not obtained – information most typically required to commit fraud – such detailed information on patients could be used in impersonation attacks on the patients. It would be quite easy for the attackers to pretend they were from the hospital and convince patients to provide their insurance information for example, which could then be used for medical identity fraud.
Due to the scale of the attack and number of emails in the compromised accounts, it has taken a considerable time to identify the individuals affected. The Kansas City Star reports that some patients are only just being notified.
In response, the hospital implemented 2-factor authentication and other technical controls to prevent further attacks.
2-factor authentication is an important security measure that provides protection after a phishing attack has occurred. If login credentials are supplied, but the location or the device used to access the account is unfamiliar, an additional method of authentication is required before access to the account is granted – a code sent to a mobile phone for example.
Two of the most effective security controls to prevent credential theft via phishing are spam filters and security awareness training.
An advanced spam filter is an essential security measure to block phishing attacks. The changing tactics of cybercriminals means no spam filtering solution will be able to block every single phishing email, although SpamTitan, a highly effective spam filtering solution with advanced anti-phishing protections, blocks more than 99.97% of spam and malicious emails to ensure they do not arrive in end users’ inboxes.
Security awareness training helps to prevent employees from clicking on the small percentage of messages that get past perimeter defenses. Employees need to be trained to give them the skills to identify phishing attempts and report them to their security teams. An ongoing training program, with phishing simulation exercises, will help to condition employees to recognize threats and respond appropriately. Over time, phishing email detection skills will improve considerably.
An effective training program can limit the number of employees that respond to phishing attacks, either preventing the attackers from gaining access to email accounts or severely limiting the number of employees who respond and disclose their credentials.
The Children’s Mercy phishing attack is one of many such attacks on healthcare organizations and businesses, and as those attacks increase and more data is obtained by criminals, implementing advanced phishing protections has never been more important.
For further information on email security controls that can prevent phishing attacks, contact the TitanHQ team today and enquire about SpamTitan.
The FBI has published its 2017 Internet Crime Report, which details the main types of online crime reported to its Internet Crime Complaint Center (IC3).
In 2017, businesses and consumers reported 301,580 incidents to IC3 and more than $1.4 billion was lost to cybercriminals. Of course, these are only reported losses. Many Internet crimes go unreported, so the true losses are likely to be substantially higher.
2017 saw more complaints of Internet crime than any other year since 2013 when the reports first started to be published.
Identity theft and corporate data breaches often make the headlines, although by far the biggest area of criminal activity are business email compromise (BEC) scams – or email account compromise (EAC) when the scams target individuals.
Business Email Compromise Scams – The Main Cause of Losses in 2017
More than three times as much money was lost to BEC and EAC scams than the next highest cause of losses: confidence fraud/romance scams. In 2017, the reported losses from BEC/EAC scams was $676,151,185.
Business email compromise and email account compromise scams involve the use of a compromised email account to convince individuals to make transfers of funds to accounts controlled by criminals or to send sensitive data via email.
BEC scams usually start with compromising the email account of the CEO, CFO or another board member – which is why this type of scam is also known as CEO fraud. Access to the executive’s email account is gained via brute force guessing of passwords or, most commonly, social engineering techniques and phishing scams.
Once access to the email account is gained, an email conversation is initiated with another member of the workforce, typically an individual responsible for making wire transfers. That individual is instructed to make a transfer to a new bank account – that of the attacker. Alternatively, the data of employees is requested – W2 Forms – or other sensitive company information. These scams often involve large transfers of funds. In 2017 there were 15,690 such scams reported to IC3, making the average loss $43,094.
Phishing Extensively Used in Internet Crime
Phishing, vishing, smishing and pharming were grouped together. They ‘only’ resulted in losses of $29,703,421, although the losses from these crimes are difficult to calculate accurately. The losses associated with phishing are grouped in many other categories. BEC scams often start with a phishing attack and research from Cofense suggests 91% of corporate data breaches start with a phishing email.
The 2017 Internet Crime Report reveals the extent to which phishing is used in cyberattacks. There were 25,344 phishing incidents reported to IC3 in 2017 – the third highest category of Internet crime behind non-payment/non-delivery and personal data breaches. Many personal data breaches start with a phishing email.
Ransomware Attack Mitigation Proves Expensive
In addition to the threat of BEC attacks, the FBI’s 2017 Internet Crime Report warns of the threat from ransomware. Ransomware only resulted in reported losses of $2.3 million and attracted 1,783 complaints, although it is worthy of a mention due to the considerable disruption that attacks can cause. The reported losses – in terms of the ransoms paid – may be low, but actual losses are substantially higher. The ransomware attack on the City of Atlanta in April 2018 saw a ransom demand of $52,000 issued, although the actual cost of mitigating the attack was reported to be at least $2.7 million in April. However, in June 2018, city Information Management head Daphney Rackley indicated a further $9.5 million may be required over the coming year to cover the cost of mitigating the attack.
Tech Support Fraud Losses Increased by 90%
Another hot topic detailed in the 2017 Internet Crime Report is tech support fraud – This is a widespread scam where individuals are fooled into thinking they have a computer problem such as a virus or malware installed, when they do not. Calls are made warning of detected malware, and users are directed to malicious websites via phishing emails where pop-up warnings are displayed, or screen lockers are used.
These scams usually require the victim to pay the scammer to remove a fictitious infection and provide them with remote access to a computer. In addition to the scammers charge for removing the infection, sensitive data such as usernames, passwords, Social Security numbers, and bank account information are often stolen. 2017 saw a 90% increase in losses from tech support scams.
Protecting Against Internet Crime
One of the most important defenses for businesses to implement to protect against the leading cause of financial losses is an advanced spam filtering solution. Business email compromise scams often start with a phishing email and effective spam filtering will reduce the potential for email accounts to be compromised. Ransomware and malware are also primarily distributed via email. An advanced spam filter such as SpamTitan will block 100% of all known malware and prevent malicious messages from being delivered to inboxes.
Security awareness training is also essential. Malicious messages will make it past spam filtering solutions on occasion, so it is important for all end users to be prepared for malicious messages and taught security best practices. Training should be provided to every individual in the company with a corporate email account or access to an Internet facing computer, including board members.
A web filtering solution is also an important consideration. A web filter is an additional anti-malware control that can be used to prevent employees from visiting malicious websites – either via links in emails, redirects, or through general web browsing. A web filter, such as WebTitan, will block ransomware and malware downloads and prevent end users from accessing the types of phishing websites used to initiate BEC attacks.
These three cybersecurity measures should be part of all organizations’ cybersecurity defenses. They will help to prevent businesses from being included in next year’s FBI Internet Crime Report.
UK users are being targeted with a fake WannaCry ransomware alert threatening file encryption if a ransom demand is not paid.
Fraudsters Claim WannaCry is Back!
In May last year, WannaCry ransomware attacks brought many companies to a standstill, with the UK’s National Health Service (NHS) a notable victim. Now, a little more than a year later, a new WannaCry ransomware campaign is being run, or so the sender of a batch of phishing emails claims.
Email recipients are told “WannaCry is back!” and are warned that their devices have been hacked and ransomware has been installed.
Email recipients are warned that the threat actors have perfected their ransomware and this time around antivirus software and firewalls will not prevent file encryption. Further, recovery will not be possible if the ransom is not paid.
Failure to pay, or any attempt to try to remove the ransomware without paying the ransom demand will result in permanent file deletion. Further, the ransomware can propagate and infect the local network, cloud data, and remote devices, regardless of operating system.
Email recipients are told that the ransomware has already been deployed and payment of a ransom of 0.1 Bitcoin – Around $650 – must be made to stop the attack. Email recipients are given just 24 hours to pay the ransom before data are permanently deleted.
The email is signed by WannaCry-Hack-Team, and so far, more than 300 copies of the message have been reported to the UK government’s National Fraud and Cyber Crime Reporting Centre, Action Fraud.
A Phishing Scam that Preys on WannaCry Fears
There are some signs that the email is not a genuine threat, and instead is just preying on fears about another WannaCry style attack.
Ransomware attackers encrypt data then ask for a ransom to unlock files. They do not send a warning saying they will encrypt data if a ransom is not paid. That tactic may be used by some DDoS attackers, but not by ransomware threat actors.
Email recipients are told that this version of WannaCry will work on “any version of Windows, iOS, Android, and Linux.” The original version of WannaCry took advantage of a vulnerability in Windows Server Message Block. WannaCry only affected vulnerable Windows devices that had not been patched. The ransomware was not a threat on other operating systems.
Phishing campaigns often include spelling mistakes in the subject line and message body and this email is no different. The subject line is – “Attantion WannaCry”.
This is simply a phishing campaign that attempts to extort money from the recipient. No ransomware has been installed and the attackers cannot encrypt any files.
If you receive such a message threatening file encryption unless you pay a ransom, report the message to Action Fraud (UK), US-CERT (email@example.com) in the United States, or the government Fraud and Cyber Crime agency in your country of residence and delete the email and do not pay any Bitcoin ransom.
Of course, not all ransomware threats are as benign as this and many attackers will be able to encrypt your data. To protect against real ransomware threats ensure you create multiple backups of your files, deploy a spam filtering solution, ensure your operating system and all software are kept up to date, and keep your anti-virus protection up to date.
A new type of ransomware attack could be on the horizon. The attack method, termed ransomcloud, was developed by a white hat hacker to demonstrate just how easy it is to launch an attack that results in cloud-based emails being encrypted.
A successful attack will see the attacker gain full control of a cloud-based email account, allowing them to deploy a ransomware payload that encrypts all emails in the account. This method could also be used to gain full control of the account to use for spamming and other malicious purposes.
The attack works on all cloud-based email accounts that allow third party applications account access via OAuth, which includes Gmail and Office 365 accounts.
The ransomcloud attack starts with a phishing email. In this example, the message appears to have been sent by Microsoft offering the user the opportunity to sign up and use a new email spam filtering service called AntiSpamPro. The email includes the Microsoft logo and appears to be a new Microsoft service that provides the user with better spam protection.
In order to take advantage of this service, the user is required to click a hyperlink in the email to give authorization for the new service to be installed. Clicking the link will result in a popup window appearing that requires the user to authorize the app to access their email account.
Such a request is perfectly reasonable, as an app that offers protection against spam would naturally require access to the email account. Emails would need to be read in order for the app to determine whether the messages are genuine or spam. Clicking on ‘accept’ would give the attacker full control of the email account via an OAuth token. If access is granted, the user loses control of their email account.
In this example, ransomware is installed which encrypts the body text of all emails in the account. An email then appears in the inbox containing the ransom note. The user is required to pay a ransom to regain access to their emails.
Additionally, the attacker could claim the email account as their own and lock the user out, send phishing emails to all the user’s contacts, access sensitive information in emails, use email information to learn about the individual to use in future attacks such as spear phishing campaigns to gain access to their computer.
The ransomcloud attack method is astonishingly simple to pull off and could be adopted by cybercriminals as a new way of extorting money and gaining access to sensitive information.
A new spam campaign has been identified that uses Excel Web Query files to deliver malware. In this case, the .iqy files are used to launch PowerShell scripts that give the attackers root access to a device. .iqy files are not usually blocked by spam filters, making the technique effective at silently delivering malware.
The spam emails are being delivered via the Necurs botnet. Three spam campaigns have been detected by Barkly that use these attachments, although further campaigns are almost certain to be launched.
Excel Web Query files obtain data from an external source and load it to Excel. In this case, the external data is a formula which is executed in Excel. The formula is used to run PowerShell scripts which, in at least one campaign, downloads a Remote Access Trojan (RAT) called FlawedAmmyy Admin – a tweaked legitimate remote administration tool that gives the attacker full control of a computer, allowing any number of malicious programs to be installed.
The emails masquerade as purchase orders, unpaid invoices, and scanned documents – Common themes used in spam emails to deliver malware. These spam email campaigns often use Word documents with malicious macros. Macros are usually disabled by default. Through security awareness training, end users have been conditioned not to enable macros on documents from unknown senders, thus preventing malware downloads.
Since most end users will not be used to receiving .iqy files, these attachments should arouse suspicion. Microsoft has also built in warnings to prevent these files from being run by end users. If an end user attempts to open one of these files it will trigger a warning alerting the user that the file may not be safe as it enables an external connection. The end user would be required to click enable before the connection is made and data is pulled into Excel. A second warning would then be displayed, again requiring authorization. Only if both warnings are ignored will the script be allowed to run that downloads the malicious payload.
There are two steps you can take to protect your endpoints and networks from these types of attacks. The first is to configure your email spam filter to quarantine any emails containing .iqy attachments. SpamTitan allows certain attachment types to be blocked such as executable files and iqy files. You can set the policy to quarantine, reject, or delete the emails. Since these types of files are not usually sent via email, rejecting the messages or deleting them is the safest option.
You should also cover the use of these files in your security awareness training sessions and should consider sending an email alert to end users warning them about the threat.
Further information on steps you can take to prevent malware infections spread via email can be found in our anti-spam tips page. You can find out more about the capabilities of SpamTitan by calling the sales team:
- USA: +1 5859735070
- UK/EU: +44 (0)2476993640
- Ireland: +353 91 545555
- Mid East: +971 4 3886998
World Cup 2018 phishing scams can be expected over the coming weeks. There has already been a spike in World Cup related phishing emails and many malicious World Cup-themed domains have been registered.
World Cup 2018 Phishing Scams Detected!
The World Cup may be two weeks away, but interest in the soccer extravaganza is already reaching fever pitch. The World Cup is watched by billions of people around the world, and there are expected to be around 5 million soccer fans expected to travel to Russia to see the matches live between June 14 to July 15. With such interest in the sporting event it should be no surprise that cybercriminals are poised to take advantage.
Kaspersky Lab has already detected several World Cup 2018 phishing scams, with many of the early scams using emails to direct soccer fans to malicious websites offering the opportunity to buy tickets for the games.
Fake Tickets and Fake Touts
With tickets for the big matches scarce and demand outstripping supply, many fans are turning to touts to secure tickets to the big matches. Steps have been taken by FIFA to make it harder for ticket touts to operate, such as only allowing one ticket for a game to be purchased by any football fan. That individual is also named on the ticket. However, it is still possible for individuals to purchase tickets for guests and touts are taking advantage. The price for guest tickets is extortionate – up to ten times face value – and that price will likely rise as the event draws closer.
Such high prices mean the opportunity of snapping up a cheaper ticket may seem too good to miss. However, there are plenty of scammers who have registered websites and are posing as touts and third parties that have spare tickets.
Purchasing a ticket through any site other than the official FIFA is a tremendous risk. The only guarantee is that the price paid will be substantially higher, but there are no guarantees that a ticket will be sent after payment is made. Even if a ticket is purchased from an unofficial seller, it may turn out to be a fake. Worse, paying with a credit or debit card could see bank accounts emptied.
Kaspersky Lab detected large numbers of malicious domains set up and loaded with phishing pages to take advantage of the rush to buy tickets ahead of the tournament. The websites are often clones of the official site.To add credibility, domains have been purchased that include the words worldcup2018 and variations along that theme. Cheap SSL certifications have also been purchased, so the fact that a website starts with HTTPS is no guarantee that a site is legitimate. Tickets should only be purchased through the official FIFA website.
Why pay a high price for a ticket when there is a chance of obtaining one for free? Many competition-themed World Cup 2018 phishing emails have been detected. These emails are sent out in the millions offering soccer fans the change to win a free ticket to a match. To be in with a chance, the email recipient is required to register their contact details. Those details are subsequently used for further phishing and spamming campaigns. Stage two of the scam, where the ‘lucky’ registrant is told they have one tickets, involves opening an email attachment, which installs malware.
Notifications from FIFA and Prizes from FIFA World Cup 2018 Partners
Be wary of any communications from FIFA or any company claiming to be an official World Cup Partner. Kaspersky Lab has detected several emails that appear, at face value, to have been sent by FIFA or its World Cup 2018 partners. These emails usually request the recipient to update their account for security reasons.
Visa is one brand in particular that is being spoofed in World Cup 2018 phishing emails for obvious reasons. Fake security alerts from Visa require credit card credentials to be entered on spoofed websites. If any security alert is received, visit the official website by typing in the official domain into the browser. Do not click the links contained in the emails.
Cheap Travel Accommodation Scams
Airline tickets to cities staging World Cup matches may be difficult to find, and with more than 5 million fans expected in Russia for the World Cup, accommodation will be scarce. Scammers take advantage of the scarcity of flights and accommodation and the high prices being charged and offer cheap deals, usually via spam email. A host of malicious websites have been set up mimicking official travel companies and accommodation providers to fool the unwary into disclosing their credit card details. Retail brands are also being spoofed, with offers sent via email for cut price replica shirts and various other World Cup apparel.
These World Cup 2018 phishing scams can usually be identified from the domain name, which needs to be checked carefully. These websites are often clones and are otherwise indistinguishable from the official websites.
Team and Match News and World Cup Gossip
As the World Cup gets underway, there are likely to be waves of spam emails sent with news about matches, team information, betting odds, and juicy gossip about teams and players. Every major sporting event sees a variety of lures sent via spam email to get users to click links and visit malicious websites. Hyperlinks often direct users to webpages containing fake login pages – Facebook and Google etc. – where credentials need to be entered before content is displayed.
How to Avoid Becoming a Victim of a World Cup 2018 Phishing Scam
These are just a few of the World Cup 2018 phishing scams that have been detected so far and a great deal more can be expected by the time the World Cup winner lifts the trophy on July 15.
Standard security best practices will help soccer fans avoid World Cup 2018 phishing scams. Make sure you:
- Only buy tickets from the official FIFA website
- Only book travel and accommodation from trusted vendors and review the vendors online before making a purchase
- Never buy products or services advertised in spam email
- Never opening attachments in World Cup-themed emails from unknown senders
- Do not click hyperlinks in emails from unknown senders
- Never click a hyperlink until you have checked the true domain and avoid clicking on shortened URLs
- Ensure all software, including browsers and plugins, is patched and kept fully up to date
- Ensure anti-virus software is installed and is kept up to date
- Consider implementing a third-party spam filtering solution to prevent spam and malicious messages from being delivered – Something especially important for businesses to stop employees from being duped into installing malware on work computers.
- Stay alert – If an offer seems to good to be true, it most likely is
According to data from the UK’s fraud tracking team, Action Fraud, there has been a massive rise in TSB phishing scams in the past few weeks. Customers of TSB have been duped into handing over their online banking credentials to scammers. Action Fraud is now receiving around 10 complaints a day from TSB customers who have fallen for phishing scams.
A Nightmare Scenario for TSB Customers
The problem that made the scams possible was the separation of the TSB banking system from Lloyds Bank, of which TSB was part until 2015. TSB moved over to a new core banking system provided by Banco Sabadell, the Spanish bank which took over TSB. That transition happened in April. Unfortunately for TSB and its customers, it did not go smoothly.
While migrating customer information to the new core banking system, many customers were locked out of their accounts and were unable to access their money. Some customers were presented with other customers’ bank accounts when they logged in online, and there have been cases of customers having money taken from their accounts without authorization, and transfers have been made to the wrong bank accounts. It is almost June, and the problems have still not been completely resolved.
Customers starting to experience problems over the weekend of 21/22 April and the problems were understandably covered extensively by the media with many customers taking to Social Media sites to vent their spleens over the chaos. For scammers, this was too good an opportunity to miss.
Action Fraud had received more than 320 reports of TSB phishing scams in the first three weeks in May. There were only 30 reports of such scams in the entire month of April. That’s an increase of 969%.
TSB Phishing Scams Soar
The situation was ideal for scammers. Many TSB customers could not access their accounts, so there was little chance of customers realizing they had been defrauded until it was too late.
TSB staff were overworked dealing with the IT problems and its helplines were overwhelmed with calls from customers unable to access their money. When customers realized they had been scammed they were unable to contact the bank quickly. There have been reports of customers seeing money taken from their accounts while they were logged in, yet they could not get through to customer support to stop transfers being made.
The TSB phishing scams used a combination of SMS messages, emails, and telephone calls to obtain customers banking credentials. As is typical in these types of scams, customers were sent links and were asked to use them to login to their accounts. The websites the bank’s customers visited looked exactly how they should. The only sign that the website was not genuine was the URL, otherwise the website was a carbon copy of the genuine TSB website.
Many victims of the scam had received an email or text messages, which was followed up with a voice call to obtain the 2-factor authentication code that would allow the scammers to gain access to the victim’s account. While the requests from the scammers may have seemed unusual or suspicious, this was an unusual situation for TSB customers.After that information was obtained, the scammers went to work and emptied bank accounts.
According to data from cybersecurity firm Wandera, TSB has now jumped to second spot in the list of the financial brands most commonly used in impersonation attacks. Prior to the IT problems, TSB wasn’t even in the top five.
With the bank’s IT issues ongoing, the TSB phishing scams are likely to continue at high levels for some time to come. The advice to TSB customers is to be extremely wary of any email, text message or call received from TSB bank. Scammers can spoof email addresses and phone numbers and can make text messages appear as if they have been sent by someone else.
Several GDPR phishing scams have been detected in the past few days as scammers capitalize on the last-minute rush by companies to ensure compliance ahead of the May 25, 2018 GDPR deadline. Be wary about any GDPR related email requests – they may be a scam.
GDPR Provides Scammers with a New Opportunity
You will probably already be sick of receiving email requests from companies asking if they can continue sending you emails, but that is one of the requirements of GDPR. GDPR requires consent to be obtained to use – or continue to use – personal information. With previous privacy policies failing to comply with the new EU law, email requests are being sent to all individuals on mailing lists and those who have previously registered on websites to re-obtain consent.
All companies that have dealings with EU residents are required to comply with GDPR, regardless of their location. Emails are therefore being sent from companies far and wide. Consumers are receiving messages from companies that they may have forgotten they had dealings with in the past. If personal data is still on file, email requests are likely to be sent asking for permission to retain that information.
The masses of emails now being sent relating to GDPR has created an opportunity for scammers. GDPR phishing scams have been developed to fool users into revealing sensitive information under the guise of GDPR related requests. There have been many GDPR phishing scams identified in recent weeks. It is ironic that a regulation that aims to improve privacy protections for EU residents is being used to violate privacy.
Apple Spoofed in New Phishing Scam
Phishers often spoof large, familiar brands as there is a greater chance that the recipient of the message will have an account with that company. The most popular global brands – Netflix, PayPal, Apple, and Google are all commonly impersonated.
These impersonation scams can be highly convincing. A request is sent via email that seems perfectly reasonable, the emails appear to have been sent from the company, and the email address of the sender is spoofed to appear genuine. The emails contain branding and images which are familiar, and the messages can be almost indistinguishable from genuine communications.
The aim is to get users to click on an embedded hyperlink and visit the company’s website and login. There is usually an urgent call to action, such as a security alert, threat of account closure, or loss of services.
Apple is one such brand that has recently been impersonated in GDPR phishing scams. The aim of the attackers is to get Apple customers to login to a fake site and disclose their credentials. Once the credentials have been obtained, the scammers have access the user’s account, which includes financial information, credit card details, and other personal information.
Airbnb GDPR Phishing Scams Detected
Redscan has detected Airbnb GDPR phishing scams recently. Users of its home sharing platform are required to update their contact details due to GDPR law in order to continue to use the platform. The request is entirely reasonable given so many companies are sending similar emails.
The emails claim to be from Airbnb customer service, contain the correct images and branding, and direct users to a familiar looking website that differs only in the domain name. Users are asked to re-enter their contact information and payment card details.
Watch Out for GDPR Phishing Scams
These scams are just two of several. More can be expected over the coming days in the run up to the compliance deadline and beyond. To avoid falling for the scams, make sure you treat all GDPR-related requests as potentially suspicious.
The easiest way to avoid the scams is to visit the website of the brand by typing the correct address directly into the browser or using your usual bookmark. It should be clear when you login if you need to update your information because of GDPR.
Microsoft has released new figures that show there has been a sizeable increase in tech support scams over the past year. The number of victims that have reported these scams to Microsoft increased by 24% in 2017. The true increase could be much higher. Many victims fail to report the incidents.
According to Microsoft, in 2017 there were 153,000 reports submitted from customers in 183 countries who had been fooled by such a scam. While not all of the complainants admitted to losing money as a result, 15% said they paid for technical support. The average cost of support was between $200 and $400, although many individuals were scammed out of much more significant amounts. While victims may not willingly pay much more to fix the fictitious problem on their computers, if bank account details are provided to the scammers, accounts can easily be drained. One victim from the Netherlands claims a scammer emptied a bank account and stole €89,000.
The rise in complaints about tech support scams could, in part, be explained by more scammers pretending to be software engineers from Microsoft, prompting them to report the incidents to Microsoft when they realize they have been scammed.
However, the rise in tech support scams is backed up by figures released by the FBI. Its Internet Crime Complaint Center (IC3) received 86% more complaints in 2017 from victims of tech support scams. Around 11,000 complaints were received by IC3 about tech support scams last year and more than $15 million was lost to the scams.
It is easy to see why these scams are so attractive for would-be cybercriminals. In many cases, little effort is required to pull off the scam. All that is required in many cases is a telephone. Cold calling is still common, although many of the scams are now much more sophisticated and have a much higher success rate.
Email is also used. Some tech support scams involve warnings and use social engineering techniques to convince the recipient to call the helpline. Others involve malware, sent as an attachment or downloaded as a result of visiting a malicious website via a hyperlink supplied in the email.
Once installed, the malware displays fake warning messages that convince the user that they have been infected with malware that requires a call to the technical support department.
The use of popups on websites is common. These popups cannot be closed and remain on screen. Browser lockers are also common which serve the same purpose. To prompt the user to call the support helpline.
While many more experienced users would know how to close the browser – CTRL+ALT+DEL and shut down the browser via Windows Task Manager – less experienced users may panic and call the helpline number, especially when the popup claims to be from a well-known company such as Microsoft or even law enforcement.
The typical process used in these tech support scams is to establish contact by telephone, get the user to download software to remove a fictitious virus or malware that has previously been installed by the attackers. Remote administration tools are used that allows the scammer to access the computer. The user is convinced there is malware installed and told they must pay for support. Payment is made and the fictitious problem is fixed.
These techniques are nothing new, it is just that more cybercriminals have got in on the act and operations have been expanded due to the high success rate. Fortunately, there are simple steps to take that can prevent users from falling for these tech support scams.
To avoid becoming a victim of such a scam:
- Never open any email attachments you receive from unknown senders
- Do not visit hyperlinks in email messages from unknown senders
- If contacted by phone, take a number and say you will call back. Then contact the service provider using verified contact information, not the details supplied over the telephone
- If you are presented with a warning via a popup message or website claiming your device has been infected, stop and think before acting. Genuine warnings do not include telephone numbers and do not have spelling mistakes or questionable grammar
- If you receive a warning about viruses online and want to perform a scan, download free antivirus software from a reputable firm from the official website (Malwarebytes, AVG, Avast for instance)
- Before making any call, verify the phone number. Use a search engine to search for the number and see if it has been associated with scams in the past
- ISPs and service providers rarely make unsolicited telephone calls to customers about viruses and technical issues and offer to fix the device
If you believe you are a victim of a tech support scam, report the incident to the service provider who was spoofed and notify appropriate authorities in your country of residence.
In the USA, that is the Federal Trade Commission or the FBI’s IC3; in the UK it is the National Fraud and Cyber Crime Reporting Center, the European Consumer Center in Ireland, or the equivalent organizations in other countries.
Two new phishing campaigns have been detected in the past few days that have seen phishers sink to new lows. An active shooter phishing campaign has been detected that uses fear and urgency to steal credentials, while a Syrian refugee phishing campaign takes advantage of compassion to increase the probability of victims paying ransom demands.
Active Shooter Phishing Campaign
Mass shootings at U.S schools are on the rise, with the latest incident in Parkland, Florida placing teachers and other staff on high alert to the threat of campus shootings. A rapid response is essential when an active shooter alert is issued. Law enforcement must be notified quickly to apprehend the suspect and children and staff must be protected.
It is therefore no surprise that fake active shooter threats have been used in a phishing campaign. The emails are designed to get email recipients to click without thinking to receive further information on the threat and have been developed to cause fear and panic.
The active shooter phishing campaign was being used in a targeted attack on a Florida school – an area of the country where teachers are hypersensitive to the threat of shootings, given recent events in the state.
Three active shooter phishing email variants were reported to the anti-phishing and security awareness platform provider KnowBe4, all of which were used to direct recipients to a fake Microsoft login page where they were required to enter in their login credentials to view the alert. Doing so would give those credentials to the attacker.
The email subject lines used – although other variants could also be in use – were:
- IT DESK: Security Alert Reported on Campus
- IT DESK: Campus Emergency Scare
- IT DESK: Security Concern on Campus Earlier
It is likely that similar campaigns will be conducted in the future. Regardless of the level of urgency, the same rules apply. Stop and think about any message before taking any action suggested in the email.
Syrian Refugee Phishing Campaign
Phishing campaigns often use crises, major world events, and news of sports tournaments to get users to click links or open email attachments. Any news that is current and attracting a lot of interest is more likely to result in users taking the desired action.
There have been several Syrian refugee phishing campaigns run in recent months that take advantage of compassion to infect users with malware and steal their credentials. Now researchers at MalwareHunterTeam have identified a ransomware campaign that is using the terrible situation in Syria to convince victims to pay the ransom – By indicating the ransom payments will go to a very good cause: Helping refugees.
Infection with what has been called RansSIRIA ransomware will see the victim presented with a ransom note that claims all ransom payments will be directed to the victims of the war in Syria. A link is also provided to a video showing the seriousness of the situation in Syria and links to a WorldVision document explaining the plight of children affected by the war.
While the document and images are genuine, the claim of the attackers is likely not. There is no indication that any of the ransom payments will be directed to the victims of the war. If infected, the advice is not to pay and to try to recover files by other means. If you want to do your bit to help the victims of the war, make a donation to a registered charity that is assisting in the region.
Providing security awareness training for employees helps to eradicate risky behaviors that could potentially lead to a network compromise. Training programs should cover all the major threats faced by your organization, including web-based attacks, phishing emails, malware, and social engineering scams via the telephone, text message, or social media channels.
All too often, businesses concentrate on securing the network perimeter with firewalls, deploying advanced anti-malware solutions, and implementing other technological controls such as spam filters and endpoint protection systems, yet they fail to provide effective security awareness training for employees. Even when security awareness training programs are developed, they are often once-a-year classroom-based training sessions that are forgotten quickly.
If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training will not have been effective.
The threat landscape is changing rapidly. Cybercriminals often change their tactics and develop new methods to attack organizations. If your security program does not incorporate these new methods of attack, and you do not provider refresher security awareness training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data and the integrity of your network.
Many Businesses Fail to Provide Effective Security Awareness Training for Employees
One recent study has highlighted just own ineffective many security awareness training programs are. Positive Technologies ran a phishing and social engineering study on ten organizations to determine how effective their security awareness programs were and how susceptible employees are to some of the most common email-based scams.
These include emails with potentially malicious attachments, emails with hyperlinks to websites where the employee was required to enter their login credentials, and emails with attachments and links to a website. While none of the emails were malicious in nature, they mirrored real-world attack scenarios.
27% of employees responded to the emails with a link that required them to enter their login credentials, 15% responded to emails with links and attachments, and 7% responded to emails with attachments.
Even a business with 100 employees could see multiple email accounts compromised by a single phishing campaign or have to deal with multiple ransomware downloads. The cost of mitigating real world attacks is considerable. Take the recent City of Atlanta ransomware attack as an example. Resolving the attack has cost the city $2.7 million, according to Channel 2 Action News.
The study revealed a lack of security awareness across each organization. While employees were the biggest threat to network security, accounting for 31% of all individuals who responded to the emails, 25% were team supervisors who would have elevated privileges. 19% were accountants, administrative workers, or finance department employees, whose computers and login credentials would be considerably more valuable to attackers. Department managers accounted for 13% of the responders.
Even the IT department was not immune. While there may not have been a lack of security awareness, 9% of responders were in IT and 3% were in information security.
The study highlights just how important it is not only to provide security awareness training for employees, but to test the effectiveness of training and ensure training is continuous, not just a once a year session to ensure compliance.
Tips for Developing Effective Employee Security Awareness Training Programs
Employee security awareness training programs can reduce susceptibility to phishing attacks and other email and web-based threats. If you want to improve your security posture, consider the following when developing security awareness training for employees:
- Create a benchmark against which the effectiveness of your training can be measured. Conduct phishing simulations and determine the overall level of susceptibility and which departments are most at risk
- Offer a classroom-style training session once a year in which the importance of security awareness is explained and the threats that employees should be aware of are covered
- Use computer-based training sessions throughout the year and ensure all employees complete the training session. Everyone with access to email or the network should receive general training, with job and department-specific training sessions provided to tackle specific threats
- Training should be followed by further phishing and social engineering simulations to determine the effectiveness of training. A phishing simulation failure should be turned into a training opportunity. If employees continue to fail, re-evaluate the style of training provided
- Use different training methods to help with knowledge retention
- Keep security fresh in the mind with newsletters, posters, quizzes, and games
- Implement a one-click reporting system that allows employees to report potentially suspicious emails to their security teams, who can quickly take action to remove all instances of the email from company inboxes
Lire cet article en français.
Under Armour has experienced a massive MyFitnessPal data breach that has resulted in the personal information of 150 million users being accessed and stolen by a hacker.
The data relates to users of the mobile MyFitnessPal app and the web version of the fitness and health tracking platform. The types of data stolen in the MyFitnessPal data breach include hashed usernames, passwords and email addresses.
While payment card data is held by Under Armour, the information is processed and stored separately and was unaffected. Other highly sensitive information typically used for identity theft and fraud such as Social Security numbers was not obtained by the attacker.
The MyFitnessPal data breach is notable for the sheer volume of data obtained and is the largest data breach to be detected this year; however, the theft of hashed data would not normally pose an immediate risk to users. That is certainly the case for the passwords, which were hashed using bcrypt – a particularly strong hashing algorithm. However, usernames and passwords were only hashed using the SHA-1 hashing function, which does not offer the same level of protection. It is possible to decode SHA-1 hashed data, which means the information could potentially be accessed by the attacker.
Further, the attacker has had the data for some time. Under Armour became aware of the breach on March 25, 2018, but the attack took place more than a month before it was detected – some six weeks before the announcement about the data breach was made.
Given the method used to protect the usernames and passwords, the data can be considered accessible and it is almost certain the person or persons responsible for the attack will attempt to monetize the data. If the attacker cannot personally decrypt the data, it is certain that the data will be some to someone who can.
While it is possible that the bcrypt-encrypted passwords can be decoded, it is unlikely that decryption will be attempted. To do so would take a considerable amount of time and effort. Further, Under Armour is notifying affected users and is encouraging them to change their passwords as a precaution to ensure accounts cannot be accessed.
While MyFitnessPal accounts may remain secure, that does not mean that users of MyFitnessPal will be unaffected by the breach. The attacker – or current holders of the data – will no doubt use the 150 million email addresses and usernames for phishing campaigns.
Under Armour started notifying affected users four days following the MyFitnessPal data breach. Any user affected should login and change their password as a precaution to prevent their account from being accessed. Users also need to be alert to the risk from phishing.
Phishing campaigns related to the MyFitnessPal data breach can be expected although the attackers will likely develop a variety of phishing emails to target breach victims.
An incident of the scale of the MyFitnessPal data breach also poses a risk to businesses. If an employee was to respond to a phishing campaign, it is possible that they could download malware onto their work device – an action that could result in the business network being compromised.
Attacks on this scale are becoming far more common, and with huge volumes of email addresses now being used for phishing campaigns, advanced spam filtering solutions for businesses are now a necessity.
If you have yet to implement a spam filter, are unhappy with your current provider and the detection/false positive rate, contact TitanHQ to find out about SpamTitan – The leading anti-spam software for enterprises and SMBs.
A recent Lazio phishing scam has potentially resulted in a €2 million loss for the Italian Serie A football team, which made the final installment of a transfer of a football player to the bank account of a scammer.
The Lazio phishing scam involved some insider knowledge as the scammer was aware that part of the transfer fee for a player was outstanding. An email was carefully crafted and sent to the Italian football team that appeared to have come from representatives of the Dutch football club Feyenoord. In the email the outstanding balance for the player Stefan de Vrij was demanded. Stefan de Vrij had joined Lazio from Feyenoord in 2014.
The email looked official and appeared to have been sent from a legitimate source. The accounts department at the Italian club responded and proceeded with the transfer of funds – approximately $2,460,840 – to the bank account as requested. However, the bank account details supplied in the email were not those of Feyenoord.
When Feyenoord was contacted, the club denied all knowledge of any email communication about the player and confirmed that no funds had been received. The money had been paid to a Dutch bank account, but not one held by any staff at the club, nor any representative of the player.
The payment has been tracked and Lazio is attempting to recover the funds. It is not yet known whether the money has been recovered and if that will be possible.
The Lazio phishing scam has certainly made the headlines, but many similar attacks go unreported. Scams such as this are commonplace, and businesses are being fooled into making huge transfers of funds to criminals’ accounts.
While this attack clearly involved some insider knowledge, that information can easily be gained with a simple phishing email. If the CFO of an organization can be fooled into revealing their email login credentials, the account can be accessed and a treasure trove of information can be found. The account can then be used to send an email request to a member of the accounts department or a company that is in the process of making a sizeable purchase.
The attacker can match the writing style of the CTO and copy the usual format of email requests. All too often the recipient is fooled into making the transfer.
This type of scam is called business email compromise – or BEC – and it is costing businesses billions. One recent report estimates the total losses to BEC attacks alone is likely to reach $9 billion in 2018.
These scams are far different to the typical phishing scams of years gone by where huge numbers of emails were sent in the hope of a few individuals responding. These attacks are highly targeted, the recipient is extensively researched, and a great deal of time is spent conducting the attack. As the Lazio phishing scam showed, it is certainly worth the time and effort.
Businesses need to protect themselves against these types of phishing attacks, but there is no silver bullet. Layered defenses are essential. Businesses need to develop an anti-phishing strategy and purchase anti-phishing security solutions. An advanced spam filtering solution is a must, DMARC should be implemented to prevent brand abuse, and security awareness training for staff is essential. Policies should also be developed and implemented that require two-factor verification on any wire transfer over a certain threshold.
Even if an email filter could not block the Lazio phishing email and the email was so believable to fool a security aware employee, a quick telephone call to confirm the request could have highlighted the scam for what it was.
No matter how many cybersecurity solutions you have deployed or the maturity of your cybersecurity program, it is now essential for develop and effective security awareness program and to ensure all employees and board members are trained how to recognize email threats.
Threat actors are now using highly sophisticated tactics to install malware, ransomware, and obtain login credentials and email is the attack method of choice. Businesses are being targeted and it will only be a matter of time before a malicious email is delivered to an employee’s inbox. It is therefore essential that employees are trained how to recognize email threats and told how they should respond when a suspicious email arrives in their inbox.
The failure to provide security awareness training to staff amounts to negligence and will leave a gaping hole in your security defenses. To help get you on the right track, we have listed some key elements of an effective security awareness program.
Important Elements of an Effective Security Awareness Program
Get the C-Suite Involved
One of the most important starting points is to ensure the C-Suite is on board. With board involvement you are likely to be able to obtain larger budgets for your security training program and it should be easier to get your plan rolled out and followed by all departments in your organization.
In practice, getting executives to support a security awareness program can be difficult. One of the best tactics to adopt to maximize the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial benefits that come from having an effective security awareness program. Provide data on the extent that businesses are being attacked, the volume of phishing and malicious emails being sent, and the costs other businesses have had to cover mitigating email-based attacks.
The Ponemon Institute has conducted several major surveys and provides annual reports on the cost of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of stats. Present information clearly and show the benefit of the program and what you require to ensure it is a success.
Get Involvement from Other Departments
The IT department should not be solely responsible for developing an effective security awareness training program. Other departments can provide assistance and may be able to offer additional materials. Try to get the marketing department on board, human resources, the compliance department, privacy officers. Individuals outside of the security team may have some valuable input not only in terms of content but also how to conduct the training to get the best results.
Develop a Continuous Security Awareness Program
A one-time classroom-based training session performed once a year may have once been sufficient, but with the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer enough.
Training should be an ongoing process provided throughout the year, with up to date information included on current and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for everyone. Develop a training program using a variety of training methods including annual classroom-based training sessions, regular computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues fresh in the mind.
Use Incentives and Gamification
Recognize individuals who have completed training, alerted the organization to a new phishing threat, or have scored highly in security awareness training and tests. Try to create competition between departments by publishing details of departments that have performed particularly well and have the highest percentage of employees who have completed training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.
Security awareness training should ideally be enjoyable. If the training is fun, employees are more likely to want to take part and retain knowledge. Use gamification techniques and choose security awareness training providers that offer interesting and engaging content.
Test Employees Knowledge with Phishing Email Simulations
You can provide training, but unless you test your employees’ security awareness you will have no idea how effective your training program has been and if your employees have been paying attention.
Before you commence your training program it is important to have a baseline against which you can measure success. This can be achieved using security questionnaires and conducting phishing simulation exercises.
Conducting phishing simulation exercises using real world examples of phishing emails after training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be turned into a training opportunity.
Comparing the before and after results will show the benefits of your program and could be used to help get more funding.
Train your staff regularly and test their understanding and in a relatively short space of time you can develop a highly effective human firewall that complements your technological cybersecurity defenses. If a malicious email makes it past your spam filter, you can be confident that your employees will have the skills to recognize the threat and alert your security team.
The cybersecurity threat level is at an all time high, according to a recently published threat report from McAfee. The AV solution provider has compiled a report from data collected over the final quarter of 2017 which shows the last three months of 2017 saw record numbers of new malware samples detected – 63.4 million samples. A level never before seen.
The soaring value of Bitcoin and other cryptocurrencies in the final quarter of 2017 fueled a massive rise in cryptocurrency hijacking and the use of cryptocurrency miners over other forms of malware that were favored in previous quarters. With Bitcoin valued at $19,000 in December and cryptocurrency mining hardware costing several thousand dollars, it is no surprise that so many threat actors chose to hijack other computers and steal money from cryptocurrency wallets.
Cryptocurrency miners were being used in spam email campaigns, disguised as mobile apps, and there was a massive rise in the hijacking of websites and loading cryptocurrency mining code.
While mining cryptocurrencies has proven to be highly profitable for cybercriminals, they did not abandon the use of other malware variants. The use of ransomware continues to increase, with spam email the primary method of delivery.
McAfee reports that there was 35% ransomware growth in Q4, and 59% growth in 2017. For the fourth consecutive quarter there has been an increase in new ransomware variants, with much of the increase due to the widespread use of Ransom:Win32/Genasom. There is unlikely to be a fall in use of ransomware any time soon.
The use of spam email to deliver malware and ransomware continues to grow, with two botnets – Necurs and Gamut – responsible for delivering 97% of all spam email in Q4, with the former now the most prevalent spamming botnet.
Botnets are also being developed to exploit IoT devices, which typically lack security and often have poor passwords. Infecting the devices allows massive botnets to be easily assembled for use in DDoS and DoS attacks.
Q4 was the fourth consecutive quarter where new malware samples have continued to increase, with total malware samples now just short of 700,000,000. New Mac malware also increased for the third consecutive quarter and there are now approximately 750,000 Mac malware variants, although there was a fall in new mobile malware samples from the 2-year high in Q3.
There was a rise in new Faceliker and macro malware, although the biggest increase was PowerShell malware. Q4 saw a massive jump in new PowerShell downloaders.
While the cybersecurity threat level continues to increase, and all industries are at risk, healthcare was the most targeted industry in 2017 by some distance. Healthcare may have been the third most targeted industry sector in 2016-2017, but the first three quarters of 2017 saw more than twice as many attacks on healthcare organizations than any other industry sector.
McAfee reports that there has been a 210% increase in cybersecurity incidents reported by healthcare organizations in 2017 compared to 2016, although there was some respite in Q4, which saw a 78% quarter over quarter decline in security incidents.
McAfee suggests it is poor security practices that have contributed to the rise in healthcare data breaches and cyberattacks. Many of the reported incidents could have been prevented if cybersecurity best practices had been followed.
Phishing attacks in healthcare are to be expected. Healthcare providers hold vast quantities of data on patients. Hospitals typically employ hundreds or thousands of members of staff, use many third-party vendors, and historically they have had relatively poor cybersecurity defenses compared to other industry sectors. That makes them an attractive target for phishers.
Phishing is a method of gaining access to sensitive information which typically involves a malicious actor sending an email to an employee in which they attempt to get that individual to reveal their login credentials. This is achieved using social engineering techniques to make the email recipient believe the email is a genuine. For instance, a security alert could inform the email recipient that an online account has been compromised and a password change is required. They are directed to a spoofed website where they are asked to login. The site is fake but looks genuine.
Credentials are entered and passed to the attacker who uses them to gain access to that individual’s account. Phishing can also involve malware. Emails attempt to convince the recipient to open a malware-infected attachment or download a malicious file from a compromised website.
Compliance with HIPAA Rules Helps to Prevent Phishing Attacks in Healthcare
HIPAA Rules require healthcare providers to implement administrative, technical, and physical safeguards to reduce the risk of cyberattacks and phishing. HIPAA only demands a minimum standard for data security be reached, although complying with HIPAA Rules can help to prevent phishing attacks in healthcare.
HIPAA is not technologically specific on the defenses that should be used to protect patient data. Healthcare providers can choose appropriate defenses based on the results of a risk analysis.
It is possible for healthcare organizations to be compliant with HIPAA Rules but still be vulnerable to phishing attacks. If healthcare providers are to block the majority of phishing attacks and truly secure patients’ data, they must go above and beyond the requirements of HIPAA.
HHS’ Office for Civil Rights Warns of Phishing Attacks in Healthcare
Recent phishing attacks in healthcare have prompted the HHS’ Office for Civil Rights to issue a warning about the risk from phishing.
Attacks are now highly sophisticated and can be hard to detect. The emails are often free from spelling mistakes, have near perfect grammar, include brand images and logos, and appear to have been sent from genuine domains. The reasons given for taking a specific course of action are perfectly plausible as is the need for urgent action.
OCR also highlights the rise in spear phishing attacks in healthcare. These attacks involve more targeted attempts to gain access to sensitive information and can be conducted on specific individuals or groups of individuals in an organization – The payroll or HR department for instance.
These attacks often see a CEO or superiors impersonated to add legitimacy to the attack. These attacks tend to require the opening of attachments or visiting links to download malware. Spear phishing emails are also used to request bank transfers or for sensitive information to be sent via email – W2-Forms of employees for instance. Many healthcare employees have been fooled by these scams.
Recent Phishing Attacks in Healthcare
Listed below are some of the recent examples of phishing attacks in healthcare. This is just a small selection of incidents that have resulted in healthcare records being exposed or stolen. The reality is that many data breaches start with a phishing email. Security awareness training company Cofense suggests that as many as 91% of data breaches have their root in a phishing campaign.
November 2017: 1,670 patients of Forrest General Hospital have their PHI exposed following a phishing attack on business associate HORNE.
October 2017: Henry Ford Health System discovers several email accounts were compromised as a result of employees responding to phishing emails. The PHI of 18,470 patients may have been stolen.
September 2017: Employees of UPMC Susquehanna responded to phishing emails with the attackers able to gain access to the PHI of 1,200 patients.
September 2017: A phishing attack on Wisconsin-based Network Health resulted in the PHI of approximately 51,000 patients being exposed.
August 2017: Chase Brexton Health Care in Maryland experienced a phishing attack that saw several email accounts compromised along with the PHI of 16,000 patients.
July 2017: The Medical College of Wisconsin experienced a phishing attack that allowed attackers to gain access to email accounts and the PHI of 9,500 patients.
July 2017: RiverMend Health employees responded to phishing emails and their accounts were accessed by the attackers. The PHI of 1,200 patients was potentially viewed or stolen.
June 2017: A phishing attack on Elderplan Inc., saw several email accounts compromised along with the PHI of 22,000 individuals.
June 2017: MJHS Home Care experienced a phishing attack that saw email access gained by an unauthorized individual. The compromised email accounts contained the PHI of 6,000 patients.
Staff Training and Anti-Phishing Technology
HIPAA does not specifically mention spam filters, but since phishing is used to target employees via email, spam filtering can be considered essential. By filtering out the majority of spam and malicious messages there is less potential for an employee to click on a malicious link or open a malware infected email attachment.
SpamTitan is a cloud-based anti-spam service that blocks more than 99.9% of spam emails from being delivered to inboxes and has a 0.03% false positive rate. Dual antivirus engines (Bitdefender/ClamAV) ensure malicious email attachments are blocked.
Healthcare employees are the last line of defense, so it is important for them to be able to recognize email threats and anti-phishing training is a requirement of HIPAA. In July 2017, OCR issued advice to healthcare organizations on anti-phishing training in its cybersecurity newsletter.
OCR also recommends using multi-factor authentication to ensure email accounts are not compromised when a password is guessed or stolen. Software and operating systems must be kept up to date and fully patched to prevent vulnerabilities from being exploited, and anti-virus and anti-malware solutions should be deployed to prevent infection. Regular backups can also prevent data loss in the event of a malware or ransomware infection.
Titan HQ has announced from March 5, 2018 all new customers signing up to use the SpamTitan cloud-based anti-spam service will benefit from leading antivirus and anti-malware protection from Bitdefender. All existing customers will similarly be protected by Bitdefender, although first they will need to upgrade to SpamTitan v7.00. v7.00 was released on March 5.
The primary AV engine used in previous versions of SpamTitan was provided by Kaspersky Lab, with ClamAV used as a secondary AV engine. SpamTitan v7.00 will also incorporate ClamAV as a secondary AV engine. Kaspersky AV will no longer be supported on SpamTitan suite of products from May 1, 2018.
The change to the new primary AV engine is due to a growing strategic relationship with Bitdefender. Further collaboration with the Romanian cybersecurity firm is planned for the future. Customers already using SpamTitan are encouraged to upgrade to the latest version of the product as soon as possible as several other updates have been incorporated into the latest version, including patches for recently discovered vulnerabilities in ClamAV.
These include the use-after-free vulnerability CVE-2017-12374; buffer overflow vulnerabilities CVE-2017-12375 and CVE-2017-12376; Mew Packet Heap Overflow vulnerability CVE-2017-12377; Buffer Overflow in messageAddArgument vulnerability CVE-2017-12379; and Null Dereference vulnerability CVE-2017-12380. TitanHQ has also included patches for openssl, openssh, php, and wget and updates have been included to resolve potential denial of service attacks.
Customers already on v6.x of the platform who have enabled prefetch of system updates will find the latest patches in the list of available updates on the System updates page. If this option is disabled, they should use the ‘Check for Updates Now’ option in the user interface.
Customers using SpamTitan v4 and v5 have been advised that support for both versions of SpamTitan will cease on May 1, 2018. An upgrade to version 7.00 will therefore be required before the deadline. It is important to note that the update process requires v4/5 to first be upgraded to v6 before installing SpamTitan v7.00. Upgrading to the new version will not change the existing configuration of the product.
Customers should allow 10-20 minutes for the installation of the new version and should read all product notes before installation.
This month Adobe patched a critical use-after-free vulnerability in Adobe Flash Player that affects Windows 10, Mac, Chrome, and Linux operating systems. If exploited, an attacker can gain full control of an unpatched device.
Adobe reports that an exploit for the vulnerability – tracked as CVE-2018-4878 – has been identified and is being used in attacks on Windows 10 devices.
At the time that the patch was issued, only a limited number of attacks had been detected. However, researchers at Morphisec report the vulnerability is now being exploited in a massive spam email campaign that is targeting users in the United Kingdom and United States. While the spam campaign was relatively short-lived, large quantities of emails were sent and further spam campaigns can be expected.
The emails include a shortlink which, if clicked, downloads a Word document from a recently registered domain. Opening the document sees a command prompt opened that is injected with Shellcode that connects to the attackers’ C2. Once a connection is made, a DLL file is downloaded and executed using regsvr32. According to Morphisec this bypasses whitelisting solutions. A SWF Flash file is then extracted which also had a low detection rate and the vulnerability is exploited.
What makes the attack particularly dangerous is the poor detection rate by AV solutions. In a recent blog post Morphisec said in its tests, only 1/67 AV firms on VirusTotal identified the email attachment as malicious.
The shortened goo.gl URLs used in the emails are difficult to detect as malicious and look similar to those used in legitimate email campaigns. The number of links being opened also corresponds with standard email campaigns, with high numbers of clickthroughs as the emails hit inboxes. The figures show that many email recipients have been fooled by the campaign.
This email campaign shows why it is so important for patches to be applied promptly, especially when there are active exploits for a vulnerability in the wild. This is just one campaign, and there are likely to be many conducted using the Flash exploit.
However, despite the risks from slow patching, many companies take weeks, months, or in some cases years before patches are applied, leaving them extremely vulnerable to attack.
A Colorado Department of Transportation ransomware attack on February 21, 2018 affected at least 21 computers preventing files from being accessed by employees. A prompt response to the ransomware attack limited the harm caused, although to prevent the spread of the ransomware more than 2,000 computers were shut down.
The attack has already caused considerable disruption, which is ongoing as the cleanup operation continues.
The DOT says it received a ransom demand which would need to be paid in order to obtain the keys to unlock encrypted files, but that the DOT has no intention of paying any money to the attackers. Instead the firm has called in an external cybersecurity firm (McAfee) to restore data on the affected workstations and ensure all devices are clean and protected from infection. All encrypted files will be recovered from backups.
Fortunately, the ransomware attack was limited to certain endpoints. Other computer systems that are used with surveillance cameras and traffic alerts were not affected.
The Colorado Department of Transportation ransomware attack is one of several high-profile attacks involving SamSam ransomware to have been reported this year. Hancock Health Hospital in Indiana was one notable victim. The hospital was issued with a ransom demand and paid the attackers for the keys to unlock the encryption, even though backups could have been used to recover files. A Bitcoin payment worth approximately $55,000 is believed to have been paid. The payment was believed to be considerably less than the cost of disruption while files were recovered from backups.
Another Indiana hospital – Adams Memorial Hospital was also attacked with a variant of SamSam ransomware, and Allscripts – an electronic health record provider – also suffered an attack that took down some of its web services.
SamSam ransomware first surfaced in 2015, and while some antivirus and antimalware solutions can detect the malware, the attackers continue to release new variants that are much better at evading detection.
Bleeping Computer reported on January 19 that one of the Bitcoin wallets used by the gang involved in SamSam ransomware campaign had already made approximately $300,000 from ransom payments, although that figure will almost certainly be higher since multiple Bitcoin wallets are believed to be used and the campaign is ongoing.
On February 15, Secureworks reported that the profits from the attacks had increased to at least $350,000, with the firm attributing the attacks to a hacking group called Gold Lowell.
It is unclear how the Colorado Department of Transportation ransomware attack occurred. Some sources report that the attack involved phishing emails, although Gold Lowell’s modus operandi is leveraging vulnerabilities in Remote Desktop Protocol (RDP) services.
With the campaign ongoing, all businesses should be alert to the threat from phishing and RDP attacks. Spam filters, such as TitanHQ’s cloud-based anti-spam service, are essential as is anti-phishing training for employees. If RDP is necessary, strong passwords should be set and controls implemented to reduce the potential for brute force attacks. Rate limiting on login attempts for example. It is also important to make sure that multiple data backups are performed to ensure files can be recovered in the event of an attack.
A new report has been released that shows there has been a massive rise in the global cost of cybercrime, highlighting the seriousness of the threat from hackers and scammers. 2017 global cybercrime costs exceeded $600 billion, according to the McAfee report. That represents a 20% increase since 2014, when the global cybercrime costs were calculated to be around $500 billion. The current global cybercrime costs equate to 0.8% of global GDP.
The report shows that in spite of increases in cybersecurity spending, hackers and scammers are still managing to breach organizations’ defenses and gain access to sensitive data, login credentials, corporate bank accounts, and intellectual property.
Accurately Determining the Global Cost of Cybercrime
Any calculation of global cybercrime costs involves some margin of error, as the figures cannot be totally based on reported losses by businesses. Many companies do not disclose details of data breaches, and even fewer publish information of the financial impact of cyberattacks. When details about financial losses are published, typically only a fraction of the losses are reported. In many cases the losses are not known until many years after the event. It is therefore difficult to obtain a true picture of the losses due to cybercrime because of the shortage of data.
To try to gain an accurate picture of the total cost of cybercrime, McAfee had to turn to the same modelling techniques used by government agencies to determine the costs of criminal activities such as drug trafficking, prostitution, maritime piracy, and organizational crime groups.
McAfee is not the only company to make these predictions. Compared to some reports the figures from McAfee seem quite conservative. The true cost could be considerably higher.
Factors Contributing to the Increase in Losses
McAfee reports that several factors have contributed to the large increase in cybercrime costs over the past few years. The growth in popularity of ransomware has played a part. Ransomware has proved to be a particularly plump cash cow, allowing cybercriminals to rake in millions by extorting companies. The anonymity of cryptocurrencies has helped these cybercriminal gangs obtain payments without detection, while the use of TOR has helped the gangs stay under the radar of law enforcement agencies.
Ransomware-as-a-service has also boosted profits for cybercriminals. The increase in the number of individuals conducting attacks has made it possible to increase the scale of operations and distribute the malicious code more effectively. State-sponsored hacks have also increased, including attacks aimed at sabotaging businesses and critical infrastructure as well as major heists that have seen millions of dollars stolen.
McAfee cites research showing around 300,000 new malware samples are now being identified on a daily basis, while data breaches are exposing a staggering 780,000 records a day.
Personal records can sell for big bucks on darknet forums; however, one of the biggest costs is the theft of intellectual property, which McAfee estimates has resulted in at least 25% of the annual losses to cybercrime. When patented processes are obtained, the benefits of millions in research and development is lost and companies can lose their competitive advantage.
One thing is clear from the report. With global cybercrime costs rising, and the sophistication and frequency of attacks increasing, companies have little alternative than to invest more in cybersecurity and develop more sophisticated defenses.
Cybercriminal gangs operating in Nigeria have been discovered to be using phishing kits in a highly sophisticated phishing campaign that has seen millions of dollars obtained from big businesses.
The scammers are regularly fooling employees into revealing their email login credentials – The first stage of the complex scam. The ultimate goal of the attackers is to gain access to corporate bank accounts and convince accounts department employees to make sizeable transfers to their accounts.
According to research conducted by IBM, these scams have been highly successful. Fortune 500 companies are being targeted and losses have been estimated to be of the order of several million dollars.
These scams take time to pull off and considerable effort is required on the part of the scammers. However, the potential rewards are worth the effort. Bank transfers of tens or hundreds of thousands of dollars can be made and business email accounts can be plundered.
A Sophisticated Multi-Stage Phishing Scam
In order to pull off the scam, the attackers must first gain access to at least one corporate email account. Access is gained using phishing emails, with social engineering tactics used to convince employees to click on a malicious link. Those links direct the email recipients to malicious DocuSign login pages where credentials are harvested. These malicious pages have been created on multiple websites.
According to IBM, the gang behind this campaign has created more than 100 of these pages, many of which have been loaded onto genuine websites that have been compromised by the attackers.
Once access to one email account is gained, it is easy to obtain email addresses from the contact list to fool other employees. When an email account is accessed, the attackers search the account for messages involving accounts and payments. The attackers then send emails carrying on conversations between staff members, inserting themselves into conversations and continuing active discussions.
“The attackers typically took a week between the point they gained initial access to a user’s email account and the time they started setting up the infrastructure to prepare a credible ruse,” said IBM’s X-Force researchers. “During this time, they likely conducted extensive research on the target’s organizational structure, specifically focusing on the finance department’s processes and vendors.”
By setting up email rules and filters, it is possible to block genuine conversations between the employees that could uncover the scam. By doing this, all conversations take place between a specific individual and the attacker.
This method of attack allows the attackers to gain access to banking credentials and send highly convincing emails requesting transfers to their accounts. Targeted employees are unlikely to be unaware that they are not emailing a legitimate contact.
This is a manual, labor-intensive scam involving no malware. That has the advantage of allowing the attackers to evade anti-malware technologies.
How to Protect Against These Sophisticated Email Scams
While these scams are complex, they start with a simple phishing email to gain access to a corporate email account. Once access to an email account has been gained, stopping the scam becomes much harder. The easiest time to prevent such an attack is at the initial stage, by preventing the phishing emails from reaching the inboxes of employees and training employees how to identify phishing emails.
That requires an advanced spam filtering solution that can identify the common signatures of spam and scam emails. By setting aggressive filtering policies, the vast majority of spam emails will be captured and quarantined. With the SpamTitan cloud-based anti-spam service, that equates to more than 99.9% of all spam and malicious emails. SpamTitan also has a particularly low false positive rate – less than 0.03% – ensuring genuine emails are still delivered.
No spam solution can be 100% effective, so it is also important to prepare the workforce and train staff how to identify malicious emails. Security awareness and anti-phishing training allows organizations to create a ‘human firewall’ to complement technical solutions.
Spear phishing – highly targeted email attacks – are harder to block, but it is possible to implement solutions to prevent scams such as this from resulting in credentials being obtained. In this campaign, links are sent in emails. By implementing a web filtering solution, those links can be blocked. In tandem with a spam filter, organizations with a security aware workforce will be well protected from phishing attacks.
Further, the use of two-factor authentication is an important security measure to implement. This will prevent attackers from using an unknown device to access an email account.
For further information on web filters and spam filters, and the benefits of installing them at your organization, contact the TitanHQ team today and take the first step toward improving your defenses against sophisticated phishing scams.
Saturn ransomware is a new threat recently identified by security researchers at MalwareHunterTeam. Saturn ransomware takes its name from the extension added to encrypted files (.saturn).
While it is easy to determine the ransomware variant used in an attack, this will be of little use to victims. There is currently no decryptor available to recover files.
A single infection can rapidly spread laterally, encrypting files on an infected device as well as network shares. Recovering files from backups may prove difficult. Saturn ransomware searches for and deletes shadow volume copies, clears the Windows backup catalog, and also disables Windows startup repair.
If no viable backup exists, the victim must pay a ransom payment in bitcoin of approximately $300 per infected device. If payment is not made within 7 days of infection, the ransom payment doubles.
As with many new ransomware variants, attacks can come from all angles. That is because the new ransomware variant is being offered to affiliates as ransomware-as-a-service.
Ransomware-as-a-service allows the malware developers to maximize the number of infections – and profits – by recruiting a large team of distributors to send spam emails, load the ransomware onto malicious websites, and install the malicious software by taking advantage of poor security defenses. In exchange for their efforts, affiliates are given a percentage of the ransom payments that are received.
The developers of Saturn ransomware have made it as easy as possible for affiliates. A portal has been developed that allows affiliates to obtain copies of the ransomware binaryeither embedded in exe files or Office, PDF files or other documents. To tempt individuals into using this ransomware variant instead of other RaaS offerings, the developers are offering a large percentage of the ransom payments to affiliates – 70%.
The ease of running campaigns together with the high potential rewards for infection means many affiliates are likely to start using the new ransomware variant in attacks. The new malware is already being offered on various darknet forums.
How to Block Saturn Ransomware Attacks
Spam email is the easiest way of spreading ransomware. Massive spam campaigns require little skill and there is no shortage of email addresses for sale on the dark web. We can therefore expect this new ransomware variant to be widely distributed over the coming weeks.
With spam email likely to be the main vector of attack, one of the best defenses to deploy to prevent infection is to use anti spam software such as SpamTitan. SpamTitan blocks more than 99.9% of spam email. With SpamTitan in place, emails can be blocked and will not reach end users inboxes.
However, no single defense can provide total protection from ransomware attacks. Layered defenses are required. Antivirus and antimalware solutions should be used, although signature and heuristics-based defenses will not provide total protection. Businesses should also use a technology that identifies changes to files to ensure that if infection occurs, rapid action can be taken to limit the spread of the ransomware.
Multiple copies of files should also be made to ensure that should the unthinkable happen, data will not be lost. Businesses should make at least three backups, stored on two different media, with at least one copy stored securely off-site. Good patch management policies are also required to prevent vulnerabilities from being leveraged to install the ransomware.
Technical defenses are essential, but don’t forget the human element. Ransomware spread via spam email requires some user interaction – the opening of an email attachment or the clicking of a link. Security awareness training and phishing email simulations are now a necessity to reduce user susceptibility to email-based attacks.
Every February, Valentine’s day email scams are to be expected and this year has been no different. On Monday, a massive new phishing campaign was launched. The Necurs botnet was used to deliver millions upon millions of dating, romance and Valentine’s themed emails.
Dating and Valentine’s Day Email Scams Pose Problems for Businesses
Dating scams increased significantly in January and continued in February. You have probably seen the emails already in one of your inboxes.
The emails appear to have been sent by Russian women desperate to find love. Unsolicited emails from attractive women complete with suggestive pictures and messages claiming the recipient is particularly attractive are certain to be spam, yet the emails are effective. The FBI’s figures indicate around $230 million is lost to these scams alone each year. In 2016, the FBI received around 15,000 complaints about financial losses as a result of dating and romance scams.
There were two major peaks in spam email volume between January 15 and 17 and January 29 and February 2 when around 35 million dating spam messages were delivered via the Necurs botnet. Over 230 million messages were sent in a two-week period in January. The aim of the campaign is to obtain credit card details, payments to cover flights to bring the women over to the US, but in many cases the purpose is to fool the email recipient into downloading malware.
Cybercriminals use all manner of tactics to entice users to click. Another effective technique, highlighted by security awareness training firms KnowBe4 and PhishMe, is the use of eCards, especially on Valentine’s Day. Links are sent that appear to be from legitimate eCard sites that require users to click the link to view a Valentine’s day card from a secret admirer. The purpose is to deliver malware.
Valentine’s day email scams this year also include messages alerting the recipient about the failed delivery of flowers from Interflora and email attachments claiming to be delivery receipts.
It is the likelihood of these emails being opened that makes defending against them a major headache for businesses. One single click is all it takes for malware to be installed, and since many malware variants can rapidly spread laterally, one click could be all it takes to compromise an entire network.
The Winter Olympics Scams Continue
This month has also seen plenty of Winter Olympics phishing campaigns conducted. Cybercriminals have been taking advantage of interest in the games to get their emails opened. Malicious links are used to direct users to websites that claim to have up to date news on the events, the competitors, fake news, and the results of events.
The reality is these links direct users to phishing websites, exploit kits, and sites where malware is silently downloaded. With workers unable to watch the sports live at work, these malicious emails stand a high chance of being opened.
With Valentine’s day and the Winter Olympics, February has been a busy month for scammers and with the Pyeongchang Winter Olympics still in full flow, businesses need to be on high alert.
Fortunately, there is one technology in particular that can help businesses counter these email-based threats. An advanced spam filtering solution: The most effective defense against email-based attacks. An advanced spam filter such as SpamTitan blocks more than 99.9% of spam emails, 100% of known malware, and ensures that phishing and other malicious emails do not reach inboxes.
To find out more about SpamTitan – the best spam filter for business use – contact the TitanHQ team today.
A new FedEx phishing scam has been detected that appears to be targeting universities and businesses. Spam emails with the subject line ‘FedEx Delivery Notification’ are sent to users that explain FedEx was unable to deliver a package. The email claims the package was over the allowable weight limit and did not qualify for free delivery.
The email recipients are informed that in order to collect the package, they must visit their local FedEx depot in person. The package will not be released unless the user presents a label to the dispatcher, which the user is required to print.
The sophisticated FedEx phishing scam involves no email attachments, only a link. However, the link does not appear to be a malicious site. The attackers are using Google Drive to distribute their malware.
This is an increasingly common tactic that abuses trust of Google. Since the website is genuine – drive.google.com – users are less likely to believe that they are being scammed. The hyperlink will direct the user to Google Drive and will trigger the download of a file called Lebal copy.exe. An executable file that if run, will install malware.
Many people know not to run executable files, although in this case the file is disguised as a PDF and has the PDF icon. If known file extensions are not configured to be displayed on the user’s computer – which is now common- they would not be aware that the file is not a PDF.
The latest scam was uncovered by researchers at Comodo, who identify the malware as a Trojan called TrojWare.Win32.Pony.IENG that steals cookies and credentials. It is capable of stealing information from FTP clients, attempts to obtain and access cryptocurrency wallets, and extracts a wide range of user data and transmits the information to its command and control server. The malware uses various tactics to avoid detection by anti-malware and anti-virus defences.
Universities and Businesses Fall for FedEx Phishing Scam
According to Comodo, so far there have been 23 businesses, several government employees, and five university employees that have fallen for the scam. Since those businesses were protected by anti-virus software that was able to block the malware they avoided infection, although many others will not be so fortunate.
Protecting against scams like this requires layered defenses and user vigilance. Spam filters should be used by businesses to detect and quarantine spam emails such as this. Links to Google Drive can be difficult to block, as Google Drive is a legitimate website. Antivirus and anti-malware defenses must therefore be in place to detect the malicious download.
Businesses should not forget the human element of the security chain. Security awareness training and phishing simulations can help users to detect a FedEx phishing scam such as this.
Netflix Users Targeted by Scammers
A new sophisticated Netflix scam has appeared in the past few days. The emails claim users will have their Netflix membership suspended due to a problem processing the most recent payment.
The email appears to have been sent from Netflix and includes all the appropriate branding, making the email look highly convincing. The subject line is ‘Suspension of your membership’.
The email says there was a problem validating the most recent payment, and a link is supplied in the email that requires the user to validate their payment and billing information.
Clicking the link directs the user to what appears to be the Netflix website where they are asked to go through a series of steps to validate their account. The validation process requires them to re-enter their payment card information. The failure to complete the step will result in the suspension of their Netflix account.
The website contains the correct branding and looks exactly like the legitimate site. The URL is different, but the website is HTTPS and has the green padlock. A casual glance at the URL may not reveal there is anything wrong with the site.
Spam filtering solutions such as SpamTitan can detect this type of scam, but users must exercise caution as not all phishing emails can be blocked.
Users should carefully check the URL of any site they visit to make sure it is legitimate before entering sensitive information. Links sent in emails should be checked by hovering the mouse arrow over the link to find out the true URL.
An email such as this should prompt the user to visit Netflix using their usual bookmark or by typing in the URL into their browser, rather than visiting any links in the email.
Phishing emails cost a North Carolina school district $314,000 to resolve and caused considerable disruption while the infection was removed.
The high cost of resolving the attack was due to a particularly nasty and difficult to remove malware variant called Emotet malware which had been installed on endpoints and servers after employees responded to phishing emails.
The Rockingham County School District was attacked in late November. Numerous employees of the school district received a phishing email in their inboxes which appeared to be an incorrect invoice from their anti-virus provider. The emails contained an attachment and asked users to open the file to confirm. Doing so triggered the infection process, that resulted in the Emotet virus being downloaded.
The purpose of the malware is to obtain banking credentials. To ensure the maximum number of credentials are stolen, the virus is able to spread to other users. It was the attempt to spread that saw the infection detected. Some employees of the school district discovered their Google email accounts had been disabled as a result of spamming, which prompted an investigation. Internet access through web browsers was also impacted, suggesting a widespread malware infection.
While a malware infection was confirmed, removing the virus was not an easy task. There is no anti-virus software program that can remove the virus and prevent infection. The school district was able to clean and reimage some infected devices, but they were subsequently reinfected.
Unable to resolve the malware infection internally, the school district was forced to bring in external security consultants. In total, approximately a dozen infected servers had to be rebuilt to remove the infection. The school district also had to cover the cost of reimaging 3,000 workstations. The recovery is expected to involve some 1,200 on-site hours by IT staff and the process is expected to take up to a month.
During that time, the school district has had limited access to computers and had to loan around 200 Windows devices for key personnel. In order to cover the cost of the phishing attack, the school district took $314,000 in funds from its coffers.
“We feel like the $314,000 will get us back to where we were before we had the virus,” said school district Superintendent Rodney Shotwell.
The high cost of the phishing attack and the disruption caused shows just how important it is to deploy an advanced anti spam software solution to prevent malicious emails from reaching inboxes, and the importance of providing security awareness training to all employees to help them identify potential phishing attacks.
What industries are the most susceptible to phishing scams? What industries must do more to prevent phishing attacks on their employees?
Recent research shows organizations that fail to implement technological defenses to block phishing emails and do not provide phishing awareness training to their employees are likely to suffer costly data breaches.
This year’s cost of a data breach study conducted by the Ponemon Institute suggests the average cost of mitigating a data breach is $3.62 million, while the FBI’s figures show that between 2013 and 2016, more than $1.6 billion was lost to phishing scams – Approximately $500 million a year. Phishing attacks on organizations have also been increasing year on year.
Unfortunately, while public awareness of the threat from phishing has improved considerably in recent years, an alarming number of employees continue to fall for phishing scams. A recent survey conducted by the phishing awareness training company Knowbe4 showed an astonishing 27% of employees clicked on a potentially malicious link or opened an email attachment sent via its phishing simulation tests. In some industry sectors, more than a third of employees failed the phishing simulations.
The Industries Most Susceptible to Phishing
Many studies produce questionable results due to a low sample size. However, the Knowbe4 study used data from 11,000 organizations and 6 million users. The results of the study therefore paint an accurate picture of just how susceptible employees are to phishing attacks.
Phishing simulations were run prior to the provision of security awareness training to obtain a baseline of the susceptibility of employees to phishing attacks. The results showed the industries most susceptible to phishing were insurance, manufacturing, retail, and non-profits. In the 1-249 employee category, 35.46% of insurance employees failed phishing tests, and 33.32% of employees failed the tests in the 250-999 employee category – The highest level of susceptibility of any industry sector in both categories.
Manufacturing was second worse in the 1-249 employee category with a failure rate of 33.21% followed by not-for-profits on 32.63%. In the 250-999 employee category, manufacturing (31.06) and business services (31.01%) were second and third.
The 1000+ employee category showed much reduced phishing susceptibility rates, ranging from business services on 19.40% to not-for-profits on 30.97%. Even the best performing industry sector saw almost 2 out of 10 employees fail phishing tests.
90 days after implementing a phishing awareness program, susceptibility to phishing was dramatically reduced. In the insurance sector, susceptibility rates fell from 35% and 33% in the small and medium sized business categories to 13% and 16%. A massive improvement. Overall, after a year – once phishing awareness training programs had matured – the overall susceptibility rates fell to a level of around 1% to 2%, with the highest percentages at the 5% level.
The survey shows just how important it is to provide ongoing training for the workforce to improve security awareness and the clear benefits of doing so.
It will never be possible to reduce phishing susceptibility to zero, therefore organizations should ensure that phishing emails are not delivered inboxes in the first place, and for that, an advanced anti spam software solution such as SpamTitan is required.
The exponential growth in the price of cryptocurrencies has been accompanied by similar growth in email campaigns spreading cryptocurrency mining malware. There has also been a big rise in new mining malware variants, with three new malware variants detected in the past week. Conservative estimates suggest one malware variant has already been installed on at least 15 million systems, although the true figure could well be closer to 30 million.
The data comes from the cybersecurity firm Palo Alto Networks, which performed an analysis of the URLs used in the campaign using Bitly telemetry. It is difficult to determine how many systems have been affected since Bitly is not the only URL shortening service being used in the campaign. AdFly is also in use, which suggests the number of infected systems could well be twice as high.
The malicious links for this campaign are being sent in spam email. Clicking the links will direct the user to a malicious website containing executable files that install the Monero mining application XMRig using VBS scripts. The popularity of Monero mining is due to the lower processor demands than cryptocurrencies such as Bitcoin. Monero mining can take place on less powerful computers such as those typically at home. In addition to spam email campaigns, the malicious executable files are being loaded to popular file sharing websites
Cryptocurrency mining malware does not pose such a big threat to organizations as other forms of malware and ransomware, but there are implications for businesses. The malware does require a considerable amount of processing power, so there will be an impact on performance on infected machines. Infection will see applications slow considerably, and that will have an impact on productivity.
Campaigns are also being conducted that target businesses. The aim is to installing cryptocurrency mining malware on business servers. These attacks are not email-based, instead vulnerabilities are identified and exploited to install the malware, with Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) vulnerabilities commonly exploited.
Preventing Infection with Cryptocurrency Mining Malware
Businesses can prevent cryptocurrency mining malware from being installed on their servers by ensuring all applications are patched and kept up to date. The patch to fix the Apache Struts vulnerability was released in September 2017, yet many businesses have not applied the patch. The DNN vulnerability has also been patched.
The risk of infections on employee and home computers requires antivirus and antimalware software and an advanced spam filter to prevent malicious messages from reaching inboxes. Businesses should also be training their staff how to recognize malicious emails. Training programs and phishing email simulations have been shown to help reduce susceptibility to email-based attacks by up to 95%.
The past few months have also seen a rise in cryptocurrency mining malware infections via unsecured WiFi networks, with cybercriminals performing man-in-the-middle attacks that hack the WiFi sessions of any user connected to one of the rogue WiFi access points. Unsecured public WiFi hotspots should be avoided, or VPNs used.
Tax season is open season for cybercriminals and phishers, who increase their efforts to obtain personal information and Social Security numbers in the run up to – and during – tax season. Until April, we can expect many W2 phishing attacks. Make sure you are prepared and do not fall for a scam.
Anatomy of a W2 Phishing Attack
The most common method of stealing the information needed to file fraudulent tax returns is phishing. Phishing emails are sent in the millions to individuals in an effort to obtain their sensitive information. Individuals must be on high alert for malicious emails during tax season, but it is businesses that are most likely to be targeted.
Payroll employees have access to the W2 forms of the entire workforce. If a single worker can be convinced to email the data, the attacker can file thousands of fraudulent tax returns in the names of employees.
The way cybercriminals get payroll staff to part with sensitive data is by impersonating the CEO or CFO in what is referred to as a Business Email Compromise Scam – otherwise known as a BEC attack or CEO fraud.
The most successful attacks require access to the CEO or CFO’s email account to be gained. That means the CEO or CFO must first be targeted with a spear phishing email and lured into parting with his/her login credentials. Once access to the email account is gained, the impostor can craft an email and send it to a select group of individuals in the company: Payroll and accounts department employees.
The company is researched, individuals likely to have access to W2 forms are identified, and emails are sent. A request is made to attach the W2 forms of all employees who worked for the company in the past year, or for a specific group of employees. A series of emails may be sent, rather than asking for the information straight away.
Since the attacker has access to the CEO’s or CFO’s email account, they can delete sent emails and replies before they are seen by the account holder.
An alternative way of conducting BEC attacks is to spoof an email address. The CFO or CEO is identified from social media sites or LinkedIn, the email address is obtained or guessed based on the format used by the company, and the email is made to appear as if it has come from that email account. An alternative is for the attacker to purchase a similar domain to that used by the company, with two transposed letters for instance. Enough to fool an inattentive worker.
Oftentimes, W2 phishing attacks are not detected until days or weeks after the W2 forms have been sent, by which times IRS tax refund checks have been received and cashed.
How to Defend Against W2 Phishing Attacks
There are several methods that can be used to block W2 phishing attacks. A software or cloud-based anti-spam service should be used to block attacks that come from outside the company. Configured correctly, the spam filter should block spoofed emails and emails sent from similar domains to that used by the company. However, a spam filter will not block emails that come from the CFO or CEOs account.
Multi-factor authentication should be set up on all email accounts to help prevent the first phish that gives the attacker access to a C-suite email address. W2 phishing attacks using spoofed email addresses are much easier to identify and block.
It is therefore important to raise awareness of the threat of W2 phishing attacks with accounts and payroll staff, and anyone else with access to W2 forms. Training can greatly reduce susceptibility to W2 phishing attacks. Training should also be provided to the C-suite, not just employees.
The number of staff who have access to W2 forms should be restricted as far as is possible. Policies should also be introduced that require any request for W2 data to be verified. At a minimum, a request for the data should be checked by a supervisor. Ideally, the request should be confirmed face to face with the sender of the email, or with a quick phone call. The scammers rely on this check not taking place.
The insurance, telecoms, and financial service sectors are being targeted by malicious actors spreading Zyklon malware. A large-scale spam email campaign has been detected that leverages three separate Microsoft Office vulnerabilities to download the malicious payload.
Zyklon malware is not a new threat. The malware variant was first detected at the start of 2016, but it stopped being detected soon after and was not extensively used until the start of 2017.
Zyklon malware is a backdoor with a wide range of malicious functions. The malware acts as a password harvester, keylogger, and data scraper, obtaining sensitive information and stealing credentials for further attacks. The malware can also be used to conduct DoS attacks and mine cryptocurrency.
The latest variant of Zyklon malware can download and run various plugins and additional malware variants. It can identify, decrypt, and steal serial keys and license numbers from more than 200 software packages and can also hijack Bitcoin addresses. All told, this is a powerful and particularly nasty and damaging malware variant that is best avoided.
While the latest campaign uses spam email, the malware is not included as an attachment. A zip file is attached to the email that contains a Word document. If the document is extracted, opened, and the embedded OLE object executed, it will trigger the download of a PowerShell script, using one of three Microsoft Office vulnerabilities.
The first vulnerability is CVE-2017-8759: A Microsoft NET vulnerability that was patched by Microsoft in October.
The second ‘vulnerability’ is Dynamic Data Exchange (DDE) – a protocol part of Office that allows data to be shared through shared memory. This protocol is leveraged to deliver a dropper that will download the malware payload. This vulnerability has not been patched, although Microsoft has released guidance on how to disable the feature to prevent exploitation by hackers.
The third vulnerability is far older. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor that has been around for 17 years. The flaw was only recently identified and patched by Microsoft in November.
The second stage of infection – The PowerShell script – serves as a dropper for the Zyklon malware payload.
According to the FireEye researchers who identified the campaign, the malware can remain undetected by hiding communications with its C2 using the Tor network. “The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.”
Campaigns such as this highlight the importance of applying patches promptly. Two of the vulnerabilities were patched in the fall of 2017, yet many organizations have yet to apply the patches and remain vulnerable. If patches are not applied, it will only be a matter of time before vulnerabilities are exploited.
FireEye researchers have warned that while the campaign is currently only targeting three industry sectors, it is probable that the campaign will be widened to target other industry sectors in the near future.
The advice is to implement an advanced cloud-based anti-spam service such as SpamTitan to identify and quarantine malicious emails, and ensure that operating systems and software is kept up to date.