Spam Software

Spam software is a network security 101 basic protection that should be in place at every organization. Spam software filters out productivity-draining spam messages and prevents phishing emails and other email-based threats from being delivered to employees’ inboxes.

Research conducted by the intelligence software and anti-phishing training company PhishMe shows that 91% of cyberattacks start with a phishing email. Phishing emails aim to get the recipient to divulge sensitive information such as bank account information or login credentials. However, over the course of the past 12 months, cybercriminals have increasing used spam email to distribute ransomware. In Q3, 2016, PhishMe reported that 97% of phishing emails were being used to deliver ransomware or ransomware downloaders. Spam email is now the number one vector used to deliver malware and ransomware.

Spam email campaigns are also becoming more sophisticated and it is becoming much harder to distinguish spam from genuine emails. Many of the latest campaigns contain no spelling mistakes, are grammatically correct and use imagery from well-known brands with smart, professional layouts.

Cybercriminals are also using social engineering techniques to fool end users into clicking malicious links and opening infected email attachments. Without spam software to quarantine those emails, they will be delivered to inboxes and employees are likely to be fooled into taking the requested actions.

Fortunately, advanced spam solutions can now filter out more than 99% of spam emails, with SpamTitan preventing more than 99.9% of spam emails from being delivered. This category contains up to date information on spam software, new threats that are now blocked and advice for organizations on improving defenses against email threats.

Irish Phishing Study Shows Millennials’ Confidence in Security Awareness is Misplaced

According to a recent Irish phishing study, as many as 185,000 office workers in the country have fallen victim to phishing scams.

Phishing is a method used by cybercriminals to obtain sensitive information such as login credentials, financial information, and other sensitive data. While phishing can take place over the phone, via messaging platforms or by text message, email is most commonly used.

Messages are sent in bulk in the hope that some individuals will respond, or campaigns can be much more targeted. The latter is referred to as spear phishing. With spear phishing attacks, cybercriminals often research their victims and tailor messages to maximize the probability of them eliciting a response.

A successful phishing attack on employees can see them disclose their email credentials which allows their accounts to be accessed. Then the attackers can search emails accounts for sensitive information or use the accounts to conduct further phishing attacks on other employees. When financial information is disclosed, business bank accounts can be emptied.

Businesses can suffer major financial losses as a result of employees responding to phishing emails, the reputation of the business can be damaged, customers can be lost, and there is also a risk of major regulatory fines.

Irish Phishing Study Findings

The Irish phishing study was conducted on 500 Irish office workers by the survey consultancy firm Censuswide. Respondents to the Irish phishing study were asked questions about phishing, whether they had fallen for a phishing scam in the past, and how they rated their ability to identify phishing attacks.

In line with findings from surveys conducted in other countries, 14% of respondents said they had been a victim of a phishing attack. There were also marked differences between different age groups.  Censuswide analyzed three age groups: Millennials, Gen X, and baby boomers. The latter two age groups were fairly resistant to phishing attempts. Gen X were the most phishing-savvy, with just 6% of respondents in the age group admitting to having been fooled by phishing emails in the past, closely followed by the baby boomer generation on 7%. However, 17% of millennials admitted having fallen for a phishing scam – The generation that should, in theory, be the most tech-savvy.

Interestingly, millennials were also the most confident in their ability to recognize phishing attempts. 14% of millennials said they would not be certain that they could detect fraud, compared to 17% of Gen X, and 26% of baby boomers.

It is easy to be confident about one’s ability to spot standard phishing attempts, but phishing attacks are becoming much more sophisticated and very realistic. Complacency can be very dangerous.

Phishing Protection for Businesses

The results of the Irish phishing study make it clear that businesses need to do more to protect themselves from phishing attacks. Naturally, an advanced spam filtering solution is required to ensure that employees do not have their phishing email identification skills put to the test constantly. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails, thus reducing reliance on employees’ ability to identify scam emails.

The Irish phishing study also highlights the importance of providing security awareness training to employees. The study revealed 44% of the over 54 age group had opened an attachment or clicked on a link in an email from an unknown sender, as had 34% of millennials and 26% of the Gen X age group. Alarmingly, one in five respondents said that their employer had not provided any security awareness training whatsoever.

Employees need to learn how to identify scams, so security awareness training must be provided. Since cybercriminals’ tactics are constantly evolving, training needs to be continuous. Annual or biannual training sessions should be provided, along with shorter refresher training sessions. Businesses should also consider conducting phishing email simulations to test resilience to phishing attacks and highlight weak links.

To be effective, anti-phishing training needs to be provided to all employees and requires buy-in from all departments. Unless that happens, it will be difficult to develop a culture of security awareness.

How to Improve Office 365 Security

In this post we offer four simple steps to take to improve Office 365 security and make it harder for hackers and phishers to gain access to users’ accounts.

Hackers are Targeting Office 365 Accounts

It should come as no surprise to hear that hackers are targeting Office 365 accounts. Any software package that has 155 million global users is going to be a target for hackers, and with the number of users growing by an astonishing 3 million a month, Office 365 accounts are likely to be attacked even more frequently.

One study this year has confirmed that to be the case. There has been a 13% increase in attempts to hack into Office 365 email accounts this year, and many of those attacks succeed. You should therefore take steps to improve Office 365 security.

Hackers themselves are paying for Office 365 and are probing its security protections to find vulnerabilities that can be exploited. They also test their phishing emails on real office 365 accounts to find out which ones bypass Microsoft’s anti-phishing protections.

When emails have been developed that bypass Microsoft’s anti-phishing protections, mass email campaigns are launched on Office 365 users. Businesses using Office 365 can easily be found and targeted because it is made clear that they use Office 365 through public DNS MX records.

So how can you improve office 365 security and make it harder for hackers? If you take the four steps below, you will be able to greatly improve Office 365 security and thwart more attacks.

Enforce the Use of Strong Passwords

Hackers often conduct brute force attacks on Office 365 email accounts so you need to develop a strong password policy and prevent users from setting passwords that are easy to brute force. You should not allow dictionary words or any commonly used weak passwords, that otherwise meet your password policy requirements – Password1! for instance.

The minimum length for a password should be 8 characters but consider increasing that minimum. A password of between 12 and 15 characters is recommended. Make sure you do not set a too restrictive maximum number of characters to encourage the use of longer passphrases. Passphrases are harder to crack than 8-digit passwords and easier for users to remember. To make it even easier for your users, consider using a password manager.

Implement Multi-Factor Authentication

Even with strong passwords, some users’ passwords may be guessed, or users may respond to phishing emails and disclose their password to a scammer. An additional login control is therefore required to prevent compromised passwords from being used to access Office 365 accounts.

Multi-factor authentication is not infallible, but it will help you improve Office 365 security. With MFA, in addition to a password, another method of authentication is required such as a token or a code sent to a mobile phone. If a password is obtained by a hacker, and an attempt is made to login from a new location or device, further authentication will be required to access the account.

Enable Mailbox Auditing in Office 365

Mailbox auditing in Office 365 is not turned on by default so it needs to be enabled. You can set various parameters for logging activity including successful login attempts and various mailbox activities. This can help you identify whether a mailbox has been compromised. You can also logs failed login attempts to help you identify when you are being attacked.

Improve Office 365 Security with a Third-Party Spam Filter

As previously mentioned, hackers can test their phishing emails to find out if they bypass Office 365 anti-phishing controls and your organization can be identified as using Office 365. To improve Office 365 security and reduce the number of phishing emails that are delivered to end users’ inboxes, consider implementing a third-party spam filter rather than relying on Microsoft’s anti-phishing controls. Dedicated email security vendors, such as TitanHQ, offer more effective and more flexible anti-spam and anti-phishing solutions than Microsoft Advanced Threat Protection at a lower cost.

Office 365 Spam Filtering Controls Failed to Prevent Costly Malware Infection

A U.S. school system had Office 365 spam filtering controls in place and other cybersecurity solutions installed, but still experienced a costly 6-week malware infection. In this post we explore what went wrong and how you can improve security in your organization.

Multi-Layered Defenses Breached

If you want to mount a solid defense and prevent hackers from gaining access to your networks and data, multi-layered cybersecurity defenses are required, but for one Georgia school district that was not enough. On paper, their defenses looked sound. Office 365 spam filtering controls had been applied to protect the email system, the school district had a firewall appliance protecting the network, and a web filter had been installed to control what users could do online. Endpoint security had also been installed.

The school district was also updating its desktops to Windows 10 and its servers to Windows Server 2012 or later. Everything looked nice and secure.

However, the transportation department delayed the upgrades. The department was still sharing files on a local Windows 2003 server and some of the desktops were still running Windows XP, even though support for the OS had long since ended. The outdated software and lack of patching was exploited by the attackers.

How Was the Malware Installed?

The investigation has not yet determined exactly how the attack was initiated, but it is believed that it all started with an email. As a result of the actions of an end user, a chain of events was triggered that resulted in a 6-week struggle to mitigate the attack, the cost of which – in terms of time and resources – was considerable.

The attack is believed to have started on a Windows XP machine with SMBv1 enabled. That device had drives mapped to the Windows 2003 server. The malware that was installed was the Emotet Trojan, which used the EternalBlue exploit to spread across the network to other vulnerable devices. The attackers were able to gain control of those devices and installed cryptocurrency mining malware.

The cryptocurrency mining slowed the devices to such an extent that they were virtually unusable, causing many to continually crash and reboot. The network also slowed to a snail’s pace due to the streams of malicious traffic. While the upgraded Windows 10 machines were not affected initially, the attackers subsequently downloaded keyloggers onto the compromised devices and obtained the credentials of an IT support technician who had domain administration rights. The attackers then used those privileges to disable Windows Defender updates on desktops, servers, and domain controllers.

Over the course of a week, further Trojan modules were downloaded by creating scheduled tasks using the credentials of the IT support worker. A spam module was used to send malicious messages throughout the school district and several email accounts were compromised as a result and had malware downloaded. Other devices were infected through network shares. The TrickBot banking Trojan was downloaded and was used to attack the systems used by the finance department, although that Trojan was detected and blocked.

Remediation Took 6 Weeks

Remediating the attack was complicated. First the IT department disabled SMBv1 on all devices as it was not known what devices were vulnerable. Via a Windows Group Policy, the IT team then blocked the creation of scheduled tasks. Every device on the network had Windows Defender updates downloaded manually, and via autoruns for Windows, all processes and files run by the Trojan were deleted. The whole process of identifying, containing, and disabling the malware took 6 weeks.

The attack was made possible through an attack on a single user, although it was the continued use of unsupported operating systems and software that made the malware attack so severe.

The attack shows why it is crucial to ensure that IT best practices are followed and why patching is so important. For that to happen, the IT department needs to have a complete inventory of all devices and needs to make sure that each one is updated.

While Microsoft released a patch to correct the flaw in SMBv1 that was exploited through EternalBlue, the vulnerable Windows XP devices were not updated, even though Microsoft had released an update for the unsupported operating system in the spring of 2017.

Additional Protection is Required for Office 365 Inboxes

The attack also shows how the actions of a single user can have grave repercussions. By blocking malicious emails at source, attacks such as this will be much harder to pull off. While Office 365 spam filtering controls block many email-based threats, even with Microsoft’s Advanced Threat Protection many emails slip through and are delivered to inboxes.

Hackers can also see whether Office 365 is being used as it is broadcast through DNS MX records, which allows them to target Office 365 users and launch attacks.

Due to the additional cost of APT, the lack of flexibility, and the volume of malicious emails that are still delivered to inboxes, many businesses have chosen to implement a more powerful spam filtering solution on top of Office 365.

One such solution that has been developed to work seamlessly with Office 365 to improve protection against email threats is SpamTitan.

You can find out more about how SpamTitan improves protection for Office 365 in this article – Protecting Office 365 from Attack.

Sextortion Scams Now Combine Threat of Exposure with Multiple Malware Infections

Sextortion scams have proven popular with cybercriminals this year. A well written email and an email list are all that is required. The latter can easily be purchased for next to nothing via darknet marketplaces and hacking forums. Next to no technical skill is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are effective.

Many sextortion scams use the tried and tested technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made. Some of the recent sextortion scams have added credibility by claiming to have users’ passwords. However, new sextortion scams have been detected in the past few days that are using a different tactic to get users to pay up.

The email template used in this scam is similar to other recent sextortion scams. The scammers claim to have a video of the victim viewing adult content. The footage was recorded through the victim’s webcam and has been spliced with screenshots of the content that was being viewed at the time.

In the new campaign the email contains the user’s email account in the body of the email, a password (Most likely an old password compromised in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see exactly what will soon be distributed via email and social media networks.

Clicking the link in the video will trigger the downloading of a zip file. The compressed file contains a document including the text of the email along with the supposed video file. That video file is actually an information stealer – The Azorult Trojan.

This form of the scam is even more likely to work than past campaigns. Many individuals who receive a sextortion scam email will see it for what it really is: A mass email containing an empty threat. However, the inclusion of a link to download a video is likely to see many individuals download the file to find out if the threat is real.

If the zip file is opened and the Azorult Trojan executed, it will silently collect information from the user’s computer – Similar information to what the attacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank credentials.

However, it doesn’t end there. The Azorult Trojan will also download a secondary payload: GandCrab ransomware. Once information has been collected, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up and not also encrypted by the ransomware. Aside from permanent file loss, the only other alternative will be to pay a sizeable ransom for the key to decrypt the files.

If the email was sent to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. Since a record of the original email will have been extracted on the device, the reason why the malware was installed will be made clear to the IT department.

The key to not being scammed is to ignore any threats sent via email and never click links in the emails nor open email attachments.

Businesses can counter the threat by using cybersecurity solutions such as spam filters and web filters. The former prevents the emails from being delivered while the latter blocks access to sites that host malware.

Warning About Uptick in Holiday Season Gift Card Scams

The search for Christmas gifts can be a difficult process. All too often that search proves to be unfruitful and consumers opt to buy gift cards instead. At least with a gift card you can be sure that your friends and family members will be able to buy a gift that they want; however, beware of holiday season gift card scams. Many threat actors are using gift cards as the lure to fool end users into installing malware or parting with sensitive information.

Holiday Season Sees Marked Increase Gift Card Phishing Scams

Holiday season gift card scams are commonplace, and this year is no exception. Many gift card-themed scams were detected over Thanksgiving weekend that offered free or cheap gift cards to lure online shoppers into parting with their credit card details.

Everyone loves a bargain and the offer of something for nothing may be too hard to resist. Many people fall for these scams which is why threat actors switch to gift card scams around this time of year.

Consumers can be convinced to part with credit card details, but businesses too are at risk. Many of these campaigns are conducted to gain access to login credentials or are used to install malware. If an end user responds to such a scam while at work, it is their employer that will likely pay the price.

This year has seen many businesses targeted with gift card scams. Figures from Proofpoint suggest that out of the organizations that have been targeted with email fraud attacks, almost 16% had experienced a gif card-themed attack: Up from 11% in Q2, 2018.

This year has also seen an increase in business email compromise (BEC) style tactics, with emails appearing to have been sent from within a company. The emails claim to have been sent from the CEO (or another executive) requesting accounts and administration staff purchase gift cards for clients or ask for gift cards be purchased to be used for charitable donations.

To reduce the risk from gift card scams and other holiday-themed phishing emails, businesses need to ensure they have powerful spam filtering technology in place to block the emails at source and prevent them from being delivered to inboxes.

Advanced Anti-Phishing protection for Office 365

Many businesses use Office 365, but even Microsoft’s anti-phishing protections see many phishing emails slip through the net, especially at businesses that have not paid extra for advanced phishing protection. Even with the advanced anti-phishing controls, emails still make it past Microsoft’s filters.

To block these malicious messages, an advanced third-party spam filter is required. SpamTitan has been developed to work seamlessly with Office 365 to improved protection against malware, phishing emails, and more sophisticated phishing attacks.

SpamTitan blocks more than 99.9% of spam email, while dual anti-virus engines block 100% of known malware. What really sets SpamTitan in a different class is the level of protection it offers against new threats. A combination of Bayesian analysis, greylisting, machine learning, and heuristics help to identify zero-day attacks, which often slip past Office 365 defenses.

If you want to improve protection from email-based attacks and reduce the volume of spam and malicious messages that are being delivered to Office 365 inboxes, give TitanHQ a call today and book a product demonstration to see SpamTitan in action. You can sign up for a free trial of SpamTitan to test the solution in your own environment and see for yourself the difference it makes.

Phishing Attacks on Retailers and Food Industry Install Remote Access Trojans

There has been an increase in phishing attacks on retailers, supermarket chains, and restaurants in recent weeks. The aim of the phishing attacks is to deliver remote access Trojans and remote manipulator software to gain persistent access to computers and, ultimately, obtain banking credentials and sensitive customer data on POS systems.

Several new campaigns have been detected in recent weeks targeting retail and food sector companies, both of which are well into the busiest time of the year. With employees working hard, it is likely that less care will be taken opening emails which gives cybercriminals an opportunity.

PUB Files Used in Phishing Attacks on Retailers

Over the past few weeks, security researchers have noted an uptick in phishing attacks on retailers, with one threat group switching to using.pub files to install malware. Many phishing attacks use Word documents containing malicious macros. The use of macros with .pub files is relatively uncommon. The change to this new attachment type may fool employees, as they will be less likely to associate these files with cyberattacks.

Social engineering techniques are used to fool end users into opening the files, with the .pub files masquerading as invoices. Many emails have been intercepted that appear to have been sent from within a company, which helps to make the files appear genuine.

If opened, the .pub files, via malicious macros, run Microsoft Installer (MSI) files that deliver a remote access Trojan. Since these installers will most likely be familiar to end users, they may not realize the installers are malicious. Further, the MSI files are time delayed so they do not run immediately when the .pub files are opened, increasing the probability that the RAT downloads will go unnoticed.

The TA505 threat group is using this tactic to install the FlawedAmmy remote access Trojan and other malicious payloads such as Remote Manipulator System (RMS) clients.

The phishing emails used to deliver these malicious files are targeted and tailored to a specific business to increase the likelihood of success. These targeted spear phishing attacks are now becoming the norm, as threat actors move away from the spray and pray tactics of old.

Cape Cod Community College Phishing Attack Results in Theft of More Than $800,000

Phishing attacks on retailers have increased, but other industries are also at risk. Educational institutions are also prime targets, as has been highlighted by a recent phishing attack on Cape Cod Community College.

The Cape Cod Community College phishing attack involved sophisticated messages that delivered malware capable of evading the college’s anti-virus software. The malware was used to obtain the banking credentials of the college, and once those credentials had been obtained, the hackers proceeded to make fraudulent transfers and empty bank accounts. Transfers totaling $807,130 were made, and so far, the college and its bank have only been able to recover $278,887.

All too often, fraudulent transfers are not detected quickly enough to recover any funds. Once the transfers have cleared the attacker-controlled bank accounts are emptied, after which the probability of recovering funds falls to near zero.

Defense in Depth the Key to Phishing Protection

Email is the primary vector used to phish for sensitive information and deliver malware to businesses. Regardless of whether businesses use local email systems or cloud-based email services such as Office 365, advanced spam filtering controls are required to block threats. For instance, SpamTitan blocks more than 99.9% of spam email and 100% of known malware. SpamTitan also uses heuristics, machine learning, and Bayesian analysis to identify previously unseen threats – One of the areas of weakness of Office 365’s anti-phishing defenses.

Network segmentation is also essential. Critical services must be separated to ensure that the installation of malware or ransomware on one device will not allow the attackers to gain access to the entire network. This is especially important for retailers and other businesses with POS systems. Network segmentation will help to keep POS systems and the financial data of customers secure.

Advanced endpoint protection solutions offer far greater protection than standard antivirus solutions and are less reliant on malware signatures. Standard AV solutions will only block known malware. With standard AV solutions, new malware variants can easily slip through the net.

End user security awareness training should be mandatory for all employees and training needs to be a continuous process. A once a year training session is no longer sufficient. Regular training throughout the year is required to ensure employees are made aware of the latest threats and tactics being used to gain access to login credentials and install malware.

For further information on improving email security to improve protection against phishing attacks, contact the TitanHQ team today.

Thanksgiving Themed Spam Emails Used to Spread Emotet Malware

There has been an increase in malspam campaigns spreading Emotet malware in recent weeks, with several new campaigns launched that spoof financial institutions – the modus operandi of the threat group behind the campaigns.

The Emotet malware campaigns use Word documents containing malicious macros. If macros are enabled, the Emotet malware payload is downloaded. The Word documents are either sent as email attachments or the spam emails contain hyperlinks which direct users to a website where the Word document is downloaded.

Various social engineering tricks have been used in these campaigns. One new tactic that was identified by Cofense is the wrapping of malicious hyperlinks in Proofpoint’s (PFPT) TAP URL Defense wrapping service to make the email appear benign.

According to Cofense, the campaign delivers Emotet malware, although Emotet in turn downloads a secondary payload. In past campaigns, Emotet has been delivered along with ransomware. First, Emotet steals credentials, then the ransomware is used to extort money from victims. In the latest campaign, the secondary malware is the banking Trojan named IcedID.

A further campaign has been detected that uses Thanksgiving themed spam emails. The messages appear to be Thanksgiving greetings for employees, and similarly contain a malicious hyperlink or document. The messages claim the document is a Thanksgiving card or greeting. Many of the emails have been personalized to aid the deception and include the user’s name. In this campaign, while the document downloaded appears to be a Word file, it is actually an XML file.

Emotet malware has been updated recently. In addition to stealing credentials, a new module has been added that harvests emails from an infected user. The previous 6 months’ emails – which include subjects, senders, and message content – are stolen. This new module is believed to have been added to improve the effectiveness of future phishing campaigns, for corporate espionage, and data theft.

The recent increase in Emotet malware campaigns, and the highly varied tactics used by the threat actors behind these campaigns, highlight the importance of adopting a defense in depth strategy to block phishing emails. Organizations should not rely on one cybersecurity solution to provide protection against email attacks.

Phishing campaigns target a weak link in security defenses: Employees. It is therefore important to ensure that all employees with corporate email accounts are taught how to recognize phishing threats. Training needs to be ongoing and should cover the latest tactics used by cybercriminals to spread malware and steal credentials. Employees are the last line of defense. Through security awareness training, the defensive line can be significantly strengthened.

As a frontline defense, all businesses and organizations should deploy an advanced spam filtering solution. While Office 365 email includes a basic level of protection against phishing attacks, a powerful third-party anti-phishing and spam filtering solution is required to provide protection against more sophisticated email attacks.

SpamTitan is an advanced email filtering solution that uses predictive techniques to provide superior protection against phishing attacks, zero-day attacks, and new malware variants that bypass signature-based defenses.

In addition to scanning message content, headers, attachments, and hyperlinks for spam and malware signatures, SpamTitan uses heuristics, machine learning, and Bayesian analysis to identify emerging threats. Greylisting is used to identify and block large scale spam campaigns, such as those typically conducted by the threat actors spreading banking Trojans and Emotet malware.

How SpamTitan Spam Filtering Works

How SpamTitan Protects Businesses from Email Threats

A web filter – such as WebTitan – adds an additional layer of protection against web-based attacks by preventing end users from visiting malicious websites where malware is downloaded. A web filter assesses all attempts to access web content, checks sites against blacklists, assesses the domain, scans web content, and blocks access to sites that violate its policies.

For further information on how you can improve your defenses against web-based and email-based attacks and block malware, ransomware, botnets, viruses, phishing, and spear phishing attacks, contact TitanHQ today.

How to Improve the Office 365 Spam Filter

Office 365 has many benefits, so it is no surprise that it is proving so popular with businesses, but one common complaint is the number of spam and malicious emails that sneak past Microsoft’s defenses. If you have a problem with spam and phishing emails, there is an easy solution to improve the Office 365 spam filter.

Office 365 Email Protection

More than 135 million commercial users are now on Office 365. Unfortunately, the popularity of Office 365 has made it a target for hackers. Microsoft has been proactively taking steps to improve the Office 365 spam filter to make it more effective at blocking spam and phishing attempts. Office 365 phishing protections have been improved and more malicious emails are now being blocked; however, even with the recent anti-phish enhancements, many businesses still have to deal with spam, phishing emails, and other malicious messages.

Businesses using Office 365 as a hosted email solution are likely to have their email filtered using Exchange Online protection or EOP. EOP does provide a decent level of protection and blocks spam, phishing emails, and malware. Osterman Research confirmed that EOP eliminates 100% of known malware and blocks 99% of spam email but struggles with the last 1%. Many businesses have found that EOP blocks basic phishing attacks but comes up short at blocking more advanced email threats such as spear phishing and advanced persistent threats.

To improve the Office 365 spam filter, it is necessary to upgrade to Advanced Threat Protection, the second level of protection offered with Office 365. The level of protection is much better, although Advanced Threat Protection cannot identify zero-day threats and falls short of many third-party solutions on blocking other advanced threats. A SE Labs study in the summer of 2017 found that even with the additional level of protection, which is only available in the Office 365 E5 license tier, protection only ranked in the low-middle of the market.

The number of cases of hackers exploiting vulnerabilities in Office 365 and the volume of direct attacks on Office 365 users has seen an increasing number of businesses looking for a way to improve the Office 365 spam filter further.

An Easy Way to Improve the Office 365 Spam Filter

Businesses that want to further improve the Office 365 spam filter (and those looking for an Office 365 Advanced Threat Protection alternative) need to consider implementing a third-party anti-spam solution.

Fortunately, there is a solution that will not only improve Office 365 spam filtering, it is quick and easy to implement, requires no software downloads, and no hardware purchases are necessary. In fact, it can be implemented, configured, and be up and running in a few minutes.

SpamTitan is a powerful cloud-based email security solution that has been developed to provide superior protection against spam, phishing, malware, zero-day attacks, and data loss via email.

In contrast to Office 365, SpamTitan uses predictive techniques such as Bayesian analysis, machine learning, and heuristics to block zero-day attacks, advanced persistent threats, new malware variants, and new spear phishing methods.

SpamTitan searches email headers, analyzes domains, and scans email content to identify phishing threats. Embedded hyperlinks, including shortened URLs, are scanned in real time and subjected to URL multiple reputation checks, while dual antivirus engines scan and block 100% of known malware.

SpamTitan also incorporates data loss prevention tools for emails and attachments, which are not available with EOP. Users can create tags for keywords and data elements such as Social Security numbers to protect against theft by insiders. SpamTitan also serves as a backup for your mail server to ensure business continuity.

With SpamTitan you get a greater level of protection against spam and malicious emails, a higher spam catch rate (over 99.9%), greater granularity, improved control over outbound email, and better business continuity protections.

If you have transitioned to Office 365 yet are still having problems with spam, phishing, and other malicious emails or if you are an MSP that wants to offer clients enhanced Office 365 email security, contact the TitanHQ team today.

The TitanHQ team will be happy to schedule a product demonstration and help you put SpamTitan through the paces in your own environment in a no-obligation free trial.

How Can MSPs Make Office 365 More Profitable?

Reselling Office 365 doesn’t offer much in the way of profit for MSPs, although there are benefits for MSPs that come from offering Office 365 and it is possible to make Office 365 more profitable.

Before explaining where the margin is for MSPs in Office 365, let’s first take a look at the benefits for MSPs from offering Office 365.

Benefits for MSPs from Offering Office 365 to Clients

SMBs are increasingly moving from on-premises solutions to the cloud and Office 365 is one of the most popular cloud services. Office 365 now has more than 135 million commercial monthly users and that number is growing rapidly.

MSPs may not be able to make much from Office 365 alone, but by providing Office 365 MSPs can win more business and gain a competitive advantage. There is no outlay involved with offering Office 365 to clients, the product is great and meets clients’ needs, and money can be made from handling Office 365 migrations.

MSPs can also benefit from migrating existing clients from Exchange or SBS Exchange to Office 365. Office 365 is far easier to manage so they stand to save a great deal of time on troubleshooting and maintenance, which can be a major headache with Exchange.

By offering Office 365 you can win more business, reduce operational costs, and stay competitive. However, the best way to make money from Office 365 is through add-on services.

How MSPs Can Make Office 365 More Profitable

The margins for MSPs on Office 365 are rather thin to say the least. Many MSPs find that offering Office 365 on its own doesn’t provide any profit at all. Charging extra per license to improve profitability is an option, but clients could just go direct to avoid the extra cost.

The margins may be small, but managing Office 365 does not require a great deal of effort. You may only make around 50c or $1 per user but sign up enough clients and you could get a reasonable return. There is an opportunity for profit at scale; however, to make a decent return you need to sell services around Office 365.

One of the best ways to make Office 365 more profitable is by offering additional security services. Security is an area where Office 365 can be significantly improved, especially spam filtering. Microsoft has incorporated a spam filter and anti-phishing protections into Office 365, but they fall short of the protection offered by a dedicated third-party spam filter.

Phishing is the number one security threat faced by businesses and Office 365 anti-phishing protections leave a lot to be desired. By offering enhanced spam and phishing protection through a third-party spam filter, not only can MSPs make a decent margin on the add-on solution, by blocking phishing attacks and malware at source, a considerable amount of time can be saved on support.

There are plenty of other opportunities for selling third-party solutions to make up for the lack of options in Office 365. Email archiving is an easy sell and a quick win for MSPs. An email archive is important for compliance and security, saves on storage space, and improves efficiency, and gives clients access to emails from any location.

Spam filtering, email archiving, web filtering, and encryption can be bundled together as an enhanced security package, with each element providing a decent return for MSPs. Given the cost of mitigating a data breach, by preventing breaches, an enhanced security offering will pay for itself. Consequently, Office 365 security should be an easy sell.

Office 365 MSP Add-ons from TitanHQ

For more than 20 years TitanHQ has been developing innovative security solutions for businesses. Today, more than 7,500 businesses are protected by TitanHQ security solutions and more than 2,000 MSPs have signed up to the TitanHQ MSP Alliance Program.

All TitanHQ solutions have been developed from the ground to meet the needs of the SMB marketplace and MSPs. TitanHQ’s spam filtering solution – SpamTitan, email archiving solution – ArcTitan, and web filtering solution – WebTitan, save MSPs support and engineering time, have great margins, and can be easily integrated into MSPs security stacks to make Office 365 more profitable.

To find out more about TitanHQ’s MSP offerings, for details of pricing and MSP margins, contact the TitanHQ MSP Alliance Program team today and take the first step toward making Office 365 more profitable.

New Dharma Ransomware Variant Detected

A new Dharma ransomware variant has been developed that is currently evading detection by the majority of antivirus engines. According to Heimdal Security, the latest Dharma ransomware variant captured by its researchers was only detected as malware by one of the 53 AV engines on VirusTotal.

Dharma ransomware (also known as CrySiS) first appeared in 2006 and is still being developed. This year, several new Dharma ransomware variants have been released, each using new file extensions for encrypted files (.bip, .xxxxx, .like, java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In the past two months alone four new Dharma ransomware variants have been detected.

The threat actors behind Dharma ransomware have claimed many victims in recent months. Successful attacks have been reported recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been developed, the constant evolution of this ransomware threat rapidly renders these decryptors obsolete.  Infection with the latest variants of the ransomware threat only give victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file loss.

The latter is not an option given the extent of files that are encrypted. Restoring files from backups is not always possible as Dharma ransomware can also encrypt backup files and can delete shadow copies. Payment of a ransom is not advised as there is no guarantee that files can or will be decrypted.

Protecting against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly conducted via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and via email malspam campaigns.

The latest Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections occur via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is obtained, the malicious payload is deployed.

While it is not exactly clear how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just before file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To protect against RDP attacks, RDP should be disabled unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be set. Rate limiting on login attempts should be configured to block login attempts after a set number of failures.

Naturally, good backup policies are essential. They will ensure that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy stored securely off site.

To protect against email-based attacks, an advanced spam filter is required. Spam filters that rely on AV engines may not detect the latest ransomware variants. Advanced analyses of incoming messages are essential.

SpamTitan can improve protection for businesses through combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been uploaded to AV engines.

For further information on SpamTitan and protecting your email gateway from ransomware attacks and other threats, speak to TitanHQ’s security experts today.

What are the Top Phishing Lures of 2018?

Phishing is the number one security threat faced by businesses. In this post we explore why phishing is such as serious threat and the top phishing lures that are proving to be the most effective at getting employees to open malicious attachments and click on hyperlinks and visit phishing websites.

Phishing is the Biggest Security Threat Faced by Businesses

Phishing is a tried and tested social engineering technique that is favored by cybercriminals for one very simple reason. It is very effective. Phishing emails can be used to fool end users into installing malware or disclosing their login credentials. It is an easy way for hackers to gain a foothold in a network to conduct further cyberattacks on a business.

Phishing works because it targets the weakest link in security defenses: End users. If an email is delivered to an inbox, there is a relatively high probability that the email will be opened. Messages include a variety of cunning ploys to fool end users into taking a specific action such as opening a malicious email attachment or clicking on an embedded hyperlink.

Listed below are the top phishing lures of 2018 – The messages that have proven to be the most effective at getting end users to divulge sensitive information or install malware.

Top Phishing Lures of 2018

Determining the top phishing lures is not straightforward. Many organizations are required to publicly disclose data breaches to comply with industry regulations, but details of the phishing lures that have fooled employees are not usually made public.

Instead, the best way to determine the top phishing lures is to use data from security awareness training companies. These companies have developed platforms that businesses can use to run phishing simulation exercises. To obtain reliable data on the most effective phishing lures it is necessary to analyze huge volumes of data. Since these phishing simulation platforms are used to send millions of dummy phishing emails to employees and track responses, they are useful for determining the most effective phishing lures.

In the past few weeks, two security awareness training companies have published reports detailing the top phishing lures of 2018: Cofense and KnowBe4.

Top Phishing Lures on the Cofense Platform

Cofense has created two lists of the top phishing lures of 2018. One is based on the Cofense Intelligence platform which collects data on real phishing attacks and the second list is compiled from responses to phishing simulations.

Both lists are dominated by phishing attacks involving fake invoices. Seven out of the ten most effective phishing campaigns of 2018 mentioned invoice in the subject line. The other three were also finance related: Payment remittance, statement and payment. This stands to reason. The finance department is the primary target in phishing attacks on businesses.

The list of the top phishing lures from phishing simulations were also dominated by fake invoices, which outnumbered the second most clicked phishing lure by 2 to 1.

Rank Phishing Subject/Theme Number of Reported Emails
1 Attached Invoice 4,796
2 Payment Notification 2,267
3 New Message in Mailbox 2,088
4 Online Order (Attachment) 679
5 Fax Message 629
6 Secure Message (MS Office Macro) 408
7 Online Order (Hyperlink) 399
8 Confidential Scanned document (Attachment) 330
9 Conversational Wire transfer (BEC Scam) 278
10 Bill Copy 251

 

Top Phishing Lures on the KnowBe4 Platform

KnowBe4 has released two lists of the top phishing lures of Q3, 2018, which were compiled from responses to simulated phishing emails and real-world phishing attempted on businesses that were reported to IT security departments.

The most common real-world phishing attacks in Q3 were:

Rank Subject
1 You have a new encrypted message
2 IT: Syncing Error – Returned incoming messages
3 HR: Contact information
4 FedEx: Sorry we missed you.
5 Microsoft: Multiple log in attempts
6 IT: IMPORTANT – NEW SERVER BACKUP
7 Wells Fargo: Irregular Activities Detected on Your Credit Card
8 LinkedIn: Your account is at risk!
9 Microsoft/Office 365: [Reminder]: your secured message
10 Coinbase: Your cryptocurrency wallet: Two-factor settings changed

 

The most commonly clicked phishing lures in Q3 were:

Rank Subject % of Emails Clicked
1 Password Check Required Immediately 34%
2 You Have a New Voicemail 13%
3 Your order is on the way 11%
4 Change of Password Required Immediately 9%
5 De-activation of [[email]] in Process 8%
6 UPS Label Delivery 1ZBE312TNY00015011 6%
7 Revised Vacation & Sick Time Policy 6%
8 You’ve received a Document for Signature 5%
9 Spam Notification: 1 New Messages 4%
10 [ACTION REQUIRED] – Potential Acceptable Use Violation 4%

 

The Importance of Blocking Phishing Attacks at their Source

If login credentials to email accounts, Office 365, Dropbox, and other cloud services are obtained by cybercriminals, the accounts can be plundered. Sensitive information can be stolen and Office 365/email accounts can be used for further phishing attacks on other employees. If malware is installed, cybercriminals can gain full control of infected devices. The cost of mitigating these attacks is considerable and a successful phishing attack can seriously damage a company’s reputation.

Due to the harm that can be caused by phishing, it is essential for businesses of all sizes to train staff how to identify phishing threats and implement a system that allows suspicious emails to be reported to security teams quickly. Resilience to phishing attacks can be greatly improved with an effective training program and phishing email simulations. It is also essential to deploy an effective email security solution that blocks threats and ensures they are not delivered to inboxes.

SpamTitan is a highly effective, easy to implement email filtering solution that blocks more than 99.9% of spam and phishing emails and 100% of known malware through dual anti-virus engines (Bitdefender and ClamAV). With SpamTitan protecting inboxes, businesses are less reliant on their employees’ ability to identify phishing threats.

SpamTitan subjects each incoming email to a barrage of checks to determine if a message is genuine and should be delivered or is potentially malicious and should be blocked. SpamTitan also performs checks on outbound emails to ensure that in the event that an email account is compromised, it cannot be used to end spam and phishing emails internally and to clients and contacts, thus helping to protect the reputation of the business.

Improve Office 365 Email Security with SpamTitan

There are more than 135 million subscribers to Office 365, and such high numbers make Office 365 a big target for cybercriminals. One of the main ways that Office 365 credentials are obtained is through phishing. Emails are crafted to bypass Office 365 defenses and hyperlinks are used to direct end users to fake Office 365 login pages where credentials are harvested.

Businesses that have adopted Office 365 are likely to still see a significant number of malicious emails delivered to inboxes. To enhance Office 365 security, a third-party email filtering control is required. If SpamTitan is installed on top of Office 365, a higher percentage of phishing emails and other email threats can be blocked at source.

To find out more about SpamTitan, including details of pricing and to register for a free trial, contact the TitanHQ team today. During the free trial you will discover just how much better SpamTitan is at blocking phishing attacks than standard Office 365 anti-spam controls.

New Office 365 Threat Uses Windows Components to Install Banking Trojans

A new Office 365 threat has been detected that stealthily installs malware by hiding communications and downloads by abusing legitimate Windows components.

New Office 365 Threat Uses Legitimate Windows Files to Hide Malicious Activity

The attack starts with malspam containing a malicious link embedded in an email. Various themes could be used to entice users into clicking the link, although one recent campaign masquerades as emails from the national postal service in Brazil.

The emails claim the postal service attempted to deliver a package, but the delivery failed as there was no one in. The tracking code for the package is included in the email and the user is requested to click the link in the email to receive the tracking information.

In this case, clicking the link will trigger a popup asking the user to confirm the download of a zip file, which it is alleged contains the tracking information. If the zip file is extracted, the user is required to click on a LNK file to receive the information. The LNK file runs cmd.exe, which executes a Windows Management Instrumentation (WMI) file: wmic.exe. This legitimate Windows file will be used to communicate with the attacker’s C2 server and will create a copy of another Windows file – certutil.exe in the %temp% folder with the name certis.exe. A script then runs which instructs the certis.exe file to connect to a different C2 server to download malicious files.

The aim of this attack is to use legitimate Windows files to download the malicious payload: A banking Trojan. The use of legitimate Windows files for communication and downloading files helps the attackers bypass security controls and install the malicious payload undetected.

These Windows files have the capability to download other files for legitimate purposes, so it is hard for security teams to identify malicious activity. This campaign targets users in Brazil, but this Office 365 threat should be a concern for all users as other threat actors have also adopted this tactic to install malware.

Due to the difficultly distinguishing between legitimate and malicious wmic.exe and certutil.exe activity, blocking an office 365 threat such as this is easiest at the initial point of attack: Preventing the malicious email from being delivered to an inbox and providing security awareness training to employees to help them identify this Office 365 threat. The latter is essential for all businesses. Employees can be turned into a strong last line of defense through security awareness training. The former can be achieved with a spam filtering solution such as SpamTitan. SpamTitan will prevent the last line of defense from being tested.

How to Block this Office 365 Threat with SpamTitan and Improve Email Security

Microsoft uses several techniques to identify malspam and prevent malicious messages from reaching users’ inboxes; however, while efforts have been made to improve the effectiveness of the spam filtering controls of Office 365, many malicious messages are still delivered.

To improve Office 365 security, a third-party spam filtering solution should be used. SpamTitan has been developed to allow easy integration into Office 365 and provides superior protection against a wide range of email threats.

SpamTitan uses a variety of methods to prevent malspam from being delivered to end users’ inboxes, including predictive techniques to identify threats that are misidentified by Office 365 security controls. These techniques ensure industry-leading catch rates in excess of 99.9% and prevent malicious emails from reaching inboxes.

How SpamTitan Spam Filtering Works

How SpamTitan Protects Businesses from Email Threats

Security Solutions for MSPs to Block Office 365 Threats

Many MSPs resell Office 365 licenses to their customers. Office 365 allows MSPs to capture new business, but the margins are small. By offering additional services to enhance Office 365 security, MSPs can make their Office 365 offering more desirable to businesses while improving the profitability of Office 365.

TitanHQ has been developing innovative email and web security solutions for more than 25 years. Those solutions have been developed from the ground up with MSPs for MSPs. Three solutions are ideal for use with Office 365 for compliance ad to improve security – SpamTitan email filtering, WebTitan web filtering, and ArcTitan email archiving.

By incorporating these solutions into Office 365 packages, MSPs can provide clients with much greater value as well as significantly boosting the profitability of offering Office 365.

To find out more about each of these solutions, speak to TitanHQ. The MSP team will be happy to explain how the products work, how they can be implemented, and how they can boost margins on Office 365.

Warning Issued After Increase in Phishing Attacks on Publishers and Literary Scouting Agencies

Financial institutions, healthcare organizations and universities have seen an increase in cyberattack in recent months, but there has also been an increase in phishing attacks on publishers and literary scouting agencies.

Any business that stores sensitive information that can be monetized is at risk of cyberattacks, and publishers and literary scouting agencies are no exception. Like any employer, scouting agencies and publishers store sensitive information such as bank account numbers, credit card details, Social Security numbers, contract information, and W-2 Tax forms, all of which carry a high value on the black market. The companies also regularly make wire transfers and are therefore targets for BEC scammers.

However, in a somewhat new development, there have been several reports of phishing attacks on publishers and literary scouting agencies that attempt to gain access to unpublished manuscripts and typescripts. These are naturally extremely valuable. If an advance copy of an eagerly awaited book can be obtained before it is published, there will be no shortage of fans willing to pay top dollar for a copy. Theft of manuscripts can result in extortion attempts with ransoms demanded to prevent their publication online.

2018 has seen a significant increase in phishing attacks on publishers and literary scouting agencies. Currently, campaigns are being conducted by scammers that appear to have a good understanding of the industry. Highly realistic and plausible emails are being to publishing houses and agencies which use the correct industry terminology, which suggests they are the work of an industry insider.

One current campaign is spoofing the email account of Catherine Eccles, owner of the international literary scouting agency Eccles Fisher.  Emails are being sent using Catherine Eccles’ name, and include her signature and contact information. The messages come from what appears to be her genuine email account, although the email address has been spoofed and replies are directed to an alternative account controlled by the scammer. The messages attempt to get other literary agencies to send manuscripts via email or disclose their website passwords.

An increase in phishing attacks on publishers on both sides of the Atlantic have been reported, with the threat already having prompted Penguin Random House North America to send out warnings to employees to alert them to the threat.  According to a recent report in The Bookseller, several publishers have been targeted with similar phishing schemes, including Penguin Random House UK and Pan Macmillan.

Protecting against phishing attacks requires a combination of technical solutions, policies and procedures, and employee training.

Publishers and scouting agencies should deploy software solutions that can block phishing attacks and prevent malicious emails from being delivered to their employees’ inboxes.

SpamTitan is a powerful anti-phishing tool that blocks 99.97% of spam emails and 100% of known malware. DMARC email-validation is incorporated to detect email spoofing and prevent malicious emails from reaching employees’ inboxes.

End user training is also essential to raise awareness of the risks of phishing. All staff should be trained how to recognize phishing emails and other email threats to ensure they do not fall for these email scams.

If you run a publishing house or literary scouting agency and are interested in improving your cyber defenses, contact the TitanHQ team today for further information on cybersecurity solutions that can improve your security posture against phishing and other email and web-based threats.

Cyberattacks on Universities Rise as Hackers Search for Valuable Research Data

Hackers have been going back to school and entering higher education. Quite literally in fact, although not through conventional channels. Entry is gained through cyberattacks on universities, which have increased over the course of the past 12 months, according to figures recently released by Kaspersky Lab.

Cyberattacks on Universities on the Rise

Credit cards information can be sold for a few bucks, but universities have much more valuable information. As research organizations they have valuable proprietary data. The results of research studies are particularly valuable. It may not be possible to sell data as quickly as credit cards and Social Security numbers, but there are certainly buyers willing to pay top dollar for valuable research. Nation state sponsored hacking groups are targeting universities and independent hacking groups are getting in on the act and conducting cyberattacks on universities.

There are many potential attack vectors that can be used to gain access to university systems. Software vulnerabilities that have yet to be patched can be exploited, misconfigured cloud services such as unsecured S3 buckets can be accessed, and brute force attempts can be conducted to guess passwords. However, phishing attacks on universities are commonplace.

Phishing is often associated with scams to obtain credit card information or login credentials to Office 365 accounts, with businesses and healthcare organizations often targeted. Universities are also in the firing line and are being attacked.

The reason phishing is so popular is because it is often the easiest way to gain access to networks, or at least gain a foothold for further attacks. Universities are naturally careful about guarding their research and security controls are usually deployed accordingly. Phishing allows those controls to be bypassed relatively easily.

A successful phishing attack on a student may not prove to be particularly profitable, at least initially. However, once access to their email account is gained, it can be used for further phishing attacks on lecturers for example.

Spear phishing attacks on lecturers and research associates offer a more direct route. They are likely to have higher privileges and access to valuable research data. Their accounts are also likely to contain other interesting and useful information that can be used in a wide range of secondary attacks.

Email-based attacks can involve malicious attachments that deliver information stealing malware such as keyloggers, although many of the recent attacks have used links to fake university login pages. The login pages are exact copies of the genuine login pages used by universities, the only difference being the URL on which the page is located.

More than 1,000 Phishing Attacks on Universities Detected in a Year

According to Kaspersky Lab, more than 1,000 phishing attacks on universities have been detected in the past 12 months and 131 universities have been targeted. Those universities are spread across 16 countries, although 83/131 universities were in the United States.

Preventing phishing attacks on universities, staff, and students requires a multi layered approach. Technical controls must be implemented to reduce risk, such as an advanced spam filter to block the vast majority of phishing emails and stop them being delivered to end users. A web filtering solution is important for blocking access to phishing websites and web pages hosting malware. Multi-factor authentication is also essential to ensure that if account information is compromised or passwords are guessed, an additional form of authentication is required to access accounts.

As a last line of defense, staff and students should be made aware of the risk from phishing. Training should be made available to all students and cybersecurity awareness training for researchers, lecturers, and other staff should be mandatory.

Office 365 Phishing Attacks Are Abusing Cloud Service Providers’ SSL Certificates

Office 365 phishing attacks are commonplace, highly convincing, and Office 365 spam filtering controls are easily being bypassed by cybercriminals to ensure messages reach inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SLL certificates to convince users the websites are genuine.

Office 365 Phishing Attacks Can Be Difficult to Identify

In the event of a phishing email making it past perimeter defenses and arriving in an inbox, there are several tell-tale signs that the email is not genuine.

There are often spelling mistakes, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails and they are often virtually indistinguishable from genuine communications from the brand they are spoofing. In terms of formatting, they are carbon copies of genuine emails complete with the branding, contact information, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is requested to take are perfectly plausible.

Hyperlinks are contained in emails that direct users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually further signs that all is not as it seems. A warning may flash up that the website may not be genuine, the website may start with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.

Even these tell-tale signs are not always there, as has been shown is several recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.

Microsoft Azure Blog Storage Phishing Scam

One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use HTTP and HTTPS, the phishing campaign uses the latter, which will show a signed SSL certificate from Microsoft.

In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted document. In this case, the document appears to be from a Denver law firm. Clicking the button directs the user to an HTML page hosted on Azure blog storage that requires Office 365 credentials to be entered to view the document. Since the document is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft adding legitimacy to the scam.

Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.

CloudFlare IPFS Gateway Abused

A similar campaign has been detected that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser. When connecting to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this case, the login requires information to be entered including username, password, and recovery email address and phone number – which will be forwarded to the attacker, while the user will be directed to a PDF file unaware that their credentials have been stolen.

Office 365 Phishing Protections are Insufficient

Office 365 users are being targeted by cybercriminals as they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for protection. With only the basic Exchange Online Protection, the protection was worse still.

Whether you run an SMB or a large enterprise, you are likely to receive high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be fooled. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater protection.

How to Make Office 365 More Secure

While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats such as spear phishing.

Office 365 does not have the same level of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.

To greatly improve protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to ensure malicious messages are blocked or quarantined rather than being delivered to end users’ inboxes. Some of the additional protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image below:

To find out more about making Office 365 more secure and how SpamTitan can benefit your company, contact TitanHQ. Our highly experienced sales consultants will be able to advise you on the full range of benefits of SpamTitan, the best deployment option, and can offer you a free trial to allow you to personally evaluate the solution before committing to a purchase.

Leading MSPs are Reaping the Rewards from Security-as-a-Service

Managed service providers (MSPs) are discovering the huge potential for profit from offering security-as-a-service to their clients. Managed security services are now the biggest growth area for the majority of leading MSPs, with security-as-a-service well ahead of cloud migration, cloud management, and managed Office 365 services according to a recent survey conducted by Channel Futures.

Channel Futures conducted the survey as part of its annual MSP 501 ranking initiative, which ranks MSPs based on their ability to act on current trends and ensure they remain competitive in the fast-evolving IT channel market. The survey evaluated MSP revenue growth, hiring trends, workforce dynamics, service deliverables, business models, and business strategies.

The survey revealed that by far the biggest growth area is managed security services. Security-as-a-service was rated the biggest growth area by 73% of MSPs. 55% of MSPs said professional services were a major growth area, 52% said Office 365, and 51% said consulting services.

It is no surprise that security-as-a-service is proving so popular as the volume of attacks on enterprises and SMBs has soared. Cybercriminals are attacking enterprises and SMBs trying to gain access to sensitive data to sell on the black market. Attacks are conducted to sabotage competitors, nation-state-sponsored hackers are attempting to disrupt critical infrastructure, and data is being encrypted to extort money. There is also a thriving market for proprietary data and corporate secrets.

The cost of mitigating attacks when they succeed is considerable. For enterprises, the attacks can make a significant dent in profits, but cyberattacks on SMBs can be catastrophic. A study conducted by the National Cyber Security Alliance suggests as many as 60% of SMBs go out of business in the 6 months following a hacking incident.

Enterprises and SMBs alike have had to respond to the increased threat by investing heavily in security, but simply throwing money at security will not necessarily mean all security breaches are prevented. Companies need to employee skilled IT security professionals to implement, monitor and maintain those cybersecurity solutions, conduct vulnerability scans, and identify and address security gaps. Unfortunately, there is a major shortage of skilled staff and attracting the right talent can be next to impossible. Faced with major challenges, many firms have turned to MSPs to and have signed up for security-as-service offerings.

Forward-thinking MSPs have seized the opportunity and are now providing a comprehensive range of managed security services to meet the needs of their clients. They are offering a wide range of tools and services from phishing protection to breach mitigation services; however, for many MSPs, developing such a package is not straightforward.

Security-as-a-service is in high demand, but MSPs must be able to package the right services to meet customers’ needs and have a platform that can handle the business end. They too must attract the staff who can implement, monitor, and manage those services for their clients.

When devising a security-as-a-service offering, one option is to use a common security architecture for all clients and provide them with a range of solutions from the same provider. Many companies have implemented a slew of different security tools from multiple providers, only to discover they are still experiencing breaches. It is a relatively easy sell to get them to move over to a system where all the component parts are seamlessly integrated and to benefit from an MSP’s expertise in managing those solutions. There is a risk of course that clients will just choose to go direct rather than obtain those services from an MSP. This single platform strategy has been adopted by Liberty Technology – ranked 242 in the MSP 501 list – and is working well, especially for clients that have fewer than 1,000 employees.

At the other end of the spectrum is Valiant Technologies, ranked 206 in the MSP 501 list. Valiant has chosen a wide range of products from multiple cybersecurity solution providers and has built a unique package of products for its security service.

The products were chosen for the level of protection they offered and how well they work together. This approach has been a success for the firm. “Providing a bundle of offerings from different vendors that work well together is the most effective way for an MSP to retain its role as a trusted adviser,” said the firm’s CEO Tom Clancy. The security service has been added to other business services provided by the MSP and has proved to be an easy sell to clients.

ComTec Solutions, which ranked in position 248 in the MSP 501 list, is still deciding on the best way forward. The provision of security-as-a-service is a no brainer, but the company is currently assessing whether it is worthwhile building a security operations center (SOC) and becoming a managed security service provider (MSSP) or outsourcing the SOC service.

There are several different approaches to take when developing a managed security service offering. What is vital is that such a service is provided. The MSP 501 survey has shown that the most successful MSPs have responded to demand and are now helping their clients secure their networks through their security-as-a-service offerings. Those MSPs are clearly reaping the rewards.

If you are an MSP that is considering developing a security-as-a-service offering, be sure to speak to TitanHQ about its world-class cloud-based security solutions for MSPs – WebTitan and SpamTitan – and find out how they can be integrated into your security stack.

Python-Based PyLocky Ransomware Distributed in Spam Email Campaigns in Europe

A new Python-based form of ransomware has been detected that masquerades as Locky, one of the most widely used ransomware variants in 2016. The new ransomware variant has been named PyLocky ransomware by security researchers at Trend Micro who have observed it being used in attacks in Europe, particularly France, throughout July and August.

The spam email campaigns were initially sent in relatively small batches, although over time the volume of emails distributing PyLocky ransomware has increased significantly.

Various social engineering tactics are being used by the attackers to get the ransomware installed, including fake invoices. The emails intercepted by Trend Micro have included an embedded hyperlink which directs users to a malicious webpage where a zip file is downloaded. The zip file contains PyLocky ransomware which has been compiled using the PyInstaller tool, which allows Python applications to be converted to standalone executable files.

If installed, PyLocky ransomware will encrypt approximately 150 different file types including Office documents, image files, sound files, video files, databases, game files, archives, and program files. Files stored on all logical drives will be encrypted and the original copies will be overwritten. A ransom note is then dropped on the desktop which has been copied from the note used by the threat actors behind Locky, although the two cryptoransomware threats are unrelated. Ransom notes are written in French, English, Korean, and Italian so it is probable that the attacks will become more widespread over the coming weeks.

While Python is not typically used to create ransomware, PyLocky is not the only Python-based ransomware variant to have been created. Pyl33t was used in several attacks in 2017, and CryPy emerged in 2016. What makes the latest ransomware variant stand out is its anti-machine learning capabilities, which help to prevent analysis using standard static analysis methods.

The ransomware abuses Windows Management Instrumentation (WMI) to determine the properties of the system on which it is installed. If the total visible memory of a system is 4GB or greater, the ransomware will execute immediately. If it is lower than 4GB, the ransomware will sleep for 11.5 days – an attempt to determine if it is in a sandbox environment.

Preventing attacks requires a variety of cybersecurity measures. An advanced spam filtering solution such as SpamTitan will help to prevent the spam emails being delivered to end users’ inboxes. A web filter, such as WebTitan, can be employed to control the websites that can be accessed by end users and block malicious file downloads. Security awareness training will help to ensure that end users recognize the threat for what it is. Advanced malware detection tools are required to identify the threat due to its anti-machine learning capabilities.

There is no free decryptor for PyLocky. Recovery without paying the ransom will depend on a viable backup copy existing, which has not also been encrypted in the attack.

ICO and IQY Files Used in Spam Campaigns Delivering Marap and Loki Bot Malware

A spam email campaign is being conducted targeting corporate email accounts to distribute Loki Bot malware. Loki Bot malware is an information stealer capable of obtaining passwords stored in browsers, obtaining email account passwords, FTP client logins, cryptocurrency wallet passwords, and passwords used for messaging apps.

In addition to stealing saved passwords, Loki Bot malware has keylogging capabilities and is potentially capable of downloading and running executable files. All information captured by the malware is transferred to the attacker’s C2 server.

Kaspersky Lab researchers identified an increase in email spam activity targeting corporate email accounts, with the campaign discovered to be used to spread Loki Bot malware. The malware was delivered hidden in a malicious email attachment.

The intercepted emails included an ICO file attachment. ICO files are copies of optical discs, which are usually mounted in a virtual CD/DVD drive to open. While specialist software can be used to open these files, most modern operating systems have the ability to access the contents of the files without the need for any additional software.

In this case, the ICO file contains Loki Bot malware and double clicking on the file will result in installation of the malware on operating systems that support the files (Vista and later).

It is relatively rare for ICO files to be used to deliver malware, although not unheard of. The unfamiliarity with ICO files for malware delivery may see end users attempt to open the files.

The campaign included a wide range of lures including fake purchase orders, speculative enquiries from companies containing product lists, fake invoices, bank transfer details, payment requests, credit notifications, and payment confirmations. Well-known companies such as Merrill Lynch, Bank of America, and DHL were spoofed in some of the emails.

Spam Email Campaign Distributing Marap Malware Targets Financial Institutions

A separate and unrelated spam email campaign has been identified that is using IQY files to deliver a new form of malware known as Marap. Marap malware is a downloader capable of downloading a variety of different payloads and additional modules.

Upon installation, the malware fingerprints the system and gathers information such as username, domain name, IP address, hostname, language, country, Windows version, details of Microsoft .ost files, and any anti-virus solutions detected on the infected computer. What happens next depends on the system on which it is installed. If the system is of particular interest, it is earmarked for a more extensive compromise.

Four separate campaigns involving millions of messages were detected by researchers at Proofpoint. One campaign included an IQY file as an attachment, one included an IQY file within a zip file and a third used an embedded IQY file in a PDF file. The fourth used a Microsoft Word document containing a malicious macro. The campaigns appear to be targeting financial institutions.

IQY files are used by Excel to download web content directly into spreadsheets. They have been used in several spam email campaigns in recent weeks to install a variety of different malware variants. The file type is proving popular with cybercriminals because many anti-spam solutions fail to recognize the files as malicious.

Since the majority of end users would not have any need to open ICO or IQY files, these file types should be added to the list of blocked file types in email spam filters to prevent them from being delivered to end users’ inboxes.

AdvisorsBot: A Versatile New Malware Threat Distributed Through Spam Email

Hotels, restaurants, and telecommunications companies are being targeted with a new spam email campaign that delivers a new form of malware called AdvisorsBot. AdvisorsBot is a malware downloader which, like many malware variants, is being distributed vis spam emails containing Microsoft Word attachments with malicious macros.

Opening an infected email attachment and enabling macros on the document will see Advisorsbot installed. Advisorsbot’s primary role is to perform fingerprinting on an infected device. Information will be gathered on the infected device is then communicated to the threat actors’ command and control servers and further instructions are provided to the malware based on the information gathered on the system. The malware records system information, details of programs installed on the device, Office account details, and other information. It is also able to take screenshots on an infected device.

AdvisorsBot malware is so named because the early samples of the malware that were first identified in May 2018 contacted command and control servers that contained the word advisors.

The spam email campaign is primarily being conducted on targets in the United States, although infections have been detected globally. Several thousands of devices have been infected with the malware since May, according to the security researchers at Proofpoint who discovered the new malware threat. The threat actors believed to be behind the attacks are a APT group known as TA555.

Various email lures are being used in this malware campaign to get the recipients to open the infected attachment and enable macros. The emails sent to hotels appear to be from individuals who have been charged twice for their stay. The campaign on restaurants uses emails which claim that the sender has suffered food poisoning after eating in a particular establishment, while the attacks on telecommunications companies use email attachments that appear to be resumes from job applicants.

AdvisorsBot is written in C, but a second form of the malware has also been detected that is written in .NET and PowerShell. The second variant has been given the name PoshAdvisor. PoshAdvisor is executed via a malicious macro which runs a PowerShell command that downloads a PowerShell script which executes shellcode that runs the malware in the memory without writing it to the disk.

These malware threats are still under development and are typical of many recent malware threats which have a wide range of capabilities and the versatility to be used for many different types of attack such as information stealing, ransomware delivery, and cryptocurrency mining. The malicious actions performed are determined based on the system on which the malware has been installed. If that system is ideally suited for mining cryptocurrency, the relevant code will be installed. If the business is of particular interest, it will be earmarked for a more extensive compromise.

The best form of defense against this campaign is the use of an advanced spam filtering solution to prevent the emails from being delivered and security awareness training for employees to condition them how to respond when such a threat arrives in their inbox.

Why Are Email Account Compromises Soaring and How Can Email Accounts Be Protected?

The past year has seen a steady increase in the number of reported email account compromises, with the healthcare industry one of the main targets for hackers.

Some of those breaches have seen the protected health information of thousands of patients compromised, with the largest phishing attack in 2018 – The phishing attack on Boys Town National Research Hospital – seeing more than 105,000 patients’ healthcare information exposed. Due to reporting requirements under HIPAA, healthcare phishing attacks are highly visible, although email account compromises are occurring across all industry sectors and the problem is getting worse.

284% Increase in Email Account Compromises in a Year

The increase in successful phishing attacks has been tracked by Beazley, a provider of specialist insurance services. The company’s research shows the number of reported phishing attacks increased every quarter since Q1, 2017 when there were 45 reported breaches that involved email accounts being compromised. In Q2, 2018, there were 184 email account compromises reported. Between Q1, 2017 and Q1, 2018, the number of reported data breaches involving compromised email accounts increased by 284%.

Why are email account compromises increasing? What do hackers gain from accessing email accounts rather than say, gaining access to networks which store vast amounts of data?

It can take a significant amount of time and effort to identify a vulnerability such a missed patch, an exposed S3 bucket, or an unsecured medical device, and exploit it.

By comparison, gaining access to an email account is relatively easy. Once access is gained, accessing further email accounts becomes easier still. If a hacker can gain access to an email account with the right level of administrative privileges, it may be possible for the entire mail system of an organization to be accessed.

If a hacker can gain access to a single email account, the messages in the account can be studied to gain valuable information about a company, its employees, and vendors. The hackers can identify further targets within an organization for spear phishing campaigns – termed Business Email Compromise (BEC) attacks – and attacks on contractors and suppliers.

Once One Account is Breached, Others Will Follow

If an executive’s email account is compromised, it can be used to send requests for wire transfers to the accounts department, HR can be emailed requesting W2-Forms that contain all the information necessary for filing fake tax returns and for identity theft. Requests can be sent via email to redirect employees’ paychecks and phishing emails can be sent to other employees directing them to websites where they have to divulge their email credentials.

Figures from the FBI show just how lucrative these Business Email Compromise (BEC) phishing attacks can be. Since October 2013, more than $12.5 billion has been lost to BEC attacks, up from $5.3 billion in December 2016.

Once access to the email system is gained, it is much easier to craft highly convincing spear phishing emails. Past email conversations can be studied, and an individual’s style of writing emails can be copied to avoid raising any red flags.

Email Account Compromises Are Costly to Resolve

Beazley also notes that email account compromises are some of the costliest breaches to resolve, requiring many hours of painstaking work to manually checking each email in a compromised account for PII and PHI. One example provided involved a programmatic search of compromised email accounts to identify PHI, yet that search uncovered 350,000 documents that required a manual check. The cost of checking those documents alone was $800,000.

Beazley also notes that when investigating breaches, the breached entity often discovers that only half of the compromised email accounts have been identified. The data breaches are usually much more extensive than was initially thought.

Unfortunately, once access to a single email account is gained, it is much harder to prevent further email compromises as technological controls are not so effective at identifying emails sent from within a company. However, it is relatively easy to block the initial phishing attempt.

How to Prevent Email Account Compromises

Many companies fail to implement basic controls to block phishing attacks. Even when a phishing-related breach is experienced, companies often remain susceptible to further breaches. The Ponemon Institute/IBM Security Cost of a Data Breach study showed there is a 27.9% probability of a company experiencing a further breach in the 24 months following a data breach.

To prevent phishing attacks, companies need to:

  • Deploy an advanced spam filtering solution that blocks the vast majority of malicious messages
  • Provide ongoing security awareness training to all staff and teach employees how to identify phishing emails
  • Conduct regular phishing simulation exercises to reinforce training and condition employees to be more security aware
  • Implement two-factor authentication to prevent attempts to access email accounts remotely
  • Implement a web filter as an additional control to block the accessing of phishing websites
  • Use strong, unique passwords or passphrases to make brute force and dictionary attacks harder
  • Limit or prevent third party applications from connecting to Office 365 accounts, which makes it harder for PowerShell to be used to access email accounts for reconnaissance.

1.4 Million Patients Potentially Affected by UnityPoint Health Phishing Attack

In recent weeks, several large healthcare data breaches have been reported that have seen cybercriminals gain access to employees’ email accounts and sensitive data, although the recently disclosed UnityPoint Health phishing attack stands out due to the huge number of individuals that have been impacted and the extent of sensitive data exposed.

UnityPoint Health is one of the largest healthcare systems serving Iowa residents. The Des Moines-based healthcare provider recently discovered that its employees have been targeted in a phishing campaign that has seen several email accounts compromised. Those email accounts contained the sensitive information of approximately 1.4 million patients.

That not only makes this the largest phishing incident to have been suffered by a U.S. healthcare provider in 2018, it is also the largest healthcare data breach of 2018 and one of the most serious phishing attacks and data breaches ever reported.

The UnityPoint Health phishing attack has seen highly sensitive data compromised, including names, addresses, health insurance information, medical record numbers, diagnoses, treatment information, lab test results, medications, providers, dates of service, Social Security numbers, driver’s license numbers and, for a limited number of patients, their payment card information.

The phishing emails were sent to employees between March 14 and April 3, 2018, although the breach was not detected until May 31. As is common in phishing attacks on businesses, access to email accounts was gained through the impersonation of a senior executive.

A series of spoofed emails were sent to employees that appeared to have come from a trusted executive’s email account. Employees who opened the email were instructed to click a link that required them to enter their email login information. That information was captured by the attackers who were then able to gain access to the employees’ email accounts.

The UnityPoint Health phishing attack potentially gave the hackers access to all the information stored in the compromised email accounts – Information that could be used for identity theft and fraud. It is unclear whether mailboxes were downloaded, although UnityPoint Health said its forensic investigation suggests that the primary goal was to divert payroll payments and to use account access to fool accounts department staff into making fraudulent wire transfers. It is unclear if any of those attempts succeeded.

This is also not the only UnityPoint Health phishing attack to be reported this year. In March, UnityPoint Health announced that 16,400 patients had been affected by a separate phishing attack that saw multiple email accounts compromised.

The latest incident has prompted the healthcare provider to implement new technology to detect phishing and BEC attacks, multi-factor authentication has been implemented, and additional security awareness training has been provided to employees. Credit monitoring and identify theft monitoring services have been offered to patients whose driver’s license or Social Security number has been exposed, and all patients have been notified by mail.

As the Ponemon Institute’s 2018 Cost of a Data Breach Study showed, the cost of these million-record+ data breaches is considerable. The average cost of such a breach was estimated to be around $40 million.

Cosco Ransomware Attack Affects Americas Arm of Shipping Firm

One of the world’s biggest shipping firms – Cosco – has experienced a ransomware attack that has seen its local email system and network telephone in the Americas taken out of action as the result of widespread file encryption.

The Cosco ransomware attack is believed to have been contained in the Americas region. As a precaution and to prevent further spread to other systems, connections to all other regions have been disabled pending a full investigation. A warning has also been issued to all other regions warning of the threat of attack by email, with the firm telling its staff not to open any suspicious email communications. IT staff in other regions have also been advised to conduct scans of their network with antivirus software as a precaution.

The attack started on Tuesday, July 24, and its IT infrastructure remains down; however, the firm has confirmed that that attack has not affected any of its vessels which continue to operate as normal. Its main business systems are still operational, although the operators of terminals at some U.S ports are experiencing delays processing documentation and delivery orders.

It would appear that the Cosco ransomware attack is nowhere near the scale of the attack on the world’s biggest shipping firm A.P. Møller-Maersk, which like many other firms, fell victim to the NotPetya attacks last year. In that case, while the malware appeared to be ransomware, it was actually a wiper with no chance of file recovery.

The attack, which affected more than 45,000 endpoints and 4,000 servers, is estimated to have cost the shipping company between $250 million and $350 million to resolve. All servers and endpoints needed to be rebuilt, and the firm was crippled for 10 days. In that case, the attack was possible due to an unpatched vulnerability.

Another major ransomware attack was reported last week in the United States. LabCorp, one of the leading networks of clinical testing laboratories in the United States, experienced a ransomware attack involving a suspected variant of SamSam ransomware.  While the variant of ransomware has not been confirmed, LabCorp did confirm the ransomware was installed as a result of a brute force attack on Remote Desktop Protocol (RDP).

Labcorp was both quick to detect the attack and contain it, responding within 50 minutes, although 7,000 systems and 1,900 servers are understood to have been affected. It has taken several days for the systems to be brought back online, during which time customers have been experiencing delays obtaining their lab test results.

Several cybersecurity firms have reported that ransomware attacks are in decline, with cryptocurrency mining offering better rewards, although the threat from ransomware is still ever present and attacks are occurring through a variety of attack vectors – exploitation of vulnerabilities, brute force attacks, exploit kit downloads, and, commonly, through spam and phishing emails.

To protect against ransomware attacks, companies must ensure security best practices are followed. Patches must be applied promptly on all networks, endpoints, applications, and databases, spam filtering software should be used to prevent malicious messages from reaching inboxes, web filters used to prevent downloads of ransomware from malicious websites, and all staff should receive ongoing cybersecurity awareness training.

Additionally, systems should be implemented to detect anomalies such as excessing file renaming, and networks should be segmented to prevent lateral movement in the event that ransomware is deployed.

Naturally, it is also essential that data are backed up regularly to ensure recovery is possible without having to resort to paying the ransom demand. As the NotPetya attacks showed, paying a ransom to recover files may not be an option.

New Rakhni Ransomware Variant Decides Whether to Encrypt Files or Turn Device into a Cryptocurrency Miner

Rakhni ransomware, a malware variant first detected in 2013, has spawned many variants over the past three years and is still an active threat. Rakhni ransomware locks files on an infected device to prevent the user from accessing their data. A ransom demand is issued and if payment is made, the attackers will supply the keys to unlock the encryption. If the ransom is not paid the files will remain encrypted. In such cases, the only option for file recovery is to restore files from backups.

Now the developers of Rakhni ransomware have incorporated new functionality. Checks are performed on an infected device to determine whether it has sufficient processing power to be used as a cryptocurrency mining slave. If so, cryptocurrency mining malware will be downloaded. If not, ransomware will be deployed.

This new development should not come as a major surprise. The massive rise in the value of many cryptocurrencies has made mining cryptocurrencies far more profitable for cybercriminals than ransomware. When ransomware is installed, many victims choose not to pay and instead recover files from backups. Infection is no guarantee that a payment will be received. If a cryptocurrency miner can be installed, it gets straight to work generating money for the attackers. Ransomware attacks are still a major threat, although many cybercriminals have switched their operations to mining cryptocurrencies. In fact, cryptocurrency mining malware attacks are now much more common than ransomware attacks.

However, not all computers have sufficient CPU processing power to make cryptocurrency mining worthwhile, so the method used by the threat actors behind Rakhni ransomware helps them maximize their profits.

The new Rakhni ransomware campaign was detected by researchers at Kaspersky Lab. The malware used is Delphi-based and is being distributed in phishing emails containing a Microsoft Word file attachment.

The user is advised to save the document and enable editing. The document contains a PDF file icon which, if clicked, launches a fake error message suggesting the DLL file required to open the PDF file has not been found. The user needs to click on the OK box to close the error message.

When the error box is closed, the malware performs a series of checks on the machine to identify the processes running on the device and assesses those processes to determine if it is running in a sandbox environment and the likelihood of it being able to run undetected. After these checks have been performed the system is assessed to determine its capabilities.

If the machine has more than two processors and does not have a Bitcoin folder in the AppData folder, a cryptocurrency miner will be installed. The cryptocurrency miner uses fake root certificates which show the program has been issued by Microsoft Corporation to help disguise the miner as a trusted application.

If a Bitcoin folder does exist, certain processes will be stopped, and Rakhni ransomware will be downloaded and run. If there is no Bitcoin folder and only one processor, the malware will use its worm component and twill attempt to spread to other devices on the network where the process starts over.

Advanced anti-virus software can provide protection against this attack, while spam filtering solutions can prevent the phishing emails from being delivered to end users. Businesses should also ensure that their employees are made aware of the risk of these types of attacks through security awareness training. Employees should be instructed never to open attachments in emails from unknown senders and taught the warning signs of a potential attack in progress. Naturally, good data backup practices are essential to ensure that if all other controls fail, files can be recovered without paying a ransom.

Children’s Mercy Hospital Phishing Attack Highlights Need for Effective Anti-Phishing Protections

A major Children’s Mercy Hospital phishing attack has highlighted the importance of implementing effective spam filtering controls and the need to provide security awareness training to end users.

Phishing is a method of fraudulently obtaining sensitive information through deception. While attacks can occur over the telephone, via social media sites, or through text messages and chat platforms, the most common attack vector is email.

Convincing emails are sent to end users urging them to open an email attachment or to click on a malicious link. Attachments are used to install malware, either directly through malware attached to the email, or more commonly, using macros or other malicious code in documents which download scripts that in turn download the malicious payload.

In the case of embedded hyperlinks in emails, they typically direct an end user to a website that asks them to login. The website could ask for their email credentials, appear to be a Google login box, Dropbox login page, or other file sharing platform. Disclosing login credentials on that webpage sends the information to the attackers. These login pages are convincing. They look exactly like the sites that they are spoofing.

That was the case with the Children’s Mercy Hospital phishing attack. The Kansas City, MO, hospital received several phishing emails which directed employees to fake login pages on criminally-controlled websites.

The phishing attack occurred on or shortly before December 2, 2017. On Dec 2, Children’s Mercy’s security team identified authorized access to two employees’ email accounts. Access to the accounts was blocked the same day and the passwords were reset. Two weeks later, on December 15 and Dec 16, two further email accounts were accessed by unauthorized individuals. Again, unauthorized access was detected and blocked the same day. A fifth email account was accessed on January 3, 2018 with access blocked the following day.

The prompt action in response to the Children’s Mercy phishing attack limited the potential for those email accounts to be abused. When criminals gain access to email accounts they often use them to send further phishing emails. Since those emails come from a legitimate email account, the recipients of the messages sent from that account are more likely to open the emails as they come from a trusted source. That is why business email compromise scams are so effective – because employees trust the sender of the email and take action as requested in the belief that they are genuine communications.

In the case of the Children’s Mercy phishing attack, the criminals acted quickly. Following a forensic investigation into the attacks, Children’s Mercy discovered on January 19, 2018, that even though access to the accounts was promptly blocked, the attackers had successfully downloaded the mailboxes of four of the five employees. The messages contained a wide range of protected health information (PHI) of 63,049 patients.

The PHI included information such as name, gender, age, height, weight, BMI score, procedure dates, admission dates, discharge dates, diagnosis and procedure codes, diagnoses, health conditions, treatment information, contact details, and demographic information.

While Social Security numbers, insurance information, and financial data were not obtained – information most typically required to commit fraud – such detailed information on patients could be used in impersonation attacks on the patients. It would be quite easy for the attackers to pretend they were from the hospital and convince patients to provide their insurance information for example, which could then be used for medical identity fraud.

Due to the scale of the attack and number of emails in the compromised accounts, it has taken a considerable time to identify the individuals affected. The Kansas City Star reports that some patients are only just being notified.

In response, the hospital implemented 2-factor authentication and other technical controls to prevent further attacks.

2-factor authentication is an important security measure that provides protection after a phishing attack has occurred. If login credentials are supplied, but the location or the device used to access the account is unfamiliar, an additional method of authentication is required before access to the account is granted – a code sent to a mobile phone for example.

Two of the most effective security controls to prevent credential theft via phishing are spam filters and security awareness training.

An advanced spam filter is an essential security measure to block phishing attacks. The changing tactics of cybercriminals means no spam filtering solution will be able to block every single phishing email, although SpamTitan, a highly effective spam filtering solution with advanced anti-phishing protections, blocks more than 99.97% of spam and malicious emails to ensure they do not arrive in end users’ inboxes.

Security awareness training helps to prevent employees from clicking on the small percentage of messages that get past perimeter defenses. Employees need to be trained to give them the skills to identify phishing attempts and report them to their security teams. An ongoing training program, with phishing simulation exercises, will help to condition employees to recognize threats and respond appropriately. Over time, phishing email detection skills will improve considerably.

An effective training program can limit the number of employees that respond to phishing attacks, either preventing the attackers from gaining access to email accounts or severely limiting the number of employees who respond and disclose their credentials.

The Children’s Mercy phishing attack is one of many such attacks on healthcare organizations and businesses, and as those attacks increase and more data is obtained by criminals, implementing advanced phishing protections has never been more important.

For further information on email security controls that can prevent phishing attacks, contact the TitanHQ team today and enquire about SpamTitan.

FBI 2017 Internet Crime Report: $1.4 Billion Lost to Business Email Compromise Scams

The FBI has published its 2017 Internet Crime Report, which details the main types of online crime reported to its Internet Crime Complaint Center (IC3).

In 2017, businesses and consumers reported 301,580 incidents to IC3 and more than $1.4 billion was lost to cybercriminals. Of course, these are only reported losses. Many Internet crimes go unreported, so the true losses are likely to be substantially higher.

2017 saw more complaints of Internet crime than any other year since 2013 when the reports first started to be published.

Identity theft and corporate data breaches often make the headlines, although by far the biggest area of criminal activity are business email compromise (BEC) scams – or email account compromise (EAC) when the scams target individuals.

Business Email Compromise Scams – The Main Cause of Losses in 2017

More than three times as much money was lost to BEC and EAC scams than the next highest cause of losses: confidence fraud/romance scams. In 2017, the reported losses from BEC/EAC scams was $676,151,185.

Business email compromise and email account compromise scams involve the use of a compromised email account to convince individuals to make transfers of funds to accounts controlled by criminals or to send sensitive data via email.

BEC scams usually start with compromising the email account of the CEO, CFO or another board member – which is why this type of scam is also known as CEO fraud. Access to the executive’s email account is gained via brute force guessing of passwords or, most commonly, social engineering techniques and phishing scams.

Once access to the email account is gained, an email conversation is initiated with another member of the workforce, typically an individual responsible for making wire transfers. That individual is instructed to make a transfer to a new bank account – that of the attacker. Alternatively, the data of employees is requested – W2 Forms – or other sensitive company information.  These scams often involve large transfers of funds. In 2017 there were 15,690 such scams reported to IC3, making the average loss $43,094.

Phishing Extensively Used in Internet Crime

Phishing, vishing, smishing and pharming were grouped together. They ‘only’ resulted in losses of $29,703,421, although the losses from these crimes are difficult to calculate accurately. The losses associated with phishing are grouped in many other categories. BEC scams often start with a phishing attack and research from Cofense suggests 91% of corporate data breaches start with a phishing email.

The 2017 Internet Crime Report reveals the extent to which phishing is used in cyberattacks. There were 25,344 phishing incidents reported to IC3 in 2017 – the third highest category of Internet crime behind non-payment/non-delivery and personal data breaches. Many personal data breaches start with a phishing email.

Ransomware Attack Mitigation Proves Expensive

In addition to the threat of BEC attacks, the FBI’s 2017 Internet Crime Report warns of the threat from ransomware. Ransomware only resulted in reported losses of $2.3 million and attracted 1,783 complaints, although it is worthy of a mention due to the considerable disruption that attacks can cause. The reported losses – in terms of the ransoms paid – may be low, but actual losses are substantially higher. The ransomware attack on the City of Atlanta in April 2018 saw a ransom demand of $52,000 issued, although the actual cost of mitigating the attack was reported to be at least $2.7 million in April. However, in June 2018, city Information Management head Daphney Rackley indicated a further $9.5 million may be required over the coming year to cover the cost of mitigating the attack.

Tech Support Fraud Losses Increased by 90%

Another hot topic detailed in the 2017 Internet Crime Report is tech support fraud – This is a widespread scam where individuals are fooled into thinking they have a computer problem such as a virus or malware installed, when they do not. Calls are made warning of detected malware, and users are directed to malicious websites via phishing emails where pop-up warnings are displayed, or screen lockers are used.

These scams usually require the victim to pay the scammer to remove a fictitious infection and provide them with remote access to a computer. In addition to the scammers charge for removing the infection, sensitive data such as usernames, passwords, Social Security numbers, and bank account information are often stolen. 2017 saw a 90% increase in losses from tech support scams.

Protecting Against Internet Crime

One of the most important defenses for businesses to implement to protect against the leading cause of financial losses is an advanced spam filtering solution. Business email compromise scams often start with a phishing email and effective spam filtering will reduce the potential for email accounts to be compromised. Ransomware and malware are also primarily distributed via email. An advanced spam filter such as SpamTitan will block 100% of all known malware and prevent malicious messages from being delivered to inboxes.

Security awareness training is also essential. Malicious messages will make it past spam filtering solutions on occasion, so it is important for all end users to be prepared for malicious messages and taught security best practices. Training should be provided to every individual in the company with a corporate email account or access to an Internet facing computer, including board members.

A web filtering solution is also an important consideration. A web filter is an additional anti-malware control that can be used to prevent employees from visiting malicious websites – either via links in emails, redirects, or through general web browsing. A web filter, such as WebTitan, will block ransomware and malware downloads and prevent end users from accessing the types of phishing websites used to initiate BEC attacks.

These three cybersecurity measures should be part of all organizations’ cybersecurity defenses. They will help to prevent businesses from being included in next year’s FBI Internet Crime Report.

Fake WannaCry Ransomware Campaign Detected

UK users are being targeted with a fake WannaCry ransomware alert threatening file encryption if a ransom demand is not paid.

Fraudsters Claim WannaCry is Back!

In May last year, WannaCry ransomware attacks brought many companies to a standstill, with the UK’s National Health Service (NHS) a notable victim. Now, a little more than a year later, a new WannaCry ransomware campaign is being run, or so the sender of a batch of phishing emails claims.

Email recipients are told “WannaCry is back!” and are warned that their devices have been hacked and ransomware has been installed.

Email recipients are warned that the threat actors have perfected their ransomware and this time around antivirus software and firewalls will not prevent file encryption. Further, recovery will not be possible if the ransom is not paid.

Failure to pay, or any attempt to try to remove the ransomware without paying the ransom demand will result in permanent file deletion. Further, the ransomware can propagate and infect the local network, cloud data, and remote devices, regardless of operating system.

Email recipients are told that the ransomware has already been deployed and payment of a ransom of 0.1 Bitcoin – Around $650 – must be made to stop the attack. Email recipients are given just 24 hours to pay the ransom before data are permanently deleted.

The email is signed by WannaCry-Hack-Team, and so far, more than 300 copies of the message have been reported to the UK government’s National Fraud and Cyber Crime Reporting Centre, Action Fraud.

A Phishing Scam that Preys on WannaCry Fears

There are some signs that the email is not a genuine threat, and instead is just preying on fears about another WannaCry style attack.

Ransomware attackers encrypt data then ask for a ransom to unlock files. They do not send a warning saying they will encrypt data if a ransom is not paid. That tactic may be used by some DDoS attackers, but not by ransomware threat actors.

Email recipients are told that this version of WannaCry will work on “any version of Windows, iOS, Android, and Linux.” The original version of WannaCry took advantage of a vulnerability in Windows Server Message Block. WannaCry only affected vulnerable Windows devices that had not been patched. The ransomware was not a threat on other operating systems.

Phishing campaigns often include spelling mistakes in the subject line and message body and this email is no different. The subject line is – “Attantion WannaCry”.

This is simply a phishing campaign that attempts to extort money from the recipient. No ransomware has been installed and the attackers cannot encrypt any files.

If you receive such a message threatening file encryption unless you pay a ransom, report the message to Action Fraud (UK), US-CERT (phishing-report@us-cert.gov) in the United States, or the government Fraud and Cyber Crime agency in your country of residence and delete the email and do not pay any Bitcoin ransom.

Of course, not all ransomware threats are as benign as this and many attackers will be able to encrypt your data. To protect against real ransomware threats ensure you create multiple backups of your files, deploy a spam filtering solution, ensure your operating system and all software are kept up to date, and keep your anti-virus protection up to date.

Beware of These World Cup 2018 Phishing Scams

World Cup 2018 phishing scams can be expected over the coming weeks. There has already been a spike in World Cup related phishing emails and many malicious World Cup-themed domains have been registered.

World Cup 2018 Phishing Scams Detected!

The World Cup may be two weeks away, but interest in the soccer extravaganza is already reaching fever pitch. The World Cup is watched by billions of people around the world, and there are expected to be around 5 million soccer fans expected to travel to Russia to see the matches live between June 14 to July 15. With such interest in the sporting event it should be no surprise that cybercriminals are poised to take advantage.

Kaspersky Lab has already detected several World Cup 2018 phishing scams, with many of the early scams using emails to direct soccer fans to malicious websites offering the opportunity to buy tickets for the games.

Fake Tickets and Fake Touts

With tickets for the big matches scarce and demand outstripping supply, many fans are turning to touts to secure tickets to the big matches. Steps have been taken by FIFA to make it harder for ticket touts to operate, such as only allowing one ticket for a game to be purchased by any football fan. That individual is also named on the ticket. However, it is still possible for individuals to purchase tickets for guests and touts are taking advantage. The price for guest tickets is extortionate – up to ten times face value – and that price will likely rise as the event draws closer.

Such high prices mean the opportunity of snapping up a cheaper ticket may seem too good to miss. However, there are plenty of scammers who have registered websites and are posing as touts and third parties that have spare tickets.

Purchasing a ticket through any site other than the official FIFA is a tremendous risk. The only guarantee is that the price paid will be substantially higher, but there are no guarantees that a ticket will be sent after payment is made. Even if a ticket is purchased from an unofficial seller, it may turn out to be a fake. Worse, paying with a credit or debit card could see bank accounts emptied.

Kaspersky Lab detected large numbers of malicious domains set up and loaded with phishing pages to take advantage of the rush to buy tickets ahead of the tournament. The websites are often clones of the official site.To add credibility, domains have been purchased that include the words worldcup2018 and variations along that theme. Cheap SSL certifications have also been purchased, so the fact that a website starts with HTTPS is no guarantee that a site is legitimate. Tickets should only be purchased through the official FIFA website.

Competition Scams

Why pay a high price for a ticket when there is a chance of obtaining one for free? Many competition-themed World Cup 2018 phishing emails have been detected. These emails are sent out in the millions offering soccer fans the change to win a free ticket to a match. To be in with a chance, the email recipient is required to register their contact details. Those details are subsequently used for further phishing and spamming campaigns. Stage two of the scam, where the ‘lucky’ registrant is told they have one tickets, involves opening an email attachment, which installs malware.

Notifications from FIFA and Prizes from FIFA World Cup 2018 Partners

Be wary of any communications from FIFA or any company claiming to be an official World Cup Partner. Kaspersky Lab has detected several emails that appear, at face value, to have been sent by FIFA or its World Cup 2018 partners. These emails usually request the recipient to update their account for security reasons.

Visa is one brand in particular that is being spoofed in World Cup 2018 phishing emails for obvious reasons. Fake security alerts from Visa require credit card credentials to be entered on spoofed websites. If any security alert is received, visit the official website by typing in the official domain into the browser. Do not click the links contained in the emails.

Cheap Travel Accommodation Scams

Airline tickets to cities staging World Cup matches may be difficult to find, and with more than 5 million fans expected in Russia for the World Cup, accommodation will be scarce. Scammers take advantage of the scarcity of flights and accommodation and the high prices being charged and offer cheap deals, usually via spam email. A host of malicious websites have been set up mimicking official travel companies and accommodation providers to fool the unwary into disclosing their credit card details. Retail brands are also being spoofed, with offers sent via email for cut price replica shirts and various other World Cup apparel.

These World Cup 2018 phishing scams can usually be identified from the domain name, which needs to be checked carefully. These websites are often clones and are otherwise indistinguishable from the official websites.

Team and Match News and World Cup Gossip

As the World Cup gets underway, there are likely to be waves of spam emails sent with news about matches, team information, betting odds, and juicy gossip about teams and players. Every major sporting event sees a variety of lures sent via spam email to get users to click links and visit malicious websites. Hyperlinks often direct users to webpages containing fake login pages – Facebook and Google etc. – where credentials need to be entered before content is displayed.

How to Avoid Becoming a Victim of a World Cup 2018 Phishing Scam

These are just a few of the World Cup 2018 phishing scams that have been detected so far and a great deal more can be expected by the time the World Cup winner lifts the trophy on July 15.

Standard security best practices will help soccer fans avoid World Cup 2018 phishing scams. Make sure you:

  • Only buy tickets from the official FIFA website
  • Only book travel and accommodation from trusted vendors and review the vendors online before making a purchase
  • Never buy products or services advertised in spam email
  • Never opening attachments in World Cup-themed emails from unknown senders
  • Do not click hyperlinks in emails from unknown senders
  • Never click a hyperlink until you have checked the true domain and avoid clicking on shortened URLs
  • Ensure all software, including browsers and plugins, is patched and kept fully up to date
  • Ensure anti-virus software is installed and is kept up to date
  • Consider implementing a third-party spam filtering solution to prevent spam and malicious messages from being delivered – Something especially important for businesses to stop employees from being duped into installing malware on work computers.
  • Stay alert – If an offer seems to good to be true, it most likely is

Cybersecurity Breaches Survey Shows Almost Half of UK Businesses Experienced a Cyberattack in 2017

The UK Government’s Department for Digital, Culture, Media, & Sport has published its Cybersecurity Breaches Survey for 2018. The survey, conducted by Ipsos MORI, was a quantitative and qualitative survey conducted in the winter of 2017 on 1,519 UK businesses and 569 UK registered charities.

The purpose of the cybersecurity breaches survey was to identify the nature and significance of cyberthreats, determine how prevalent cyberattacks are, and what is being done to prevent such attacks.

The cybersecurity breaches survey revealed UK businesses and charities are being targeted by cybercriminals intent on gaining access to sensitive information, email accounts, corporate networks, and bank accounts and attacks are on the rise.

43% of businesses and 19% of charities experienced a cybersecurity breach or cyberattack in the past 12 months with large businesses and charities more likely to be attacked. 72% of large businesses – those with more than 250 employees – and 73% of large charities – with incomes over £5 million – experienced a cyberattack in the past year.

While not all security breaches result in material losses such as theft of data or personal information, when there is a material outcome the costs can be significant. The average costs of breaches with a material outcome is £3,100 for businesses and £1,030 for charities, although the larger the business, the greater the cost. Medium sized businesses have average costs of £16,100 and large businesses have an average breach cost of £22,300.

The high probability of a breach occurring and the high cost of remediating breaches has seen cybersecurity become a priority for senior managers. The percentage of businesses (74%) and charities (53%) that say cybersecurity is a high priority has risen year on year and the percentage of businesses (30%) and charities (24%) that say cybersecurity is a low priority has fallen once again. Cybersecurity is also now a high priority for many small businesses (42%) having risen from 33% last year when the survey was conducted. Cybersecurity may be a high priority, but just 3 out of 10 businesses and under a quarter of charities have board members with a responsibility for cybersecurity.

The most common type of breaches and cyberattacks involve fraudulent emails directing employees to malicious websites. 75% of UK businesses and 74% of UK charities that experienced a breach in the past year experienced these types of attacks. Email impersonation attacks were the second most common breach type with 28% of UK businesses and 27% of UK charities saying they had experienced these types of incidents in the past 12 months.

Not only are these types of attacks common, they also cause the most disruption. 48% of UK businesses and charities said fraudulent emails and being directed to malicious websites caused the most disruption out of all cybersecurity breaches experienced, well ahead of malware infections which were rated as the most disruptive cyberattacks by 13% of UK businesses and 12% of UK charities.

The cybersecurity breaches survey clearly highlights the importance of implementing robust defenses to prevent malicious emails from being delivered to employees’ inboxes and to ensure staff are well trained and taught how to identify malicious emails.

TitanHQ offers two cybersecurity solutions that can help UK businesses block the most common and most disruptive types of cyberattack. SpamTitan is a powerful spam filtering solution that blocks more than 99.97% of spam emails and 100% of known malware from being delivered to end users’ inboxes.

WebTitan is a cloud-based web filtering solution that prevents employees from visiting malicious websites, such as those used in phishing emails to steal credentials and spread malware.  Implementing these solutions is far cheaper than having to cover the cost of remediating cyberattacks.

There is also clearly a problem with training in the UK. Only 20% of UK businesses and 15% of UK charities have had staff attend internal or external cybersecurity training in the past year, even though security awareness training has clearly been shown to be effective at reducing susceptibility to email-based attacks.

Leominster School District Ransomware Attack Sees $10,000 Ransom Paid

Another school district has fallen victim to a ransomware attack, which has seen files encrypted and systems taken out of action for two weeks. The Leominster school district ransomware attack saw a ransom demand of approximately $10,000 in Bitcoin was issued for the keys to unlock the encrypted files, which includes the school’s entire student database.

School districts attacked with ransomware often face a difficult decision when ransomware is installed. Attempt to restore systems and recover lost data from backups or pay the ransom demand. The first option is time consuming, costly, and can see systems remain out of action for several days. The second option includes no guarantees that the attackers will make good on their promise and will supply valid keys to unlock the encryption. The keys may not be held, it may not be possible to unlock files, or a further ransom demand could be issued. There have been many examples of all three of those scenarios.

The decision not to pay the ransom demand may be the costlier option. The recent ransomware attack on the City of Atlanta saw a ransom demand issued in the region of $50,000. The cost of recovering from the attack was $2.6 million, although that figure does include the cost of improvements to its security systems to prevent further attacks.

School districts are often targeted by cybercriminals and ransomware offers a quick and easy way to make money. The attackers know all too well that data can most likely be recovered from backups and that the ransom does not need to be paid, but the cost of recovery is considerable. Ransom demands are set accordingly – high enough for the attackers to make a worthwhile amount, but low enough to tempt the victims into paying.

In the case of the Leominster ransomware attack, the second option was chosen and the ransom demand of was paid. That decision was taken after carefully weighing up both options. The risk that no keys would be supplied was accepted. In this case, they were supplied, and efforts are well underway to restore files and implement further protections to ensure similar incidents do not occur in the future.

Even though the ransom was paid, the school district was still without access to its database and some of its computer systems two weeks after the attack. Files were encrypted on April 14, but systems were not brought back online until May 1.

Unfortunately for the Leominster School District, ransom payments are not covered by its cyberinsurance policy, so the payment had to come from its general fund.

There is no simple way to defend against ransomware attacks, as no single cybersecurity solution will prove to be 100% effective at blocking the threat. Multiple attack vectors are used, and it is up to school districts to implement defenses to protect the entire attack surface. The solution is to defend in numbers – use multiple security solutions to create layered defenses.

Some of the most important defenses include:

  • An advanced firewall to defend the network perimeter
  • Antivirus and anti-malware solutions on all endpoints/servers
  • Vulnerability scanning and good patch management policies. All software, systems, websites, applications, and operating systems should be kept up to date with patches applied promptly
  • An advanced spam filtering solution to prevent malicious emails from being delivered to end users. The solution should block all executable files
  • Disable RDP if it is not required
  • Provide security awareness training for employees and teach staff and students the skills to enable them to identify malicious emails and stop risky behaviors
  • A web filtering solution capable of blocking access to malicious websites

The cost of implementing these solutions is likely to be far lower than the cost of a ransom payment and certainly lower than the cost of mitigating a ransomware attack.

Study Highlights Lack of Effective Security Awareness Training for Employees

Providing security awareness training for employees helps to eradicate risky behaviors that could potentially lead to a network compromise. Training programs should cover all the major threats faced by your organization, including web-based attacks, phishing emails, malware, and social engineering scams via the telephone, text message, or social media channels.

All too often, businesses concentrate on securing the network perimeter with firewalls, deploying advanced anti-malware solutions, and implementing other technological controls such as spam filters and endpoint protection systems, yet they fail to provide effective security awareness training for employees. Even when security awareness training programs are developed, they are often once-a-year classroom-based training sessions that are forgotten quickly.

If you view security awareness training for employees as a once-a-year checkbox item that needs to be completed to ensure compliance with industry regulations, chances are your training will not have been effective.

The threat landscape is changing rapidly. Cybercriminals often change their tactics and develop new methods to attack organizations. If your security program does not incorporate these new methods of attack, and you do not provider refresher security awareness training for employees throughout the year, your employees will be more likely to fall for a scam or engage in actions that threaten the security of your data and the integrity of your network.

Many Businesses Fail to Provide Effective Security Awareness Training for Employees

One recent study has highlighted just own ineffective many security awareness training programs are. Positive Technologies ran a phishing and social engineering study on ten organizations to determine how effective their security awareness programs were and how susceptible employees are to some of the most common email-based scams.

These include emails with potentially malicious attachments, emails with hyperlinks to websites where the employee was required to enter their login credentials, and emails with attachments and links to a website. While none of the emails were malicious in nature, they mirrored real-world attack scenarios.

27% of employees responded to the emails with a link that required them to enter their login credentials, 15% responded to emails with links and attachments, and 7% responded to emails with attachments.

Even a business with 100 employees could see multiple email accounts compromised by a single phishing campaign or have to deal with multiple ransomware downloads. The cost of mitigating real world attacks is considerable. Take the recent City of Atlanta ransomware attack as an example. Resolving the attack has cost the city $2.7 million, according to Channel 2 Action News.

The study revealed a lack of security awareness across each organization. While employees were the biggest threat to network security, accounting for 31% of all individuals who responded to the emails, 25% were team supervisors who would have elevated privileges. 19% were accountants, administrative workers, or finance department employees, whose computers and login credentials would be considerably more valuable to attackers. Department managers accounted for 13% of the responders.

Even the IT department was not immune. While there may not have been a lack of security awareness, 9% of responders were in IT and 3% were in information security.

The study highlights just how important it is not only to provide security awareness training for employees, but to test the effectiveness of training and ensure training is continuous, not just a once a year session to ensure compliance.

Tips for Developing Effective Employee Security Awareness Training Programs

Employee security awareness training programs can reduce susceptibility to phishing attacks and other email and web-based threats. If you want to improve your security posture, consider the following when developing security awareness training for employees:

  • Create a benchmark against which the effectiveness of your training can be measured. Conduct phishing simulations and determine the overall level of susceptibility and which departments are most at risk
  • Offer a classroom-style training session once a year in which the importance of security awareness is explained and the threats that employees should be aware of are covered
  • Use computer-based training sessions throughout the year and ensure all employees complete the training session. Everyone with access to email or the network should receive general training, with job and department-specific training sessions provided to tackle specific threats
  • Training should be followed by further phishing and social engineering simulations to determine the effectiveness of training. A phishing simulation failure should be turned into a training opportunity. If employees continue to fail, re-evaluate the style of training provided
  • Use different training methods to help with knowledge retention
  • Keep security fresh in the mind with newsletters, posters, quizzes, and games
  • Implement a one-click reporting system that allows employees to report potentially suspicious emails to their security teams, who can quickly take action to remove all instances of the email from company inboxes

Phishing Attacks Expected Following Massive MyFitnessPal Data Breach

Under Armour has experienced a massive MyFitnessPal data breach that has resulted in the personal information of 150 million users being accessed and stolen by a hacker.

The data relates to users of the mobile MyFitnessPal app and the web version of the fitness and health tracking platform. The types of data stolen in the MyFitnessPal data breach include hashed usernames, passwords and email addresses.

While payment card data is held by Under Armour, the information is processed and stored separately and was unaffected. Other highly sensitive information typically used for identity theft and fraud such as Social Security numbers was not obtained by the attacker.

The MyFitnessPal data breach is notable for the sheer volume of data obtained and is the largest data breach to be detected this year; however, the theft of hashed data would not normally pose an immediate risk to users. That is certainly the case for the passwords, which were hashed using bcrypt – a particularly strong hashing algorithm. However, usernames and passwords were only hashed using the SHA-1 hashing function, which does not offer the same level of protection. It is possible to decode SHA-1 hashed data, which means the information could potentially be accessed by the attacker.

Further, the attacker has had the data for some time. Under Armour became aware of the breach on March 25, 2018, but the attack took place more than a month before it was detected – some six weeks before the announcement about the data breach was made.

Given the method used to protect the usernames and passwords, the data can be considered accessible and it is almost certain the person or persons responsible for the attack will attempt to monetize the data. If the attacker cannot personally decrypt the data, it is certain that the data will be some to someone who can.

While it is possible that the bcrypt-encrypted passwords can be decoded, it is unlikely that decryption will be attempted. To do so would take a considerable amount of time and effort. Further, Under Armour is notifying affected users and is encouraging them to change their passwords as a precaution to ensure accounts cannot be accessed.

While MyFitnessPal accounts may remain secure, that does not mean that users of MyFitnessPal will be unaffected by the breach. The attacker – or current holders of the data – will no doubt use the 150 million email addresses and usernames for phishing campaigns.

Under Armour started notifying affected users four days following the MyFitnessPal data breach. Any user affected should login and change their password as a precaution to prevent their account from being accessed. Users also need to be alert to the risk from phishing.

Phishing campaigns related to the MyFitnessPal data breach can be expected although the attackers will likely develop a variety of phishing emails to target breach victims.

An incident of the scale of the MyFitnessPal data breach also poses a risk to businesses. If an employee was to respond to a phishing campaign, it is possible that they could download malware onto their work device – an action that could result in the business network being compromised.

Attacks on this scale are becoming far more common, and with huge volumes of email addresses now being used for phishing campaigns, advanced spam filtering solutions for businesses are now a necessity.

If you have yet to implement a spam filter, are unhappy with your current provider and the detection/false positive rate, contact TitanHQ to find out about SpamTitan – The leading anti-spam software for enterprises and SMBs.

Phishing Attacks in Healthcare Prompt HHS’ Office for Civil Rights to Issue Warning and Advice

Phishing attacks in healthcare are to be expected. Healthcare providers hold vast quantities of data on patients. Hospitals typically employ hundreds or thousands of members of staff, use many third-party vendors, and historically they have had relatively poor cybersecurity defenses compared to other industry sectors. That makes them an attractive target for phishers.

Phishing is a method of gaining access to sensitive information which typically involves a malicious actor sending an email to an employee in which they attempt to get that individual to reveal their login credentials. This is achieved using social engineering techniques to make the email recipient believe the email is a genuine.  For instance, a security alert could inform the email recipient that an online account has been compromised and a password change is required. They are directed to a spoofed website where they are asked to login. The site is fake but looks genuine.

Credentials are entered and passed to the attacker who uses them to gain access to that individual’s account. Phishing can also involve malware. Emails attempt to convince the recipient to open a malware-infected attachment or download a malicious file from a compromised website.

Compliance with HIPAA Rules Helps to Prevent Phishing Attacks in Healthcare

HIPAA Rules require healthcare providers to implement administrative, technical, and physical safeguards to reduce the risk of cyberattacks and phishing. HIPAA only demands a minimum standard for data security be reached, although complying with HIPAA Rules can help to prevent phishing attacks in healthcare.

HIPAA is not technologically specific on the defenses that should be used to protect patient data. Healthcare providers can choose appropriate defenses based on the results of a risk analysis.

It is possible for healthcare organizations to be compliant with HIPAA Rules but still be vulnerable to phishing attacks. If healthcare providers are to block the majority of phishing attacks and truly secure patients’ data, they must go above and beyond the requirements of HIPAA.

HHS’ Office for Civil Rights Warns of Phishing Attacks in Healthcare

Recent phishing attacks in healthcare have prompted the HHS’ Office for Civil Rights to issue a warning about the risk from phishing.

Attacks are now highly sophisticated and can be hard to detect. The emails are often free from spelling mistakes, have near perfect grammar, include brand images and logos, and appear to have been sent from genuine domains. The reasons given for taking a specific course of action are perfectly plausible as is the need for urgent action.

OCR also highlights the rise in spear phishing attacks in healthcare. These attacks involve more targeted attempts to gain access to sensitive information and can be conducted on specific individuals or groups of individuals in an organization – The payroll or HR department for instance.

These attacks often see a CEO or superiors impersonated to add legitimacy to the attack. These attacks tend to require the opening of attachments or visiting links to download malware. Spear phishing emails are also used to request bank transfers or for sensitive information to be sent via email – W2-Forms of employees for instance. Many healthcare employees have been fooled by these scams.

Recent Phishing Attacks in Healthcare

Listed below are some of the recent examples of phishing attacks in healthcare. This is just a small selection of incidents that have resulted in healthcare records being exposed or stolen. The reality is that many data breaches start with a phishing email. Security awareness training company Cofense suggests that as many as 91% of data breaches have their root in a phishing campaign.

November 2017: 1,670 patients of Forrest General Hospital have their PHI exposed following a phishing attack on business associate HORNE.

October 2017: Henry Ford Health System discovers several email accounts were compromised as a result of employees responding to phishing emails. The PHI of 18,470 patients may have been stolen.

September 2017: Employees of UPMC Susquehanna responded to phishing emails with the attackers able to gain access to the PHI of 1,200 patients.

September 2017: A phishing attack on Wisconsin-based Network Health resulted in the PHI of approximately 51,000 patients being exposed.

August 2017: Chase Brexton Health Care in Maryland experienced a phishing attack that saw several email accounts compromised along with the PHI of 16,000 patients.

July 2017: The Medical College of Wisconsin experienced a phishing attack that allowed attackers to gain access to email accounts and the PHI of 9,500 patients.

July 2017: RiverMend Health employees responded to phishing emails and their accounts were accessed by the attackers. The PHI of 1,200 patients was potentially viewed or stolen.

June 2017: A phishing attack on Elderplan Inc., saw several email accounts compromised along with the PHI of 22,000 individuals.

June 2017: MJHS Home Care experienced a phishing attack that saw email access gained by an unauthorized individual. The compromised email accounts contained the PHI of 6,000 patients.

Staff Training and Anti-Phishing Technology

HIPAA does not specifically mention spam filters, but since phishing is used to target employees via email, spam filtering can be considered essential. By filtering out the majority of spam and malicious messages there is less potential for an employee to click on a malicious link or open a malware infected email attachment.

SpamTitan is a cloud-based anti-spam service that blocks more than 99.9% of spam emails from being delivered to inboxes and has a 0.03% false positive rate. Dual antivirus engines (Bitdefender/ClamAV) ensure malicious email attachments are blocked.

Healthcare employees are the last line of defense, so it is important for them to be able to recognize email threats and anti-phishing training is a requirement of HIPAA. In July 2017, OCR issued advice to healthcare organizations on anti-phishing training in its cybersecurity newsletter.

OCR also recommends using multi-factor authentication to ensure email accounts are not compromised when a password is guessed or stolen. Software and operating systems must be kept up to date and fully patched to prevent vulnerabilities from being exploited, and anti-virus and anti-malware solutions should be deployed to prevent infection. Regular backups can also prevent data loss in the event of a malware or ransomware infection.

Bitdefender AV Protection Incorporated into SpamTitan v7.00

Titan HQ has announced from March 5, 2018 all new customers signing up to use the SpamTitan cloud-based anti-spam service will benefit from leading antivirus and anti-malware protection from Bitdefender. All existing customers will similarly be protected by Bitdefender, although first they will need to upgrade to SpamTitan v7.00. v7.00 was released on March 5.

The primary AV engine used in previous versions of SpamTitan was provided by Kaspersky Lab, with ClamAV used as a secondary AV engine. SpamTitan v7.00 will also incorporate ClamAV as a secondary AV engine. Kaspersky AV will no longer be supported on SpamTitan suite of products from May 1, 2018.

The change to the new primary AV engine is due to a growing strategic relationship with Bitdefender. Further collaboration with the Romanian cybersecurity firm is planned for the future. Customers already using SpamTitan are encouraged to upgrade to the latest version of the product as soon as possible as several other updates have been incorporated into the latest version, including patches for recently discovered vulnerabilities in ClamAV.

These include the use-after-free vulnerability CVE-2017-12374; buffer overflow vulnerabilities CVE-2017-12375 and CVE-2017-12376; Mew Packet Heap Overflow vulnerability CVE-2017-12377; Buffer Overflow in messageAddArgument vulnerability CVE-2017-12379; and Null Dereference vulnerability CVE-2017-12380. TitanHQ has also included patches for openssl, openssh, php, and wget and updates have been included to resolve potential denial of service attacks.

Customers already on v6.x of the platform who have enabled prefetch of system updates will find the latest patches in the list of available updates on the System updates page. If this option is disabled, they should use the ‘Check for Updates Now’ option in the user interface.

Customers using SpamTitan v4 and v5 have been advised that support for both versions of SpamTitan will cease on May 1, 2018. An upgrade to version 7.00 will therefore be required before the deadline. It is important to note that the update process requires v4/5 to first be upgraded to v6 before installing SpamTitan v7.00. Upgrading to the new version will not change the existing configuration of the product.

Customers should allow 10-20 minutes for the installation of the new version and should read all product notes before installation.

Sophisticated Multi-Stage Phishing Scam Used to Obtain Millions of Dollars from Businesses

Cybercriminal gangs operating in Nigeria have been discovered to be using phishing kits in a highly sophisticated phishing campaign that has seen millions of dollars obtained from big businesses.

The scammers are regularly fooling employees into revealing their email login credentials – The first stage of the complex scam. The ultimate goal of the attackers is to gain access to corporate bank accounts and convince accounts department employees to make sizeable transfers to their accounts.

According to research conducted by IBM, these scams have been highly successful. Fortune 500 companies are being targeted and losses have been estimated to be of the order of several million dollars.

These scams take time to pull off and considerable effort is required on the part of the scammers. However, the potential rewards are worth the effort. Bank transfers of tens or hundreds of thousands of dollars can be made and business email accounts can be plundered.

A Sophisticated Multi-Stage Phishing Scam

In order to pull off the scam, the attackers must first gain access to at least one corporate email account. Access is gained using phishing emails, with social engineering tactics used to convince employees to click on a malicious link. Those links direct the email recipients to malicious DocuSign login pages where credentials are harvested. These malicious pages have been created on multiple websites.

According to IBM, the gang behind this campaign has created more than 100 of these pages, many of which have been loaded onto genuine websites that have been compromised by the attackers.

Once access to one email account is gained, it is easy to obtain email addresses from the contact list to fool other employees. When an email account is accessed, the attackers search the account for messages involving accounts and payments. The attackers then send emails carrying on conversations between staff members, inserting themselves into conversations and continuing active discussions.

“The attackers typically took a week between the point they gained initial access to a user’s email account and the time they started setting up the infrastructure to prepare a credible ruse,” said IBM’s X-Force researchers.  “During this time, they likely conducted extensive research on the target’s organizational structure, specifically focusing on the finance department’s processes and vendors.”

By setting up email rules and filters, it is possible to block genuine conversations between the employees that could uncover the scam. By doing this, all conversations take place between a specific individual and the attacker.

This method of attack allows the attackers to gain access to banking credentials and send highly convincing emails requesting transfers to their accounts. Targeted employees are unlikely to be unaware that they are not emailing a legitimate contact.

This is a manual, labor-intensive scam involving no malware. That has the advantage of allowing the attackers to evade anti-malware technologies.

How to Protect Against These Sophisticated Email Scams

While these scams are complex, they start with a simple phishing email to gain access to a corporate email account. Once access to an email account has been gained, stopping the scam becomes much harder. The easiest time to prevent such an attack is at the initial stage, by preventing the phishing emails from reaching the inboxes of employees and training employees how to identify phishing emails.

That requires an advanced spam filtering solution that can identify the common signatures of spam and scam emails. By setting aggressive filtering policies, the vast majority of spam emails will be captured and quarantined. With the SpamTitan cloud-based anti-spam service, that equates to more than 99.9% of all spam and malicious emails. SpamTitan also has a particularly low false positive rate – less than 0.03% – ensuring genuine emails are still delivered.

No spam solution can be 100% effective, so it is also important to prepare the workforce and train staff how to identify malicious emails. Security awareness and anti-phishing training allows organizations to create a ‘human firewall’ to complement technical solutions.

Spear phishing – highly targeted email attacks – are harder to block, but it is possible to implement solutions to prevent scams such as this from resulting in credentials being obtained. In this campaign, links are sent in emails. By implementing a web filtering solution, those links can be blocked. In tandem with a spam filter, organizations with a security aware workforce will be well protected from phishing attacks.

Further, the use of two-factor authentication is an important security measure to implement. This will prevent attackers from using an unknown device to access an email account.

For further information on web filters and spam filters, and the benefits of installing them at your organization, contact the TitanHQ team today and take the first step toward improving your defenses against sophisticated phishing scams.

IRS Impersonated in Rapid Ransomware Email Scam

A new IRS-themed rapid ransomware email scam has been detected that uses the threat of significant financial penalties for late tax payments to fool victims into installing ransomware.

Tax season is well underway and cybercriminals have been increasing their efforts to obtain tax credentials to file fraudulent tax returns in the names of their victims. Businesses are the prime targets, as a successful scam can see the tax credentials of hundreds or thousands of employees obtained from a single response to an scam email.

However, it is not only tax fraudsters that are taking advantage of tax season. Ransomware attacks are also likely, as has been highlighted by a recently uncovered email scam that impersonates the IRS.

The purpose of this scam is to install Rapid ransomware. Rapid ransomware is a relatively new ransomware variant first detected in January 2018. In contrast to many ransomware variants that encrypt files and then terminate, rapid ransomware remains active after encryption and will encrypt any further files that are created on the infected device.

In addition to encrypting files, the ransomware deletes Windows shadow volume copies and disables automatic repair to hamper any attempts to restore files without paying the ransom. There is currently no decryptor for Rapid ransomware. Recovery will depend on backups being available or the ransom demand must be paid.

IRS Spoofed to Spread Rapid Ransomware

The Rapid ransomware email scam is similar to many other scams conducted during tax season. The emails are well written and plausible. There is urgency to encourage rapid action and a threat of financial penalties if the emails are ignored.

The emails have the subject line: ‘Please Note – IRS Urgent Message 164’ and contain a zipped notification attachment which email recipients are required to open to obtain further information.

In the body of the email, the recipient is led to believe they have significant tax arrears related to a property. The recipient is told that no action is taken by the IRS when tax arrears are cleared within 4-6 months of their due date, but since the recipient’s tax is 7 months out of date they are liable for a fine. They are told that if they do not respond to the email within one day and attempt to rectify the situation, ‘significant charges and fines may apply’. They are also told to open and study the attached document. The zip file contains a Word file containing a macro. If allowed to run, the macro downloads a PowerShell file, which in turn downloads Rapid ransomware.

Security aware individuals should be able to identify signs that the email is not genuine. First, the email is addressed ‘Dear Customer.’ In the event of the IRS contacting an individual about tax arrears, it would be likely that the email would be addressed using the individual’s name. However, such a situation would not occur. The IRS has confirmed in numerous warnings about phishing emails that it does not initiate contact about tax arrears via email. Further, tax arrears are serious, but not so serious that a response of 1 day would be given for a response.

The scammers behind this campaign have made some glaring mistakes in their campaign. The email address spoofed has the domain nottscc.gov.uk. While the email address looks official, it relates to Nottinghamshire County Council in the UK and the IRS is the American tax agency. However, many devices do not show the full domain so this may not be noticed. Another major error is the use of German language in the Word document, including instructions for enabling the macro.

Scam Highlights Need for Spam Filters and Security Awareness Training

Due to the errors made by the scammers, in particular the use of German and a UK local government email address – this email scam should be easily detected by employees and consumers, but such mistakes are not always made. The email is plausible, and otherwise it would be likely that many individuals would be fooled by such a scam.

For businesses, these scams can prove incredibly costly. In this case, there is no set ransom payment. Victims need to email the scammers to find out how to pay the ransom and how much is being charged. If the emails come from a business domain, the ransom payment would likely be increased. Further, ransomware can spread laterally within a network and result in file encryption on multiple endpoints and servers. With ransoms typically charged for each infected device, the costs can be considerable.

This Rapid ransomware email scam highlights the need for spam protections to be put in place to prevent malicious emails from being delivered. With SpamTitan implemented, more than 99.9% of spam email is blocked, preventing employees from having their phishing email identification skills tested.

It is also important to provide security awareness training to employees to teach them the skills they need to identify scams such as this. Not all email scams will be as easy to detect as this one. Training goes a long way toward ensuring that when emails slip past security defenses they are quickly identified by the workforce.

Saturn Ransomware: A New Ransomware Variant Offered as RaaS

Saturn ransomware is a new threat recently identified by security researchers at MalwareHunterTeam. Saturn ransomware takes its name from the extension added to encrypted files (.saturn).

While it is easy to determine the ransomware variant used in an attack, this will be of little use to victims. There is currently no decryptor available to recover files.

A single infection can rapidly spread laterally, encrypting files on an infected device as well as network shares. Recovering files from backups may prove difficult. Saturn ransomware searches for and deletes shadow volume copies, clears the Windows backup catalog, and also disables Windows startup repair.

If no viable backup exists, the victim must pay a ransom payment in bitcoin of approximately $300 per infected device. If payment is not made within 7 days of infection, the ransom payment doubles.

As with many new ransomware variants, attacks can come from all angles. That is because the new ransomware variant is being offered to affiliates as ransomware-as-a-service.

Ransomware-as-a-service allows the malware developers to maximize the number of infections – and profits – by recruiting a large team of distributors to send spam emails, load the ransomware onto malicious websites, and install the malicious software by taking advantage of poor security defenses. In exchange for their efforts, affiliates are given a percentage of the ransom payments that are received.

The developers of Saturn ransomware have made it as easy as possible for affiliates. A portal has been developed that allows affiliates to obtain copies of the ransomware binaryeither embedded in exe files or Office, PDF files or other documents. To tempt individuals into using this ransomware variant instead of other RaaS offerings, the developers are offering a large percentage of the ransom payments to affiliates – 70%.

The ease of running campaigns together with the high potential rewards for infection means many affiliates are likely to start using the new ransomware variant in attacks. The new malware is already being offered on various darknet forums.

How to Block Saturn Ransomware Attacks

Spam email is the easiest way of spreading ransomware. Massive spam campaigns require little skill and there is no shortage of email addresses for sale on the dark web. We can therefore expect this new ransomware variant to be widely distributed over the coming weeks.

With spam email likely to be the main vector of attack, one of the best defenses to deploy to prevent infection is to use anti spam software such as SpamTitan. SpamTitan blocks more than 99.9% of spam email. With SpamTitan in place, emails can be blocked and will not reach end users inboxes.

However, no single defense can provide total protection from ransomware attacks. Layered defenses are required. Antivirus and antimalware solutions should be used, although signature and heuristics-based defenses will not provide total protection. Businesses should also use a technology that identifies changes to files to ensure that if infection occurs, rapid action can be taken to limit the spread of the ransomware.

Multiple copies of files should also be made to ensure that should the unthinkable happen, data will not be lost. Businesses should make at least three backups, stored on two different media, with at least one copy stored securely off-site. Good patch management policies are also required to prevent vulnerabilities from being leveraged to install the ransomware.

Technical defenses are essential, but don’t forget the human element. Ransomware spread via spam email requires some user interaction – the opening of an email attachment or the clicking of a link. Security awareness training and phishing email simulations are now a necessity to reduce user susceptibility to email-based attacks.

Malware Campaign Uses Microsoft Word Without Macros

A new malware campaign has been detected that uses Microsoft Word without macros. Opening a Word document sent via email will not generate the usual warnings that macros must be enabled.

Employees may have been warned to be wary of any emails containing attachments, and never to enable macros on documents received via email. However, the use of Microsoft Word without macros means that even opening email attachments can see malware downloaded, if patches have not been applied.

The multi-stage infection process uses the CVE-2017-11822 Word vulnerability to install an information stealer. CVE-2017-11822 was patched by Microsoft last year, although companies that have not patched their systems recently will be vulnerable to this attack.

CVE-2017-11822 is a vulnerability in Office Equation Editor. The bug has been present in Microsoft Office for the past 17 years. Last year, Microsoft rated the code execution vulnerability as important rather than critical, but many security professionals disagreed and claimed the vulnerability was very dangerous as the bug could be exploited to run arbitrary code and the vulnerability was present in all Office versions.

Microsoft Equation Editor is an application that allows the insertion and editing of complex equations in Office documents as OLE items. Last year, security researchers were able to exploit the vulnerability to run a sequence of commands, including the downloading of files from the Internet. This campaign similarly triggers the downloading of a document – a Rich Text File (RTF) via an OLE object embedded in the Word document.

The OLE object opens the RTF file which uses the vulnerability to run a MSHTA command line, which downloads and runs an HTA file containing a VBScript. The VBScript unpacks a PowerShell script, which in turn downloads and runs the information-stealing malware. The purpose of the malware is to steal passwords from web browsers, email accounts and FTP servers.

The email campaign has been developed to target businesses. So far, four email templates have been detected by SpiderLabs researchers, although more will almost certainly be used over the coming days and weeks.

The four emails intercepted by have the subject lines:

  • TNT Statement of Account
  • Request for Quotation (RFQ)
  • Telex Transfer Notification
  • Swift Copy for Balance Payment

While a patch was released last year to address the vulnerability, Microsoft has taken further steps this Patch Tuesday by removing some of the functionality of Microsoft Equation Editor to prevent CVE-2017-11882 from being exploited.

Businesses can mitigate this attack in three main ways:

  • Ensuring Office installations and operating systems are kept patched and 100% up to date
  • Use of anti spam software to prevent malicious emails from being delivered to end users
  • Training end users on cybersecurity best practices and the danger of opening Office documents from unknown individuals. Consider sending a warning about this campaign and the email subject lines being used

Valentine’s Day Email Scams Highlight Need for Advanced Spam Filters

Every February, Valentine’s day email scams are to be expected and this year has been no different. On Monday, a massive new phishing campaign was launched. The Necurs botnet was used to deliver millions upon millions of dating, romance and Valentine’s themed emails.

Dating and Valentine’s Day Email Scams Pose Problems for Businesses

Dating scams increased significantly in January and continued in February. You have probably seen the emails already in one of your inboxes.

The emails appear to have been sent by Russian women desperate to find love. Unsolicited emails from attractive women complete with suggestive pictures and messages claiming the recipient is particularly attractive are certain to be spam, yet the emails are effective. The FBI’s figures indicate around $230 million is lost to these scams alone each year. In 2016, the FBI received around 15,000 complaints about financial losses as a result of dating and romance scams.

There were two major peaks in spam email volume between January 15 and 17 and January 29 and February 2 when around 35 million dating spam messages were delivered via the Necurs botnet. Over 230 million messages were sent in a two-week period in January. The aim of the campaign is to obtain credit card details, payments to cover flights to bring the women over to the US, but in many cases the purpose is to fool the email recipient into downloading malware.

Cybercriminals use all manner of tactics to entice users to click. Another effective technique, highlighted by security awareness training firms KnowBe4 and PhishMe, is the use of eCards, especially on Valentine’s Day. Links are sent that appear to be from legitimate eCard sites that require users to click the link to view a Valentine’s day card from a secret admirer. The purpose is to deliver malware.

Valentine’s day email scams this year also include messages alerting the recipient about the failed delivery of flowers from Interflora and email attachments claiming to be delivery receipts.

It is the likelihood of these emails being opened that makes defending against them a major headache for businesses. One single click is all it takes for malware to be installed, and since many malware variants can rapidly spread laterally, one click could be all it takes to compromise an entire network.

The Winter Olympics Scams Continue

This month has also seen plenty of Winter Olympics phishing campaigns conducted. Cybercriminals have been taking advantage of interest in the games to get their emails opened. Malicious links are used to direct users to websites that claim to have up to date news on the events, the competitors, fake news, and the results of events.

The reality is these links direct users to phishing websites, exploit kits, and sites where malware is silently downloaded. With workers unable to watch the sports live at work, these malicious emails stand a high chance of being opened.

With Valentine’s day and the Winter Olympics, February has been a busy month for scammers and with the Pyeongchang Winter Olympics still in full flow, businesses need to be on high alert.

Fortunately, there is one technology in particular that can help businesses counter these email-based threats. An advanced spam filtering solution: The most effective defense against email-based attacks. An advanced spam filter such as SpamTitan blocks more than 99.9% of spam emails, 100% of known malware, and ensures that phishing and other malicious emails do not reach inboxes.

To find out more about SpamTitan – the best spam filter for business use – contact the TitanHQ team today.

Warning of Cyber Extortion Attacks on Schools

Following a slew of cyber extortion attacks on schools, the FBI and the Department of Education’s Office of the Inspector General have issued a warning. Schools need to be alert to the threat of cyber extortion and must take steps to mitigate risk by addressing vulnerabilities, developing appropriate policies and procedures, and using technologies to secure their networks.

K12 schools and other educational institutions are an attractive target for cybercriminals. They hold large quantities of valuable data – The types of data that can be used to commit identity theft and tax fraud. Further, in education, security defenses are typically of a much lower standard than in other industries. Poor defenses and large volumes of valuable data mean cyberattacks are inevitable.

The warning comes after several cyber extortion attacks on schools by a group of international hackers known collectively as TheDarkOverlord. The hacking group has conducted numerous attacks on the healthcare industry the public school system since April 2016.

The modus operandi of the hacking group is to search for vulnerabilities that can be easily exploited to gain access to internal networks. Once network access is gained, sensitive data is identified and exfiltrated. A ransom demand is then issued along with the threat to publish the data if payment is not made. The hacking group does not make empty threats. Several organizations that have failed to pay have seen their data dumped online. Recent attacks have also included threats of violence against staff and students.

Access to networks is typically gained by exploiting vulnerabilities such as weak passwords, poor network security, unpatched software, and misconfigured databases and cloud storage services.

The FBI reports that the hacking group has conducted at least 69 cyber extortion attacks on schools, healthcare organizations, and businesses and has stolen more that 100 million records containing personally identifiable information. More than 200,000 of those records have been released online after ransom demands were ignored. More than 7,000 students have had their PII exposed by the hackers.

The escalation of the threats to include violence have caused panic and some schools have been temporarily closed as a result. Sensitive data has been released which has placed staff and students at risk of financial losses due to fraud. The FBI recommends not paying any ransom demand as it just encourages further criminal activity. What schools must do is take steps to mitigate risk and make it harder for their institution to be attacked. By doing so, cybercriminals are likely to continue their search for organizations that are easier to attack.

Ransomware and DDoS Attacks are Rife

TDO is not the only criminal group conducting cyber extortion attacks on schools, and these direct attacks are not the only way access to school networks is gained.

The past two years have seen a massive rise in the use of ransomware on schools. Ransomware attacks are often indiscriminate, taking advantage of vulnerabilities in human firewalls: A lack of security awareness of staff and students. These attacks commonly involve email, with malicious attachments and links used to deliver the ransomware payload.

Ransomware is malicious code that is used to search for stored files and encrypt them to prevent access. With files encrypted, organizations must either restore files from backups or pay the ransom demand to obtain the key to unlock the encryption.  Since the code can also encrypt backup files, many organizations have had no alternative other than paying the ransom, since data loss is not an option.

Other cyber extortion attacks on schools do not involve data theft. DoS and DDoS attacks bombard servers with thousands or millions of requests preventing access and often damaging hardware. Cybercriminal gangs use mafia-style tactics to extort money, threatening to conduct DoS/DDoS attacks unless payment is made. Alternatively, they may conduct the attacks and demand payment to stop the attack.

The rise in cyber extortion attacks on schools means action must be taken to secure networks. A successful attack often results in educational institutions suffering major losses. The ransom payment is only a small part of the total cost. Removing ransomware, rebuilding systems, and protecting individuals whose sensitive data has been exposed can cost hundreds of thousands of dollars.

How to Protect Against Cyber Extortion Attacks on Schools

Schools and other educational institutions can develop policies and procedures and use technologies to deter cybercriminals and improve network and email security. By adhering to IT best practices and adopted a layered approach to security, it is possible to mount a robust defense and prevent cyber extortion attacks on schools.

Educational institutions should:

Implement strong passwords: Weak passwords can easily be cracked using brute force methods. Set strong passwords (Upper/lower case letters, numbers, and special characters or long 15+ digit passphrases) and use rate limiting to block access attempts after a set number of failures. Never reuse passwords for multiple accounts.

Patch promptly: Vulnerabilities in software and operating systems can easily be exploited to gain access to networks. Develop good patch management policies and ensure all software and operating systems are updated promptly.

Implement an advanced spam filter: Phishing and spam emails are commonly used to deliver ransomware and obtain login credentials. Do not rely on the spam filters of email service providers. Implement separate, advanced anti spam software or a cloud-based filtering service to block email-based threats and prevent them from reaching inboxes.

Provide security awareness training:  Cybersecurity should be taught. Staff and students should be made aware of email and web-based threats and told how to identify malicious emails and potential web-based threats.

Implement a web filter: A web filter is necessary for CIPA compliance to protect students from harm caused by viewing obscene images online. A web filter is also an important cybersecurity defense that can block malware and ransomware and stop staff and students from visiting phishing websites.

Secure remote desktop/access services: Conduct audits to determine which devices have remote access enabled. If remote access is not necessary, ensure it is disabled. If the services cannot be disabled, ensure they are secured. Use Secure Sockets Layer (SSL) Transport Layer Security for server authentication, ensure sessions are encrypted, and use strong passwords. Whitelist access is strongly recommended to ensure only authorized devices can connect.

Use two-factor authentication: Use two-factor authentication on all accounts to prevent access if a password is used on an unfamiliar device.

Limit administrator accounts: Administrator accounts should be limited. When administrator access is not required, log out from those accounts and use an account with fewer privileges.

Segment your network: Segmenting the network can limit the damage caused when malware and ransomware is installed, preventing it from spreading across the entire network.

Scan for open ports and disable: Conduct a scan to identify all open ports and ensure those open, unused ports are disabled.

Monitor audit logs: Audit logs for all remote connection protocols, check logs to ensure all accounts were intentionally created, and audit access logs to check for unauthorized activity.

Backup all data: Good backup polices are essential for recovery from ransomware attacks: Adopt a 3-2-1 approach. Make three copies of backups, store them on at least two different media, and keep one copy off site. Backups should be on air-gapped devices (not connected to the Internet or network).

FedEx Phishing Scam Targets Businesses and Educational Institutions

A new FedEx phishing scam has been detected that appears to be targeting universities and businesses. Spam emails with the subject line ‘FedEx Delivery Notification’ are sent to users that explain FedEx was unable to deliver a package. The email claims the package was over the allowable weight limit and did not qualify for free delivery.

The email recipients are informed that in order to collect the package, they must visit their local FedEx depot in person. The package will not be released unless the user presents a label to the dispatcher, which the user is required to print.

The sophisticated FedEx phishing scam involves no email attachments, only a link. However, the link does not appear to be a malicious site. The attackers are using Google Drive to distribute their malware.

This is an increasingly common tactic that abuses trust of Google. Since the website is genuine – drive.google.com –  users are less likely to believe that they are being scammed. The hyperlink will direct the user to Google Drive and will trigger the download of a file called Lebal copy.exe. An executable file that if run, will install malware.

Many people know not to run executable files, although in this case the file is disguised as a PDF and has the PDF icon. If known file extensions are not configured to be displayed on the user’s computer – which is now common- they would not be aware that the file is not a PDF.

The latest scam was uncovered by researchers at Comodo, who identify the malware as a Trojan called TrojWare.Win32.Pony.IENG that steals cookies and credentials. It is capable of stealing information from FTP clients, attempts to obtain and access cryptocurrency wallets, and extracts a wide range of user data and transmits the information to its command and control server. The malware uses various tactics to avoid detection by anti-malware and anti-virus defences.

Universities and Businesses Fall for FedEx Phishing Scam

According to Comodo, so far there have been 23 businesses, several government employees, and five university employees that have fallen for the scam. Since those businesses were protected by anti-virus software that was able to block the malware they avoided infection, although many others will not be so fortunate.

Protecting against scams like this requires layered defenses and user vigilance. Spam filters should be used by businesses to detect and quarantine spam emails such as this. Links to Google Drive can be difficult to block, as Google Drive is a legitimate website.  Antivirus and anti-malware defenses must therefore be in place to detect the malicious download.

Businesses should not forget the human element of the security chain. Security awareness training and phishing simulations can help users to detect a FedEx phishing scam such as this.

Netflix Users Targeted by Scammers

A new sophisticated Netflix scam has appeared in the past few days. The emails claim users will have their Netflix membership suspended due to a problem processing the most recent payment.

The email appears to have been sent from Netflix and includes all the appropriate branding, making the email look highly convincing. The subject line is ‘Suspension of your membership’.

The email says there was a problem validating the most recent payment, and a link is supplied in the email that requires the user to validate their payment and billing information.

Clicking the link directs the user to what appears to be the Netflix website where they are asked to go through a series of steps to validate their account. The validation process requires them to re-enter their payment card information. The failure to complete the step will result in the suspension of their Netflix account.

The website contains the correct branding and looks exactly like the legitimate site. The URL is different, but the website is HTTPS and has the green padlock. A casual glance at the URL may not reveal there is anything wrong with the site.

Spam filtering solutions such as SpamTitan can detect this type of scam, but users must exercise caution as not all phishing emails can be blocked.

Users should carefully check the URL of any site they visit to make sure it is legitimate before entering sensitive information. Links sent in emails should be checked by hovering the mouse arrow over the link to find out the true URL.

An email such as this should prompt the user to visit Netflix using their usual bookmark or by typing in the URL into their browser, rather than visiting any links in the email.